EU Cloud and AI Development Act (CADA) Goes Live May 27: What GovTech, Fintech and HealthIT Developers Need to Know
Post #1011 in the sota.io EU Cloud Sovereignty Series
On May 27, 2026, the European Commission will present the Cloud and AI Development Act (CADA) — the centrepiece of its long-delayed Tech Sovereignty Package. This is not a consultation document. It is a binding legislative proposal under Article 114 TFEU that will reshape how public-sector organisations in Europe procure and deploy cloud infrastructure.
If you are building software for government agencies, public healthcare institutions, or regulated financial entities in the EU, this post is your first-mover briefing.
What Is CADA?
CADA is the EU's formal legislative response to a structural problem that GDPR alone could not fix: US cloud providers control 65% of the European cloud market, and the 2018 US CLOUD Act means that US law enforcement can demand access to data stored on any US company's infrastructure — regardless of where the servers are physically located.
The full name is the Cloud and AI Development Act. It is bundled with Chips Act 2.0 in what the Commission calls the "Tech Sovereignty Package." Together, these measures are the EU's answer to growing dependency on US digital infrastructure at a time of escalating geopolitical tension.
CADA's three core pillars:
- Public sector cloud eligibility requirements — only cloud providers meeting EU-defined sovereignty criteria may process certain categories of sensitive public-sector data
- Triple EU data centre capacity — the act sets a target to dramatically expand EU-owned data centre infrastructure by 2030
- EU-wide cloud policy for public administrations — harmonising procurement rules across 27 member states so that a GovTech vendor approved in Germany can more easily operate in France or Poland
What CADA Restricts: The Three Sensitive Data Categories
CADA proposes that financial, judicial and health data processed by governments and public-sector organisations must be handled by cloud infrastructure meeting EU sovereignty requirements. This means:
| Data Category | Example Use Cases | Why It's Targeted |
|---|---|---|
| Financial data | National tax agencies, public budget systems, state-owned bank infrastructure | Treasury data + CLOUD Act = sovereignty risk |
| Judicial data | Court case management, law enforcement databases, prison administration | Rule-of-law data cannot be US-compellable |
| Health data | National health registries, hospital EHR systems, public health surveillance | GDPR Art. 9 special category + HIPAA parallel concerns |
The Commission's rationale is direct: under the 2018 US CLOUD Act, a US government subpoena to Microsoft, Amazon or Google can compel disclosure of data stored on European servers. For a national tax authority or a national health service, that is an unacceptable sovereignty exposure.
Who Is Affected: The Big Three US Providers Face Restrictions
The three hyperscalers that dominate the EU market face the most direct impact:
Microsoft Azure — The EU Data Boundary programme that Microsoft launched in 2023 was an attempt to pre-empt exactly this legislation. However, Microsoft Corp is a Delaware C-Corporation subject to US law, and the EU Data Boundary does not change Microsoft's legal compellability under the CLOUD Act. Azure's government cloud offerings (Azure Government, Microsoft 365 GCC) are US-region only and do not solve the EU sovereignty problem for European public bodies.
Amazon Web Services — AWS GovCloud is US-only. AWS European regions are operated by Amazon Web Services EMEA SARL (Luxembourg) but the ultimate parent is Amazon.com Inc. (Delaware). No contractual arrangement changes the US parent's legal exposure.
Google Cloud — Google LLC is a Delaware C-Corporation. Google Cloud's EU data regions and Google Workspace for EU data regions face the same structural problem: Google is US-compellable under CLOUD Act regardless of server location.
What CADA Does NOT Restrict
This is equally important for developers to understand:
Private-sector companies are explicitly excluded from CADA's restrictions. If you are building a SaaS product for private businesses — even in heavily regulated sectors like fintech or healthtech — CADA does not mandate which cloud infrastructure you must use.
The restrictions apply to:
- National and regional government agencies
- Public hospitals and national health services
- Public financial bodies (national banks, tax authorities, public pension funds)
- Public courts and judicial administration
They do NOT apply to:
- Private banks and insurance companies using regulated cloud services
- Private hospitals and clinics
- Private sector fintech companies
- Any B2B or B2C commercial software regardless of sector
This is a crucial distinction. CADA is a public-sector procurement rule, not a sector-wide data localisation mandate.
