Can the CADA review lead to changes in the law?

Summary Yes, the Cloud and AI Development Act (CADA) review can lead to changes in the law, but not automatically. Under Article 47(2) of the proposal, the Commission's evaluation report "shall be accompanied by a proposal for amendment of this Regulation" where appropriate. Such a proposal would initiate the ordinary legislative procedure, requiring adoption by both the European Parliament and the Council. This is distinct from the Commission's power to adopt delegated acts (to update technical annexes) or implementing acts (for uniform application rules), which do not require a full legislative vote. The review mechanism ensures the Regulation remains adaptable, but significant structural changes remain subject to democratic co-decision.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is designed as a dynamic instrument capable of evolving alongside rapid technological shifts in cloud and AI. To achieve this, the proposal establishes a multi-layered governance framework for legal updates. It distinguishes clearly between full legislative amendments triggered by a periodic review and non-legislative updates via delegated or implementing acts. Understanding this distinction is vital for legal teams, as the procedural hurdles, timelines, and scope of changes differ fundamentally.

1. The Full Legislative Review: Article 47

Article 47 serves as the primary "sunset and review" clause for the entire Regulation. It mandates a comprehensive evaluation of the Act's functioning to ensure it continues to meet its objectives regarding competitiveness, resilience, and strategic autonomy.

• Timing: The Commission is required to evaluate the Regulation five years after its entry into force (Article 47(1)). The text specifies that the evaluation occurs "by [date of entry into force plus 4 years]" in the draft, but the operative clause in Article 47(1) states the evaluation shall take place "five years after its entry into force" and "every 5 years thereafter."
• Scope: The evaluation must detail the "effective application and enforcement of the proposed Regulation" and consider the positions of the European Parliament, the Council, and other relevant bodies, with specific attention to SMEs and new competitors.
• The Power to Propose Amendment: The critical mechanism for legal change lies in Article 47(2). It states: "Where appropriate, the report referred to in paragraph 1 shall be accompanied by a proposal for amendment of this Regulation."

This provision creates a conditional pathway for full legislative change. The Commission has the discretion to determine if the evaluation findings justify a structural overhaul. If the Commission concludes that the current framework is insufficient to address market failures, technological obsolescence, or new geopolitical risks, it may draft a formal legislative proposal.

2. Distinguishing Full Amendments from Delegated/Implementing Acts

A common point of confusion is the difference between the changes triggered by the Article 47 review and the routine updates the Commission can make without a new law. CADA provides two other mechanisms for updating the text, which operate under different legal bases and procedures.

Delegated Acts (Article 45)

Delegated acts allow the Commission to supplement or amend non-essential elements of the Regulation. Under Article 45, the power to adopt delegated acts is conferred for an indeterminate period.

• Scope: These acts are used to update technical criteria that require frequent adjustment. For instance, Article 16(2) empowers the Commission to amend Annex II (criteria for Union assurance levels) and Annex III (audit evidence) to reflect new legal or technical developments. Similarly, Article 20(9) allows for detailed rules on audit performance, and Article 21(1) allows for updates to audit evidence requirements.
• Procedure: These acts enter into force unless the European Parliament or the Council objects within a specific period (typically two months, extendable by three). They do not require the full ordinary legislative procedure.
• Frequency: The proposal explicitly requires the Commission to review Annex II and III "at least every 18 months" (Article 16(3)), ensuring these technical standards remain current without waiting for the five-year legislative review.

Implementing Acts (Article 46)

Implementing acts are used where uniform conditions for implementing the Regulation are needed.

• Scope: These are adopted via the examination procedure (Article 46(2)), involving a committee of Member State representatives. Examples include specifying the methodology for risk assessments (Article 29(3)), setting rules for the EuroCloud Federation (Article 35(6)), or defining fee structures for procurement (Article 40(5)).
• Procedure: Unlike delegated acts, the Commission cannot adopt these unilaterally; they require a positive vote from the Member State committee. However, they still bypass the full co-decision process of the Parliament and Council.

3. The Ordinary Legislative Procedure for Article 47 Amendments

If the Commission decides that the Article 47 review warrants a full amendment, the process shifts from administrative rule-making to the ordinary legislative procedure (co-decision), as outlined in Article 294 TFEU and referenced implicitly by the nature of a "proposal for amendment of this Regulation."

