Updated juli 4, 2026
Summary: CADA restructures EU data centre permitting and introduces tiered sovereignty assurance levels that regulated buyers must map against GDPR Article 28, EUCS and NIS-2 obligations. Swiss-hosted providers outside the EU must proactively demonstrate equivalent assurance to navigate CADA's member-state audit process.

The Cloud and AI Development Act (CADA), proposed by the European Commission in June 2026, is a legislative instrument that simultaneously addresses three interdependent problems: the slow pace of data centre permitting across EU member states, the unsustainable energy trajectory of digital infrastructure, and the absence of a single enforceable sovereignty assurance standard for cloud services. For compliance officers, CISOs and IT decision-makers in regulated sectors, CADA is not a background policy document. It directly shapes which providers can credibly claim sovereign status, what energy and resilience disclosures buyers can demand in contracts, and how procurement processes under frameworks such as the Cloud III Dynamic Purchasing System will be structured in the years ahead.

How CADA streamlines data centre permitting without bypassing national planning rules

CADA introduces a dedicated “strategic digital infrastructure” designation that allows qualifying data centre projects to access accelerated environmental impact assessment timelines and a single-contact permitting authority within each member state. This mechanism does not override national planning law or environmental directives such as the EU EIA Directive (2011/92/EU); it creates a procedural fast lane within those frameworks.

For sovereign infrastructure buyers, the practical significance is twofold. First, new sovereign hosting facilities can reach operational status faster, reducing the lead times that have historically made sovereign options less competitive against hyperscalers with established footprints. Second, the designation criteria favour operators who demonstrate energy efficiency, grid integration and, crucially, alignment with the EU Data Centre Regulation’s reporting obligations. A provider that cannot demonstrate compliance with those criteria is unlikely to access the streamlined route, creating a quality filter that buyers can use in due diligence.

Note: CADA’s accelerated permitting applies only to facilities within EU member states. Swiss-hosted providers, including those operating under the revised Federal Act on Data Protection (revFADP), are not subject to CADA’s permitting regime and must demonstrate equivalent planning and resilience standards through independent audit or contractual disclosure.

Energy efficiency and grid-integration obligations: what they mean for hosting costs

CADA imposes binding energy obligations on data centre operators above a defined capacity threshold. These include mandatory Power Usage Effectiveness (PUE) targets aligned with the EU Data Centre Regulation, waste-heat recovery requirements where technically and economically feasible, participation in national grid flexibility programmes, and annual energy metric reporting to a centralised EU registry.

The cost implications are not symmetrical. Hyperscalers already operate at or below the PUE targets CADA mandates, because scale economics make energy efficiency a primary commercial driver. Smaller sovereign operators building new facilities must meet the same absolute standards with a smaller cost base to absorb the investment. This creates a short-term cost disadvantage for sovereign hosting that buyers should account for in contract negotiations, particularly when comparing total cost of ownership over five-to-ten-year terms rather than headline per-gigabyte pricing.

Obligation Hyperscaler impact Sovereign operator impact
PUE compliance Largely already met; marginal additional cost May require facility upgrades or new cooling investment
Waste-heat recovery Scale makes district heating partnerships viable Smaller heat output limits partnership options
Grid flexibility participation Managed via large-scale demand-response contracts Requires dedicated grid agreements; adds operational complexity
Annual energy reporting Existing internal ESG reporting absorbs most of the work New compliance overhead; opportunity to differentiate on transparency

EU data centre electricity consumption reached approximately 135 TWh in 2023, representing around 4% of total EU electricity demand, according to the European Commission’s Joint Research Centre (2024). CADA’s energy rules are a direct response to projections showing that AI workload growth will drive that figure substantially higher: the International Energy Agency’s Electricity 2024 report projects global data centre capacity to more than double between 2023 and 2030.

CADA’s 2035 capacity target and what it means for sovereign procurement

CADA sets an explicit political target of tripling EU data centre capacity by 2035. This ambition creates a structurally different competitive landscape for sovereign operators. Increased EU-based capacity means more choice for buyers, downward pressure on co-location pricing, and a larger pool of providers who can credibly offer EU-jurisdictional hosting. For organisations currently locked into long-term contracts with hyperscalers or legacy providers, the 2035 horizon is a planning parameter: sovereign alternatives will become more numerous and more price-competitive as the decade progresses.

The flip side is that not all of this new capacity will meet the sovereignty standards that regulated buyers require. CADA’s permitting fast lane is available to any qualifying data centre, not exclusively to operators committed to EU-controlled ownership structures or domestic staff. Buyers must therefore treat CADA compliance as a necessary but not sufficient condition for sovereignty, and layer the SEAL assurance framework on top of it as the primary assessment tool.

The SEAL framework: assurance levels and what they require in practice

CADA introduces a single EU-wide cloud sovereignty framework built around the Sovereignty Assurance Levels (SEAL), currently described in Cloud Sovereignty Framework v1.2.1. The four levels progress from basic transparency to full technical and legal isolation.

