Cloud and AI have long since ceased to be merely \u201cIT topics.\u201d They form the foundation of digital services, customer engagement, healthcare, government, financial processes, security, logistics, and, increasingly, business operations. But behind every AI application and every cloud service lies a practical question: where is it hosted, who manages it, what laws apply to it, and who ultimately has access to it? <\/p>\n\n
That is precisely what the proposed Cloud and AI Development Act<\/strong> \u2014 CADA<\/strong> for short\u2014is all about. With this law, the European Commission aims to strengthen the European cloud and AI ecosystem\u2014not only by enabling greater computing power and data center capacity, but above all by clarifying which cloud services are suitable for which types of data and processes. <\/p>\n\n So the essence of CADA is not that \u201ceverything must be European.\u201d The essence is this: the more sensitive the data or the more critical the process, the more clearly it must be demonstrated who has control over the service, the data, the infrastructure, the software chain, and the subcontractors.<\/strong> <\/p>\n\n Europe relies heavily on cloud and AI services from a limited number of large non-European providers. These providers offer a great deal of innovation, scale, and reliability. At the same time, a strategic dependency is emerging. For ordinary applications, this may be acceptable. For sensitive public processes, critical infrastructure, or data with significant societal impact, however, the situation is different. <\/p>\n\n Consider government data, healthcare information, police and judicial applications, defense, crisis management, critical infrastructure, or AI systems that support decision-making in public services. In such cases, it\u2019s not enough to simply know that the servers are located in Europe. You also want to know who has legal control, who has technical access, who provides support, which software components are used, and which foreign laws might have an impact. <\/p>\n\n CADA is working to organize this through a European framework for cloud sovereignty.<\/p>\n\n A key principle of CADA is the risk-based approach. Not every application needs to meet the most stringent requirements. A simple public website has different requirements than a system used for defense, the judiciary, or healthcare records. <\/p>\n\n That is why the assessment begins with the question: How sensitive is the data, and how critical is the process?<\/strong><\/p>\n\n Based on that, the required level of cloud sovereignty is determined. The sensitivity of the application is therefore the determining factor. But after that, the focus shifts to the provider and the service: can the provider demonstrate that it meets the requirements associated with that level? <\/p>\n\n That is what makes CADA practically relevant. It is not just an abstract label, but a set of verifiable checkpoints. <\/p>\n\n CADA introduces four so-called Union assurance levels<\/strong>. These levels indicate the degree of control, autonomy, and protection offered by a cloud service. <\/p>\n\n At the lower levels, the focus is primarily on basic safeguards, such as having a physical presence in the EU, processing data within the EU, transparency regarding subcontractors, and adequate cybersecurity. At higher levels, the requirements become stricter. These include, for example, the location of personnel, legal control, ownership structure, operational support, control over the software chain, and protection against unauthorized access by third countries. <\/p>\n\n This makes the difference between \u201cdata is stored in Europe\u201d and \u201cthe service is sufficiently sovereign for a critical application\u201d much clearer. A provider cannot, therefore, simply claim that it uses European data centers. The question becomes: Who has actual, legal, and technical control over the entire chain? <\/p>\n\n One important effect of CADA is that cloud sovereignty is becoming less of a vague concept. Currently, providers do not always use terms such as \u201csovereign cloud,\u201d \u201ctrusted cloud,\u201d or \u201cEU cloud\u201d in the same way. This makes it difficult for buyers to properly compare offers. <\/p>\n\n CADA aims to put an end to this by having services assessed based on harmonized criteria. Independent audits are planned for higher assurance levels. The result must be recognizable and usable across Europe, so that a service that has been recognized at the appropriate level does not have to be re-evaluated against a different set of standards in every member state. <\/p>\n\n This is important for both providers and customers. Providers will have a clearer understanding of the requirements they must meet. Governments and other public organizations will have a more concrete framework for determining which cloud solution is appropriate for the risk associated with their application. <\/p>\n\n Perhaps the biggest shift lies in how we think about the supply chain. CADA looks not only at the main supplier, but also at the parties surrounding it. <\/p>\n\n Who are the subcontractors? Where are the infrastructure, personnel, and support located? Which software components are part of the service? Is there an up-to-date overview of dependencies? Can a third country influence maintenance, updates, security patches, or continuity? And are there technical or organizational measures in place to prevent unauthorized access or disruption? <\/p>\n\n This means that cloud sovereignty is not just a legal issue. It is also an operational and technical issue. A cloud service can only be reliably assessed if the entire chain is transparent enough. <\/p>\n\n For government agencies and public organizations, CADA is particularly relevant in the context of procurement. They will need to better determine which assurance level is appropriate for the application they wish to procure. <\/p>\n\n For less sensitive applications, a lower level may be sufficient. For critical processes, a higher level may be required. The bidding process thus becomes not only a comparison of price, functionality, and availability, but also of demonstrable control, autonomy, and supply chain management. <\/p>\n\n This could change the market. European and Dutch cloud providers will have opportunities if they can demonstrate that they meet stricter sovereignty requirements. Major international providers will remain relevant, but for sensitive applications, they will need to demonstrate more clearly how they mitigate legal, technical, and operational risks. <\/p>\n\n In addition to assurance levels, European added-value<\/strong> procurement criteria are also used. This means that bidders in public tenders can earn extra points if they can demonstrate that they contribute to the European cloud and AI ecosystem. <\/p>\n\n Consider the use of European technology, development, or innovation within the EU; strengthening the European digital supply chain; transparency regarding software and hardware; or the use of components that contribute to European supply security.