Summary
No, the proposed Cloud and AI Development Act (CADA) does not alter, extend, or override the cloud-switching deadlines established by the Data Act (Regulation (EU) 2023/2854). The two regulations operate on entirely independent timetables addressing different legal triggers. The Data Act governs technical switching obligations and data portability for all market participants, while Article 29(6) of the CADA proposal establishes a separate, maximum 12-month migration window specifically for public sector bodies and Union entities required to move to higher sovereignty assurance levels. Compliance officers must track both regimes simultaneously, as they address distinct obligations: one for market freedom and portability, the other for public-order sovereignty.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, and the Data Act represent two distinct pillars of the EU's digital strategy. While both address cloud computing, their legislative intents, scopes, and operational mechanisms differ fundamentally. A critical area of confusion for legal and compliance teams is whether CADA's new sovereignty framework modifies the strict, technical switching timelines already in force under the Data Act.
The definitive answer is that CADA does not change the Data Act's switching deadlines. Instead, CADA introduces a parallel, sovereign-specific migration timeline for the public sector. These two timetables run independently, meaning an entity may be subject to both regimes at once, with different triggers and different deadlines.
The Data Act: Unchanged Switching Obligations
The Data Act is already in force and establishes a robust framework to reduce vendor lock-in and facilitate switching between data processing services. Its primary focus is on interoperability, data portability, and the removal of technical barriers that prevent customers from changing providers.
Under the Data Act, cloud computing service providers are legally obligated to assist customers in switching to another provider. This includes providing necessary tools for data transfer, ensuring interoperability, and adhering to specific response and execution timelines defined within the Act's framework. These obligations are triggered by a customer's decision to switch or terminate a contract.
CADA explicitly acknowledges the Data Act's role. The explanatory memorandum states that the proposal is "consistent with the rules on switching between data processing services introduced by the Data Act." It clarifies that while the Data Act "opens the path towards a possible reduction of dependencies on non-EU providers," it "does not build the road towards a more sovereign and trusted EU cloud computing sector." Consequently, the Data Act's technical switching deadlines remain fully applicable and unchanged for all entities within its scope, regardless of CADA's adoption. The Data Act ensures you can switch; CADA may dictate where you must switch to, but it does not rewrite the how or the when of the technical switching process itself.
CADA Article 29: The 12-Month Sovereignty Migration Window
CADA introduces a new, distinct set of timelines specifically for public sector bodies and Union entities (such as EU institutions, agencies, and bodies). These entities are required to procure cloud services that meet specific "Union assurance levels" (sovereignty tiers) to safeguard public order.
The critical provision governing migration timelines is Article 29(6) of the CADA proposal. This article addresses scenarios where a mandatory risk assessment determines that a public sector body must migrate from a cloud service with a lower assurance level to one with a higher assurance level (e.g., moving from Union Assurance Level 1 to Level 2, 3, or 4) to ensure the preservation of public order.
Article 29(6) states:
"Where the risk assessment requires the migration to another cloud computing service, the Member State or Union entity shall migrate within a reasonable transition period that shall not exceed 12 months, taking into account technical feasibility, continuity of service and data portability requirements applicable to such migration."
This provision creates a maximum 12-month window for public sector bodies to complete a migration triggered specifically by a sovereignty risk assessment. This timeline is legally distinct from the Data Act's switching timelines for three key reasons:
- Trigger: The CADA timeline is triggered by a public order risk assessment under Article 29(1), which identifies activities contributing to public order preservation (e.g., law enforcement, national security). It is not triggered by a customer's voluntary commercial decision to switch.
- Scope: It applies exclusively to Member States and Union entities procuring cloud services. The Data Act applies broadly to business-to-business (B2B) and business-to-consumer (B2C) relationships across the entire market.
- Objective: The goal of the CADA timeline is to achieve compliance with Union assurance levels (sovereignty criteria), whereas the Data Act's goal is to facilitate portability and interoperability regardless of the provider's location or ownership.
Independent Timetables and Concurrent Application
It is critical to understand that these two timetables run independently. A public sector body could theoretically be subject to both regimes simultaneously, creating a complex compliance landscape.
For example, a ministry might initiate a switch under the Data Act for commercial reasons (e.g., cost reduction or better features), which would trigger the Data Act's specific switching deadlines. Simultaneously, that same ministry might be required to migrate under Article 29(6) because a new risk assessment dictates that their current provider no longer meets the required Union Assurance Level for their public-order-relevant activities.
