Does CADA give the Commission too much power through delegated acts?

Summary As proposed, the Cloud and AI Development Act (CADA) does not grant the European Commission unlimited legislative power; instead, it delegates authority strictly for non-essential, technical updates under Article 290 TFEU, subject to rigorous parliamentary and council scrutiny. While critics may argue this centralizes technical rule-making, Article 45 of the CADA proposal embeds explicit safeguards, including a defined scope, mandatory expert consultations, and the right for the European Parliament and Council to revoke the delegation at any time. For in-house counsel, this structure means that while the core legal obligations—such as the existence of the sovereignty framework and mandatory risk assessments—remain stable, the technical criteria for compliance (e.g., specific audit evidence or assurance-level criteria) will evolve through a transparent, politically accountable process.

Detail

The concern that the CADA proposal grants the European Commission excessive legislative power through delegated acts is a common critique of complex technical regulations. However, a close reading of the CADA proposal (COM(2026) 502 final) reveals that the delegation of power is tightly constrained by EU constitutional law and specific procedural safeguards designed to ensure democratic accountability. The proposal does not allow the Commission to rewrite the law; it empowers the Commission only to update technical details that require agility in a fast-moving sector.

The Constitutional Constraint: Article 290 TFEU

The legal basis for any delegated act in the EU is Article 290 of the Treaty on the Functioning of the European Union (TFEU). This article establishes a fundamental boundary: the European Parliament and the Council may delegate to the Commission the power to adopt non-legislative acts of general application to supplement or amend certain non-essential elements of a legislative act.

Crucially, the TFEU mandates that the legislative act (in this case, the CADA Regulation) must explicitly define the objectives, content, scope, and duration of the delegation. It must also specify which non-essential elements are delegated. The CADA proposal adheres to this by limiting the Commission's power to specific, technical annexes and criteria, leaving the essential political choices—such as the existence of the sovereignty framework, the four assurance levels, and the mandatory risk assessments for public procurement—to the elected legislators.

Specific Limits in Article 45

Article 45 of the CADA proposal, titled "Exercise of the delegation," codifies these constitutional constraints into operational rules. It outlines the mechanisms by which the Commission may adopt delegated acts and, more importantly, the checks and balances that apply to them.

1. Scope of Delegation: Only Non-Essential Elements Article 45(2) specifies that the power to adopt delegated acts is conferred on the Commission for an indeterminate period from the date of entry into force. However, this power is strictly limited to the specific articles referenced in the text. The Commission cannot act outside this list. The delegated powers are:

• Article 6(4): Amending Annex I (Grand Challenges) to reflect relevant market and technological developments regarding the Cloud and AI Leadership Initiatives.
• Article 16(2): Amending Annex II (Union Assurance Levels criteria) and Annex III (Audit Evidence) to keep them up to date with new legal or technical developments.
• Article 20(9): Laying down detailed rules for the performance of audits, including procedural steps, rules for auditing organisations, technical competences, and templates for audit reports.
• Article 21(1): Amending Annex III to specify the necessary evidence needed to assess the audit criteria under Annex II.
• Article 31(3): Specifying the need for impact assessments and risk mitigation measures for private companies operating in sectors of high criticality.

This list is exhaustive. The Commission cannot adopt delegated acts on matters outside these specific references. For example, the Commission cannot use a delegated act to change the fundamental requirement for public sector bodies to conduct risk assessments (Article 29) or to alter the definition of a cloud computing service (Article 2). These remain fixed in the enacting terms of the Regulation.

2. Revocation Power: The Ultimate Check Article 45(3) provides the ultimate check on Commission power: "The delegation of power... may be revoked at any time by the European Parliament or by the Council." This means that if either legislative body believes the Commission is overstepping its mandate or misusing its delegated authority, it can instantly terminate the Commission's ability to issue further delegated acts. A decision to revoke takes effect the day following its publication in the Official Journal, though it does not affect the validity of delegated acts already in force. This ensures that the political masters retain control over their delegate.

3. Consultation and Transparency Article 45(4) mandates that before adopting a delegated act, the Commission must consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making. This ensures that national technical expertise is integrated into the rule-making process before it becomes law.

Furthermore, Article 45(5) requires that as soon as a delegated act is adopted, the Commission must notify it simultaneously to the European Parliament and the Council. This triggers the scrutiny period.

4. The Objection Period: A "Negative Veto" Article 45(6) sets out the mechanism for parliamentary and council oversight. A delegated act enters into force only if no objection is expressed by either the European Parliament or the Council within a period of two months from notification. This period can be extended by three months at the initiative of either body. This "negative veto" power means the Commission cannot unilaterally impose technical rules; it must secure the tacit approval of the elected legislators. If either body objects, the act does not enter into force.

