Summary No, revoking a delegated power under the proposed Cloud and AI Development Act (CADA) does not invalidate delegated acts that were already adopted and are in force. As explicitly stated in Article 45(3) of the CADA proposal (COM(2026) 502 final), a decision to revoke the delegation "shall not affect the validity of any delegated acts already in force." Revocation is strictly prospective: it terminates the European Commission's authority to adopt new delegated acts or amend existing ones from the date of revocation onward, but the legal status of measures adopted prior to that date remains preserved. This mechanism ensures regulatory stability for the cloud and AI ecosystem, preventing a legal vacuum even if the legislative co-legislators withdraw the Commission's rule-making mandate.

Detail

The Cloud and AI Development Act (CADA), currently a proposal (COM(2026) 502 final), establishes a dynamic regulatory framework for the EU's cloud and AI ecosystem. Given the rapid pace of technological change in cloud infrastructure, AI models, and cybersecurity standards, the Regulation relies heavily on delegated acts to update technical criteria without requiring a full legislative procedure for every minor adjustment. However, to maintain democratic oversight, the Treaty on the Functioning of the European Union (TFEU) and CADA itself empower the European Parliament (EP) and the Council to revoke these delegated powers.

The Legal Basis: Article 45(3) of CADA

The core of this mechanism is found in Article 45, titled "Exercise of the delegation." While Article 45(2) establishes the duration of the delegation (indeterminate from the date of entry into force), Article 45(3) specifically addresses the revocation process and its legal consequences.

The text of Article 45(3) states:

"The delegation of power referred to in Article 6(4), Article 16(2), Article 20(9), Article 21(1), and Article 31(3) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force."

This provision contains three critical legal components:

  1. The Authority to Revoke: The power to revoke lies exclusively with the European Parliament or the Council. The Commission cannot revoke its own delegation.
  2. The Timing of Effect: The revocation takes effect the day following publication in the Official Journal (or a later date specified in the decision).
  3. The Preservation of Validity: The explicit clause "It shall not affect the validity of any delegated acts already in force" creates a "grandfathering" effect for existing rules.

Scope of Delegated Powers Subject to Revocation

The revocation mechanism applies to specific, high-impact areas where the Commission is empowered to update technical annexes or rules. Under Article 45(2), the delegation covers:

  • Article 6(4): Amending Annex I (Grand Challenges) to reflect relevant market and technological developments regarding the Cloud and AI Leadership Initiatives.
  • Article 16(2): Amending the Union assurance levels set out in Annex II and the evidence set out in Annex III (critical for the cloud sovereignty framework).
  • Article 20(9): Laying down detailed rules on the performance of audits, including procedural steps and templates for audit reports.
  • Article 21(1): Amending Annex III to specify the necessary evidence needed to assess audit criteria.
  • Article 31(3): Specifying the need for impact assessments and risk mitigation measures for private companies operating in sectors of high criticality.

If the EP or Council revokes the delegation for any of these specific articles, the Commission immediately loses the ability to update the corresponding annexes or rules.

Prospective vs. Retrospective Effect

The distinction between prospective and retrospective effect is the cornerstone of legal certainty in CADA.

Prospective Effect (The Future): Once the revocation decision takes effect, the Commission is stripped of the authority to:

  • Adopt new delegated acts in the specified areas.
  • Amend or repeal existing delegated acts via the delegated procedure.
  • Update technical criteria (e.g., changing the cybersecurity assurance level requirements in Annex II) without a new legislative act.

Retrospective Effect (The Past): Crucially, the revocation has no retrospective effect on acts already adopted. As Article 45(3) mandates, any delegated act that was validly adopted before the revocation date remains legally binding.

  • Example: If the Commission adopted a delegated act on 1 January 2027 updating the audit evidence requirements for Union Assurance Level 3, and the EP revokes the delegation on 1 June 2027, the 1 January act remains in full force. Cloud providers must continue to comply with the updated evidence requirements. The revocation simply means the Commission cannot issue a further update on 1 July 2027 to change those requirements again.

This aligns with general EU legal principles regarding the non-retroactivity of legislation. The legislative co-legislators (EP and Council) can stop the process of rule-making, but they cannot retroactively erase the results of that process that were already law.

Who Can Revoke and How?

Under Article 45(3), the power to revoke is a political check held by the European Parliament or the Council.

