EU's Cloud & AI development act met with a mixed reception

The European Commission has recently unveiled its proposal for the Cloud and AI Development Act (CAIDA), which aims to boost the local cloud & AI industry by reshaping both infrastructure and the European cloud market, as well as how public sector bodies can operate in the future.

CAIDA focuses on three major pillars: investment in research, development, and innovation (R&D&I); capacity building (tripling the European data center market within the next 5-7 years); and a comprehensive autonomy framework (4 levels of sovereignty and security, and new obligations for EU Member States). 

CAIDA met with a mixed reception

Thus far, the proposal has received mixed reviews. Industry associations like CCIA Europe have called the proposal discriminatory, as the CAIDA would require EU Member States to assess which use cases demand specific sovereignty levels that non-EU vendors “would be unable to meet by default”.  

Polish tech lawyer Mikolaj Barcenciewicz has previously stated that CAIDA should be risk-based rather than categorical, where Member States’ individual approach and subsidiarity should be preserved, rather than generalized. 

Swedish MEP Jörgen Warborn has recently shared his thoughts on the CAIDA proposal on LinkedIn, where he addresses the fact that the European digital sovereignty goals must be complemented by further simplification and improved business conditions with a strengthened “prospect of return on investment”. He also argues that while the EU’s sovereignty goals should indeed be strengthened in national applications that relate to national security, less sensitive areas should be open to foreign direct investments, as “a vast majority of global wealth is held outside the EU” and the EU should work towards attracting these investments, not vice versa: 

Finnish MEP Aura Salla, however, called for an even more centralized approach to testing booth-stress-testing tech dependencies and assessing risks at the Member State level. 

Finally, some interested parties - such as the German software provider Nextcloud - have stated that the current proposal is not ambitious enough and should be extended from the public sector to the private sector as well.

A 12-month ceiling for permits, but many more requirements to meet

CAIDA’s Title III establishes two primary mechanisms to rapidly expand EU data center capacity: Data Center Acceleration Zones and Data Center Strategic Projects. 

Within six months of the regulation entering into force, each Member State must designate at least one Acceleration Zone, integrated into local urban and district plans, while taking into account grid availability, network capacity, and a clear preference for brownfield sites.

Whether a development sits within these pre-approved zones or receives an individual Strategic Project designation, it benefits from a "green corridor" capped at a maximum 12-month permit-granting procedure.

However, CAIDA’s compliance checklist is demanding: infrastructure operators must adopt standardized EU sustainability KPIs, and local resource allocations will be tightly policed to prevent speculative hoarding or anticompetitive blocking. Realistically, this gives Member States a tight six-month window to establish compliant zones within complex local planning frameworks, followed by an equally compressed 12-month turnaround for individual permit approvals.

The actual construction of data centers is already heavily bottlenecked by the physical world: only a handful of specialized builders hold the required certifications, every development phase faces rigorous audits, and even modest facilities sometimes take years to build. By piling extensive new compliance burdens onto both Member States and infrastructure providers, EU policymakers risk rendering their "12-month maximum" permit cap a minor, meaningless goalpost in a structurally complicated pipeline.

Major changes in public procurement

CAIDA’s Title IV and supporting annexes outline a rigid new framework dictating the exact types of cloud computing software and services EU Member States can procure.

Public sector demand will be rigidly mapped against the four assurance levels set out in CAIDA’s Annex II: 

• Level 1 (basic sovereignty & secure), where third-country corporate ownership is allowed; 
• Level 2 (substantial digital sovereignty): where third-country corporate ownership is still allowed, under the condition that all operations, infrastructure, personnel, and support remain strictly within the EU, backed by a 'substantial' cybersecurity certification, and that customer data cannot be used for third-country AI training;
• Level 3 (high sovereignty & national security), where third-country corporate control is prohibited by default, with rare exceptions allowed by the European Commission;
• Level 4 (maximum autonomy & critical security), where third-country corporate control is completely banned.

How are EU Member States supposed to operationalize the new CAIDA framework? First, by appointing one or more National Competent Authorities to enforce the rules, audit suppliers, and process applications for cloud provider recognition. Within 1 year, Member States must carry out risk assessments (to be repeated every 2 years) to identify which public sector activities rely on cloud services and to determine the appropriate security assurance level.

The current proposal for CAIDA would completely upend how public procurement for cloud services has functioned until now. Previously, Member States’ public sector bodies could freely choose cloud service providers based on price, service quality, organizational needs, and sovereign risk-based legislation for data management. Where public procurement awards were once heavily dominated by price and standard technical specifications, Member States would now also have to evaluate non-price criteria, such as how significantly a provider contributes to the European digital ecosystem.

We welcome your contributions and discussions! If you spot any mistakes, please feel free to send us a correction at editor [at] eutechloop.com.