CADA: The EU Gets Serious About AI Sovereignty

The European Commission is now taking official steps to reduce its dependence on US Big Tech companies.

Under the “Cloud and AI Development Act” (CADA), it sets out clear sovereignty requirements for public sector cloud and AI procurement. Private companies in critical sectors such as banking, energy, and healthcare may apply the same criteria.

This signals a clear message from the Commission: where AI runs and who controls it is now just as important as what it does.

“In addition, a unified EU-wide framework for assessing sovereignty in cloud and AI will be introduced. However, the majority of our market will remain open to like-minded partners. This will help protect critical applications and sensitive data, and support the development and deployment of advanced cloud and AI technologies.”

— European Commission, Press Release - “The Commission proposes a technological sovereignty package to strengthen Europe’s digital autonomy and resilience”, June 3, 2026

Who Is Affected?

Mandatory - for the public sector when procuring AI and cloud services. The more sensitive the task, the higher the required protection level.

For everyone else - a benchmark for assessing how dependent or independent your own infrastructure actually is.

CADA Provides a Framework for Assessing Cloud and AI Sovereignty

The four security levels are to be used by public bodies for their risk assessments - and the Commission opens the same instrument to the private sector:

Level 1 - data is processed and stored in infrastructure located within the Union.

Level 2 - the provider demonstrates independence from third countries and transparency over its software supply chain.

Level 3 - the provider originates from the EU and is subject only to EU law. Additional criteria are to be assessed, such as the nationality of personnel. The Commission may recognize providers from third countries.

Level 4 - the provider has full transparency and control over its software supply chain and there is no influence by a third country.

Cloud providers can be recognized under this system by member states after undergoing an audit.

Sovereignty Means More Than Processing Data in Europe

Under CADA, what matters is how much genuine control Europe has over things like:

Where data is processed and stored
How independent providers are from third countries
Who owns and controls the operating company
How transparent the software supply chain is
How much foreign influence is possible

For high operational sovereignty, it is advisable to run AI either with a provider under full EU control or locally on your own infrastructure.

Very soon, where your AI runs will matter just as much as what it does.

About brainbot

brainbot is a Mainz-based company that automates operational processes for small and medium-sized businesses using AI agents: invoice processing, order processing, document processing, and customer communication via AI-powered phone systems. The agents run entirely on-premises or in the customer's private cloud and are integrated into existing systems such as ERP or DMS, rather than replacing them. All operational data remains on-premises, is GDPR-compliant, and is inaccessible to U.S. hyperscalers. The brainbot integration team handles the complete integration into the customer's existing system landscape. brainbot offers dedicated AI infrastructure without external dependencies, particularly for companies subject to NIS2 requirements and operators of critical infrastructure.