In such a scenario, the entity must comply with both sets of requirements. The Data Act's switching obligations (e.g., the provider's duty to assist, data portability formats) would support the technical execution of the migration. Meanwhile, Article 29(6) sets the hard deadline for completing the move to a compliant sovereign provider. The 12-month CADA window acts as the outer limit for the entire migration process, within which the technical switching steps mandated by the Data Act must be executed.
Conversely, a private company is not subject to the mandatory 12-month migration deadline in Article 29(6). If a private entity switches providers, it remains bound solely by the Data Act's switching timelines and its own contractual terms. While CADA Article 31 allows private sector entities in high-criticality sectors (listed in Annex I of the NIS2 Directive) to conduct similar impact assessments, these are currently voluntary or subject to future delegated acts. They do not carry the same mandatory 12-month migration deadline as the public sector provision.
What this means for you
For in-house counsel, compliance officers, and public procurement teams, the key takeaway is the necessity of maintaining two separate compliance calendars and understanding the interaction between them.
1. For Public Sector Bodies and Union Entities
- Monitor Risk Assessments: Under Article 29(1), Member States and Union entities must carry out risk assessments every two years (or whenever necessary). If a risk assessment identifies that your current cloud provider does not meet the required Union Assurance Level for your public order-relevant activities, you have a maximum of 12 months to migrate (Article 29(6)).
- Plan for Complexity: The 12-month window must account for "technical feasibility, continuity of service and data portability requirements." This implies that the migration plan must be robust. You cannot simply delay migration; you must demonstrate that the transition is being managed within this timeframe.
- Coordinate with Data Act Rights: Ensure that your current provider is fulfilling their Data Act switching obligations to facilitate this CADA-mandated migration. If the provider fails to assist with data portability or switching tools, you may need to enforce Data Act provisions to ensure you can meet the CADA 12-month deadline. The Data Act provides the mechanism; CADA provides the deadline.
2. For Private Sector Entities
- Data Act Compliance Remains Primary: Your switching deadlines are governed by the Data Act. CADA does not relieve you of these obligations, nor does it impose a new 12-month migration deadline on you.
- Watch for Future Delegated Acts: Article 31 allows the Commission to require impact assessments for private entities in high-criticality sectors. While no mandatory migration deadlines are currently set for the private sector in the text, future delegated acts could introduce requirements. Stay alert for Commission guidance on Article 31.
- Strategic Alignment: Even if not legally mandated to migrate within 12 months, private entities in critical sectors may face market pressure to adopt sovereign cloud services to align with public sector partners who are bound by CADA.
3. For Cloud Providers
- Dual Compliance: You must continue to comply with Data Act switching obligations for all customers. Additionally, if you aim to serve the public sector under CADA, you must be prepared for clients to migrate away from you within 12 months if you fail to meet the required Union Assurance Level.
- Penalties: Note that penalties for CADA infringements are set by Member States (Article 24) and must be "effective, proportionate and dissuasive." Penalties for Data Act infringements are set by national authorities transposing the Data Act. You face potential liability under both regimes if you fail to support a switch or if you lose a public contract due to non-compliance with sovereignty levels.
Common misconceptions
Misconception 1: CADA replaces the Data Act for cloud switching.
Fact: CADA complements the Data Act. The Data Act's switching rules remain in force. CADA adds a sovereignty layer for public procurement but does not repeal or amend the Data Act's switching deadlines. The explanatory memorandum confirms CADA is "consistent with" the Data Act.
Misconception 2: The 12-month migration window in CADA applies to all cloud users.
Fact: The 12-month deadline in Article 29(6) applies specifically to Member States and Union entities (public sector) when a risk assessment mandates a move to a higher assurance level. It does not apply to private sector switching, which remains governed by contract and the Data Act.
Misconception 3: A CADA risk assessment overrides a Data Act switching request.
Fact: They are independent. A Data Act switching request is a contractual/consumer right. A CADA risk assessment is a public order obligation. If both apply, the public sector body must ensure the Data Act switching process is completed within the 12-month CADA window if the switch is driven by sovereignty requirements.
Misconception 4: CADA sets a fixed 12-month deadline for all sovereignty migrations.
Fact: Article 29(6) states the period "shall not exceed 12 months." This is a maximum limit. The actual timeframe should be "reasonable" and depend on technical feasibility. However, authorities cannot justify delays beyond 12 months.
This is general information about a draft EU regulation, not legal advice.