CADA Migration Deadlines vs Data Act Switching Rights

Summary Under the proposed Cloud and AI Development Act (CADA), public sector bodies and Union entities that identify a need to migrate to a higher level of cloud sovereignty must complete the transition within a "reasonable transition period that shall not exceed 12 months" (Article 29(6)). This migration obligation is explicitly supported by the Data Act's provisions on switching and interoperability, which are designed to remove vendor lock-in and enable data portability. CADA does not create new switching rights but leverages existing Data Act mechanisms to ensure that the operational autonomy required by CADA's sovereignty framework can be practically achieved without disproportionate disruption to services. The 12-month deadline is a maximum cap, conditioned on technical feasibility and the availability of portability tools.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, and the Data Act (Regulation (EU) 2023/2854) are designed to function as complementary instruments within the EU's digital sovereignty architecture. While the Data Act establishes the technical and contractual rights for users to switch between cloud computing service providers, CADA establishes the strategic and sovereignty-driven obligations that may trigger such switches in the public sector. Understanding how CADA's migration deadlines relate to Data Act switching rights requires examining the interplay between CADA's risk assessment obligations, its specific migration timelines, and the Data Act's role as an enabler of those transitions.

The CADA Migration Trigger: Article 29 Risk Assessments

CADA introduces a Union cloud computing sovereignty framework comprising four assurance levels. To determine which level is appropriate for specific public sector activities, Member States and Union entities must conduct risk assessments as outlined in Article 29. These assessments identify activities that contribute to the preservation of public order, such as those in national security, defence, justice, or law enforcement, as well as sectors falling under the NIS2 Directive.

If a risk assessment concludes that a public sector body's current cloud service does not meet the required Union assurance level, a migration is required. Article 29(6) of CADA explicitly addresses the timeline for this transition. It states that where a risk assessment requires migration to another cloud computing service, the Member State or Union entity shall migrate within a "reasonable transition period that shall not exceed 12 months."

This 12-month deadline is not arbitrary; it balances the urgency of addressing public order risks with the technical complexity of migrating large-scale cloud environments. Crucially, Article 29(6) mandates that this period must take into account "technical feasibility, continuity of service and data portability requirements applicable to such migration." This phrasing directly links CADA's sovereignty goals to the practical realities of data movement, implicitly relying on the frameworks established by the Data Act. The provision acknowledges that a rigid deadline without regard for technical constraints could compromise service continuity, a core objective of the regulation.

The Data Act as the Enabler of CADA Migration

The Data Act, which entered into force in 2023, provides the legal and technical scaffolding for switching cloud providers. It introduces obligations for cloud computing service providers to enable switching, including the requirement to provide data in an interoperable format and to cooperate with new providers during the transition.

CADA's explanatory memorandum explicitly positions the Data Act as an "enabler" for the proposed regulation. The memorandum notes that while the Data Act "does not contain elements to shape up a more competitive offer of European cloud computing services," its "cloud switching and interoperability provisions... make it possible for users to embrace European cloud computing services more strongly." The Data Act is thus the mechanism that allows the strategic goals of CADA to be operationalized.

When a public sector body is compelled by Article 29 to migrate within 12 months, it will likely rely on the Data Act's switching mechanisms to execute this move. The Data Act's provisions on data portability ensure that the "data portability requirements" referenced in Article 29(6) are not just theoretical but legally enforceable rights. This means that if a cloud provider hinders the migration process or refuses to provide data in a usable format, the public sector body can invoke its rights under the Data Act to facilitate the CADA-mandated transition. Without the Data Act's portability guarantees, the 12-month CADA deadline could be impossible to meet for many complex workloads, potentially forcing Member States to seek derogations or face non-compliance.

Practical Implications of the 12-Month Window

The 12-month migration period set out in Article 29(6) is a maximum limit. The actual duration depends on the "technical feasibility" and "continuity of service." For complex, legacy systems or those with massive datasets, this period may be fully utilized. For simpler workloads, migration may occur more rapidly. The regulation requires the transition period to be "reasonable," implying that if a migration can be completed in six months, waiting for the full 12 months would be non-compliant.

The requirement to consider "data portability requirements" in Article 29(6) implies that public sector bodies must assess their ability to move data before finalizing their risk assessment conclusions or procurement strategies. If the current provider does not support the interoperability standards required by the Data Act, the migration timeline may be at risk, potentially necessitating early engagement with the provider or regulatory authorities. This creates a feedback loop where the readiness of the market (via Data Act compliance) directly influences the feasibility of the CADA timeline.

Furthermore, CADA encourages a multi-cloud strategy to enhance resilience. Article 29(9) requires Member States and Union entities to consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement. This aligns with the Data Act's goal of enabling users to combine offers from different providers. A multi-cloud approach can mitigate the risk of a single point of failure and may simplify future migrations by distributing workloads across different assurance levels, thereby reducing the complexity of any single migration event.

Interaction with Procurement and Sovereignty Levels

The migration obligation is tied to the outcome of the risk assessment. If an activity is deemed to require Union assurance level 2, 3, or 4, the public sector body must procure services that meet these criteria. Article 30 of CADA stipulates that contracting authorities whose activities are identified as contributing to public order must only procure services recognized as offering the appropriate Union assurance level.

