Enterprise DNA

Omni by Enterprise DNA

Enterprise DNA Resources

Latest AI and industry news. Practical AI operating-system thinking for owners, operators, and teams doing real work.

220k+

Data professionals

Omni

AI agents and apps

Audit

Map the manual work

News Breaking Regulation

EU's Cloud and AI Development Act Is Now Official Law

The EU published its Cloud and AI Development Act today, July 15, starting a compliance clock for cloud providers, AI developers, and enterprises worldwide.

Enterprise DNA | | via European Commission Digital Strategy
EU's Cloud and AI Development Act Is Now Official Law

Today, July 15, 2026, the European Union published its Cloud and AI Development Act (CADA) in the Official Journal of the EU. That publication marks the formal start of a compliance clock that businesses using cloud services and AI tools across Europe need to understand — whether they are based inside the EU or not.

The Act formally takes effect on August 4, 2026. From that point, a phased set of requirements begins rolling out, with the first tier of cloud sovereignty obligations applying from February 2028 and the most demanding requirements becoming mandatory by August 2029.

What CADA Actually Does

CADA is designed to reduce Europe’s reliance on non-European cloud and AI infrastructure. The underlying concern from EU legislators is straightforward: a significant portion of European enterprise and public-sector data flows through hyperscalers headquartered outside the EU. CADA introduces a classification system for cloud providers based on three main factors:

  • Location of infrastructure: Where data centres are physically based within the EU
  • Operational independence: Whether the provider can operate free of influence from non-EU jurisdictions
  • Ownership and control: Whether the company is ultimately owned and controlled within the EU

Providers that cannot meet sovereignty criteria at the highest tier will face restrictions in certain public-sector and regulated-industry procurement. Fines for non-compliance can reach a percentage of a company’s global annual turnover — making this a material financial risk for large cloud vendors.

Who Gets Affected and When

The most immediate impact falls on public sector organisations and regulated industries — healthcare, banking, defence contractors. For most private enterprises, the near-term obligations are less dramatic, but the direction of travel matters.

Cloud service providers — including Amazon Web Services, Microsoft Azure, and Google Cloud — need to prepare their European infrastructure and governance structures for the sovereignty classifications. The practical implication for enterprise customers: the cloud contracts and architectures you choose in the next 18 months will carry real compliance significance once the February 2028 deadline arrives.

AI developers building on cloud infrastructure in Europe also face new transparency and documentation obligations under CADA. This overlaps with existing AI Act requirements, and businesses need to think about these two frameworks together rather than in isolation.

What This Means for Business

This is not a distant regulatory exercise. A few practical realities worth considering now:

Data residency decisions are becoming compliance decisions. Choosing where to store and process data for EU operations is no longer just a performance or cost question. CADA’s cloud sovereignty tiers mean some combinations of provider, region, and ownership structure will become restricted in certain contexts by 2028.

Vendor contracts signed now will outlast the phased deadlines. If your business is in a multi-year cloud or AI platform contract today, the compliance environment at the end of that contract will look materially different from today. It is worth asking vendors directly how they plan to achieve the relevant CADA classification for your use case.

The governance gap is becoming a legal gap. CADA is the latest in a sequence — alongside the AI Act, GDPR, and the upcoming Digital Operational Resilience Act — that is converting informal AI governance expectations into enforceable legal requirements. Businesses that have been treating AI governance as a best-practice recommendation are now on a countdown to treating it as a compliance requirement.

The Broader Picture

CADA joins an increasingly dense EU technology regulatory stack. Unlike GDPR, which arrived as a surprise to many organisations, businesses have had time to watch CADA develop through the legislative process. That means the publication today is less of a shock and more of a starting gun for compliance programmes that are overdue.

For businesses using AI to support operations — whether for analytics, automation, or customer service — the practical question is not whether CADA applies, but which tier of obligations is relevant to your specific use of cloud and AI infrastructure, and who in your organisation is accountable for meeting those obligations.

The phased timeline (2028 for tier one, 2029 for tier two) is generous enough that panic is not warranted. Delay is. The businesses that begin mapping their cloud and AI infrastructure to CADA’s classification criteria now will have a significant head start over those that wait until the deadlines are six months away.

Enterprise DNA’s advisory practice helps organisations build AI strategies that are commercially sound and compliant with the regulatory frameworks shaping enterprise AI adoption. If you are working through what CADA means for your AI investment decisions, start with a discovery call.