SEAL Level 1 requires the provider to disclose data location, ownership structure and the legal jurisdictions to which it is subject. Level 2 adds contractual data-residency guarantees, audit rights for the customer, and a documented sub-processor list. Level 3, the standard most relevant to finance, healthcare and public administration, requires technical isolation, customer-controlled encryption key management, and demonstrated legal immunity from non-EU access regimes including the US CLOUD Act and FISA Section 702. Level 4 is reserved for classified and critical national infrastructure data and demands physical separation, sovereign key management and continuous third-party audit.

ENISA has stated clearly: “Sovereignty in cloud services is not a binary state. It exists on a spectrum, and regulators expect organisations to articulate precisely where on that spectrum their chosen provider sits and why that position is sufficient for the sensitivity of the data involved.” This framing is directly relevant to procurement decisions: a SEAL Level 2 certificate from a provider that is ultimately owned or controlled by a non-EU parent entity does not satisfy the legal-immunity requirement that Level 3 mandates.

Swiss-hosted providers and CADA recognition: navigating the audit process

Switzerland is not an EU member state and its data centres fall outside CADA’s direct regulatory scope. However, Swiss hosting under the revised Federal Act on Data Protection (revFADP) offers a structurally distinct advantage: Switzerland is not subject to the US CLOUD Act, Patriot Act or FISA 702, removing the legal-access risk that makes US-controlled cloud fundamentally incompatible with SEAL Level 3 requirements.

Under CADA’s member-state audit process, a non-EU provider seeking recognition equivalent to a SEAL level must submit to a formal assessment by an ENISA-accredited third-party auditor appointed by the member state of the requesting organisation. Equivalence is not automatic and is not granted on the basis of revFADP compliance alone. Swiss-hosted providers must document their technical architecture, key management practices, staff access controls, and legal exposure analysis in a format that maps to the SEAL criteria. Buyers should request this documentation before contract signature, not as a post-hoc exercise.

Key point: A Swiss provider that cannot produce a completed SEAL-equivalent audit pack is not in a position to serve buyers subject to NIS-2 Article 21 or DORA Article 19 continuity obligations, regardless of how strong its revFADP posture may be.

CADA, NIS-2 and DORA: energy resilience as a compliance obligation

CADA’s grid-integration requirements intersect directly with the continuity obligations that NIS-2 and DORA impose on essential entities and financial institutions respectively. NIS-2 Article 21 requires organisations to implement measures addressing “business continuity, backup management and disaster recovery, and crisis management.” DORA Article 19 mandates ICT business continuity testing and third-party risk assessments for critical providers.

The practical consequence of CADA’s energy rules for resilience planning is that participating in grid flexibility programmes, while beneficial for sustainability, introduces a managed form of demand variability. A data centre that agrees to reduce load during grid stress events must have on-site backup power capacity sufficient to maintain availability at the service levels committed in customer SLAs. Buyers should contractually require that backup power systems, typically diesel generators or battery energy storage systems, are sized and tested to cover the duration of grid-flexibility events, not merely the duration of an unplanned outage.

The IBM Cost of a Data Breach Report 2024 recorded the average cost of a data breach at USD 4.88 million, the highest figure in the report’s history. For regulated entities under NIS-2 and DORA, the financial exposure from a breach caused by inadequate resilience at a hosting provider compounds with regulatory penalties and reputational damage in ways that make upfront investment in resilience-verified hosting economically rational.

Using CADA assurance levels in contract negotiation alongside GDPR Article 28

The European Commission has stated that “Europe needs to build its own digital infrastructure capacity at scale, while ensuring that capacity meets the highest standards of energy efficiency and data protection. These two goals are not in conflict; they are mutually reinforcing.” For procurement teams, this translates into a concrete contractual structure.

GDPR Article 28 requires that data processing agreements with processors specify, among other things, the subject matter and duration of processing, the nature and purpose of processing, and the technical and organisational security measures in place. A provider holding a SEAL Level 3 certificate provides documentary evidence for the security measures element, but Article 28 due diligence extends further: buyers must review sub-processor lists, assess data transfer mechanisms for any cross-border transfers, and verify that audit rights are exercisable in practice, not merely stated in contract language.

The EUCS (EU Cybersecurity Certification Scheme for Cloud Services), developed by ENISA, operates in parallel with CADA’s SEAL framework. At the time of writing, the EUCS high assurance level includes sovereignty requirements that align substantially with SEAL Level 3. Buyers evaluating providers should request both EUCS certification status and SEAL-level documentation, treating discrepancies between the two as a due-diligence flag requiring explanation from the provider.

FAQ

Does CADA apply to data centres located outside the EU, such as those in Switzerland?

CADA’s direct regulatory obligations apply to operators building or expanding data centres within EU member states. Swiss-hosted providers are not subject to CADA’s permitting or energy rules, but they must demonstrate equivalent assurance independently if they wish to serve regulated EU buyers who use the SEAL framework as a procurement benchmark. Equivalence recognition under CADA’s member-state audit process requires a formal assessment; it is not automatic.

