Europe's Cloud and AI Development Act: Grand ambition, fragile foundations

On 3 June, the European Commission published its proposal for a Cloud and AI Development Act, accompanied by an impact assessment that is, in many respects, the most candid document Brussels has produced in years on the question of European technological sovereignty. At its core, CADA introduces a four-tier sovereignty classification framework for cloud and artificial intelligence infrastructure, ranging from a baseline Level 1 built on self-assessment and state-of-the-art cybersecurity, to a demanding Level 4 requiring full EU ownership and control, EU-cleared personnel, no transfer of AI inference data outside the EU, and third-party audit validated by national authorities. While the ambition is clear and undoubtedly legitimate, the execution will be anything but straightforward.

The ambition

Europe wants to send a signal to the market: domestic cloud and AI infrastructure must emerge, strategic public sector bodies and critical industries must be able to anchor their technology choices in European offerings, and the continent must reduce its dependence on infrastructure controlled by non-European actors. That is a healthy political and industrial objective. The sovereignty framework in CADA is a serious attempt to translate this political vision into operational criteria across control structures, personnel, supply chains, subcontractors, vulnerability disclosure and cybersecurity certification.

But regulatory demand-side drivers alone will not get Europe to where it wants to be. The buy side of the market will only be as sovereign as the sell side allows. This means that the political debate on CADA itself must not crowd out the equally, if not more, urgent work of removing the structural barriers that currently prevent a competitive European cloud and AI supply from emerging. Meaningful regulatory relief, significant investment incentives and pragmatic procurement reform are not footnotes to CADA. They are prerequisites. Without them, the framework risks being an elegant architecture with no building to hold up.

The political pitfall

There is a specific and underappreciated failure mode lurking in the CADA proposal, and it deserves to be named plainly. If the requirements for upper levels enter into force before a sufficient market offering exists to meet them, European governments will get caught in a contradiction: publicly committed to strategic autonomy, but privately unable to enforce rules that the available technology cannot satisfy.

This risk is not theoretical. The history of European digital regulation offers cautionary precedents. The 2017 ePrivacy Regulation proposal has been moribund for almost a decade, ground down by the impossibility of reconciling political positioning with market realities. The EUCS framework under the 2019 Cybersecurity Act never achieved adoption, in no small part because the debate about sovereignty criteria exposed irreconcilable divergences between member states, and because the industry found no stable ground on which to build compliance strategies. CADA could follow the same trajectory. Governments cannot credibly argue against strategic autonomy, but they also cannot realistically force their public administrations and regulated industries into compliance requirements that the available supply cannot meet. When that tension becomes undeniable, the political debate tends not to resolve: it prolongs indefinitely, and the proposal dies a slow and inglorious death.

The path to European technological excellence

Assuming we avoid that trap and CADA advances, the calibration of requirements across the four levels will be the defining technical and political battleground, and it is anything but a formality. Based on the European Parliament's and Council's track record, we can expect protracted horse trading, episodic demands for greater stringency, and sometimes radical standoffs between member states with very different domestic technological bases, risk appetites and political cultures.

Much of the noise will focus on Levels 1 and 2, on where their thresholds should be set to restrict nondomestic providers from certain markets, and on the reciprocal impacts to expect in international trade. That debate, however pointed, is something of a sideshow, mired in the last decades' cyclical trans-Atlantic drama. The more consequential question, and the one that will ultimately determine whether CADA advances European technological excellence or merely entrenches European technological insularity, is how Levels 3 and 4 are calibrated.

Get those wrong, and Levels 3 and 4 will become de facto market exit barriers: not gateways to a European sovereign tier, but walls that trap successful European technology companies within the continent's borders and prevent them from scaling to where they could genuinely compete with North American or Asian counterparts. 

If foreign control, interference or influence is inferred from factors such as international business leadership, access to non-European funding, presence in non-European markets, exposure to third-country laws, revenue from foreign customers, shares held abroad or stocks traded on international exchanges, IP registered in non-European jurisdictions, data flows operating across borders, employment of non-European workforces in non-European locations, or reliance on any other non-European inputs, then the practical effect of CADA will not be European grandeur. It will be a systematic obstacle blocking the growth path of the continent's most promising technology companies, preventing them from reaching the scale necessary to compete globally. In that scenario, CADA becomes not a sovereignty instrument but a highly counter-productive isolationist measure, one that protects European mediocrity while penalizing European ambition.

Move the right levers

CADA should not be allowed to race ahead of the broader ecosystem conditions that make its ambitions achievable. Three imperatives stand out.

First, regulatory burden reduction must go orders of magnitude beyond the cosmetic adjustments of the Digital and AI Omnibus proposals. This means confronting not only our overly complex and still growing Digital Rulebook but also the environmental, energy, infrastructure, research and applied science constraints without which frontier technologies cannot develop. Cloud infrastructure and frontier AI are energy, data and knowledge-intensive by nature. Europe cannot simultaneously demand technological self-reliance and maintain regulatory environments in which it is economically irrational to build the necessary infrastructure, and excruciatingly onerous as well as legally perilous to attract, accumulate and leverage the necessary data.

Second, venture capital mobilization must become a genuine policy priority, not a rhetorical one. The upfront investment required for Europe's cloud and AI rebirth is substantial, and capital will flow to where it yields the highest return at the lowest cost. This is not about public funding and its alleged lever effect: investment needs are in another dimension entirely. Until European financial markets can deploy risk capital at a scale comparable to what Anglo-Saxon markets routinely mobilize, the supply side will remain structurally underpowered.

Third, this debate needs candor and honesty. Ambitious objectives are legitimate, but political grand standing is not harmless. CADA's development should incorporate substantive feedback not only from sympathetic academics, civil society and aligned politicians, but from the actual buyers and users of the technologies Europe wants to promote: public institutions and state-subsidized critical sectors that operate on tighter budgets, lower or no returns, less competitive wages, longer procurement cycles and deeper bureaucratic constraints than the commercial market. They fulfill missions of critical importance, their technological resilience is paramount, but they cannot afford to pay more for less capable technology. Their voice is not peripheral to this debate. It is central to whether CADA succeeds or fails.