  • Timing: They may revoke the delegation "at any time." This provides a continuous safeguard against executive overreach.
  • Procedure: The revocation is enacted via a formal decision. This decision must be published in the Official Journal of the European Union to take effect (unless a later date is specified).
  • Distinction from Objection: It is vital to distinguish revocation from objection.
    • Objection (Article 45(6)): The EP or Council can object to a specific delegated act within two months of notification (extendable by three months). If objected to, that specific act does not enter into force.
    • Revocation (Article 45(3)): This targets the power itself. It stops the Commission from making any further acts in that domain. It is a systemic action, not a reactive one to a single text.

Implications for Regulatory Stability

The explicit preservation of validity in Article 45(3) is a deliberate design choice to prevent regulatory chaos. The cloud and AI sectors rely on precise, up-to-date technical standards (e.g., for cybersecurity certification or audit evidence). If revocation were to invalidate past acts, it would create an immediate legal vacuum:

  • Providers would no longer know which technical standards to follow.
  • National competent authorities would lose their enforcement basis for existing certifications.
  • Public procurement under Article 30 (requiring specific assurance levels) would become legally ambiguous.

By ensuring that "delegated acts already in force" remain valid, CADA guarantees that even if political consensus for future updates collapses, the existing technical framework continues to operate. The only way to remove an existing delegated act after a revocation would be through a full legislative amendment of the Regulation itself, a much higher threshold than the delegated procedure.

What this means for you

For in-house counsel, compliance officers, and legal teams, understanding the prospective nature of revocation is essential for risk management and long-term planning.

1. Compliance Continuity is Guaranteed

If the European Parliament or Council revokes the Commission's delegated power under CADA, your obligation to comply with delegated acts already in force does not disappear.

  • Action: Continue to adhere to all technical criteria, audit methodologies, and assurance level requirements that were adopted prior to the revocation date.
  • Risk: Assuming that a revocation "wipes the slate clean" is a critical error. The legal baseline is frozen at the moment of revocation, not erased.

2. Monitoring the Political Climate

While revocation is a rare and extreme measure, it signals a significant shift in EU policy.

  • Action: Monitor not just the adoption of new delegated acts, but also the political discourse in the EP and Council regarding the Commission's rule-making powers.
  • Implication: A revocation suggests the legislature may intend to address the matter through a full legislative amendment (a slower, more rigid process) rather than delegated acts. This could lead to a period of regulatory stagnation where technical criteria become outdated relative to technological advancements.

3. Impact on the Sovereignty Framework

The cloud sovereignty framework (Title IV) relies heavily on delegated acts to update Annex II (criteria for Union assurance levels) and Annex III (audit evidence) under Article 16(2) and Article 21(1).

  • Action: If the delegation for these articles is revoked, the criteria for sovereign cloud certification become static.
  • Strategy: Compliance officers should anticipate that the current criteria will remain valid indefinitely unless the Regulation itself is amended. This reduces the risk of frequent changes but increases the risk of the framework becoming technologically obsolete.

4. No Retroactive Liability or Exemption

  • Liability: Providers cannot be held liable for failing to comply with delegated acts that were not yet in force at the time of revocation (as the Commission could not adopt them).
  • Exemption: Conversely, providers cannot claim exemption from acts that were in force. The legal obligations remain binding.

Common misconceptions

Misconception 1: Revocation voids all Commission actions in that area. Correction: Revocation only prevents future actions. Article 45(3) explicitly preserves the validity of acts already in force. The past legal acts remain binding and enforceable.

Misconception 2: Revocation is the same as objecting to a specific act. Correction: Objection (Article 45(6)) targets a specific delegated act, preventing it from entering into force. Revocation (Article 45(3)) targets the power itself, stopping all future acts in that domain. Objection is reactive to a specific text; revocation is a systemic removal of authority.

Misconception 3: The Commission can revoke its own delegated powers. Correction: Only the European Parliament or the Council can revoke the delegation. The Commission exercises the power but does not control its own revocation. This ensures democratic oversight and prevents the executive from unilaterally limiting its own accountability.

Misconception 4: Revocation creates an immediate legal vacuum. Correction: Because existing acts remain valid, there is no vacuum. The existing delegated acts continue to govern the sector until and unless they are formally repealed or amended by a new legislative act (which would require a full legislative procedure, not a delegated act).

Related

This is general information about a draft EU regulation, not legal advice.