Agefi Luxembourg - juin 2026

AGEFI Luxembourg 42 Juin 2026 IA & Tech ByVincentWELLENS,Avocat à laCour&Ottavio COVOLO, Avocat à laCour,NautaDutilhAvocats Luxembourg S.à r.l O n 3 June 2026, the EUCommis­ sion published a proposal for a regulation establishing a framework of measures for strengthening Europe’s cloud andAI ecosystem: the Cloud andAI Development Act, or “CADA”. The propo­ sal aims at providing legal instruments for the EU and the Member States to commit to actions to improve the com­ petitiveness of the EU ecosys­ tem in relation to AI, cloud systems, and data centres, whilst also furthering the di­ gital sovereignty of the EU. How does this fit in the current landscape of EU regula­ tions on the same topics and what does CADA actually bring to the table ? CADA, part of thewider EUTech SovereigntyPack­ age, was published together with three other initia­ tives:the“ChipsAct2.0”(whichmobilizesfundingin the area of semiconductors), the “EU Open Source Strategy” (not a legislative text but rather policy ob­ jectives to increase adoption and support of open­ source software), and a “Strategic roadmap for digitalisationandAIinenergy”(alsoanonlegislative textsettingobjectivestoleveragetechnologyforbetter efficiency of the energy grid). Given the current geopolitical context, thispackage is yet another step in addressing the EU’s structural de­ pendencies on technology and services stemming from other countries, motivated by concerns of sovereignty and market competitiveness. As a com­ petitivenesstoolforEUplayers,itdoesnotaimatreg­ ulating products and services with the indirect effect of excluding or hampering nonEUplayers, as some commentators sawwith the GDPR. Rather, it directs theEUMember States to take concrete steps towards key technological objectives (socalled “grand chal­ lenges”) through 3mainpillars. Pillar 1: R&DandDataCentres TheCADAprovides for theadoptionof “Cloudand AI Leadership Initiatives” by the Commission and MemberStates,whichconsistofprogrammesinthat area supported by EU funding, including Horizon Europe and the Digital Europe Programme. The CADAsetsout indetail thedifferent operational ob­ jectives that such initiatives may serve, whilst em­ phasising that they should be consistent and coherent with other existing initiatives at the EU level. Theproposal refers for instance to theobjective of “ tripling the EU’s data centre capacity within the next five to sevenyears ”whilst also increasing“ the adoption of cloud computing services across the public sector ”. The Commission is also empowered to designate “fron­ tier priority projects” to receive further support in tackling the “grand challenge” of developing “ the next generationofmultimodal frontierAImodels and sys­ tems and pioneering novel capabilities ”. MemberStatesarealsotaskedwithsettingup“Expe­ rience andAcceleration Centres for AI” in line with structures of innovation hubs introduced with the Digital Europe Programme. Member States must in addition adopt specific cloud andAI strategies con­ sistent with CADA, meaning that the Luxembourg “Accelerating digital sovereignty 2030” strategic ini­ tiativemayneed to be tweaked as a result. CADAalso aims at facilitating data centre develop­ ments. Member states must designate at least one “data centre acceleration zone”, where data centre projects will benefit from streamlined permitting processes (through notably a single contact point put in place by the Member State for all communi­ cations), aggregated baseline permits, and a maxi­ mum 12month permitgranting timeline.The Commissionmay alsodesignate certaindata centre projects as “strategic projects” in certain circum­ stances, enabling them to benefit from additional public support measures and preferential access to EU funding instruments. Theseprovisionspresentbothopportunitiesandpo­ tential constraints for hyperscalers and other cloud andAI serviceproviders. Theaccelerationzones and streamlined permitting could significantly reduce the time and cost of deployingnewfacilities, but the emphasisonsustainability requirements, theprefer­ ence for brownfield over greenfield sites, and the conditionsforgridconnectionwillshapeinvestment decisions. The streamlined administrative process mayadd further pressure on the challengesLuxem­ bourg is currently facing in relation to building per­ mits and the administrative procedures related thereto. This being said, the future introduction of the« once only »principlenot requiredbyCADAmay bring a competitive advantage when compared to otherMember States. Pillar 2: Autonomy, or the CloudSovereignty Framework The key element of CADA, and reportedly likely source of discus­ sionintheupcomingtriloguediscus­ sions, is the introductionof a cloud EUassurancescheme,similarto ISO and the CSAStar ones, but focused on ensuring digital sovereignty. By way of background, this