The process unfolds as follows:

1. Commission Proposal: The Commission submits a formal legislative proposal to the European Parliament and the Council. This proposal would be based on the findings of the Article 47 evaluation report.
2. First Reading: The European Parliament adopts its position (amendments or approval), and the Council adopts its position.
3. Trilogue Negotiations: If the two institutions disagree, representatives from the Parliament, the Council, and the Commission meet in trilogues to negotiate a compromise text.
4. Adoption: The final text must be approved in identical wording by both the Parliament (by a majority of its component members) and the Council (by a qualified majority).
5. Entry into Force: Once adopted, the amending Regulation is published in the Official Journal of the European Union and enters into force on the twentieth day following publication (or a later date specified in the act).

This procedure ensures that any fundamental changes to the CADA framework—such as altering the definition of "public order," changing the scope of the sovereignty framework, or modifying the data centre acceleration zone rules—are subject to rigorous democratic scrutiny. It is a slower, more politically complex process than the adoption of delegated or implementing acts.

What this means for you

For legal counsel, compliance officers, and strategic planners, the existence of these dual tracks requires a proactive monitoring strategy.

1. Prepare for the Five-Year Horizon: Mark the date of CADA's entry into force plus five years. This is the trigger for the first comprehensive evaluation. Stakeholders should prepare impact assessments and position papers to influence the Commission's decision on whether to propose amendments under Article 47(2). If the market has evolved significantly (e.g., new AI architectures or sovereign cloud technologies), this is the moment to argue for structural updates.
2. Monitor the 18-Month Cycle for Technical Criteria: Do not wait for the five-year review to check your compliance status. The Commission is mandated to review Annex II and Annex III every 18 months. Changes to the criteria for Union assurance levels (e.g., cybersecurity certification levels or personnel requirements) could occur via delegated acts at any time. Your compliance team must track the Official Journal for these specific updates, as they can materially alter the requirements for maintaining recognition.
3. Track Implementing Acts for Methodologies: If you are a contracting authority or a private entity in a high-criticality sector, pay close attention to implementing acts under Article 29(3) (risk assessment methodologies) and Article 35(6) (EuroCloud Federation rules). These acts provide the detailed templates and rules you must follow. Failure to align with a new implementing act could render your procurement or sharing arrangements non-compliant, even if the main Regulation text remains unchanged.
4. Understand the "Where Appropriate" Discretion: Recognize that the Article 47 review does not guarantee a legislative amendment. The Commission has the discretion to conclude that the current framework is functioning well. If no proposal is made, the Regulation remains static in its core provisions until the next review cycle, though technical annexes may still evolve.

Common misconceptions

"The Article 47 review automatically updates the law."

• Reality: The review is an evaluation, not an automatic update. Article 47(2) explicitly states that a proposal for amendment is only made "where appropriate." If the Commission finds no need for change, no legislative proposal is issued, and the core text remains unchanged.

"Delegated acts are less important than legislative amendments."

• Reality: While delegated acts do not require a full parliamentary vote, they are legally binding and directly applicable. A change to Annex II via a delegated act can immediately alter the criteria for Union assurance levels, potentially disqualifying a provider or requiring a new audit. These changes can be more frequent and operationally significant than the rare full legislative amendments.

"The Commission can change the core objectives of CADA via delegated acts."

• Reality: Delegated acts are strictly limited to non-essential elements, such as technical criteria in annexes. They cannot alter the Regulation's fundamental objectives, scope, or core obligations (e.g., the requirement for public bodies to procure at specific assurance levels). Such changes would require a full legislative amendment via the ordinary legislative procedure.

"Implementing acts are optional guidelines."

• Reality: Implementing acts adopted under Article 46 are binding. For example, the methodology for risk assessments specified in an implementing act under Article 29(3) becomes the mandatory standard for Member States and Union entities.

Related

• CADA Review vs Delegated Acts: How the EU Cloud and AI Development Act Changes
• Why does the CADA review pay special attention to SMEs and new competitors?
• Who receives the CADA review report? Parliament, Council & EESC
• Which parts of CADA can the Commission change through delegated acts?
• CADA Timeline: From Adoption to Full Application and Review

This is general information about a draft EU regulation, not legal advice.