Does CADA depend on the Data Act being fully applicable first?

Summary No, the proposed Cloud and AI Development Act (CADA) does not depend on the Data Act being fully applicable first. As proposed in COM(2026) 502 final, CADA operates as a standalone regulatory framework that complements, rather than relies upon, the Data Act. While the Data Act's switching and interoperability provisions serve as a technical "enabler" for CADA's demand-side measures—specifically facilitating the migration obligations under Article 29(6)—CADA's core sovereignty, data centre, and procurement rules apply independently of the Data Act's rollout timeline. The Commission explicitly frames the Data Act as an enabler that "opens the path" to reducing dependencies, but notes it does not "build the road" to a sovereign sector, a gap CADA is designed to fill.

Detail

The legislative architecture of CADA is designed to function autonomously, addressing specific market failures regarding cloud computing sovereignty, capacity deficits, and strategic autonomy that the Data Act does not resolve. The proposal explicitly distinguishes its objectives from those of the Data Act, clarifying that while the two instruments are consistent, they are not sequentially dependent.

The Data Act as an Enabler, Not a Precondition

The explanatory memorandum to CADA establishes the precise legal relationship between the two instruments. It states that the proposal is "consistent with the rules on switching between data processing services introduced by the Data Act." However, it crucially qualifies this consistency by noting that the Data Act "does not contain elements to shape up a more competitive offer of European cloud computing services or encourage the entry into the market of a more diverse set of cloud computing service providers."

Instead, the Data Act is described as an "enabler for the proposal." By reducing vendor lock-in and enabling multi-cloud approaches through switching rights, the Data Act creates the technical and market conditions under which users can freely choose providers. This facilitates the uptake of European cloud services, which is a primary goal of CADA. However, this relationship is functional, not conditional. CADA introduces new, binding obligations for providers (such as the Union assurance levels under Article 16) and public authorities (such as risk assessments under Article 29) that exist regardless of whether a user has exercised their right to switch under the Data Act.

The Commission's analysis confirms that the Data Act "opens the path towards a possible reduction of dependencies on non-EU providers but does not build the road towards a more sovereign and trusted EU cloud computing sector." CADA is the instrument proposed to build that road. Therefore, the existence or full operationalization of the Data Act is not a legal precondition for CADA's entry into force or its application.

Independence from Data Act Rollout

CADA establishes its own legal basis (Articles 114 and 173(3) TFEU) and its own timeline for application, entirely decoupled from the Data Act's implementation schedule. Article 48 of the CADA proposal specifies that the Regulation shall enter into force on the twentieth day following its publication and shall apply from one year after its entry into force. This timeline is independent of the Data Act's phased application dates.

Key CADA mechanisms operate without reference to the Data Act's full implementation:

• Union Assurance Levels (Title IV): The framework for recognizing cloud services at different levels of sovereignty (Levels 1–4) is self-contained. Providers must meet specific cumulative criteria in Annex II of CADA to gain recognition. This process involves conformity self-assessments (Level 1) or independent third-party audits (Levels 2–4) and does not require the Data Act's switching mechanisms to be active.
• Data Centre Deployment (Title III): The obligations for Member States to designate data centre acceleration zones (Article 10) and streamline permitting processes (Article 13) are infrastructure-focused. These measures address physical capacity and regulatory bottlenecks, unrelated to the data portability rules found in the Data Act.
• Public Procurement (Article 30): The requirement for contracting authorities to procure services with specific Union assurance levels is a standalone procurement rule. It mandates that authorities procure at least Level 1, and Level 2–4 for public-order-relevant activities, regardless of the status of data switching rights elsewhere.

Interaction with Article 29(6) Migration Obligations

The most direct point of interaction between the two laws concerns the migration of public sector workloads. Article 29(6) of CADA states:

"Where the risk assessment requires the migration to another cloud computing service, the Member State or Union entity shall migrate within a reasonable transition period that shall not exceed 12 months, taking into account technical feasibility, continuity of service and data portability requirements applicable to such migration."

Here, the Data Act plays a supportive, not a constitutive, role. The "data portability requirements applicable to such migration" referenced in Article 29(6) are bolstered by the Data Act's provisions on switching and interoperability. If the Data Act is fully applicable, public authorities have clearer, legally backed mechanisms to extract data from incumbent providers, facilitating the migration required by CADA's risk assessments.

