Commission proposes regulation to strengthen European cloud and AI infrastructures.

On 3 June, the European Commission presented its proposal for a Cloud and AI Development Act (CADA). The Regulation forms part of a broader package aimed at strengthening Europe’s technological sovereignty, which also includes the Chips Act 2.0 and the EU Open Source Strategy. Its objective is to enhance Europe’s competitiveness in cloud computing and artificial intelligence (AI), expand European computing and cloud capacities, and reduce dependencies on non-European providers.

Framework for cloud and AI

The proposed Regulation seeks to accelerate the deployment of European cloud and AI capacities, promote the uptake of these technologies and strengthen Europe’s technological sovereignty. Among other measures, it envisages so-called Cloud and AI Leadership Initiatives to support the research, development and deployment of European cloud and AI technologies. At the same time, it aims to facilitate the expansion of sustainable data centres and establish a common European framework for assessing sovereign cloud services. This Union Cloud Computing Sovereignty Framework would introduce different sovereignty levels against which cloud services could be assessed and recognised.

Public sector in focus

Alongside businesses, the public sector plays a central role in the proposal. Through the envisaged Cloud and AI Leadership Initiatives, the development and deployment of AI models and AI systems in the public sector are to be promoted. According to the proposal, these systems should help simplify administrative procedures, support decision-making and reduce administrative burdens. Critical public sectors such as healthcare are explicitly highlighted. In addition, the quality of public-sector data is to be improved, while the sharing and reuse of training data and AI models across the EU public sector are to be encouraged.

Sovereignty in public procurement

Another key element concerns the public procurement of cloud services. According to the Commission, significant dependencies on non-European cloud providers persist and cannot be adequately addressed under the existing public procurement framework. Public authorities would therefore be required to assess the level of sovereignty needed for specific public activities. Based on that assessment, cloud services should in principle only be procured if they meet at least the lowest European sovereignty level. In addition, procurement procedures should increasingly take into account considerations such as digital sovereignty, resilience and dependencies on third countries.

EuroCloud Federation and open source

The proposal also provides for the establishment of a European Public-Sector Cloud Federation (EuroCloud Federation). Its purpose is to connect national and European cloud initiatives and facilitate the shared use of highly trusted and secure cloud capacities across the public sector. In parallel, Union institutions and public authorities would be encouraged to promote the use of open-source solutions and make software developed by or for public authorities more easily reusable.

Relevance for social security

For social security institutions, the initiative is particularly relevant in view of the processing of sensitive data. Social security institutions handle large volumes of personal and other highly sensitive data and increasingly rely on robust digital infrastructures. At the same time, requirements relating to cybersecurity and resilience continue to grow. The proposed Regulation could therefore influence which cloud services public authorities may use in the future, what requirements will apply regarding their digital sovereignty, and how public institutions manage sensitive data in cloud-based environments.