At a glance
At a glance
The week Brussels went both ways
On 3 June, the European Commission proposed the Cloud and AI Development Act (CADA), and set out to push the bar on sovereignty higher than it has ever been. This act would move sovereignty from a value Brussels talks about to a rule it audits, with defence at the top tier.
On 10 June, negotiators of the European Commission closed a deal on the Defence Readiness Omnibus, one that pulls the oversight around defence procurement lower than it has been in years. Under it, permits that can run to four years shrink to around a hundred days. Applications get simpler. Checks, rarer.
Neither is law yet but the direction is unmistakable, and it runs both ways at once. One sits under the heading of sovereignty, the other under simplification. Different files, different briefings. Read either on its own and it tells a clean, complete story. Read them together, and the danger shows with you (the bidder) standing in the middle of it.
The tightening: a higher bar on sovereignty
CADA is the first attempt to write digital sovereignty directly into European law. It would sort cloud and AI infrastructure into audited levels, from data simply sitting in the EU at the bottom up to full control of the software supply chain at the top, with defence at that top tier. Sovereignty would become something you have to prove, formally, to a standard someone else sets and checks.
We have written in another reading about what that does to a bid and why evaluators score understanding rather than certificates. That argument still holds, and it is worth reading alongside this one.
For now, only one thing matters: the bar on sovereignty is rising. Hold that thought, and turn to the half that got far less attention.
The loosening: fewer checks everywhere else
The Defence Readiness Omnibus is built to make defence move faster. It is, on its own terms, welcome. Europe needs to build capability at speed, and red tape was genuinely in the way. But look at what it removes:
Run alongside it the AI Omnibus, agreed on 7 May, which pushes the AI Act’s high-risk obligations back from August 2026 to December 2027. A sixteen-month reprieve, sold, like the rest, under the banner of simplification and, in the Council’s own words, of strengthening sovereignty.
Each of these is a convenience. Each is also a piece of external structure removed. Think of all that procurement process (the checks, the gates, the assessments) as scaffolding. It is friction, yes. But scaffolding does useful work. It tells you what good looks like. It catches problems early and a passed check gives you proof you can point to.
Where the two collide: the sovereignty gap
Now put the halves together, and a gap appears not quite where you would expect it.
CADA raises the bar, but on a specific kind of sovereignty: the sovereignty of the infrastructure you build on. It audits where your cloud and AI sit, who controls the providers behind them, whether a foreign hand can reach the technology. The Omnibus loosens a different kind: the sovereignty of the partners you build with. And the two never meet.
Look at the ownership-control check. Its job is to confirm that a beneficiary (a member of your consortium) is genuinely European-controlled, and not quietly steered from outside the EU. That is a sovereignty check too, but a separate one: CADA vets your infrastructure, not your consortium’s shareholder registers. The Omnibus lets a single ownership-control assessment stand for 36 months instead of 18. Convenient, and a longer blind spot. Over a multi-year program, a partner can be acquired, take on a foreign investor, or restructure, and the old “all clear” keeps standing for up to twice as long.
So the loosening opens a sovereignty gap the tightening was never built to close. You can pass every CADA audit and still have a partner drift under foreign control between checks. And nothing in the new sovereignty law is looking.
Loosened subcontracting widens the same gap. CADA asks you to control your supply chain. The Omnibus lets you spread that chain across more parties, with fewer checks on each. More links to keep sovereign, and less external structure keeping them so.
Strip it to one sentence: the EU is raising the bar on the sovereignty of your technology and lowering it on the sovereignty of your partners, and the gap between the two is now yours to close, not the regulator’s.
Strategic implications for your bid
This is not a reason to mourn the simplification. It is a reason to read it properly. And the gap it opens is a delivery gap. It does not show at the bid, it shows in year two or three, when a partner’s ownership has quietly moved and no scheduled check was there to catch it. So do four things the lighter rules no longer require but that a serious bid still should.
Read both directions, not just the headline. Build the two-column map: in one column, the sovereignty obligations the tightening adds; in the other, the checks the loosening removes from your specific bid. The easy thing is to keep only the first column. The trouble next year will land on the bids that tracked the tightening and missed the loosening, or the reverse.
Rebuild the guardrails you will be judged on. Where an external check was removed, put your own in its place and show it in the proposal. If the ownership-control check now runs every 36 months, run your own in between, and write that into how you will govern the consortium. Self-imposed discipline is no longer optional housekeeping. With the regulator’s scaffolding gone, it is your evidence of sovereignty.
Treat the conveniences as commitments. The longer assessment window, the looser subcontracting, the standard clause you no longer negotiate. Each is a delivery exposure dressed as a simplification. Design for the exposure now, while your architecture is still a set of choices, not when it surfaces three years into delivery.
Make the discipline visible. Put the self-imposed checks in the proposal as a governance commitment the evaluator can see; your own control cadence, named and scheduled, not left implicit. When every bid gets lighter, generic compliance separates no one; visible, self-imposed rigour does. It reads as the work of a consortium that will still be standing at the end of the program, which, not a thinner application, is now the differentiator.
Read both directions
Brussels is tightening and loosening in the same breath. It is doing so for one reason: readiness. And that single purpose is why the two moves are so easy to read as one.
But the consortium that reads only the tightening will over-build on paper and miss the gaps the simplification opens. The one that reads only the loosening will mistake an easier bid for an easier program. The bid that wins, and the program that survives, belongs to whoever reads both and brings its own scaffolding to the places the regulator is taking it down.
That work starts long before the proposal does. It is the conversation worth having while your architecture is still a set of choices you can shape, rather than a problem you have inherited.
