The Architecture of Trusted Partner Alignment: Building an EU Economic Foreign Policy Through Chips Act 2.0 and CADA

The simultaneous publication, on 3 June 2026, of the Chips Act 2.0 and the Cloud and AI Development Act (CADA) as part of the EU’s technology sovereignty package is often interpreted primarily through the lens of the European Union’s renewed embrace of industrial policy. Yet the two regulatory frameworks are more accurately understood as the most specific articulation to date of how the EU intends to manage its economic relationships with third countries in critical technologies.

Taken together, they establish a systematic framework for determining who qualifies as a trusted partner, and how that trust translates into operational terms. This trust framework constitutes the EU’s response to the vulnerabilities identified in the two acts: "overdependence on third countries for semiconductor design and manufacturing" and "insufficient crisis preparedness capabilities" in the Chips Act 2.0, and a "pronounced dependence on a limited pool of third-country providers" for cloud services and data centers in CADA.

The EU’s attempt to construct an architecture of trusted alignment through regulatory action is set to reshape the terms of engagement for foreign companies seeking access to the European market. Whether this model succeeds as an instrument of economic statecraft will depend on two factors: the strategic value that foreign companies and governments continue to attach to access to the European market, and the scale of public financial incentives that the EU and Members States will ultimately make available. As of today, the Multi-Annual Framework 2028-2034 (the EU’s main long-term budget) and the European Competitiveness Fund remain under negotiation.

The "Domestic Undertaking" Concept as Foreign Policy Instrument

The EU’s default posture toward foreign companies in technology sectors has long been open market access. Restrictions were treated as exceptions, justified on a case-by-case basis. The first Chips Act of 2023 partially departed from a strict free-market approach by creating a framework for first-of-a-kind semiconductor manufacturing facilities and authorizing state aid for large-scale projects. Yet it remained ownership-neutral. TSMC’s Dresden facility was as eligible for support as a company headquartered in the EU.

The domestic undertaking framework is thus central to this new step in constructing an EU economic foreign policy. Its practical implications are best understood as a set of rights and obligations that determines whether a company is inside or outside the EU’s technology security perimeter.

On the benefits side, only domestic undertakings can lead a "strategic project", a designation that provides priority permitting and preferential access to the European Competitiveness Fund (the size of which remains under negotiation, and will be closely watched by industry). Only domestic undertakings can join the B2B Semiconductor Supply Chain Platform, which will provide aggregated market intelligence, early warnings, and stress-testing results to participating companies. Companies outside this framework will face greater mandatory disclosure requirements during a crisis. In critical infrastructure procurement, contracting authorities must report the share of domestic undertakings in their semiconductor supply chains, and demonstrate dual-sourcing strategies that favor them. This initially operates as a soft preference, but the Commission can convert it into a binding requirement through implementing acts.

The obligations are the other side of the same framework. Production facilities operated by domestic undertakings must participate in the B2B Platform and commit to freedom from extraterritorial obligations imposed by third countries. Most importantly, they are subject to priority-rated orders: in a declared semiconductor crisis, the Commission can require them to override private contracts and redirect production toward critical sectors, with contractual liability suspended for the duration of the crisis.

The architecture remains open-ended. A foreign company that restructures to qualify as a domestic undertaking becomes part of the EU’s economic security framework and gains access to preferential policy instruments. The definition explicitly allows companies "owned and controlled by an undertaking established in a third country or territory with which the EU has concluded an agreement establishing a free trade area, a customs union or a strategic partnership in semiconductors". This flexible wording, together with the separate provision that membership in the WTO Agreement on Government Procurement qualifies companies for domestic undertaking status, ensures that companies from Taiwan can access the EU’s new framework.

CADA's "Associated Third Country" as a Foreign Policy Instrument

CADA introduces a mechanism with no real precedent in EU digital regulation: the "associated third country" designation. Its logic is straightforward, but its implications are potentially far-reaching. Cloud providers subject to third-country control are, by default, excluded from Union assurance levels 3 and 4, the highest tiers covering sensitive public sector workloads such as defense, intelligence, classified information and critical infrastructure operations. The vast majority of public sector cloud spending (email, productivity, administrative systems, non-sensitive databases) sits at levels 1 and 2, where the bar is either self-assessment or structural separation of activities in the home country and inside the EU. 

To qualify, a country must meet six cumulative conditions: a GDPR adequacy decision; the absence of domestic laws enabling compelled government access to non-personal data; the absence of powers to order service degradation or disruption; the absence of measures to impede the provision of state-of-the-art technologies and services; no barriers to EU cloud providers operating in the domestic market; and reciprocal access to public procurement markets for EU cloud companies. These are enforceable legal criteria subject to review, and published by the Commission through a continuously updated list of qualifying countries.

