
CADA Is a Procurement Law, Not a Sovereignty Act
Swedish cloud providers are popping champagne today. The EU's Cloud and AI Development Act, CADA, just introduced "Sovereignty Effective Assurance Levels" that tier cloud providers by data residency and foreign law exposure. Elastx and Safespring are calling it a "welcome step". They think they just got a competitive moat. I think they just got a target painted on their backs.
Let me explain why, from Jönköping, this looks less like sovereignty and more like the EU handing US hyperscalers a clean acquisition playbook.
What CADA Actually Does (And What It Doesn't)
CADA creates a tiered classification system. Think of it as a label. Level 1: basic compliance. Level 2: data stays in the EU. Level 3: no exposure to foreign law, full operational sovereignty. Government procurement will soon require certain levels for certain data categories.
What it does NOT do: build a single server. Fund a single European chip fab. Create a single piece of infrastructure software. Invest in a single open-source project. Train a single AI model on European compute.
It is a procurement regulation wearing a sovereignty costume.
This matters because the entire premise of digital sovereignty is that Europe needs to control its own compute stack. CADA does not address the stack. It addresses the contract layer. The difference is enormous.
The Acquisition Playbook Is Already Open
Here is what actually happens next. Microsoft, Amazon, and Google look at CADA's tiering system and see a compliance checklist. They have done this before. They did it with GDPR. They did it with Schrems II. They will do it with CADA.
Option A: Acquire a European cloud provider that already qualifies for Level 3. Rebrand it. Run it as a "sovereign subsidiary." The infrastructure stays European on paper. The software stack, the orchestration layer, the AI services, the monitoring, the billing platform, all of it remains American.
Option B: White-label. Partner with a Safespring or an Elastx. Let them be the "sovereign front." Push all the higher-margin services (AI, ML, managed databases, analytics) through integration APIs that flow back to US-controlled platforms.
Option C: Open a data center in Sweden, staff it with EU nationals, incorporate an EU subsidiary with an independent board, and check every single CADA box. This is literally what Microsoft did with its German cloud model years ago. They killed that one, but the playbook is proven.
The Dutch government just blocked a US acquisition of a Dutch cloud provider. Good instinct. But one blocked deal does not make a strategy. It signals that European governments know the risk. It does not signal that they have a plan beyond playing defense.
Why Swedish Cloud Companies Should Be Terrified
I have met some of the people running Swedish cloud companies. They are good operators. Technically competent. Ideologically committed to open source and data sovereignty. I respect them.
But they are celebrating being reclassified as compliant vendors in a procurement framework. That is not winning. That is being handed a jersey and told you get to play. The question is: who owns the league?
Here is the financial reality. Elastx and Safespring are tiny. Their combined revenue is a rounding error on Azure's Swedish business. CADA gives them access to government contracts. Great. Government contracts in Sweden are thin-margin, compliance-heavy, and slow-moving. The real money, the enterprise SaaS layer, the AI compute, the platform services, stays with the hyperscalers.
Worse: CADA makes these companies more attractive acquisition targets. A Swedish cloud provider with Level 3 CADA certification is suddenly valuable to a US hyperscaler that needs a sovereignty-compliant entity in the EU. The premium on acquisition goes up. The incentive to stay independent goes down.
We have seen this pattern in defense procurement. In telecom. In pharma. A regulation designed to protect local players ends up making them more acquirable because compliance certification becomes the asset, not the technology.
Sweden vs. the World: The Nordic Trap
From San Francisco, CADA looks like another EU regulation to route around. And they will route around it. The US tech ecosystem is structurally designed to absorb regulatory barriers. Compliance is a cost center they can afford. For a 50-person Swedish cloud company, compliance is half the engineering team.
From Jönköping, it looks different. Sweden has real advantages in software development. We have strong engineering talent. We have relatively cheap energy (for now). We have a culture of pragmatism and trust. But we do not have a domestic hyperscaler. We do not have a chip manufacturer. We do not have a large-scale AI training facility. We are consumers of American infrastructure dressed in European contracts.
The Nordics have a particular version of this problem. We are technically sophisticated enough to build good integration layers. We are too small to build the underlying platforms. CADA rewards the integration layer. It does not fund the platform layer. So we become a well-certified middle tier in someone else's stack.
Compare this to what is happening in Asia. China built its own stack. Not because of regulations, but because they invested in actual infrastructure. Alibaba Cloud, Huawei Cloud, Tencent Cloud: these are not compliance wrappers. They are full platforms. Europe decided to write rules instead of writing checks. CADA is the predictable result.
Kvartal raised the question this week of whether Sweden could undermine EU tech independence entirely. It is a fair question. Sweden's instinct is to stay open, pragmatic, pro-trade. That instinct is correct 90% of the time. But when it means cheerfully handing sovereignty-certified shells to American acquirers, the pragmatism becomes self-defeating.