However, the absence of full Data Act applicability does not nullify Article 29(6). The obligation to migrate exists under CADA regardless. The phrase "data portability requirements applicable to such migration" refers to applicable Union law broadly, which includes the Data Act but also encompasses existing contractual obligations, the GDPR's right to data portability, and other EU data protection rules. If the Data Act is not yet fully in force, public authorities must still migrate, relying on existing portability standards or contractual terms, while CADA's 12-month deadline remains binding. The Data Act makes the migration easier and more standardized, but it does not make the migration possible in the first place; CADA creates the mandate to migrate.

What this means for you

For in-house counsel, compliance officers, and public procurement teams, the independence of CADA from the Data Act has several critical practical implications:

1. Parallel Compliance Timelines: You must prepare for CADA's obligations (e.g., risk assessments under Article 29, procurement criteria under Article 32) on CADA's schedule, not the Data Act's. Do not delay CADA compliance efforts waiting for Data Act clarifications or full implementation. The one-year application window for CADA begins upon its entry into force, independent of other regulations.
2. Migration Planning: If your organization is a public sector body or a provider serving public sector clients, Article 29(6) imposes a hard 12-month migration window if a risk assessment dictates a change in provider. While the Data Act's switching rules will make this easier, you must assume migration is possible using current contractual and technical means. Ensure your contracts include robust data export clauses that comply with both current law and the forthcoming CADA requirements. Relying on the Data Act as a "safety net" for migration is a strategic risk; CADA's deadline is absolute.
3. Provider Assurance: Cloud providers seeking to serve the public sector must pursue recognition under CADA's Union assurance levels (Article 17). This process involves independent audits (for Levels 2–4) and conformity self-assessments (for Level 1). These requirements are distinct from the Data Act's interoperability obligations and must be met independently. A provider cannot claim that CADA recognition is delayed because the Data Act is not fully operational.
4. Risk Assessment Integration: Member States and Union entities must conduct risk assessments under Article 29 to determine which assurance level is appropriate for their activities. These assessments consider data sensitivity, criticality, and public order risks, not just data portability. Ensure your risk frameworks account for CADA's specific criteria, which go beyond the Data Act's scope. The assessment must be completed within one year of CADA's entry into force.

Common misconceptions

"CADA cannot be enforced until the Data Act is fully operational."

• Reality: CADA has its own entry-into-force and application dates. Its sovereignty framework, data centre rules, and procurement criteria are legally self-sufficient. The Data Act is a complementary tool, not a prerequisite. The Commission explicitly states the Data Act is an "enabler," not a foundation.

"Article 29(6) migration is impossible without Data Act switching rights."

• Reality: While the Data Act enhances switching capabilities, Article 29(6) mandates migration regardless. Public authorities must use existing legal and contractual mechanisms to achieve portability if the Data Act is not yet fully applicable. The 12-month deadline applies irrespective of the Data Act's status. The obligation to migrate is triggered by the CADA risk assessment, not by the availability of a specific switching mechanism.

"CADA replaces the Data Act's cloud switching rules."

• Reality: CADA and the Data Act address different problems. The Data Act focuses on consumer and business rights to switch providers and avoid lock-in. CADA focuses on strategic autonomy, sovereignty assurance, and public sector procurement. They coexist, with CADA leveraging the Data Act's market-opening effects without replacing them. The Data Act ensures you can switch; CADA ensures you must switch to a sovereign provider if public order is at risk.

"CADA is just about data localisation, so it waits for the Data Act."

• Reality: CADA is about sovereignty, which includes control, personnel, and supply chain resilience, not just data location. The Data Act addresses data portability, but CADA addresses the broader "operational autonomy" and "strategic autonomy" gaps that the Data Act does not cover.

Official sources

• GDPR (Regulation (EU) 2016/679)
• Data Act (Regulation (EU) 2023/2854)
• Data Governance Act (Regulation (EU) 2022/868)

Related

• Does the Data Act govern cloud contracts that CADA tiers depend on?
• Why does CADA call the Data Act an 'enabler'?
• CADA for SaaS Providers: How NIS2, Data Act and Sovereignty Tiers Stack
• CADA for Cloud Providers: How it stacks with NIS2, DORA & the Data Act
• DGA vs CADA: Does Data Governance Act compliance satisfy CADA?

This is general information about a draft EU regulation, not legal advice.