Countries seeking to ensure that their cloud providers can compete at the highest levels of the EU public sector market now have a clear roadmap of the reforms required. For countries whose intelligence or data-security laws contain such provisions (read China and the United States), it creates an incentive to reform, or to go to confrontation. Still, there are two possible ways around this restriction: an implementing decision by the European Commission formally recognizing the provider’s country of origin as sufficiently aligned with EU requirements, or a localization strategy through the construction of structurally independent EU subsidiaries by large cloud companies from non-associated third countries.

What Demand-Side Policy Adds to this Picture

Chips Act 2.0 makes clear that, while "the initial Chips Act was predominantly supply driven", the EU is now placing "greater emphasis on demand-side measures". The most tangible shift concerns public procurement. Article 30 establishes a baseline voluntary mechanism: contracting authorities procuring infrastructure, equipment, or systems in critical sectors may require tenderers to submit a security-of-supply declaration covering the share of domestic chip suppliers in their products, evidence of a dual-sourcing strategy involving at least one domestic undertaking, and a supply chain resilience plan.

The framework contains a new built-in escalation mechanism. Article 31 allows the Commission, after identifying supply chain risks through its monitoring activities, to recommend that contracting authorities favor domestic chip suppliers. If these recommendations are disregarded and vulnerabilities persist, the Commission can adopt a binding implementing act requiring a security-of-supply declaration for specific categories of procurement.

In cloud services, mandatory risk assessments and minimum assurance-level requirements introduced by Articles 29 and 30 of CADA require EU public sector bodies to assess whether cloud providers are exposed to third-country jurisdiction and to integrate that assessment into procurement decisions.

Positioning Vis-à-Vis the United States

Chips Act 2.0 explicitly states that "Europe’s approach to technological sovereignty is grounded in openness, partnership and fair competition". CADA’s explanatory memorandum stresses consistency with the EU’s obligations under the WTO Government Procurement Agreement. Yet the relationship with the United States is one of the most politically sensitive dimensions of the new framework, particularly in cloud services. 

American hyperscalers currently account for more than 70% of the European cloud market. Under CADA, this position is not directly challenged: providers subject to third-country control remain eligible for assurance level 1. The constraints emerge at the higher assurance levels that cover sensitive public-sector workloads, critical infrastructure, and the most strategically valuable government contracts. Access to these tiers is effectively conditional on a provider’s home country being designated as an associated third country under CADA’s Article 18. Among the cumulative conditions for such a designation is the absence of measures allowing public authorities to exercise control over cloud providers in ways that conflict with the EU’s rules on access to non-personal data. Current US legislation, including the CLOUD Act, raises obvious questions in this regard.

The significance of Article 18 lies less in its immediate impact than in the incentive structure it creates. The mechanism establishes a direct link between access to the most sensitive segments of the European cloud market and the legal environment governing a provider in its home jurisdiction. In this respect, it echoes the logic of the GDPR adequacy regime, which over time helped create the conditions for the negotiation of the 2023 EU-US Data Privacy Framework. The difference is that the issue at stake is no longer the transfer of personal data, but the security and resilience of digital infrastructure. In a favorable scenario for the EU, this mechanism would both create new market opportunities for European cloud providers seeking to scale and provide the EU with additional leverage in future transatlantic negotiations. 

Positioning Vis-à-Vis China

Whereas the transatlantic relationship is shaped by deep commercial interdependence and an alliance relationship central to Europe’s security, the regulatory architecture of both acts formally places Chinese-controlled entities outside the EU’s circle of trust.

China does not meet the criteria established under Chips Act 2.0 and CADA for domestic undertakings or associated third countries. It has no GDPR adequacy decision, maintains extensive data security and national intelligence legislation, and does not provide reciprocal access to its public procurement market for European cloud providers. As a result, Chinese-controlled entities are unlikely to qualify for the most advantageous categories established by either framework. The logic is reinforced by the explicit reference in the Chips Act 2.0 annexes to the Nexperia case as an illustration of the vulnerabilities the regulation seeks to address.

The Architecture Is Incomplete But Consequential

Neither regulation constitutes a finished framework. Both Member States and the European Parliament are likely to seek significant revisions to the Commission’s proposals. The strategic project framework under Chips Act 2.0 remains dependent on the negotiations over the European Competitiveness Fund, which will determine the actual financing available for projects. The list of associated third countries under Article 18 of CADA has yet to be published, and no semiconductor strategic partnership has been concluded with any partner. Meanwhile, the 27 national risk assessments required by CADA are likely to produce divergent outcomes unless the Commission first provides the necessary guidance, which has not yet been issued.