Cloud and AI Development Act: Europe's Pivotal Bid for Digital Sovereignty

The European Commission is preparing to introduce the Cloud and AI Development Act (CADA) in the first quarter of 2026, a legislative proposal poised to significantly reshape Europe's digital landscape. This initiative is being heralded as a robust attempt to establish European cloud sovereignty, yet it enters an arena littered with the remnants of previous, less successful endeavors. ## Understanding the Core of CADA CADA distinguishes itself from prior efforts by being a binding legislative act, not merely a voluntary framework or a set of guidelines. Rooted in Article 114 TFEU, which focuses on internal market harmonization, it will impose direct effects across all member states, marking a departure from initiatives like GAIA-X. The proposal originated from the AI Continent Action Plan, championed by Ursula von der Leyen and managed under Executive Vice-President Henna Virkkunen's Tech Sovereignty portfolio. Following a public consultation from April to July 2025, the European Council, in its October 2025 conclusions, explicitly urged the Commission to pursue an 'ambitious' approach. The Commission's consultation document outlines CADA across three main pillars, each designed to tackle distinct challenges in European cloud policy. ### Pillar 1: Advancing Resource-Efficient Infrastructure Research and Innovation This pillar represents a long-term strategic play. Recognizing that Europe cannot outspend the US and China in data center scale, the strategy is to lead through superior engineering and efficiency. The Commission intends to fund research and development in areas such as AI-optimized hardware, intelligent power management, and methods for distributing AI workloads across smaller, decentralized facilities, rather than relying solely on massive hyperscale campuses. The focus on efficiency is critical, given that energy consumption is increasingly a limiting factor. The International Energy Agency forecasts a doubling of global data center electricity use, from approximately 415 TWh in 2024 to 945 TWh by 2030. With Europe facing inherently higher energy costs than its global counterparts, achieving greater efficiency in AI workloads could significantly mitigate a key competitive disadvantage. The efficacy of Pillar 1, however, depends on whether it translates into genuine strategic bets rather than a broad, thinly spread R&D agenda. While Europe boasts strengths in areas like photonics research in Eindhoven, neuromorphic computing at Intel's Irish labs, and energy-efficient inference work at institutions such as CEA in France, the historical challenge has been converting academic excellence into commercial success. A 2025 assessment by the European Court of Auditors on the R&D pillar of the EU Chips Act, a comparable initiative, concluded it would not meet its target of a 20% global semiconductor market share, recommending an "urgent reality check." This suggests that concentrated investment in areas of plausible European differentiation, rather than diffuse funding, will be crucial. ### Pillar 2: Fostering Data Center Investment Conditions The current data center landscape presents a stark reality: despite a comparable GDP, the United States possesses roughly twice Europe's global data center capacity. Furthermore, three US-based entities—AWS, Microsoft, and Google—command approximately 70% of the EU cloud market. This trend is concerning; the collective market share of European cloud providers has declined from 29% in 2017 to about 15% today, even as their revenues have tripled. They are expanding, but falling further behind. CADA proposes to address this by tripling EU data center capacity within five to seven years. Mechanisms under consideration include harmonized fast-track permitting across member states (to counter current fragmentation and delays), strategic grid integration for energy access, and capital support for new European market entrants via the proposed European Competitiveness Fund. Microsoft, in its consultation response, highlighted Aragon in Spain as an exemplary model for streamlined permitting. While such measures could ease data center construction, a critical question arises: who primarily benefits? If permitting is simplified and energy costs are reduced, the main beneficiaries, given the current market structure, are likely to be AWS, Azure, and GCP, which possess the capital, operational expertise, and customer base. As Finland's government presciently noted, action is needed to ensure that "the benefits of building data center capacity do not primarily flow to actors outside the EU." This highlights the paradox of Pillar 2: building infrastructure that primarily aids the very companies the EU seeks to reduce its reliance on, unless Pillar 3 fundamentally alters this dynamic. ### Pillar 3: Establishing Highly Secure EU-Based Cloud Capacity This pillar is widely seen as the make-or-break element for CADA's success. Its focus is to ensure that "a set of narrowly defined highly critical use cases can be operated using highly secure EU-based cloud capacity." Key stakeholders have identified critical use cases including defense, public administration, and vital infrastructure. Defining "highly secure EU-based" capacity presents a significant challenge, one where Europe has previously faltered. The European Cybersecurity Certification Scheme for cloud services (EUCS) has been stalled since 2019 over the exclusion of non-EU providers from the highest certification tiers. CADA aims to resolve this deadlock by embedding sovereignty requirements directly into legislation, bypassing the voluntary certification process. The Commission recently introduced a Cloud Sovereignty Framework for its own procurement of sovereign cloud services, stipulating assurance levels that demand complete EU control over technology and operations, subject exclusively to EU law. This framework is already