<\/p>\n\n It is important to note that this is not an automatic \u201cEurope wins\u201d rule. Price, quality, and technical suitability remain important. The points system is intended as a supplementary quality criterion. But in tenders, such a criterion can indeed make a difference\u2014especially for contracts in which cloud sovereignty, continuity, and control over the supply chain are major considerations. <\/p>\n\n For providers, this means they must be able to substantiate their European value in concrete terms\u2014not just with marketing claims, but with evidence: where is development taking place, who manages the service, what technology is used, what does the software chain look like, and how is dependence on third countries limited? <\/p>\n\n CADA also includes measures to increase European data center capacity. This makes sense: without sufficient computing power, Europe cannot build a strong cloud and AI market. Sustainability plays an important role in this, for example through energy efficiency, better utilization of servers, and faster procedures for innovative and sustainable data center projects. <\/p>\n\n But for many organizations, this is not the core of CADA. Data center capacity is primarily a supply-side prerequisite. The strategic impact for cloud users, public institutions, and providers lies primarily in the question of which services will eventually be deemed suitable for sensitive or critical applications. <\/p>\n\n Organizations don’t have to wait until CADA is finalized to start preparing. The direction is clear: cloud choices are increasingly being evaluated based on risk, control, and dependency. <\/p>\n\n A good first step is to map out the current cloud landscape. Where is the data located? Which processes are critical? Which vendors and subcontractors are involved? What contractual exit options are available? Which support and management processes are routed through third countries? And is it clear which laws may apply to the provider? <\/p>\n\n For public organizations, there is an additional question: Which assurance level will be appropriate for which application in the future? Not everything needs to meet the highest level, but the rationale must be better substantiated for sensitive or critical processes. <\/p>\n\n For cloud providers, the message is just as clear. Anyone who wants to compete in the sovereign cloud segment in the future will have to be able to demonstrate how the chain of control works. Transparency, auditability, legal structure, software chain, support model, and operational autonomy will become key commercial differentiators. <\/p>\n\n The Cloud and AI Development Act is not just about increasing European cloud capacity, but above all about trust: Europe wants to be able to determine which cloud services are appropriate for which risks, and wants providers to demonstrate their control over data, infrastructure, software, and the supply chain.<\/p>\n\n This shifts cloud sovereignty from a marketing term to a verifiable framework. And that could have major implications for public procurement, cloud strategy, and the position of Dutch and European cloud providers. <\/p>\n","protected":false},"excerpt":{"rendered":" Cloud and AI have long since ceased to be merely \u201cIT topics.\u201d They form the foundation of digital services, customer engagement, healthcare, government, financial processes, security, logistics, and, increasingly, business operations. But behind every AI application and every cloud service lies a practical question: where is it hosted, who manages it, what laws apply to […]<\/p>\n","protected":false},"author":2,"featured_media":31333,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[544],"tags":[549,722,714,712,713,718,717,723,720,724,715,727,601,726,719,725,716,711,721],"class_list":["post-31332","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology","tag-ai","tag-ai-act","tag-bids","tag-cada","tag-cloud","tag-cloud-and-ai-development-act","tag-cloud-sovereignty","tag-cloud-strategy","tag-compliance","tag-data-governance","tag-data-sensitivity","tag-digital-autonomy","tag-digital-sovereignty","tag-dutch-cloud-providers","tag-european-cloud","tag-european-technology","tag-public-sector","tag-sovereign-cloud-2","tag-supply-chain-audit"],"_links":{"self":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts\/31332","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/comments?post=31332"}],"version-history":[{"count":1,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts\/31332\/revisions"}],"predecessor-version":[{"id":31334,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/posts\/31332\/revisions\/31334"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/media\/31333"}],"wp:attachment":[{"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/media?parent=31332"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/categories?post=31332"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pegamento.nl\/en\/wp-json\/wp\/v2\/tags?post=31332"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Why is CADA necessary?<\/h2>\n\n
Data sensitivity determines the required level<\/h2>\n\n
Four Levels of Cloud Sovereignty<\/h2>\n\n
From a promising vision to tangible evidence<\/h2>\n\n
The audit trail will be decisive<\/h2>\n\n
What does this mean for public procurement?<\/h2>\n\n
The upcoming points system<\/h2>\n\n
What about the data centers?<\/h2>\n\n
What should organizations be doing right now?<\/h2>\n\n
CADA in one sentence<\/h2>\n\n