Summary

As proposed in COM(2026) 502 final, the European Commission would amend the Cloud and AI Development Act's (CADA) technical annexes—covering Leadership Initiatives, sovereignty assurance levels, and audit evidence—using delegated acts rather than the full ordinary legislative procedure. This mechanism, explicitly grounded in Recital 85 and Article 45, empowers the Commission to update Annex I (Grand Challenges), Annex II (assurance criteria), and Annex III (audit evidence) to reflect rapid technological and market developments. For legal and compliance teams, this means the specific technical requirements for cloud sovereignty and audit compliance are dynamic; they can be refined by the Commission without waiting for a new law, provided the European Parliament and Council do not object within a two-month scrutiny period.

Detail

The Cloud and AI Development Act (CADA) is designed as a living framework capable of adapting to the fast-paced evolution of cloud computing and artificial intelligence. A critical feature of this design is the delegation of power to the Commission to update the Regulation's operational details. This ensures that the technical criteria for "Union assurance levels" and the scope of "Grand Challenges" remain relevant without requiring the lengthy process of amending the primary legislation through the European Parliament and the Council.

The Legal Basis: Recital 85 and Article 45

The authority for these updates is explicitly defined in Recital 85 and operationalized by Article 45 of the proposal.

Recital 85 sets out the policy rationale, stating that to "take account of technological development and maintain an efficient framework," the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission. It specifically lists the following areas for potential amendment or supplementation:

  • Amending Annex I to reflect relevant market and technological developments regarding the Cloud and AI Leadership Initiatives.
  • Amending Annex II to update the criteria for Union assurance levels.
  • Supplementing the Regulation by laying down detailed rules for the performance of audits.
  • Amending Annex III to update the evidence required for audit procedures.
  • Specifying a Union assurance level for a contracting authority.
  • Requiring an impact assessment and risk mitigation measures for private companies operating in sectors of high criticality.

Article 45 formalizes this delegation. It confirms that the power to adopt delegated acts is conferred on the Commission for an indeterminate period from the date of entry into force. Crucially, this delegation is subject to strict procedural safeguards:

  1. Consultation: Before adopting a delegated act, the Commission must consult experts designated by each Member State.
  2. Scrutiny Period: The act enters into force only if no objection is expressed by the European Parliament or the Council within two months of notification. This period may be extended by three months at the initiative of either institution.
  3. Revocation: The delegation of power may be revoked at any time by the European Parliament or the Council.

Annex I: Cloud and AI Leadership Initiatives

Annex I defines the "Grand Challenges" that guide the Cloud and AI Leadership Initiatives. These include strategic priorities such as environmental sustainability of data centres, the development of European cloud stacks, frontier AI, physical AI, and industrial AI. These challenges determine the focus of large-scale, cross-sectoral initiatives supported by the Regulation.

The Commission's power to amend Annex I is derived from Article 6(4). This provision empowers the Commission to adopt delegated acts "to amend Annex I in a manner consistent with the objectives of the Cloud and AI Leadership Initiatives set out in Article 4."

As the technological landscape shifts—for example, if a new class of AI models emerges or if energy efficiency standards for data centres are redefined—the Commission can update the specific "Grand Challenges" listed in Annex I. This allows the EU to pivot its research and innovation support (potentially drawing on Horizon Europe or the Digital Europe Programme) toward emerging priorities without the delay of a full legislative revision. For compliance officers, this implies that the strategic direction of EU-funded projects is not fixed at the moment of adoption but can be refined to match the state of the art.

Annex II: Union Assurance Levels

Annex II is the core of the sovereignty framework. It sets out the cumulative criteria that cloud computing service providers must meet to be recognized as offering Union assurance levels 1, 2, 3, or 4. These levels determine the eligibility of services for public procurement, with higher levels required for activities contributing to public order.

The Commission's power to amend Annex II is derived from Article 16(2). This article empowers the Commission to adopt delegated acts "to amend the Union assurance levels set out in Annex II and the evidence set out in Annex III."

The necessity of this power is highlighted in Article 16(3), which mandates that the Commission shall review Annex II and Annex III at least every 18 months to ensure they remain up to date with new legal or technical developments. This is critical because the criteria for higher assurance levels (2–4) involve complex technical requirements regarding data localization, personnel citizenship, and independence from third-country control. If new cybersecurity threats emerge, or if the definition of "control" by third-country entities evolves, the Commission can update the criteria to close loopholes or enhance security standards.

For cloud providers, this means the technical bar for achieving "Union assurance" is dynamic. A provider recognized today might need to adapt to updated criteria in the future to maintain their status, particularly as the Commission refines the definition of "substantial" or "high" cybersecurity certification or adjusts requirements for third-country control.

