Summary Yes, as proposed in the Cloud and AI Development Act (CADA), the European Parliament or the Council can revoke the Commission's delegated powers at any time. Under Article 45(3) of the proposal, a revocation decision takes effect the day following its publication in the Official Journal of the European Union, though it explicitly "shall not affect the validity of any delegated acts already in force." This power applies to the specific delegations listed in the article, covering updates to the Cloud and AI Leadership Initiatives, the Union assurance levels, audit rules, and private-sector impact assessments.
Detail
The Cloud and AI Development Act (CADA) is designed to be a dynamic regulatory framework capable of adapting to rapid technological shifts in cloud computing and artificial intelligence. To achieve this without requiring a full legislative amendment for every technical update, the proposal confers specific delegated powers on the European Commission. However, this delegation is not unconditional. The proposal establishes a robust system of checks and balances, empowering the co-legislators—the European Parliament and the Council—to withdraw these powers entirely if they deem the Commission's exercise of them to be inappropriate or if the political consensus shifts.
The Legal Mechanism: Article 45(3)
The core mechanism for this oversight is found in Article 45(3) of the CADA proposal. This provision grants the European Parliament and the Council the authority to revoke the delegation of power "at any time." The text is explicit regarding the scope and the consequences of such a decision:
"The delegation of power referred to in Article 6(4), Article 16(2), Article 20(9), Article 21(1), and Article 31(3) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force."
This clause serves three critical functions:
- Unilateral Action: Either the Parliament or the Council can trigger the revocation independently; a joint decision is not required.
- Immediate Effect: The revocation becomes effective the day after publication in the Official Journal (unless a later date is specified), ensuring a swift cessation of the Commission's authority.
- Legal Certainty: Crucially, it protects the stability of the regulatory environment by ensuring that existing delegated acts remain valid even after the power to create new ones is withdrawn.
Scope of Revocable Powers
The revocation power is not a blanket removal of all Commission authority under CADA. Instead, it targets the specific delegations listed in Article 45(3). These powers allow the Commission to amend non-essential elements of the regulation to keep pace with innovation. The specific areas subject to revocation include:
- Article 6(4): The power to amend Annex I (Grand Challenges). This allows the Commission to update the list of strategic technological and industrial challenges (e.g., frontier AI, physical AI, industrial AI) to reflect market and technological developments.
- Article 16(2): The power to amend Annex II (Union assurance levels) and Annex III (Audit evidence). This is perhaps the most critical delegation, as it allows the Commission to update the technical criteria for cloud sovereignty (Levels 1–4) and the evidence required for audits.
- Article 20(9): The power to supplement the regulation by laying down detailed rules on the performance of audits. This includes procedural steps, rules for auditing organisations, their technical competences, auditing methodologies, and templates for audit reports.
- Article 21(1): The power to amend Annex III to lay down the necessary evidence needed to assess the audit criteria under Annex II. This ensures the audit process remains rigorous and up-to-date.
- Article 31(3): The power to specify the need for impact assessments and risk mitigation measures for private companies operating in sectors of high criticality, and to specify Union assurance levels for specific public sector activities.
Effects of Revocation: Timing and Validity
The proposal carefully distinguishes between the power to act and the validity of actions already taken.
1. The Effective Date According to Article 45(3), the revocation "shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein." This creates a clear, predictable timeline. Once published, the Commission immediately loses the authority to adopt new delegated acts in the specified areas. If a later date is specified, the Commission retains its powers until that date arrives.
2. The "Grandfathering" of Existing Acts The most significant legal safeguard in Article 45(3) is the clause stating that revocation "shall not affect the validity of any delegated acts already in force." This means that if the Commission has already adopted a delegated act updating the cybersecurity criteria for Union assurance Level 3, and the Parliament subsequently revokes the power to amend Annex II, that specific update remains legally binding.
This provision is essential for market stability. Cloud providers, auditing organisations, and public sector bodies rely on the technical criteria set out in delegated acts for compliance. If revocation automatically invalidated these acts, it would create immediate legal chaos, leaving providers without a clear standard for compliance. By preserving the validity of existing acts, the proposal ensures that the regulatory framework does not collapse upon the withdrawal of the Commission's update powers.