comesafterinitiativessuchas in France or Germany to con­ sider sovereignty issues when procuringservices(the“ Cloudde Confiance ”and“ SouveränerCloud ” strategiesrespectively),andtheCommission’s own Cloud Sovereignty Framework also aimed at includingasovereigntyscoreinpublicprocurements. This is not to be confusedwith the other existingEU cybersecurity certification scheme (“ EUCC ”) focused solely on cybersecurity. Although, as dis­ cussedpreviously inourFebruaryarticle, theunder­ lying rationale of cybersecurity is also reflective of geopolitical tensions in ensuring digital resilience, meaningcontrollingsupplychainswhilstmitigating the risk of foreign interference. ThecloudEUassurancescheme,however,includesa mechanism of trusted third States, or “Associated ThirdCountries”,similartotheGDPR’sadequacyde­ cisions,whichareevenoneoftheprerequisites,inad­ dition to the absence of any “illegitimate” measures tocompelthecloudserviceprovidertostopproviding services, including for sanctionsrelatedobligations. CADA furthermore includes consequences in cases ofbreachesoftherulesregardingtheframework,e.g., cases of misrepresentation towards customers. Enti­ tiesinbreachmayfacepenaltiesfromMemberStates, which are free to decide on administrative and/or criminal fines depending on their national law, with Luxembourg expected to provide only administra­ tive fines given the approach taken in other laws on the subjectmatter. Customersof entities arealsopro­ vided the explicit right to seek damages or loss suf­ fered as a result of said infringement “in accordance withUnionandnationallaw”.Carefulconsideration shouldthereforebegiventotheexactscopeoftheas­ surances (which could amount to contractual war­ ranties), since they could override any waiver or exclusion of liability provided in terms and condi­ tions of cloud service providers. Pillar 3: Public procurement Thecloudsecurityframeworkwillbecomeamanda­ torypartofpublicprocurements,withanexplicitobli­ gation formember States (alone or jointly) to identify through risk assessments whether cloud computing is or couldbeused for agivenactivity, anddetermine the appropriate assurance level required for it. CADAalready sets out some examples of assurance levels : national security, internal security, external bordermanagement, defence, justiceor lawenforce­ ment must be at least level 2. Publicprocurementsmust also include aspart of the quality criteria ( critères d’attribution du marché ) the tenderer’s contribution to the development of a Eu­ ropean cloud andAI ecosystem (e.g., integration of EU technology and hardware designed or manu­ factured in theEU) to the extent linked to the subject matter of the contract and remains a nondecisive element in the award of the contract. NIS2 entities are also allowed to – i.e., encouraged – to make use of the certification scheme in their risk assessments, with the Commission tasked with publishing guidance andmethodology to that end. CADA also establishes a EuroCloud Federation, open topublic entities onavoluntarybasis, but sub­ ject to a fee paid to the European Commission. Membership to the federation enables the sharing of and joint procurement of data centre and cloud services. Theproposal targets specifically ‘idle’cloud resources not being actively used. Key takeaways CADAis the most operationally direct expression of the EU’s shift towards “open strategic autonomy” in the digital sector. For public bodies, it introduces a structured sovereignty classification regime that will reshape how cloud and AI services are tendered, awarded, and governed. For providers —especially those headquartered outside the EU — it signals a market that is actively designing competitive advan­ tage around origin, supply chain transparency, and infrastructure location. This comes at a time where concrete initiatives are also relayed to the retail sector, such as the launch of EuroOffice in early June as a sovereign alternative to anoffice suite. Whether or not CADApasses in its current form, it confirms a trend for the upcoming decade of EU digital procurement. CADA: Anew proposal for digital sovereignty rules in the EU? ȱ Level ȱ 0 ȱ No ȱ S overeignty ȱ – ȱ The ȱ minimal ȱ requirements ȱ of ȱ level ȱ 1 ȱ are ȱ not ȱ met ȱ Level ȱ 1 ȱ J urisdictional ȱ S overeignty ȱ – ȱ i . a . , ȱ the ȱ cloud ȱ computing ȱ service ȱ provider ȱ is ȱ established ȱ in ȱ the ȱ E U , ȱ customer ȱ data ȱ must ȱ remain ȱ in ȱ the ȱ E U ȱ unless ȱ allowed ȱ otherwise, ȱ but ȱ direct ȱ subcontractors ȱ for ȱ operational ȱ and ȱ technical ȱ assistance ȱ are ȱ located ȱ outside ȱ of ȱ the ȱ E U. ȱ Level ȱ 2 ȱ Data ȱ S overeignty ȱ – ȱ i . a . , ȱ subcontractors ȱ must ȱ be ȱ established ȱ in ȱ the ȱ E U , ȱ holding ȱ of ȱ at ȱ least ȱ the ȱ assurance ȱ level ȱ “ substantial ” ȱ under ȱ the ȱ EECC, ȱ no ȱ reliance ȱ on ȱ the ȱ data ȱ to ȱ fine Ȭ tune ȱ any ȱ A I ȱ system ȱ operated ȱ by ȱ a ȱ third ȱ country ȱ or ȱ legal ȱ entity ȱ in ȱ that ȱ third ȱ country . ȱ Level ȱ 3 ȱ Digital ȱ R esilience ȱ – ȱ i . a . , ȱ the ȱ personnel, ȱ including ȱ the ȱ personnel ȱ of ȱ the ȱ subcontractors ȱ which ȱ are ȱ involved ȱ in ȱ the ȱ provision ȱ of ȱ the ȱ audited ȱ service ȱ are ȱ E U ȱ citi z ens ȱ and ȱ where ȱ appropriate, ȱ the ȱ personnel ȱ must ȱ also ȱ have ȱ the ȱ necessary ȱ national ȱ security ȱ clearance . ȱ Level ȱ 4 ȱ Full ȱ Digital ȱ S overeignty ȱ – ȱ software ȱ supply ȱ chain ȱ requires ȱ effective ȱ control ȱ over ȱ design ȱ and ȱ evolution ȱ of ȱ components ȱ not ȱ merely ȱ source ȱ code ȱ audits ȱ and ȱ remote Ȭ feature ȱ blocking, ȱ no ȱ possibility ȱ for ȱ public ȱ entities ȱ to ȱ waive ȱ requirements . ȱ ȱ (names of the levels are provided on the basis of the existing Cloud Sovereignty Framework for illustration purposes, no labels have been given inCADA) A près deux journées intenses les 10 et 11 juin à Luxexpo The Box, Nexus Luxembourg 2026 a clôturé son édi­ tion la plus ambitieuse à ce jour. L’événe­ ment a réuni plus de 9 600 participants venus de plus de 80 pays, confirmant sa place de plus grand sommet international consacré à la technologie, à l’intelligence artificielle (IA) et à la finance numérique au Luxembourg. Fondé en 2023 par les entrepreneurs luxembour­ geois Kamel Amroune et Mike Koedinger, Nexus s’est rapidement imposé comme un rendezvous incontournablepour les décideurs politiques, inves­ tisseurs, startups, entreprises technologiques et experts du numérique. Cette édition 2026 a enre­ gistré une hausse de fréquentationde 14%par rap­ port à l’année précédente. Réparti sur 13 500m², le sommet s’articulait autour de quatre grands pôles thématiques : l’intelligence artificielle et la cybersécurité, la finance numérique, les startups et scaleups, ainsi qu’un espace dédié aux institutions et aux initiatives luxembourgeoises. Au total, 675 intervenants se sont exprimés lors de 227 sessions organisées sur cinq scènes. L’un des thèmes centraux des débats a été la souveraineté technologique européenne. Plusieurs responsables politiques et économiques ont souligné la nécessité pour l’Europe de dévelop­ per ses propres capacités en matière d’intelligence artificielle. La viceprésidente exécutive de la Commissioneuropéenne chargéede la souveraineté technologique, HennaVirkkunen, a estimé que l’IA était devenue un enjeu majeur de compétitivité, de sécurité et de résilience pour l’Union européenne. Le Premier ministre luxembourgeois Luc Frieden a réaffirmél’ambitionduGrandDuchédedevenirune plateforme européenne de référence pour l’intelli­ genceartificielle.Selonlui,laréussiteeuropéennedans ce domaine passera par une coopération renforcée entre les États membres. Les discussions ont égale­ ment porté sur la finance numérique, la tokenisation des actifs, la cybersécurité, l’informatique quantique, l’utilisation responsable des données et les nouveaux modèles économiques liés à l’IA. Plusieursdirigeants degrandesentreprisestechnologiques,defondsd’in­ vestissement et d’institutions internationales ont par­ tagé leur visiondes transformations à venir. Le volet entrepreneurial a constitué l’un des temps forts de l’événement. Pas moins de 247 startups et scaleups sélectionnées ont présenté leurs innova­ tions dans douze catégories différentes au sein de la Launchpad Arena. Le grand prix, doté d’un accompagnement et de services d’une valeur supé­ rieure à 130 000 euros, a été remporté par Exobiosphere, une entreprise luxembourgeoise spé­ cialisée dans la biotechnologie spatiale et la décou­ verte demédicaments enmicrogravité. Par ailleurs, quinze jeunes pousses ont été récompensées lors de la cérémonie de remise des diplômes du pro­ gramme d’accélération Fit 4 Start, soutenu par Luxinnovation et leministère de l’Économie. Les lauréats évoluent dans les domaines du numé­ rique, de la santé et du spatial. Les Luxembourg AI ExcellenceAwardsontégalementdistinguéplusieurs projetsinnovantsdansdessecteurstelsquelafinance, lasanté,ladurabilité,laproductivitéetlatransforma­ tiondes entreprises grâce à l’intelligence artificielle. Àl’issue de cette édition record, les organisateurs ont salué ledynamismede l’écosystème luxembourgeois et européen. Ils ont annoncé queNexus 2027 se tien­ dra les 9 et 10 mars 2027 à LuxembourgVille, avec l’ambition de poursuivre le développement de cette plateforme internationaledédiéeà l’innovationet à la souveraineté technologique européenne. Avec une fréquentation en forte hausse, un pro­ gramme dense et des débats centrés sur les grands enjeux stratégiques du numérique, Nexus 2026 marque une nouvelle étape dans la volonté du GrandDuchédes’imposercommeunacteurmajeur de l’innovation en Europe. Luxembourg confirme son statut de hub européen de l'innovation ©ChambredeCommerce&Paperjam