What are CADA’s four SEAL levels and which applies to sensitive public-sector data?

Level 1 covers basic transparency about data location and legal jurisdiction. Level 2 adds contractual data-residency guarantees and audit rights. Level 3 requires technical isolation, customer-controlled encryption keys, and demonstrated immunity from non-EU legal access regimes. Level 4 is intended for classified and critical national infrastructure data, requiring physical separation, sovereign key management and continuous third-party audit. Most regulated buyers in finance, healthcare and public administration will find Level 3 is the minimum defensible standard for sensitive personal or operationally critical data.

How does CADA interact with GDPR Article 28 processor agreements?

CADA’s SEAL framework does not replace GDPR Article 28 processor agreements; it sits alongside them. A SEAL Level 3 or Level 4 designation provides evidence that a processor has implemented technical and organisational measures consistent with Article 28(3)(c) and (f), but the controller remains responsible for its own due diligence. Compliance officers should treat a SEAL certificate as a starting point for contract negotiation, not as a substitute for reviewing sub-processor lists, audit reports and data transfer mechanisms.

What energy obligations does CADA impose, and how do they affect sovereign provider pricing?

CADA requires qualifying data centres to meet binding PUE targets, implement waste-heat recovery where feasible, participate in grid flexibility programmes, and report energy metrics annually. These obligations raise the baseline capital and operational costs for any new sovereign facility. Smaller sovereign operators face a proportionally higher compliance cost than hyperscalers. Buyers should request PUE disclosures and ask providers to itemise CADA-related compliance costs within their pricing models before signing multi-year contracts.

How should a CISO or DPO approach CADA sovereignty assurance in practical due diligence?

Start by mapping the sensitivity classification of the data to be processed against the four SEAL levels to determine the minimum level required. Then request documentary evidence from the provider: a completed SEAL-level audit report, EUCS certification status, a sub-processor list with jurisdictional disclosure for each entity, and contractual confirmation that audit rights are exercisable within the contract term. For providers outside the EU, request the CADA-equivalent audit pack submitted to an ENISA-accredited auditor. Discrepancies between claimed assurance and documented evidence are the single most important flag in sovereign hosting due diligence.

Frequently asked questions

Does CADA apply to data centres located outside the EU, such as those in Switzerland?
CADA's direct regulatory obligations apply to operators building or expanding data centres within EU member states. Swiss-hosted providers are not subject to CADA's permitting or energy rules, but they must demonstrate equivalent assurance independently if they wish to serve regulated EU buyers who use CADA's SEAL framework as a procurement benchmark. Under CADA's member-state audit process, equivalence recognition requires a formal assessment; it is not automatic.
What are CADA's four sovereignty assurance levels and which level applies to classified or highly sensitive public-sector data?
CADA defines four SEAL levels. Level 1 covers basic transparency about data location and legal jurisdiction. Level 2 adds contractual data-residency guarantees and audit rights. Level 3 requires technical isolation, encryption key control by the customer, and demonstrated immunity from non-EU legal access regimes. Level 4, the highest, is intended for classified and critical national infrastructure data, requiring physical separation, sovereign key management and continuous third-party audit. Most regulated buyers in finance, healthcare and public administration will find that Level 3 is the minimum defensible standard.
How does CADA interact with GDPR Article 28 processor agreements?
CADA's SEAL framework does not replace GDPR Article 28 processor agreements; it sits alongside them. A SEAL Level 3 or Level 4 designation provides evidence that a processor has implemented the technical and organisational measures required under Article 28(3)(c) and (f), but the controller remains responsible for conducting its own due diligence. Compliance officers should treat a SEAL certificate as a starting point for contract negotiation, not as a substitute for reviewing sub-processor lists, audit reports and data transfer mechanisms.
What energy obligations does CADA impose, and how do these affect a sovereign provider's cost structure relative to a hyperscaler?
CADA requires new and significantly expanded data centres above a defined capacity threshold to meet binding Power Usage Effectiveness targets, use waste-heat recovery where technically feasible, integrate with national grid flexibility programmes, and report energy metrics annually to a central EU registry. These obligations raise the baseline capital and operational expenditure for any new sovereign facility. However, hyperscalers operating at scale already meet or exceed most of these thresholds, meaning smaller sovereign operators face a proportionally higher compliance cost. Buyers should request energy and PUE disclosures as part of procurement and factor regulatory compliance costs into long-term contract pricing.
How should a CISO or DPO use CADA's procurement vehicle, the Cloud III Dynamic Purchasing System, in practice?
The Cloud III Dynamic Purchasing System is a pre-competed UK framework that is separate from CADA itself, though both address sovereign cloud procurement. Under CADA, the European Commission is developing its own EU-level procurement guidance aligned with the SEAL framework. A CISO or DPO evaluating sovereign options should check whether a prospective provider is listed or assessable under relevant national frameworks, request evidence of SEAL-level certification or equivalent third-party audit, and use the SEAL level as a filter before proceeding to detailed technical and legal due diligence. The assurance level claimed must match the sensitivity classification of the data to be processed.