Why This Matters Right Now: The GovTech Developer Problem
If you are building for public sector clients — or if your current private-sector clients include public bodies — the procurement implications start now, not when CADA becomes law.
Here is the timeline problem:
- May 27, 2026 — Commission presents CADA as a formal legislative proposal
- 2026-2027 — European Parliament and Council review, amend, and negotiate the text (typically 18-24 months for complex digital legislation)
- 2028-2029 — Final text enters into force, implementation period begins
- Procurement decisions happen years before compliance deadlines — a government IT system built in 2026 will still be running in 2030
This means public sector clients will start inserting CADA-readiness clauses into procurement contracts now. If your cloud infrastructure is Azure, AWS or Google Cloud, you may find yourself disqualified from public sector tenders before the law even takes effect.
The CLOUD Act Problem That CADA Is Solving
To understand why CADA is needed, you need to understand what the CLOUD Act actually does.
The Clarifying Lawful Overseas Use of Data Act (2018) allows US law enforcement to issue subpoenas to US companies for data stored anywhere in the world. The critical phrase is "US companies" — not "US servers." If the cloud provider is incorporated in the United States, its servers in Frankfurt, Amsterdam or Dublin are fully within the reach of US government requests.
GDPR provides no protection here. A data processing agreement under GDPR Art. 28 governs how a processor handles data. It does not create a legal barrier against US government compulsion. The Standard Contractual Clauses (SCCs) that replaced Privacy Shield do not address sovereign compellability — they govern commercial transfer conditions between controllers and processors.
The only structural protection is choosing cloud providers that are not subject to US law — i.e., not incorporated in the US and not owned by US parent companies.
EU-Native Cloud Alternatives for CADA Compliance
For GovTech, HealthIT and public-sector Fintech developers who need to get ahead of CADA, here are the leading EU-sovereign cloud platforms:
Infrastructure-as-a-Service (IaaS)
Hetzner Online GmbH — German GmbH, family-owned, no US parent. Operates data centres in Nuremberg, Falkenstein, Helsinki and Ashburn. Hetzner is the most commonly cited alternative for CADA-compliant infrastructure given its pure EU ownership structure and competitive pricing. Not subject to CLOUD Act.
OVHcloud — French SA listed on Euronext Paris. HQ Roubaix, France. No US parent. Operates data centres across Europe. OVH Groupe SAS is the holding entity. Strong government cloud offering (SecNumCloud certification in France). Not subject to CLOUD Act.
Scaleway — French SAS, subsidiary of Iliad Group (founded by Xavier Niel). Operates data centres in Paris and Amsterdam. Strong developer experience. Not subject to CLOUD Act.
Exoscale — Swiss AG, operated by A1 Digital International (A1 Telekom Austria Group). Swiss DPA jurisdiction. Not subject to CLOUD Act.
Platform-as-a-Service (PaaS)
sota.io — EU-native managed PaaS running on Hetzner Germany infrastructure. No US parent company, no CLOUD Act exposure. Deploy any language or framework without managing infrastructure. Designed for GDPR compliance from day one. Starting from €9/month.
Database-as-a-Service
Supabase (self-hosted on EU IaaS) — Open source, self-hostable on Hetzner or OVH.
StackGres on Hetzner — PostgreSQL-as-a-service, EU-hosted.
Managed Postgres via Hetzner — directly on Hetzner compute.
Managed Kubernetes
STACKIT — German cloud from Schwarz Group (Lidl/Kaufland parent). The Dutch Central Bank (DNB) recently chose STACKIT over AWS for exactly the sovereignty reason CADA addresses. Strong public sector track record.
plusserver — German GmbH, Cologne. Operates Garden Linux-based Kubernetes (PSKE), EU-DSGVO certified, EUCS-aligned.
