European Commission formally tables the Cloud and AI Development Act, targeting a tripling of EU data centre capacity and drawing immediate industry fire

The European Commission formally adopted a legislative proposal for the Cloud and AI Development Act on June 3, 2026, moving from months of leaked drafts and policy consultations into a concrete legal text. The proposal is now with the European Parliament and Council for trilogue, a process that for complex digital legislation typically takes between 12 and 36 months.

The act has three stated objectives. The first covers research, development and innovation, meaning continued public support for next-generation European cloud and AI infrastructure. The second covers capacity, with a target to at least triple EU data centre capacity within five to seven years through streamlined permitting and site identification. The third covers autonomy, meaning a single EU-wide framework for assessing the sovereignty level of cloud and AI services. The framework assigns services to four levels, with Levels 3 and 4 representing high-autonomy requirements that non-EU providers would struggle to meet by default.

The capacity target is the headline number. Tripling EU data centre capacity in five to seven years from today's base would require an extraordinary acceleration of permitting, grid connection, and capital deployment across all 27 member states simultaneously. The Commission points to the Chips Act 2.0 and the EU Open Source Strategy as complementary instruments. Whether those instruments together can actually deliver the infrastructure buildout at that pace is a question for which no one currently has a credible answer. European cloud providers OVHcloud, Scaleway and Hetzner have been moving in this direction individually, but they collectively represent a fraction of the hyperscale capacity held by AWS, Azure and Google Cloud.

The sovereignty framework is the provision that matters most commercially, and the one that immediately drew criticism. The Computer and Communications Industry Association published a response on the same day calling the act discriminatory and warning it risks fragmenting the EU Single Market. CCIA's objections are pointed. Article 18's associated-country mechanism, the provision that would allow non-EU countries to qualify for lower-sovereignty-level procurement, sets a standard that no major technology-producing nation currently meets, including the European Union itself. Article 31 extends sovereignty requirements beyond public institutions to private entities, which CCIA characterises as forcing companies to choose less competitive suppliers even outside government procurement.

Those criticisms are not entirely bad faith. EU cloud policy has historically operated in a zone of ambiguity between genuine security concerns and protectionism dressed up as security. The CADA's four-level framework could be a good-faith attempt to give procurers a clear methodology, or it could function as a mechanism to systematically exclude US, Asian and UK cloud providers from the most commercially attractive contracts. The distinction matters enormously to the companies that provide those services and to the European companies that depend on the cloud infrastructure they run.

The political context shaping the CADA is the same one that produced the AI Act, the Data Act, the Data Governance Act and the Digital Markets Act: a Commission that is genuinely concerned about European dependence on foreign digital infrastructure, set against a tech industry that mostly builds on AWS, Azure and Google Cloud because they are, by many measures, still more capable than the European alternatives. The CADA does not resolve that tension. It tries to use procurement pressure to change the incentive structure, betting that if enough European public sector spending is directed toward European providers, those providers will invest enough to close the capability gap.

Whether that bet survives the trilogue is uncertain. Parliament's internal market committee has historically pushed back on digital legislation it views as protectionist, and several member states with strong US tech relationships, including Denmark, the Netherlands, and Ireland, are on record as skeptical of hard sovereignty requirements. The four-level framework will be the main battleground. A version that passes trilogue is likely to be either narrowed significantly or targeted much more tightly at genuinely sensitive government data rather than broad private sector activity.

For European cloud providers, the formal adoption is the moment the political discussion becomes a legal text. OVHcloud, Scaleway and a handful of German and Nordic providers have been building toward a sovereign cloud market for years. If the CADA reaches final form close to the Commission's draft, they gain a structural procurement advantage in the EU's largest and most stable customer base. If it does not, or if it takes four years to pass and two more to implement, that advantage remains theoretical. The clock is now running.