Skip to content
The AI-First Web

EU CADA: Where Your Framework Runs Now Determines Which Contracts You Win

The EU adopted CADA in June 2026. A four-tier sovereignty framework now governs public body cloud procurement.

· 5 min read
Share on X LinkedIn
EU CADA: Where Your Framework Runs Now Determines Which Contracts You Win

The Four Tiers

In June 2026, the European Commission adopted the Cloud and AI Development Act — CADA — establishing a four-tier sovereignty classification framework for cloud service providers operating within the EU. The framework categorizes providers based on three dimensions: whether infrastructure is physically located within EU member states, whether operations are conducted independently of non-EU entities, and whether the provider is majority EU-owned. Public bodies across all member states must use this framework when procuring cloud services.

The tiers create graduated compliance requirements. Tier 1 requires EU-located infrastructure. Tier 2 adds operational independence — no non-EU entity can access data or systems without explicit EU authorization. Tier 3 requires EU ownership. Tier 4 is full sovereignty: EU-located, EU-operated, EU-owned, with no legal exposure to extraterritorial data access requests. For organizations hosting web applications on AWS, Azure, or GCP, the tier system introduces a compliance variable that did not exist six months ago.

4
Sovereignty tiers
Source: European Commission, CADA adoption (June 2026)
Deferred to December 2027
AI high-risk deadline
Source: Regulations.AI (June 2026)

The Web Infrastructure Dimension

CADA's immediate impact is on cloud procurement. Its secondary impact is on web architecture decisions. A public sector organization in Germany, France, or the Netherlands evaluating a new web application must now consider where that application will be hosted — not just for performance or cost, but for sovereignty tier compliance. A Next.js application deployed on Vercel's US infrastructure does not meet Tier 1 requirements. The same application deployed on a EU-sovereign cloud provider does.

The framework does not mandate specific technologies. It mandates geographic and operational constraints on where technologies run. This creates a market advantage for cloud providers with EU-sovereign offerings and for web frameworks that deploy efficiently across multiple infrastructure providers. Vendor-locked architectures — platforms that only run on a single cloud provider's proprietary runtime — face friction when that provider's sovereignty tier does not meet procurement requirements.

All EU public body cloud procurement
Scope
Source: LegalNodes analysis (June 2026)

The AI Act Intersection

CADA arrives alongside the EU AI Act's implementation timeline, though the high-risk AI deadline under Annex III has been deferred to December 2027. The two regulations create overlapping compliance surfaces. An AI-powered web application hosted on non-EU cloud infrastructure must navigate both CADA's sovereignty requirements and the AI Act's risk classification requirements. Organizations building AI features into web applications — chatbots, recommendation engines, automated content generation — face a regulatory environment where the application's behavior and its infrastructure's location are both subject to compliance review.

The deferral of the AI Act's high-risk deadline provides temporary relief for organizations still classifying their AI systems. CADA's cloud sovereignty requirements carry no such deferral. Public body procurement must reference the tier framework immediately. Organizations seeking EU public sector contracts — government portals, municipal services, healthcare platforms, educational infrastructure — must demonstrate their cloud hosting meets the required sovereignty tier before the contract is awarded.

What This Changes for Platform Selection

For web framework selection, CADA introduces a new evaluation criterion: deployment portability. Frameworks that compile to static assets or containerized services — Hugo, Astro, Next.js, FastAPI — deploy identically across any infrastructure provider. The sovereignty tier of the hosting provider becomes a procurement variable, not a re-architecture project. Frameworks tightly coupled to specific cloud provider services face higher switching costs when sovereignty requirements change.

The EU is not restricting which technologies organizations use. It is restricting where those technologies run and who controls the infrastructure. For organizations outside the EU, this creates a market access consideration. For organizations inside the EU, it creates a procurement constraint that will shape cloud and web infrastructure decisions for the next decade.

Cloud hosting location now determines contract eligibility
EU digital sovereignty
Source: European Commission CADA framework (June 2026)

The four layers are stacked. The gaps between them are regulatory, not technical. Organizations that cannot bridge them will find themselves locked out of Europe's public sector.

Share this insight