The European Commission published the European Technological Sovereignty Package on 3 June 2026, proposing measures to address the “wicked problems” facing chips, AI, and cloud computing.

In this the second of two articles on the Package, we examine the AI and cloud computing proposals of the draft Cloud and AI Development Act (CADA).

Who doesn’t like AI and Cloud Computing?

Services that combine AI and Cloud Computing are universally popular. Who doesn’t love Google Maps, Prime Video, Netflix, Apple TV+, Disney+ or other streaming services. Or phone apps, smart thermostats, and photos that move like magical Harry Potter pictures? AI and Cloud Computing are the cool kids of the modern world. Like many cool kids, they have an often-unseen parent. A parent needed to feed and support them. That parent is data centres. AI and cloud computing need data centres to survive. For their part, data centres also have needs.

In particular, data centres need to be close to: (i) the electricity grid and a reliable energy supply; (ii) fibre-optic networks; (iii) water; (iv) transport links; and (v) a skilled workforce. These locational needs have driven sharp geographic concentration, and with it, market concentration. According to the European Commission, Google, Amazon, and Microsoft (all US-headquartered and subject to US federal law) now control over 70% of the European cloud market. Fewer providers means greater dependency and greater risk. This is what CADA has set out to change. For Ireland, where we play host to data centre infrastructure for all three hyper-scalers, CADA could have real consequences.

What does the EU plan to change to bring new entrants into the European AI and Cloud Computing Marketplace?

CADA is organised into the following five titles:

• Title I: Subject Matter and Definitions
• Title II: Research, Development and Deployment Activities
• Title III: Data Centre Capabilities
• Title IV: Autonomy
• Title V: Final Provisions

For Ireland, Titles III and IV are the most relevant. Together, these seek to reduce market concentration and establish regional levels of data control within the EU by:

• tripling EU data centre capacity within five to seven years; this growth is to be geographically balanced;
• streamlining authorisation through acceleration zones; and
• requiring each Member State government to review the cloud computing systems used checking the sensitivity of that use, and the resulting level of European control needed.

Tripling the EU’s Datacentres: Streamlining Permitting and Acceleration Zones

Title III of the CADA requires Member States to take each of the following actions to triple the EU’s Datacentre capacity:

• Acceleration Zones: Propose at least one data centre acceleration zone within their territory within six months of CADA’s entry into force;
• Underlying Acceleration Zone Requirements: Consider eight different factors (e.g. future power grid capacity and the potential for storage and clean energy generation, available and future network capacity, and the potential to reuse data centre waste heat) when designating acceleration zones;
• One-Stop Shop on Permitting Information: Set up a one-stop-shop for data centre permitting information for operators who want to develop projects within a designated acceleration zone. This is to cover spatial, planning and building permits, environmental assessments, water abstraction and wastewater discharge, along with authorisations for heat utilisation and recovery.
• Accelerated Environmental Assessment: Support data centre projects in acceleration zones being treated as “Strategic Projects” benefitting from accelerated environmental assessments.
• Strategic Project Designation: Lay down the mechanism for expression of interest and conditions, and designation by the Commission of data centre “Strategic Projects”.
• Monitoring: Establish a mechanism for the Commission to monitor the EU’s progress in increasing the compute capacity available, the volume of demand for data centre capacity, and the size of the capacity gap.

Who Will Control the Cloud?

Title IV is the most politically significant part of CADA. It establishes a single EU-wide sovereignty framework for cloud and AI services, built around four assurance levels. The framework is designed to give public sector bodies (e.g. Government, regulators, local authorities) a clear, auditable basis for deciding which cloud providers they can trust with which types of data and workload.

Title IV creates a four-tier trust rating system for cloud services (i.e. assurance levels I-IV). Every Member State must audit which cloud services its public bodies use, assess how sensitive and critical those uses are, and produce a national plan for moving to cloud providers that meet the required rating for each use case. Cloud service providers can also be recognised under the framework by Member States, after undergoing an audit.

• Assurance Level I (EU Establishment): The core requirements for level I are for the service provider to be established in the EU; to process and store all data on infrastructure physically located in the EU; have transparent information on subcontractors; and a guarantee that no third-country law can oblige it to report software vulnerabilities to a foreign authority before they are publicly disclosed. This can be self-certified. Full conditions to be satisfied are set out in Annex II.
• Assurance Level II (Independence and Transparency): This is a level up and requires an independent audit along with the satisfaction of conditions on staff and restrictions on the use of data to train AI.
• Assurance Level III (EU Ownership and Control): At Level III, the provider and all of its subcontractors must not be subject to third-country control at all. Full conditions to be satisfied are set out in Annex II.
• Assurance Level IV (Full Sovereignty): At level IV, providers must have full transparency and control over their entire software supply chain from end to end, with absolutely no possibility of interference from any third country at any layer.

Under CADA, all public bodies will be required to use at least a Level I provider. Critical public functions (i.e. health, law enforcement, defence, justice, border management; and NIS2 critical infrastructure sectors such as gas and electricity) will be obliged to use Level II, III or IV. The risk assessment will determine which level applies to which function. Narrow derogations are available under Articles 18 and 30 respectively, but both are designed to be exceptional and time-limited rather than a permanent alternative to compliance.

What will this mean for Ireland and the EU?

CADA is still in draft form. As a proposed regulation, it must pass through the full EU legislative process before it becomes binding law. Changes are likely, and Irish stakeholders should engage actively in that process. That said, the intended direction of travel is clear. For the EU, CADA signals a wish to shift away from dependence on US hyper-scalers for critical digital infrastructure, with binding sovereignty requirements for public sector cloud procurement and an ambitious target to triple EU data centre capacity within five to seven years.

For Ireland, the stakes are particularly high. As Europe’s most concentrated data centre market, and the EU home of all three US hyper-scalers most directly targeted by the legislation, Ireland sits at the intersection of every tension CADA is designed to resolve between digital ambition and energy constraint; between Foreign Direct Investment attraction and sovereignty; and between existing hyper-scaler relationships and the new European cloud ecosystem the legislation seeks to build. Irish public bodies, data centre operators, cloud providers, and energy planners all have reason to watch the progress of this legislation closely and to begin preparing now.

Please reach out to Fergus Devine or Eva Barrett or another member of Energy & Infrastructure team for strategic advice on the CADA.

Please click here to access our article on the Chips Act 2.0.

Contributed by Sophie Nicholson