influencing discussions. Dassault Systèmes advocates for requiring cloud providers to be headquartered in the EU, while SAP suggests that existing certification frameworks are adequate. France and Germany recommend leveraging public procurement mandates to foster competitive EU solutions. Predictably, Microsoft has urged the EU to avoid measures that might "discriminate against non-EU actors," citing WTO obligations. The urgency is amplified by the US CLOUD Act, which asserts extraterritorial jurisdiction, compelling US companies to produce data regardless of its physical location. This means a US hyperscaler, even with a data center in Frankfurt, German staff, and encryption managed by an EU company, remains under US jurisdiction. While major data disclosures to US authorities for European customers under the CLOUD Act have not been reported, the structural exposure is a concern for EU member states, particularly for defense, classified government systems, and critical infrastructure. ## Implications for Hyperscalers The impact on AWS, Azure, and Google Cloud will largely depend on the stringency of Pillar 3. * **Scenario 1: Strict Sovereignty.** This approach would reserve critical public sector workloads exclusively for EU-headquartered providers, aligning with France's preference and the Commission's maximum assurance level. This would create a protected market for European players like OVHcloud, Scaleway, and IONOS, effectively excluding hyperscalers from symbolically significant government contracts. * **Scenario 2: Qualified Sovereignty.** This involves hybrid models where hyperscalers collaborate with EU partners through joint ventures, meeting operational requirements such as EU-based, security-cleared staff, EU-controlled encryption, and immunity from US extraterritorial law. Italy's public administration already employs this model. Hyperscalers like Microsoft (Bleu, with Orange and Capgemini), GCP (S3NS, with Thales), SAP (Delos), and AWS (with its new €7.8 billion European Sovereign Cloud in Germany) are already positioning themselves for such arrangements. * **Scenario 3: Sovereignty Washing.** This scenario implies that requirements can be met simply by hosting servers within the EU, essentially maintaining the status quo. Hyperscalers would invest in "sovereign" branding and fulfill superficial compliance without fundamental structural changes. The prevailing political sentiment leans towards a compromise between Scenario 1 and Scenario 2. The European Council's call for ambition, combined with joint endorsements for EU-wide sovereign cloud definitions by leaders like Emmanuel Macron and Friedrich Merz, signals a strong resolve. The current geopolitical climate, marked by renewed US-EU tensions and the implications of the CLOUD Act, has made digital dependence on the US increasingly unpalatable. Hyperscalers, however, have a history of adapting to regulatory shifts and are likely to evolve their strategies once more. ## The Lingering Shadow of Past Failures Professor Antonio Calcara of Vrije Universiteit Brussels observes a recurring pattern in EU cloud policy: "failure at the EU level is designed to lead to national success." Member states often use EU-level progress to strengthen their individual bargaining positions with US hyperscalers, rather than fostering collective European alternatives. This transforms the EU framework into a negotiating tool, not a market-building instrument. This pattern is evident in historical initiatives: * **CloudWatt and Numergy (2012):** France's €150 million national cloud champions both failed within five years, unable to attract customers or match hyperscaler scale. * **EUCS (2019):** This certification scheme has been deadlocked for six years over sovereignty requirements, a challenge CADA now seeks to address legislatively. Member states have been unable to agree on whether to exclude non-EU providers from the highest assurance levels. * **GAIA-X (2020):** Launched as the "Airbus of the Cloud" by France and Germany, it aimed to create a federated European data infrastructure. However, it admitted AWS, Microsoft, and Google as members, prompting criticisms like Nextcloud CEO Frank Karlitschek's description of it as a "paper monster." Founding member Scaleway eventually withdrew, and European cloud market share continued its decline during GAIA-X's existence. * **IPCEI-CIS (2023):** This initiative, involving €1.2 billion in public funding across seven member states, yielded only one operational sovereign edge cloud platform (virt8ra), highlighting a significant disparity between investment and output. As Europe grapples with these internal negotiations, the global competition for AI workloads is intensifying from unexpected quarters. ## A Glimpse at Global Competition: India's Bold Move While Europe debates its cloud future, countries like India are taking decisive action. India's finance minister, Nirmala Sitharaman, recently announced a significant policy: zero taxes through 2047 on revenues from cloud services sold outside India, provided those services operate from Indian data centers. This 21-year tax holiday is a powerful incentive for cloud providers to establish AI infrastructure in India and serve global customers. Major hyperscalers are already heavily invested: Google has committed $15 billion to an AI hub and data center expansion in India; Microsoft is following with $17.5 billion by 2029 for AI and cloud expansion; and Amazon is adding $35 billion by 2030, building on an existing $40 billion investment. Domestically, a Reliance-Brookfield-Digital Realty joint venture is investing $11 billion in a 1-gigawatt AI-focused data center campus in Andhra Pradesh, while Adani Group plans to commit up to $5 billion alongside Google for a new AI data center project. These developments underscore the fierce global competition for digital dominance, a landscape Europe must navigate with strategic foresight and effective implementation.