Summary Businesses subject to the proposed Cloud and AI Development Act (CADA) generally do not need to be fully compliant on the day the regulation enters into force. As proposed in Article 48, CADA enters into force 20 days after publication in the Official Journal, but its substantive obligations only apply one year after that date. This creates a mandatory one-year transition period. During this gap, cloud service providers and data centre operators must prepare for compliance—such as auditing infrastructure for Union assurance levels or engaging with national authorities—but they are not yet legally bound by the operational rules until the application date.

Detail

To navigate the Cloud and AI Development Act (CADA) effectively, businesses must distinguish between two distinct legal concepts: entry into force and application. Under EU law, these are separate triggers with different implications for legal obligations. Confusing them can lead to either unnecessary panic or dangerous complacency.

Entry into Force vs. Application

According to Article 48 of the CADA proposal, the regulation "shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union." Entry into force is a formal legal milestone. It means the text is officially law, the legal framework exists, and the Commission gains the power to adopt delegated and implementing acts. However, it does not necessarily mean the rules are active for private entities. It triggers certain administrative processes for Member States and the Commission, but it does not immediately impose operational duties on cloud providers or data centre operators.

In contrast, Article 48 explicitly states that the regulation "shall apply from [same day and month as date of entry into force plus 1 year]." This is the critical date for businesses. The application date is when the substantive obligations—such as the requirement for cloud computing services to meet specific Union assurance levels, the obligation for data centres to operate within designated acceleration zones, or the procurement mandates for public bodies—become legally binding. Until this date arrives, providers are not in breach of the operational rules simply for not yet meeting them.

The One-Year Transition Period

The one-year gap between entry into force and application is a deliberate transition period designed to allow the ecosystem to prepare. As proposed, this year is not a "free pass" to ignore the regulation; rather, it is a critical preparation phase. During this time, the regulatory infrastructure must be built.

The sovereignty framework relies on "Union assurance levels" (defined in Annex II) and recognition mechanisms (Article 17). These mechanisms require national competent authorities to be designated and operational before providers can submit applications. Article 25 requires Member States to designate these national competent authorities within one year of entry into force. If these authorities are not in place, providers cannot submit applications for recognition. Therefore, the transition period allows the regulatory machinery to be built so that when the application date arrives, providers can immediately comply.

Furthermore, the Commission will likely adopt delegated acts during this period to update criteria or specify procedures. For instance, Article 16(2) empowers the Commission to amend the Union assurance levels in Annex II, and Article 20(9) allows for rules on the performance of audits. Businesses must monitor these developments, as the final technical details of compliance may be refined during this year.

Specific Timelines in the Text

While Article 48 sets the general one-year rule for the application of the regulation, several specific provisions impose deadlines on Member States that fall within this transition period. Businesses must monitor these milestones because the availability of services (like a recognized sovereign cloud) depends on these national actions being completed before or around the application date.

  • National Strategies: Article 7 requires Member States to establish national cloud and AI strategies within one year of entry into force. These strategies will outline how the country intends to meet CADA's objectives, including data centre deployment and adoption of sovereign cloud.
  • Acceleration Zones: Article 10 requires Member States to designate at least one data centre acceleration zone within six months of entry into force. This is a crucial early step for data centre operators, as future projects may need to be located in these zones to benefit from streamlined permitting.
  • Competent Authorities: Article 25 requires the designation of national competent authorities within one year of entry into force. These authorities will be the gatekeepers for the recognition process under Article 17.

These deadlines fall strictly within the transition period. While providers are not yet bound by the operational rules, the ecosystem around them is being built. If a Member State fails to designate an acceleration zone or a competent authority by the required dates, it could delay the entire recognition process for providers.

What this means for you

For cloud service providers and data centre operators, the distinction between entry into force and application dictates your compliance roadmap. You should not wait until the application date to begin work, but you also do not need to be fully operational on the entry-into-force date. The one-year window is your preparation phase.

1. Map Your Obligations to the Application Date

Identify which provisions of CADA apply to your business model. Are you a cloud computing service provider seeking to serve the public sector? If so, you will need to be recognized under the Union assurance framework (Article 17). Are you a data centre operator? You may need to operate within an acceleration zone (Article 10) or apply for strategic project status (Article 14). Note that the legal requirement to be in compliance starts on the application date (entry into force + 1 year). However, the process to achieve compliance must start much earlier.

2. Use the Transition Year for Preparation

The one-year gap is for preparation, not inaction. Use this time to:

  • Audit Your Infrastructure: Assess whether your current data centres or cloud services can meet the criteria for Union assurance levels (Annex II). For example, can you guarantee that data remains exclusively within the Union? Can you demonstrate that your personnel are Union citizens (a requirement for levels 2, 3, and 4, conditional at level 2)? Can you prove your infrastructure is not subject to third-country control?
  • Engage with National Authorities: Since national competent authorities will be designated during this period, establish early contact. Understand their specific procedures for recognition applications (Article 17). The process involves submitting evidence, undergoing audits, and waiting for a review period.
  • Prepare Documentation: Start gathering the evidence required for audits (Article 21) or self-assessments (Article 19). The criteria are detailed in Annexes II and III, and preparing this documentation—such as Software Bill of Materials (SBOM), data flow diagrams, and proof of Union citizenship for personnel—takes significant time.
  • Monitor Secondary Legislation: The Commission will adopt delegated acts to update criteria and procedures. Watch for these developments, as they will clarify how to comply. For instance, the specific rules for the performance of audits are to be laid down by delegated acts under Article 20(9).

3. Plan for Public Sector Procurement

Public sector bodies will conduct risk assessments (Article 29) to determine which assurance levels they require. These assessments must be carried out by the application date. If you want to sell to the public sector, you need to be recognized before or at the application date, as procurement processes will likely reference these new requirements immediately. Article 30 mandates that contracting authorities procure only services recognized at the appropriate level. If you are not recognized by the application date, you may be excluded from public tenders.

Common misconceptions

Misconception 1: "I have 20 days to comply." No. The 20-day period after publication is only for the regulation to enter into force. It is not a compliance deadline. The substantive rules apply one year later. Confusing these dates could lead to panic or unnecessary rushed actions that do not align with the actual legal requirements.

Misconception 2: "I can wait until the application date to start anything." While you are not legally bound to be compliant until the application date, the recognition process (Article 17) involves audits, evidence submission, and national authority reviews. These processes take time. If you wait until the last month of the transition period to start your application, you may not be recognized by the time public sector procurement begins, putting you at a competitive disadvantage. The recognition decision requires a 60-day review period by other Member States, plus the time for the audit itself.

Misconception 3: "Entry into force means the rules are active." Entry into force is a legal formality. It means the text is law, but the obligations are dormant until the application date. However, it does trigger some administrative duties for Member States (like designating authorities under Article 25 and acceleration zones under Article 10), which indirectly affects you. If these national steps are delayed, your path to compliance may be blocked.

Misconception 4: "CADA applies immediately to all cloud providers." CADA's sovereignty framework and procurement rules primarily target cloud computing services provided to Union entities and public sector bodies. Private sector entities in certain critical sectors (listed in Annex I of the NIS2 Directive) may conduct impact assessments (Article 31), but the mandatory procurement rules (Article 30) apply to contracting authorities. Understand your specific role before assuming all rules apply to you immediately.

Related

This is general information about a draft EU regulation, not legal advice.