The Cloud and AI Development Act (CADA) is set to be the EU’s most significant legislative intervention in cloud sovereignty to date. Expected to be proposed in the first half of 2026 under Article 114 TFEU, CADA will complement the existing regulatory stack – the Data Act, the AI Act, NIS2 – and reshape how cloud services are procured, delivered, and trusted in Europe. This opening keynote, from the directorate responsible for cloud and software policy, sets out the Commission’s thinking on CADA in concrete terms: what the Act is expected to contain, where the Commission is drawing hard lines on data localisation, infrastructure requirements, and interoperability, and where the market can expect flexibility. How does CADA change the calculus for cloud providers and public sector buyers? What does it mean for European industrial capacity in cloud? And how does it fit within the broader Competitiveness Compass and tech sovereignty agenda?

The AI Act is now in its implementation phase. How does “Sovereign AI” intersect with cloud infrastructure obligations? This session addresses accountability chains for data handling and model lifecycles in high-risk public sector AI, the interplay between the AI Act and cloud sovereignty requirements, and the upcoming Digital Omnibus implementation timelines.

European concerns over the widespread reliance on US clouds were spurred by a series of moments, including the Snowden revelations, the US CLOUD Act, and the US sanctions on the ICC. Driven by these concerns, many organisations are looking to adopt sovereign cloud solutions that protect data from foreign jurisdictions, while strengthening operational resilience and avoiding vendor lock-in. The market has responded with a range of different solutions that promise customers digital autonomy. So, how do these models differ – and how can organisations navigate the resulting sovereignty spectrum to choose a model that balances control, cost, and innovation?

The gap between EU-level standardisation and national interpretation is creating a fragmented map of “sovereignty” across Europe. What is the EU trying to standardise through frameworks and procurement guidance, and where will it leave room for Member States to diverge? As CADA advances through co-decision, how will it interact with existing national schemes such as SecNumCloud and BSI C5, and where will the Act drive convergence? What counts as unacceptable jurisdictional exposure in policy terms, and what kinds of mitigations are likely to be treated as credible rather than cosmetic when public buyers test claims? How should policymakers balance sovereignty objectives with other EU priorities such as openness, competition, resilience, and industrial policy?

Sovereignty requirements are moving from policy documents into live procurement. But what happens when ambitious sovereignty language meets the reality of writing a tender, evaluating bids, and managing a supplier market? This session brings together the operational and political perspectives: how procurement authorities are interpreting sovereignty objectives in practice, what the evaluation process actually looks for, and where parliamentary scrutiny is pushing for higher ambition — or greater pragmatism. What makes a sovereignty claim credible in a scored evaluation? Where do requirements consistently create friction between buyers and suppliers? And how can procurement be designed to strengthen the market rather than shrink it?

Once CADA is on the table, the immediate question is how it will be implemented. Standards, certification, and interoperability are the operational levers that will translate the Act’s sovereignty objectives into practical market signals for cloud infrastructure and services. What role will interoperability and exit readiness play in CADA’s implementation, and how might they appear in procurement expectations, certification frameworks, or delegated acts? How will CADA interact with existing standards at CEN-CENELEC and with the EUCS process? What should the market expect in terms of harmonisation – shared definitions, minimum documentation, baseline controls – and where will sector-specific or Member State variation remain? How should providers and buyers interpret “trusted cloud” signals when the reality is multi-cloud, multi-supplier delivery?

High-level sovereignty policy often hits a wall when it becomes a specific tender document. How does a buyer translate concepts such as “operational independence” or “jurisdictional immunity” into enforceable pass-or-fail criteria without shrinking the bidder pool to zero? What happens when suppliers respond – which requirements trigger immediate disputes, price hikes, or no-bid warnings? When strict sovereignty is enforced, what trade-offs emerge around audit rights, privileged access controls, exit planning, and sub-contractor transparency? With the Cloud III DPS tender (€180 million, launched October 2025) providing the first real-world application of the Cloud Sovereignty Framework, this session brings together the people who write and evaluate tenders rather than just those who write policy.

The Executive Vice-President responsible for the EU’s digital and frontier technologies portfolio delivers a keynote address at the summit, setting out the Commission’s political vision for Europe’s digital future. How does the Commission intend to balance sovereignty ambitions with competitiveness? What will CADA and related legislative initiatives mean for Europe’s cloud market? And what commitments does the Commission expect from industry in return?

The demand for Sovereign Cloud in Europe is accelerating as governments and regulated industries seek greater control over sensitive data, infrastructure technology sourcing, and the jurisdiction governing cloud-provider operations amid rising geopolitical risk and growing AI adoption. Yet sovereignty is not one-size-fits-all. Organisations must balance compliance requirements with application needs, service levels, budgets, and risk tolerance when choosing the right Sovereign Cloud solution. This panel explores how cloud service providers, EU member states, and regulated industries are approaching sovereignty in the procurement and delivery of cloud services.

Sovereignty and cybersecurity regulation are converging in practice for cloud services. As Member States implement NIS2 and increase scrutiny of third-party risk, incident readiness, and operational continuity, are sovereignty claims being judged increasingly through a security lens? What does this mean for audit rights, subcontractor controls, software provenance, privileged access governance, and service continuity obligations? Where do providers encounter conflicting demands across supervisory cultures and procurement authorities, and what EU-level clarification would reduce fragmentation without lowering the bar?

The EU’s direction of travel will reshape public procurement, compliance strategies, and market structures in cloud infrastructure and services. Which elements of today’s sovereignty debate are most likely to harden into common baselines, and which will remain politically contested? Where is the EU most likely to draw firm lines for critical services – jurisdictional exposure, operational control, supply chain transparency, portability and exit, security assurance – and where will managed exposure remain acceptable? How will AI governance obligations interact with sovereign cloud expectations, and what will CADA’s passage through co-decision mean for the sector?