What Real Sovereignty Would Look Like
If the EU were serious about cloud sovereignty, CADA would look completely different. It would include:
Direct infrastructure investment. Not loans, not innovation grants. Direct equity stakes in European compute capacity. Build GPU clusters. Fund European alternatives to NVIDIA's CUDA ecosystem. This is industrial policy, not regulation.
Open-source mandates with funding. Every piece of government-funded cloud infrastructure should produce open-source software. Not as an afterthought. As a condition. Europe's advantage is collective action. Use it.
Anti-acquisition provisions with teeth. The Dutch blocking one deal is a start. CADA should include automatic foreign investment review for any Level 3 certified provider. Make the sovereignty label mean something beyond procurement.
A European AI compute initiative. This is where CADA really misses. AI is eating cloud. Within three years, most cloud spend will be AI-related. If Europe does not have sovereign AI compute, CADA's data residency tiers become irrelevant because the valuable processing happens wherever the models are trained and served.
Where This Goes: 2027-2030
Here is my honest read on the trajectory.
Short term (next 12 months): Swedish and European cloud providers win some government contracts they would not have won before. They hire compliance teams. They celebrate in trade press. The actual infrastructure underneath does not change.
Medium term (2027-2028): US hyperscalers complete their CADA compliance strategies. Some through acquisition. Some through white-labeling. Some through sovereign subsidiaries. The market share numbers barely move. European providers find themselves competing on price in a market where price competition is suicide against companies with infinite capital.
Long term (2029-2030): As AI models grow and the path toward AGI becomes clearer, the compute question becomes existential. Whoever controls the training infrastructure controls the AI. Europe's CADA-certified cloud providers are running inference on models they did not train, on hardware they do not manufacture, using software frameworks they did not build. Sovereignty is a legal fiction at that point.
The AGI trajectory makes this worse, not better. More capable AI systems require more compute, more data, more sophisticated orchestration. Every layer of that stack is dominated by American and increasingly Chinese companies. CADA addresses none of those layers. It addresses who signs the government contract.
What Builders Should Actually Do
If you are a CTO or founder in Sweden or Europe right now, stop waiting for regulation to save you. Here is what matters.
Own your deployment layer. At HEIMLANDR, we build SaaS platforms that can run anywhere. Multi-cloud, self-hosted, hybrid. This is not a feature. It is a survival strategy. If your product is locked to one cloud provider, you are not sovereign. You are dependent, regardless of what CADA says.
Invest in self-hosting capability. This is real. Build AI solutions that your customers can run on their own metal. This is harder than calling an API. It is also the only path to actual independence.
Think about the full stack. If you are doing blockchain development or smart contract development in Europe, you already understand what it means to build on infrastructure you do not control. Apply that thinking to everything. What do you actually own? What can be pulled out from under you?
Do not build a business on CADA compliance as your moat. Compliance moats erode. Technology moats compound. If your value proposition is "we are CADA Level 3 certified," you are one acquisition away from irrelevance.
What to Look At
Some specific things worth your time this week.
awesome-selfhosted (300k+ stars). This is the real sovereignty stack. A massive, community-maintained list of self-hostable services. If you are serious about not depending on someone else's cloud, start here. Every tool on this list is one less dependency on a hyperscaler.
n8n. Workflow automation you can self-host. Nearly 195k stars. If you are building custom SaaS development for European clients who care about data residency, n8n on your own infrastructure is worth more than any CADA certification.
Netdata. Full-stack observability, self-hostable. If you are running your own infrastructure, as European sovereignty implies you should, you need monitoring that does not phone home to a US-owned SaaS. Netdata does this well.
Kubernetes. Still the backbone of any serious multi-cloud strategy. If your software development in Sweden depends on sovereign deployment, K8s is the orchestration layer that keeps you portable.
The Uncomfortable Truth
I am writing this from Jönköping. Not from Stockholm. Not from Berlin. Not from San Francisco. From a small city in southern Sweden where we build software that actually works for real businesses.
From here, the gap between EU sovereignty rhetoric and EU sovereignty reality is obvious. We do not have a domestic hyperscaler. We do not have our own GPU supply chain. We do not have competitive AI foundation models. What we have is a new procurement regulation that tells us which label to put on the same American infrastructure we were already using.
CADA is not a bad regulation. It is an insufficient one. It mistakes classification for capability. It mistakes labels for leverage. And the Swedish cloud companies celebrating it are mistaking access for power.
If you are building in Europe right now, do not wait for Brussels to give you sovereignty. Build it yourself. Own your stack. Ship portable software. Invest in open source. Make acquisition harder and independence more valuable.
That is the punk rock approach to sovereignty. Not waiting for someone to regulate your competition away. Building something they cannot buy.
Fredrik Brunnberg is the CEO of HEIMLANDR.IO, building AI and software solutions from Jönköping, Sweden. This is the daily HEIMLANDR briefing. If you found this valuable, share it with someone who builds things.