The "European Sovereignty Act" is not the name of a single law. The phrase refers to the European technological sovereignty package, presented by the Commission on 3 June 2026. Its centrepiece for cloud and AI is the draft Cloud and AI Development Act, the CADA. Here is what it changes, and what businesses should already be checking.
On 3 June 2026, the European Commission presented a European Technological Sovereignty Package. It bundles several texts: the draft Cloud and AI Development Act (CADA), a Chips Act 2.0, an open-source strategy and a roadmap for AI in energy. So it is a set of measures, not a single regulation called the "Sovereignty Act".
As of 18 June 2026, the CADA is still a draft regulation: not adopted, not yet applicable. It pursues three goals. First, research and innovation in next-generation cloud and AI. Second, capacity: at least tripling Europe's data centre capacity within five to seven years, by removing barriers around permits, energy, land, water and financing. Third, autonomy: a common framework to assess the sovereignty of cloud and AI services, and a "Union added value" criterion in public procurement.
"We want to be sure nobody has a kill switch," the Commission summed up at the launch. It identifies two vulnerabilities: a structural deficit in data centre capacity, and a dependence on a small number of non-EU cloud providers.
The CADA sets out four assurance levels that the public sector could require based on its risk assessment. Providers would be assessed and recognised after audit.
Processing and storage on infrastructure located in the EU. This answers the location question, but not, on its own, the control question.
The provider demonstrates independence from third countries and transparency over its software supply chain.
The provider is owned and controlled from the Union, with additional criteria. Recognition of a third-country actor remains possible under conditions.
Full transparency and control over the software supply chain, with no interference from a third country. For the most sensitive uses.
A US company can run a data centre in Belgium or France. The data then sits in the Union, but the provider may remain subject to a parent company, to proprietary technology or to a third country's obligations. In the CADA's logic, hosting in the Union is only the first level. GDPR compliance, data residency and sovereignty are three distinct things.
The draft does not ban US AI in Europe. It creates a common assessment method and mainly steers the choices of the public sector and critical sectors according to risk. A private company will still be able to use non-EU providers, but will have to assess international transfers, applicable law, sub-processors, encryption, reversibility and service continuity more closely.
Without waiting for the CADA to be adopted, you can already apply its logic to your providers.
For everyday office work, a maximum level is rarely needed. For health data, industrial secrets or critical systems, the requirements must be far stronger. Start from the criticality of the data, not from the provider.
The "Sovereignty Act" is a convenient but imprecise phrase. The real event of June 2026 is the technological sovereignty package, with the CADA at its core. The message for business: assess not only security and GDPR, but also control, jurisdiction, the software supply chain, reversibility and strategic dependence.
Molderez Consult SRL maps your cloud and AI services, classifies your data and builds a sovereignty grid tailored to your organisation's risk level.
Transparency: this article was written with the help of artificial intelligence, then reviewed by Molderez Consult SRL. General information, verified on 18 June 2026; the CADA is still a proposal and its content may change.