The week Brussels went both ways
On 3 June, the European Commission proposed the Cloud and AI Development Act (CADA), and set out to push the bar on sovereignty higher than it has ever been. This act would move sovereignty from a value Brussels talks about to a rule it audits, with defence at the top tier.
On 10 June, negotiators of the European Commission closed a deal on the Defence Readiness Omnibus, one that pulls the oversight around defence procurement lower than it has been in years. Under it, permits that can run to four years shrink to around a hundred days. Applications get simpler. Checks, rarer.
Neither is law yet but the direction is unmistakable, and it runs both ways at once. One sits under the heading of sovereignty, the other under simplification. Different files, different briefings. Read either on its own and it tells a clean, complete story. Read them together, and the danger shows with you (the bidder) standing in the middle of it.
The tightening: a higher bar on sovereignty
CADA is the first attempt to write digital sovereignty directly into European law. It would sort cloud and AI infrastructure into audited levels, from data simply sitting in the EU at the bottom up to full control of the software supply chain at the top, with defence at that top tier. Sovereignty would become something you have to prove, formally, to a standard someone else sets and checks.
We have written in another reading about what that does to a bid and why evaluators score understanding rather than certificates. That argument still holds, and it is worth reading alongside this one.
For now, only one thing matters: the bar on sovereignty is rising. Hold that thought, and turn to the half that got far less attention.
The loosening: fewer checks everywhere else
The Defence Readiness Omnibus is built to make defence move faster. It is, on its own terms, welcome. Europe needs to build capability at speed, and red tape was genuinely in the way. But look at what it removes:
Run alongside it is the AI Omnibus, agreed on 7 May, which pushes the AI Act’s high-risk obligations back from August 2026 to December 2027. A sixteen-month reprieve, sold, like the rest, under the banner of simplification and, in the Council’s own words, of strengthening sovereignty.
Each of these is a convenience. Each is also a piece of external structure removed. Think of all that procurement process (the checks, the gates, the assessments) as scaffolding. It is friction, yes. But scaffolding does useful work. It tells you what good looks like. It catches problems early and a passed check gives you proof you can point to.
Where the two collide: the sovereignty gap
Now put the halves together, and a gap appears not quite where you would expect it.
CADA raises the bar, but on a specific kind of sovereignty: the sovereignty of the infrastructure you build on. It audits where your cloud and AI sit, who controls the providers behind them, whether a foreign hand can reach the technology. The Omnibus loosens a different kind: the sovereignty of the partners you build with. And the two never meet.
Look at the ownership-control check. Its job is to confirm that a beneficiary (a member of your consortium) is genuinely European-controlled, and not quietly steered from outside the EU. That is a sovereignty check too, but a separate one: CADA vets your infrastructure, not your consortium’s shareholder registers. The Omnibus lets a single ownership-control assessment stand for 36 months instead of 18. Convenient, and a longer blind spot. Over a multi-year program, a partner can be acquired, take on a foreign investor, or restructure, and the old “all clear” keeps standing for up to twice as long.
So the loosening opens a sovereignty gap the tightening was never built to close. You can pass every CADA audit and still have a partner drift under foreign control between checks. And nothing in the new sovereignty law is looking.
Loosened subcontracting widens the same gap. CADA asks you to control your supply chain. The Omnibus lets you spread that chain across more parties, with fewer checks on each. More links to keep sovereign, and less external structure keeping them so.
Strip it to one sentence: the EU is raising the bar on the sovereignty of your technology and lowering it on the sovereignty of your partners, and the gap between the two is now yours to close, not the regulator’s.
Strategic implications for your bid
This is not a reason to mourn the simplification. It is a reason to read it properly. And the gap it opens is a delivery gap. It does not show at the bid, it shows in year two or three, when a partner’s ownership has quietly moved and no scheduled check was there to catch it. So do four things the lighter rules no longer require but that a serious bid still should.
Read both directions, not just the headline. Build the two-column map: in one column, the sovereignty obligations the tightening adds; in the other, the checks the loosening removes from your specific bid. The easy thing is to keep only the first column. The trouble next year will land on the bids that tracked the tightening and missed the loosening, or the reverse.
Rebuild the guardrails you will be judged on. Where an external check was removed, put your own in its place and show it in the proposal. If the ownership-control check now runs every 36 months, run your own in between, and write that into how you will govern the consortium. Self-imposed discipline is no longer optional housekeeping. With the regulator’s scaffolding gone, it is your evidence of sovereignty.
Treat the conveniences as commitments. The longer assessment window, the looser subcontracting, the standard clause you no longer negotiate. Each is a delivery exposure dressed as a simplification. Design for the exposure now, while your architecture is still a set of choices, not when it surfaces three years into delivery.
Make the discipline visible. Put the self-imposed checks in the proposal as a governance commitment the evaluator can see; your own control cadence, named and scheduled, not left implicit. When every bid gets lighter, generic compliance separates no one; visible, self-imposed rigour does. It reads as the work of a consortium that will still be standing at the end of the program, which, not a thinner application, is now the differentiator.
Read both directions
Brussels is tightening and loosening in the same breath. It is doing so for one reason: readiness. And that single purpose is why the two moves are so easy to read as one.
But the consortium that reads only the tightening will over-build on paper and miss the gaps the simplification opens. The one that reads only the loosening will mistake an easier bid for an easier program. The bid that wins, and the program that survives, belongs to whoever reads both and brings its own scaffolding to the places the regulator is taking it down.
That work starts long before the proposal does. It is the conversation worth having while your architecture is still a set of choices you can shape, rather than a problem you have inherited.
June 9, 2026 | Governance
June 9, 2026 | Governance
© 2026 iMotivat B.V – All Rights Reserved
© 2026 iMotivat B.V – All Rights Reserved