What Developers Should Do Before May 27
If you build for public sector clients:
- Audit your cloud dependencies — map every US-incorporated cloud service in your stack (compute, storage, databases, CDN, email, observability, secrets management)
- Add EU-sovereign alternatives to your architecture decision records — document viable replacements before clients ask you to
- Track the CADA text after May 27 — the Commission proposal will clarify which data categories and which tiers of public administration are in scope
- Start procurement template language now — draft a "CLOUD Act–free infrastructure declaration" you can attach to tender responses
If you build for private sector clients:
- Monitor but do not overreact — CADA does not apply to private companies
- If your private clients have public-sector subsidiaries or data-sharing agreements, map those data flows
- If you are considering a public sector expansion, start EU-sovereign infrastructure planning now
For existing public-sector deployments on AWS/Azure/GCP:
- Check contract terms for technology-lock clauses — some public contracts already require EUCS certification or NIS2-compliant infrastructure
- Run a CLOUD Act Transfer Impact Assessment (TIA) — document that you are aware of the risk and have a migration plan
- Pilot an EU-sovereign architecture — start with a non-sensitive workload tier to build operational familiarity before mandates take effect
The EUCS Connection
CADA does not exist in isolation. It connects to the EU Cybersecurity Certification Scheme for Cloud Services (EUCS), which ENISA has been developing since 2020. EUCS defines three assurance levels (Basic, Substantial, High), and the "High" level — which is where sovereign cloud requirements sit — originally included strict EU-incorporation requirements that were subsequently weakened under hyperscaler lobbying pressure.
CADA may effectively resurrect those requirements through legislation rather than certification scheme design. If CADA mandates that public-sector sensitive data must be on "EUCS High–equivalent sovereign infrastructure," the definition of what that means becomes legally binding rather than voluntary.
Watch for the specific language in the May 27 Commission proposal on this point. It will determine whether the existing EUCS certification pathway is sufficient for compliance or whether new sovereign criteria apply.
The Geopolitical Context
CADA's timing is not accidental. The Trump administration's second term has dramatically accelerated EU digital sovereignty discussions. The combination of CLOUD Act exposure, Section 702 FISA surveillance powers, and US executive orders affecting European tech companies has shifted the political calculus in Brussels.
The CNBC reporting that preceded the May 27 announcement notes that "as tensions with U.S. President Donald Trump's administration have intensified, there have been calls for Europe to diversify away from U.S. cloud providers." CADA is the legislative crystallisation of that call.
For developers, the geopolitical dimension is less important than the procurement reality: public sector clients in Europe will increasingly require CLOUD Act–free infrastructure, and CADA gives that requirement a legal basis.
Key Dates to Track
| Date | Event |
|---|---|
| May 27, 2026 | Commission presents Tech Sovereignty Package including CADA |
| Q3 2026 | European Parliament and Council receive the proposal |
| Q4 2026 – Q2 2027 | Trilogue negotiations (Parliament + Council + Commission) |
| 2027-2028 est. | CADA enters into force |
| 2028-2030 est. | Implementation period for public administrations |
The 18-24 month legislative process means procurement decisions made in late 2026 and 2027 will be the first real compliance inflection point.
Bottom Line
CADA is the EU's most significant cloud sovereignty move since GDPR. It converts the "we should avoid US cloud for sensitive government data" conversation into a binding legal requirement.
For GovTech, HealthIT and public-sector Fintech developers, the window to establish EU-sovereign architecture credentials is now — before procurement criteria harden and before competitors get there first.
The core principle is simple: choose cloud providers that are not incorporated in the United States, not owned by US parent companies, and not subject to CLOUD Act compulsion. That is the CADA compliance test in plain terms, and it has a short list of passing cloud providers.
Resources
- European Parliament Legislative Train — Cloud and AI Development Act
- EPRS Briefing on CADA (December 2025)
- CNBC: EU weighs restricting US cloud platforms for sensitive government data
- gHacks: EU New Tech Package May Restrict Microsoft, Amazon, and Google
- ENISA: EU Cybersecurity Certification Scheme for Cloud Services (EUCS)
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.