A view from Brussels: Why the CADA sovereignty proposal deserves attention

The EU's proposed Cloud and Artificial Intelligence Development Act signals a major push on tech sovereignty, with potentially far-reaching compliance and governance consequences.

Contributors:
Isabelle Roccia
CIPP/E
Managing Director, Europe
IAPP
Editor's note
The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.
Like many people in Brussels, I dove into the Technology Sovereignty package proposed by the European Commission 3 June.
The announcement didn't come as a surprise. After all, Executive Vice-President of the European Commission for Technological Sovereignty, Security and Democracy Henna Virkkunen has sovereignty in her job title. Both the Cloud and Artificial Intelligence Development Act and the Chips Act 2.0 were announced in her mission letter.
The package was long-awaited and its publication was delayed several times in recent months. Reportedly, the initial drafting didn't pass the test of the Commission's internal legal service.
It is also no secret that many member states have strong feelings. Even if the diagnosis is shared across European capitals, member states have not always agreed on what must be done.
The Tech Sovereignty package is, therefore, a significant political signal, showing that the Commission has sufficient backing from member states to actually put a proposal on the table.
The package contains four different documents: the Chips Act 2.0, the CADA, an Open Source Strategy, and a Strategic Roadmap for Digitalisation and AI in Energy.
It focuses on a number of goals, including building capacity and resilience, encouraging the development of homegrown companies across the technological stack, and supporting AI adoption and innovation. These are all logical and expected objectives from a public policy standpoint.
Within the package, the CADA proposal might be the most politically and industrially loaded, with very clear and challenging governance implications.
The EU has tried to promote a sovereignty approach for the digital space for two decades, going back to the early 2000s and early attempts at building a European cloud for research, followed by a more recent attempt with Gaia X.
The CADA proposal reflects unprecedented alignment on what it might mean to be cloud sovereign. It is reflective of the EU feeling it must take a stand, at a time when geopolitics and trans-Atlantic relations are setting off alarm signals. After all, it is not that long ago that the U.S., the host country to the top three service providers in the software and cloud space in Europe, was threatening to annex Greenland, fueling "what if" scenarios involving a kill-switch button.
However, the details of the CADA proposal raise significant questions of interpretation and implementation.
The act aims to strengthen the EU's cloud and AI ecosystem, investment and infrastructure, leveraging public sector purchasing power to move the needle. It mandates assurance levels for cloud contracting in the public sector and lays out sovereignty criteria for each level.
The range across different assurance levels for some of those criteria will be very important for governance and compliance teams because they would impact third-party vendor screening and contracting, limit international data transfers for customer data, including telemetry and metadata, and limit the ability of cloud and AI service providers to train their services and models using data generated by the use of their services. Criteria could also include personnel screening and EU nationality requirements, among others.
This package will now have to be negotiated and inevitably some of its content will change.
The way assurance levels are currently defined may vary. Taxonomy will call for debate — for example, to clarify how the CADA's use of "commercially sensitive data" aligns with the EU General Data Protection Regulation's definition of sensitive personal data. More broadly, the Commission proposes to have the power to update the assurance levels criteria. One can expect that member states may want to revisit that arrangement.
In short, many criteria would have clear compliance and governance implications.
And most importantly, the proposal's Article 31 opens the door for private sector buyers to also adopt this approach — which would be a whole other ball game.
This article originally appeared in the Europe Data Protection Digest, a free weekly IAPP newsletter.




