The European Commission published its proposal for the Cloud and AI Development Act on 3 June 2026, introducing a four-tier sovereignty framework for cloud and artificial intelligence infrastructure. The proposal aims to reduce Europe's dependence on non-European technology, but experts warn that strict compliance requirements risk stalling the very industry they intend to build if domestic supply cannot meet the demand.
The four-tier sovereignty framework
CADA categorizes infrastructure from a baseline Level 1, requiring self-assessment and state-of-the-art cybersecurity, to a demanding Level 4. Level 4 mandates full EU ownership and control, EU-cleared personnel, zero transfer of AI inference data outside the EU, and third-party audits validated by national authorities. Zoltán Précsényi, Global Director of Privacy & Cyber at Elastic, said the ambition is legitimate but execution will be difficult.
"The buy side of the market will only be as sovereign as the sell side allows," Précsényi said. "Meaningful regulatory relief, significant investment incentives and pragmatic procurement reform are not footnotes to CADA. They are prerequisites."
The supply and demand mismatch
If high-level requirements enter into force before a competitive European cloud and AI supply exists, governments will face a political contradiction. They will be publicly committed to strategic autonomy but privately unable to enforce rules the available technology cannot satisfy. History shows this risk is real. The 2017 ePrivacy Regulation proposal stalled for nearly a decade, and the EUCS framework under the 2019 Cybersecurity Act failed to gain adoption due to irreconcilable divergences between member states and industry compliance hurdles.
CADA could follow the same trajectory if it forces public administrations into requirements the market cannot meet. When that tension becomes undeniable, the political debate tends to prolong indefinitely, and the proposal dies a slow death.
Calibration risks and necessary reforms
The calibration of requirements across the four levels will be the defining technical and political battleground. For engineering leaders managing these shifts, understanding AI for IT & Development practices is critical, especially regarding infrastructure automation and software engineering constraints. If Levels 3 and 4 are calibrated incorrectly, they could become de facto market exit barriers.
Précsényi warned that if foreign control is inferred from standard global business practices-such as international leadership, non-European funding, or cross-border data flows-the act will block European technology companies from scaling. "In that scenario, CADA becomes not a sovereignty instrument but a highly counter-productive isolationist measure," he said.
To avoid this outcome, Précsényi outlined three necessary conditions. First, regulatory burden reduction must address the energy, infrastructure, and data constraints that make building frontier technologies economically irrational in Europe. Second, venture capital mobilization must become a genuine policy priority, as European financial markets currently cannot deploy risk capital at the scale of Anglo-Saxon markets. Finally, strategic technology leadership requires managing these regulatory impacts on infrastructure scaling, making an AI Learning Path for CTOs highly relevant for executives overseeing these compliance frameworks.
Why this matters for IT and development professionals
IT and development teams will bear the operational weight of CADA's compliance tiers. If Level 3 or 4 requirements are enforced without adequate domestic tooling, engineering teams will face strict data residency mandates and vendor restrictions that limit their technology choices. Developers must prepare for stricter audit requirements, localized data processing constraints, and potential delays in adopting third-party AI infrastructure if European alternatives remain underdeveloped.
Your membership also unlocks:
