Summary No, the proposed Cloud and AI Development Act (CADA) would not apply retroactively. As explicitly defined in Article 48, the regulation would enter into force 20 days after publication but would only become applicable one year later. This structure creates a clear prospective timeline, ensuring that legal obligations only attach to procurement procedures and actions taken after the application date. This aligns with the general EU legal principle of non-retroactivity, which protects economic operators and public authorities from penalties for decisions made under the legal framework existing at the time.

Detail

A primary concern for public-sector bodies, cloud providers, and legal counsel is whether the new sovereignty and procurement rules of CADA would disrupt existing contractual relationships. The text of the proposal is unambiguous: CADA is designed to apply prospectively. It governs future actions, not past ones.

The Timeline: Entry into Force vs. Application Date

To understand the non-retroactive nature of CADA, one must distinguish between the two distinct dates established in Article 48 of the proposal:

  1. Entry into Force: The regulation would enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. This date marks when the law becomes part of the EU legal order, allowing for administrative preparation and the designation of competent authorities.
  2. Date of Application: The regulation would apply from the same day and month as its entry into force, plus one year.

This one-year gap is a deliberate legislative choice. It serves as a transition period for Member States to designate national competent authorities, for cloud computing service providers to prepare for recognition procedures, and for contracting authorities to align their procurement strategies with the new Union assurance levels. Crucially, the "date of application" is the moment the substantive obligations become active. Any cloud service contract signed, data centre permit granted, or procurement procedure launched before this date falls outside the mandatory scope of CADA's compliance requirements.

The Principle of Non-Retroactivity in EU Law

The prospective application of CADA is not merely a drafting convenience; it is a reflection of a fundamental principle of EU law: the principle of non-retroactivity. Under this principle, legal acts generally do not apply to situations that were completed or legal relationships that were concluded before the act entered into force. This principle ensures legal certainty, a cornerstone of the EU legal system, allowing businesses and public bodies to rely on the law as it stands at the time of their actions.

If CADA were applied retroactively, it would create significant legal instability. For instance, a public authority that procured a cloud service three years ago under the rules existing at that time would not be expected to breach that contract or face penalties simply because a new law was passed later. The proposal respects existing contractual relationships while setting new standards for future engagements. The text of Article 48 confirms this by separating the "entry into force" from the "application," a standard mechanism used to prevent retroactive effects.

Impact on Existing Contracts and Procurement

While CADA does not apply retroactively to existing contracts in terms of imposing new compliance penalties or invalidating them, it does influence the future management of those contracts.

Article 30 sets out obligations for contracting authorities regarding public procurement. It mandates that Union entities and public sector bodies must procure cloud computing services recognized as having at least Union Assurance Level 1 (or higher, depending on risk assessments). However, this obligation applies to procurement procedures initiated after the date of application. It does not invalidate contracts already in place.

Instead, the proposal encourages a forward-looking approach. When existing contracts expire or when new tenders are launched after the application date, public-sector bodies must comply with the CADA requirements. The transition period defined in Article 48 allows authorities to plan for this shift, ensuring they are not caught off guard when renewing or replacing services.

Transition and Migration for Critical Services

For public-sector activities identified as contributing to the preservation of public order (such as national security, defence, or critical infrastructure), Article 29 requires risk assessments to determine the appropriate Union Assurance Level (2, 3, or 4). If a risk assessment conducted after the application date reveals that a currently used service does not meet the required assurance level, the authority must migrate to a compliant service.

Article 29(6) specifies that if a risk assessment requires migration to another cloud computing service, the Member State or Union entity shall migrate within a reasonable transition period that shall not exceed 12 months. This provision acknowledges that while the law is not retroactive, there is a duty to move towards compliance for critical services within a defined timeframe after the law becomes applicable. This is a prospective obligation to achieve future compliance, not a retroactive penalty for past choices. The 12-month clock starts only once the risk assessment is completed under the new regime, not from the date of the original contract.

What this means for you

For public-sector procurement officers, legal counsel, and cloud service providers, the non-retroactive nature of CADA offers clarity and a manageable timeline for adaptation.

  • No Immediate Invalidity of Current Contracts: You do not need to audit or terminate existing cloud contracts immediately. Services procured before the application date remain valid under their original terms. The law does not reach back to "fix" past decisions.
  • Plan for Future Procurement: Use the one-year transition period (from entry into force to application date) to review your upcoming procurement pipeline. Ensure that tender documents issued after the application date include the required CADA criteria, such as Union Assurance Levels and EU added-value criteria.
  • Risk Assessment Preparation: Begin conducting the risk assessments required by Article 29 now, even before the law applies. This will help you identify which services will need to be migrated once the regulation is in force, allowing you to budget and plan for the 12-month migration window if necessary.
  • Engage with Providers: Inform your current cloud providers of the upcoming regulatory changes. This encourages them to seek recognition for their services under the CADA sovereignty framework, ensuring they are ready to bid for your future contracts.

Common misconceptions

Misconception 1: CADA invalidates all non-sovereign cloud contracts immediately. Reality: CADA does not invalidate existing contracts. It sets new rules for future procurement. Existing contracts continue until their natural expiration or until a specific migration is triggered by a new risk assessment under the new rules.

Misconception 2: The law applies the day it is published. Reality: Article 48 clearly states there is a one-year delay between entry into force and the date of application. This delay is crucial for preparation and does not create immediate liability.

Misconception 3: Public bodies must migrate all services within 12 months of publication. Reality: The 12-month migration period in Article 29(6) applies only if a risk assessment after the law is applicable determines that a current service does not meet the required assurance level for public order preservation. It is not a blanket mandate for all cloud services, nor does it start from the date of publication.

Related

This is general information about a draft EU regulation, not legal advice.