Annex III: Audit Evidence

Annex III details the specific audit evidence that auditing organizations must request from providers to assess compliance with the assurance levels in Annex II. It provides indicative examples of evidence for criteria such as Union establishment, infrastructure location, data localization, and the absence of third-country control.

The Commission's power to amend Annex III is derived from Article 21(1). This article empowers the Commission to adopt delegated acts "to amend Annex III by laying down the necessary evidence needed to assess the audit criteria under Annex II."

Additionally, Article 20(9) empowers the Commission to supplement the Regulation by laying down detailed rules on the performance of audits. This includes procedural steps, rules for auditing organizations, their technical competences, auditing methodologies, and templates for audit reports.

For compliance teams, this distinction is vital. While the high-level criteria in Annex II define what must be achieved, Annex III defines how it is proven. The Commission can update Annex III to require new types of logs, specific contractual clauses, or architectural diagrams as industry best practices evolve. This ensures that the audit process remains rigorous and aligned with current technological realities.

The Delegated Act Process vs. Legislative Change

The use of delegated acts offers a streamlined path for regulatory updates compared to the ordinary legislative procedure.

  • Ordinary Legislative Procedure: Requires a proposal from the Commission, followed by co-decision and adoption by both the European Parliament and the Council. This process is lengthy and politically complex.
  • Delegated Acts: Adopted by the Commission alone, subject only to a non-objection period by the Parliament and Council.

This mechanism allows for more agile responses to technological changes, which is essential in the cloud and AI sectors where innovation cycles are measured in months rather than years. However, the Commission cannot use this power to alter the fundamental structure of the Regulation (e.g., creating a new assurance level or removing the sovereignty framework). Such changes would require a full legislative amendment.

What this means for you

For in-house counsel, compliance officers, and public procurement teams, the delegation of power to amend CADA's annexes has several practical implications:

  1. Dynamic Compliance Obligations: Do not treat the criteria in Annexes I, II, and III as static. The Commission can update technical requirements for sovereignty assurance and audit evidence via delegated acts. You must establish a monitoring process to track the adoption of new delegated acts, particularly those amending Annex II (assurance levels) and Annex III (audit evidence), as these directly impact your certification status and procurement eligibility.
  2. Audit Readiness and Flexibility: As the Commission refines the audit evidence requirements in Annex III via delegated acts under Article 21(1) and Article 20(9), your internal audit processes and documentation practices must be adaptable. Ensure that your cloud services can generate the specific logs, contractual proofs, and architectural diagrams that may be required by updated audit rules. Relying on a "snapshot" of compliance at the time of adoption may be insufficient.
  3. Strategic Alignment for Projects: If your organization is involved in EU-funded Cloud and AI Leadership Initiatives, monitor updates to Annex I via Article 6(4). Changes to the "Grand Challenges" could affect the eligibility and focus of your projects. Aligning your R&D and innovation strategies with the updated Grand Challenges will be crucial for securing funding and support.
  4. Procurement Strategy: For public sector entities or those supplying public sector clients, updates to Annex II via Article 16(2) could change the criteria for Union assurance levels. A change in criteria could mean that services previously compliant with assurance level 3 might need additional measures to maintain that status. Proactively assess your service architecture against potential future updates to avoid non-compliance during the mandatory 18-month review cycles mentioned in Article 16(3).
  5. Engagement in Consultations: The Commission is required to consult experts designated by Member States before adopting a delegated act. While direct stakeholder consultation is not explicitly mandated in the same way as for primary legislation, engaging with national authorities and industry groups can provide early insights into potential amendments. This allows you to prepare for changes before they are formally adopted.

Common misconceptions

  • Misconception: Annex amendments require full legislative approval.
    • Reality: Amendments to Annexes I, II, and III are made through delegated acts, which are adopted by the Commission alone, subject to a non-objection period by the Parliament and Council. This is a significantly faster process than full legislative change.
  • Misconception: The Commission can change the core principles of CADA via delegated acts.
    • Reality: The Commission's power is limited to amending technical criteria, evidence requirements, and operational details. It cannot change the fundamental structure of the Regulation, such as the existence of the four assurance levels or the basic obligations of providers, without a full legislative revision.
  • Misconception: Audit rules are fixed at adoption.
    • Reality: Article 20(9) and Article 21(1) allow the Commission to update audit methodologies, evidence requirements, and templates. Compliance teams must expect these rules to evolve as auditing best practices and technological capabilities develop.
  • Misconception: Only large providers need to monitor delegated acts.
    • Reality: While SMEs have some automatic recognition for assurance level 1, all providers seeking higher assurance levels (2–4) or participating in Leadership Initiatives must comply with the updated criteria in the annexes. The delegated acts apply to all relevant market participants.

This is general information about a draft EU regulation, not legal advice.