The 12-month migration period in Article 29(6) provides a buffer for this procurement and transition process. However, it also creates pressure on the market to have sufficient sovereign cloud capacity available. CADA aims to increase this capacity through data centre acceleration zones and strategic projects, but the migration deadline remains fixed regardless of market readiness. This underscores the importance of the Data Act's switching rights: they provide a predictable, regulated pathway for moving away from non-compliant providers, even if the market for sovereign alternatives is still maturing. The Data Act ensures that the "switch" is technically possible, while CADA ensures that the "switch" is strategically necessary.

Role of National Competent Authorities and the Commission

The Commission is tasked with providing guidance on the methodology for risk assessments and may specify the Union assurance levels needed for specific activities. If the Commission concludes that a Member State's risk assessment does not adequately address public order concerns, it can adopt implementing acts to specify the required assurance levels. This could trigger new migration obligations, resetting the 12-month clock under Article 29(6).

National competent authorities, designated under Article 25 of CADA, play a key role in supervising cloud computing service providers and ensuring compliance with the sovereignty framework. While they do not directly manage the migration process for public sector bodies, their oversight of providers' compliance with Data Act switching obligations is crucial. If a provider fails to cooperate with a migration required by CADA, the competent authority can enforce penalties under both CADA and the Data Act. This dual enforcement mechanism strengthens the position of public sector bodies during the migration process.

What this means for you

For CTOs, architects, and SMEs evaluating the practical impact of CADA, the relationship between migration deadlines and Data Act switching rights has several concrete implications:

1. Audit Your Switching Readiness: If you provide cloud services to the public sector, you must ensure your services are compatible with the Data Act's switching requirements. CADA's 12-month migration window assumes that data can be ported efficiently. If your architecture relies on proprietary formats or lacks interoperability, you risk losing public sector contracts or facing enforcement actions. The Data Act's requirement for data portability is the technical foundation for meeting CADA's deadline.
2. Plan for Multi-Cloud Architectures: Public sector bodies are encouraged to adopt multi-cloud strategies to meet sovereignty requirements. As an architect, you should design systems that are not tied to a single provider's ecosystem. Containerization, open standards, and API-driven interfaces will be essential for meeting the "technical feasibility" criteria of CADA migrations. This approach reduces the friction of switching and ensures continuity of service during the transition.
3. Monitor Risk Assessment Outcomes: Keep track of the risk assessments conducted by Member States and Union entities. If your current client's activities are reclassified as requiring a higher Union assurance level, you may face a 12-month deadline to migrate their workloads. Proactive engagement with clients to understand their risk posture can help you prepare for these transitions and avoid last-minute scrambles.
4. Leverage Data Act Rights: If you are a public sector body or an SME acting as a sub-contractor, understand that your right to switch providers is reinforced by the Data Act. If a provider attempts to hinder a CADA-mandated migration, you have legal recourse. Document all data portability requests and ensure they are made in accordance with the Data Act's procedural requirements. This documentation is critical if you need to demonstrate that a delay was caused by the provider's non-compliance rather than your own lack of planning.
5. Invest in Sovereign Capabilities: For cloud providers, the CADA framework creates a new market segment for sovereign cloud services. Investing in compliance with Union assurance levels 2, 3, and 4, and demonstrating compliance with Data Act switching obligations, will be critical for competing in the public sector market. The ability to prove that you can facilitate a smooth migration within 12 months will be a key differentiator.

Common misconceptions

• Misconception: CADA creates new data portability rights.
  • Reality: CADA does not create new data portability rights. It relies on the existing framework established by the Data Act. Article 29(6) references "data portability requirements applicable to such migration," indicating that CADA assumes the Data Act's provisions are in force and applicable. CADA sets the when and why of migration; the Data Act sets the how.
• Misconception: The 12-month migration period is a minimum.
  • Reality: The 12-month period in Article 29(6) is a maximum limit ("shall not exceed 12 months"). The actual period must be reasonable and take into account technical feasibility. Migrations should be completed as quickly as possible while ensuring service continuity. Waiting until the 12-month deadline expires without a valid reason could be considered non-compliant.
• Misconception: All public sector cloud services must be migrated immediately.
  • Reality: Only services identified through a risk assessment as contributing to the preservation of public order and requiring a higher Union assurance level are subject to mandatory migration. Other public sector activities may continue to use Union assurance level 1 services, which do not trigger the same migration urgency.
• Misconception: The Data Act forces users to switch to sovereign providers.
  • Reality: The Data Act enables switching but does not mandate it. CADA provides the strategic imperative for switching in specific public sector contexts. The Data Act provides the tools; CADA provides the trigger. Without a CADA risk assessment identifying a public order risk, the Data Act alone does not compel a switch to a sovereign provider.

Official sources

• Data Act (Regulation (EU) 2023/2854)
• Data Governance Act (Regulation (EU) 2022/868)

Related

• Does CADA change the Data Act's cloud-switching deadlines?
• Why does CADA call the Data Act an 'enabler'?
• CADA for SaaS Providers: How NIS2, Data Act and Sovereignty Tiers Stack
• CADA for Cloud Providers: How it stacks with NIS2, DORA & the Data Act
• DGA vs CADA: Does Data Governance Act compliance satisfy CADA?

This is general information about a draft EU regulation, not legal advice.