This is precisely what exercised oversight looks like.

The RSB did not challenge the political objective of the initiative.

It challenged the justification.

The measures were considered insufficiently specified. Their proportionality had not been sufficiently demonstrated. The causal links between measures and expected effects were not sufficiently substantiated. The economic reasoning and the cost-benefit assessments were also considered insufficiently convincing. (Impact Assessment (SWD(2026) 502), Annex 1.3, Table 2)

This is the crucial point.

The RSB did not say:

The objective is wrong.

It said:

The homework has not been done.

And without that homework, there was no positive opinion.

In many procedures, criticism has little practical consequence. It is registered, answered, or simply acknowledged.

In the CADA process, that was not enough.

The criticism had to be addressed.

The Commission’s response shows that the criticism was procedurally consequential. The impact assessment was revised. Measures were specified in greater detail, the intervention logic was expanded, and parts of the economic reasoning were strengthened. (Impact Assessment (SWD(2026) 502), Annex 1.3, Table 2)

The specific changes matter.

More important, however, is the fact that they had to be made.

That is precisely what distinguishes symbolic oversight from exercised oversight.

Symbolic oversight expresses criticism.

Exercised oversight compels rework.

The Commission did not receive a positive opinion before that rework had taken place.

The first part examined the tension between infrastructure and dependence.

The second part examined the diagnosis of a demand and coordination problem.

This leaves one final question. If the proposed measures are actually implemented, how would the Commission later determine whether they are working?

Reading the monitoring and evaluation section, one notices how systematically this question is intended to be answered.

The impact assessment develops an extensive architecture of indicators, targets, and evaluations. Among other things, it monitors capacity expansion, market shares, provider presence, and dependencies (Annex 11).

At first, this is unsurprising. Anyone who formulates ambitious goals must also be able to determine whether those goals are being achieved.

The document becomes more interesting elsewhere. The further one follows the monitoring system, the clearer it becomes that the impact assessment distinguishes between two different levels.

On the one hand, it is concerned with the implementation of the measures themselves. On the other hand, it is concerned with the long-term effects those measures are intended to produce.

For implementation, the document provides early-warning mechanisms. Monitoring is intended to make potential bottlenecks or delays visible at an early stage and, where necessary, enable corrections during implementation (Annex 11).

For the actual outcome objectives, the architecture is structured differently. Provider shares, dependence reduction, or structural market changes are observed primarily through later evaluations, in some cases with multi-year time horizons (Annex 11).

At this point, a distinctive feature of the document begins to emerge. The impact assessment describes with considerable precision what progress would look like. Considerably less attention is given to the question of what happens if that progress fails to materialize.

For implementation problems, the document contains early-warning and correction mechanisms. For the actual outcome objectives, observation, evaluation, and later political decisions play a more prominent role.

As a result, the architecture becomes very strong in observing developments. The connection between observation and mandatory adjustment - through predefined or escalating response pathways in the event that targets are missed, for example - remains considerably more restrained.

This does not mean that failing to meet targets would be without consequences. The actual response to such developments remains more dependent on the later actions of the institutions involved.

The first part examined the tension between infrastructure and dependence.

This raises an obvious question: What is the actual problem from the Commission’s perspective?

Those who follow the public debate about Europe’s position in the cloud and AI market usually expect familiar answers at this point: too little capital, too little scale, too few European champions, too little computing capacity.

However, reading the impact assessment creates a different impression. What stands out first is where the document places its emphasis. The discussion revolves relatively little around the question of whether European providers are fundamentally capable of offering competitive services. Instead, the impact assessment repeatedly focuses on requirements, procurement, scaling, and market organization.

The further one follows the argument, the clearer a recurring pattern becomes.

Sovereignty requirements are formulated differently. Public procurement remains fragmented. Criteria are not comparable everywhere. Demand emerges in many places, but only to a limited extent becomes legible as a common market signal. Taken individually, these points appear almost administrative.

In the document, however, they become a market problem. This is because demand does not only fulfill an economic function. It also fulfills a coordination function.

When requirements are formulated differently across authorities, member states, and organizations, demand becomes difficult to compare. When demand becomes difficult to compare, it becomes difficult to pool. Without pooling, the long-term and sufficiently large contracts that are important for scaling emerge less frequently.

The impact assessment describes precisely this connection several times. According to the Commission’s presentation, the European market share stands at around 15% and shows no discernible tendency to change (Part 1, Section 2.4). At the same time, the document repeatedly points to fragmented demand, differing procurement logics, and the absence of common standards.

At this point, it becomes clear why the definition of sovereignty plays such a central role in the document.

At first glance, it appears to be a regulatory classification. Over the course of the impact assessment, however, it takes on another function.

The sovereignty tiers make requirements more comparable. This allows public institutions to describe their needs in more similar ways. Only then does the possibility emerge of bringing demand together across individual authorities or member states.