Procedural Context: Revocation vs. Objection
It is vital to distinguish between revocation (Article 45(3)) and objection (Article 45(6)).
- Objection: Under Article 45(6), the Parliament or Council can object to a specific delegated act within a two-month period (extendable by three months). If an objection is raised, that specific act does not enter into force. However, the underlying power to adopt future acts remains intact.
- Revocation: This is a more drastic measure. It does not target a single act but rather withdraws the source of the power itself. Once revoked, the Commission cannot adopt any further delegated acts in the affected areas until the delegation is re-established (which would require a new legislative act).
Revocation is therefore a political tool used when the co-legislators fundamentally disagree with the Commission's approach to updating the regulation, rather than just disagreeing with a single technical update.
What this means for you
For legal counsel, compliance officers, and cloud service providers, understanding the revocation mechanism is critical for long-term strategic planning and risk management.
1. Regulatory Stability Despite Political Volatility The "grandfathering" clause in Article 45(3) provides a significant buffer against political instability. If your organisation has invested in compliance measures based on a delegated act (e.g., specific audit methodologies under Article 20(9)), those measures remain valid even if the Parliament revokes the Commission's power to update them. You do not need to fear that a political decision to revoke powers will instantly nullify your current compliance status.
2. The Risk of Regulatory Stagnation While existing acts remain valid, the inability to adopt new delegated acts creates a risk of regulatory lag. If the Commission's power to amend Annex II (assurance levels) is revoked, the technical criteria for cloud sovereignty will freeze in their current state. In a fast-moving sector like AI and cloud computing, this could lead to a mismatch between the regulatory requirements and technological reality. Compliance teams should monitor the legislative process closely; a move towards revocation signals that the current technical framework may become static for an extended period.
3. Strategic Implications for Audit and Sovereignty For providers seeking recognition at Union assurance levels 2, 3, or 4, the delegated powers under Article 20(9) and Article 21(1) are the engine of the audit regime. If these powers are revoked, the detailed rules for audits (methodologies, templates, auditor competences) will cease to evolve. This could impact the ability of auditing organisations to adapt to new threats or technologies. Providers should ensure their internal controls are robust enough to withstand a potential freeze in regulatory updates.
4. Monitoring the Co-Legislators Since the Parliament or Council can revoke powers "at any time," organisations must maintain a high level of vigilance regarding the political climate in the EU. A revocation would likely be preceded by significant political debate or disagreement with the Commission's implementation of CADA. Early detection of such signals allows organisations to prepare for a scenario where the regulatory update mechanism is paused, potentially requiring them to lobby for a legislative amendment to restore the delegation if necessary.
Common misconceptions
"Revocation invalidates all delegated acts." This is incorrect. Article 45(3) explicitly states that revocation "shall not affect the validity of any delegated acts already in force." Only the power to adopt future acts is removed. Existing acts remain binding law.
"The Commission can revoke its own powers." No. The power to revoke lies exclusively with the European Parliament or the Council. The Commission is the recipient of the delegation and cannot unilaterally withdraw the power granted to it by the legislators.
"Revocation stops the entire CADA regulation from working." Not necessarily. Revocation only stops the Commission from amending or supplementing the regulation via delegated acts. The core provisions of CADA, including the sovereignty framework, data centre deployment rules, and public procurement obligations, remain in full force. Only the dynamic update mechanism is paused.
"Revocation is the same as objecting to a delegated act." No. Objection (Article 45(6)) prevents a specific act from entering into force but leaves the power to adopt future acts intact. Revocation (Article 45(3)) withdraws the underlying power entirely, preventing any future delegated acts in that area until the delegation is restored by legislation.
Related
- Can the European Parliament or Council object to a CADA delegated act?
- Which parts of CADA can the Commission change through delegated acts?
- Who receives the CADA review report? Parliament, Council & EESC
- Who does the Commission consult before adopting a CADA delegated act?
- What is the legal basis for delegated powers in CADA?
This is general information about a draft EU regulation, not legal advice.