Balancing Technical Flexibility with Accountability

Recital 85 of the CADA explanatory memorandum justifies these delegated powers by highlighting the need for the framework to remain efficient and responsive to technological development. The recital notes that the Commission needs the power to:

• Amend Annex I to reflect relevant market and technological developments regarding the Cloud and AI Leadership Initiatives.
• Amend Annex II to update the criteria for Union assurance levels.
• Supplement the Regulation by laying down detailed rules for the performance of audits.
• Amend Annex III (audit evidence).
• Specify Union assurance levels for contracting authorities.
• Require impact assessments for private companies in high-criticality sectors.

The rationale is that cloud and AI technologies evolve faster than the standard legislative procedure (which can take two to three years). If the CADA were to hard-code specific technical standards (e.g., specific encryption protocols, specific audit methodologies, or specific KPIs for data centres) into the main text, the law would be obsolete before it entered into force. Delegated acts allow for necessary technical updates without requiring a full re-legislation of the entire framework.

However, this flexibility is balanced against accountability. The Commission cannot change the principles of the sovereignty framework. It can only update the criteria used to measure compliance with those principles. For instance, the principle that public sector bodies must procure from recognized providers (Article 30) is fixed. The Commission can, via delegated acts under Article 16(2), update the technical criteria in Annex II that define what "recognized" means in terms of cybersecurity certificates or data localization proofs. This ensures that the political decision to protect public order remains with the legislators, while the technical implementation remains adaptable.

Implications for Compliance and Enforcement

For in-house counsel and compliance officers, the structure of Article 45 has practical implications. The core obligations—such as the requirement to submit an application for recognition to the national competent authority (Article 17) or to undergo independent audits for assurance levels 2-4 (Article 20)—are stable. However, the specific evidence required for those audits (Annex III) and the detailed procedural rules for auditing organizations (Article 20(9)) are subject to change via delegated acts.

This means compliance programs must be designed to be modular. Organizations should not hard-code compliance checks against a static version of Annex II or Annex III. Instead, they must monitor the adoption of delegated acts, which will be published in the Official Journal and notified to the Parliament and Council. The two-month objection period provides a window for stakeholders to lobby against technically flawed or overly burdensome delegated acts before they enter into force.

What this means for you

For legal and compliance teams, the delegation of power under Article 45 is not a threat to legal certainty but a mechanism for maintaining it in a dynamic market. However, it requires proactive monitoring.

1. Monitor the Official Journal: You must track the publication of delegated acts amending Annexes I, II, and III. These acts will not be subject to the full ordinary legislative procedure but will enter into force if no objection is raised within two months (extendable by three months) under Article 45(6).
2. Engage During the Consultation Phase: Article 45(4) requires the Commission to consult experts designated by Member States. If you are part of a trade association or industry group, ensure your technical experts are engaged in these consultations. This is the most effective time to influence the technical details of audit criteria and assurance levels.
3. Design Flexible Compliance Frameworks: Since the Commission can amend the audit evidence requirements (Article 21(1)) and the criteria for Union assurance levels (Article 16(2)), your internal compliance policies should reference the Regulation and its Annexes as living documents, not static texts. Regularly review updates to Annex II and Annex III to ensure your audit preparations remain aligned with the latest delegated acts.
4. Understand the Limits: Know that the Commission cannot change the fundamental structure of the law via delegated acts. For example, it cannot remove the requirement for public sector risk assessments (Article 29) or change the definition of a cloud computing service. If you face a regulatory change that alters these core elements, it will be through a full legislative amendment, not a delegated act, giving you a longer lead time and broader public debate.

Common misconceptions

Misconception 1: The Commission can change the law unilaterally. Correction: No. Under Article 45(6), a delegated act does not enter into force unless the European Parliament and the Council raise no objections within two months. Either body can block the act. Furthermore, under Article 45(3), either body can revoke the delegation entirely at any time.

Misconception 2: Delegated acts allow the Commission to alter essential political choices. Correction: Article 290 TFEU prohibits the delegation of essential elements. The CADA proposal strictly limits delegated acts to non-essential, technical elements such as updating annexes on grand challenges, assurance criteria, and audit evidence. The core obligations, such as the mandatory use of recognized services for public procurement (Article 30), remain fixed in the enacting terms.

Misconception 3: There is no oversight of the Commission's technical rule-making. Correction: Article 45(4) mandates consultation with Member State experts before adoption. Additionally, the transparency requirement in Article 45(5) ensures simultaneous notification to the Parliament and Council, enabling immediate scrutiny. The revocation power in Article 45(3) serves as a permanent check on abuse of power.

Misconception 4: Delegated acts are permanent and unchangeable by legislators. Correction: The delegation is for an indeterminate period, but it is not irreversible. The European Parliament and the Council retain the right to revoke the delegation at any time under Article 45(3). This ensures that the Commission's power is always subject to political control.

Related

• Which parts of CADA can the Commission change through delegated acts?
• CADA Delegated Acts: How Long Does the Commission Keep Its Power?
• CADA Delegated & Implementing Acts: What the Commission Decides Later
• Who does the Commission consult before adopting a CADA delegated act?
• CADA Delegated Acts: The Article 45 Procedure Explained

This is general information about a draft EU regulation, not legal advice.