Why this matters becomes clear elsewhere. The impact assessment repeatedly points to the importance of larger and more stable contract volumes. Individual procurement procedures hardly change market structure. Coordinated demand, by contrast, can reach scales that become relevant for scaling.

The definition of sovereignty thereby acquires an additional meaning. It does not only serve to classify providers or services. At the same time, it creates the conditions under which demand can become visible as a common signal at all.

By the end of this argument, a remarkable picture emerges. The impact assessment describes a market in which requirements are difficult to compare, demand is difficult to pool, and scaling therefore becomes difficult to achieve.

This is precisely where the majority of the proposed measures intervene.

This also changes how CADA appears. The document no longer appears merely as an infrastructure package or a sovereignty package. It increasingly appears as an attempt to transform fragmented public demand into a coordinated signal of scale.

This also shifts the actual challenge. The central issue is not the existence of demand, but its organization.

The third part examines another distinctive feature of the document: CADA measures many of the decisive variables with surprising precision. The question is what happens when these targets are missed.

More infrastructure can be created without automatically reducing dependence on a small number of large providers.

This is where a tension begins that runs throughout the entire document. One of the central objectives of CADA is the expansion of digital infrastructure in Europe. The rationale is straightforward. Demand for cloud and AI computing capacity is growing, while large parts of the market remain concentrated among a small number of providers and locations.

At first glance, the logic appears simple. More infrastructure should strengthen Europe’s position.

However, reading the impact assessment produces a more differentiated picture. The document devotes considerable attention to the expected capacity gap. Permitting procedures, grid bottlenecks, and infrastructure constraints are described as key obstacles to further growth. The proposed response is correspondingly clear: accelerate permitting, create fast-track areas, and facilitate investment (Part 1).

Taken together, these measures are intended to increase the computing infrastructure available within the European Union. Up to this point, the argument is relatively straightforward.

The document becomes more interesting elsewhere.

The impact assessment treats dependence as a separate problem. It repeatedly distinguishes between infrastructure located in Europe and infrastructure controlled by European providers. This distinction becomes particularly visible in the proposed sovereignty framework.

Most public-sector use cases would remain open to non-European providers, provided they meet the relevant requirements. Only the highest sovereignty tiers are effectively reserved for EU-controlled providers (Part 1).

This creates a tension that runs throughout much of the document. The mechanisms for expanding capacity are largely provider-neutral. The mechanisms for reducing dependence are provider-selective. Both objectives appear within the same policy package, but they operate through different logics.

One consequence follows from this distinction. Additional capacity can be created in Europe without automatically changing who controls the market.

The capacity gap and the dependence gap are therefore related, but they are not the same thing.

Closing one does not automatically mean closing the other.

If dependency cannot be reduced through infrastructure alone, a different question emerges. What problem is CADA actually trying to solve?

That question is the focus of Part 2.

The language differs. Some discussions focus on human oversight, others on deployment approval, trust boundaries, traceability, uncertainty recognition, or Zero Trust architectures.

Yet the underlying concern increasingly looks the same.

The question is becoming less about evaluating a system in isolation and more about governing what happens when it acts.

Several recent signals point in that direction. OpenAI’s Frontier Governance Framework emphasizes deployment decisions, residual risk acceptance, and ongoing model review. Anthropic’s work on Zero Trust for AI Agents focuses on identity, authorization, and constrained execution. Gartner highlights autonomy levels, trust boundaries, and governance proportional to agent capabilities. Discussions around human oversight increasingly focus on whether oversight remains operationally meaningful under real conditions.

What I find interesting is not any individual argument. It is the fact that different fields, operating under different constraints, appear to be encountering the same governance boundary.

Independent convergence does not prove a conclusion is correct.

It can, however, be a useful indication that a structural problem is becoming visible.

Operational plausibility emerges first:

A small pilot group reports positive experiences, initial operational relief becomes visible. Modernization and fairness arguments generate support, and the system begins to appear useful and institutionally compatible.

Many other questions remain unresolved at this stage. Not only technical questions, but organizational ones:

• Who controls later system changes?

• How are problematic outputs reviewed or challenged?

• Who intervenes once usage, responsibility, and oversight begin to diverge?

These questions are often deferred into later working groups, guidelines, or governance processes.

This creates a structural asymmetry:

The organizational integration stabilizes while intervention, control, and accountability structures are only operationalized afterward.

Governance pressure therefore often becomes visible only once usage has already become organizationally stable.

Pressure appears when systems move beyond controlled settings, when audits require formal verification, or when incidents expose behavior under risk.

In these situations, evaluation changes its focus. Behavior has to be accounted for within the organization. Control has to remain possible. Responsibility has to be assigned.

This shifts the object of the decision: uncertainty becomes something that needs to be located and carried within existing structures.

As long as this assignment holds, systems remain in use. When it becomes unclear, stability weakens.

Decisions follow from this condition. They take place across selection, approval, integration, and operation, and they are revisited when pressure returns.

AI deployment is shaped by how organizations handle uncertainty under pressure.