Summary

Under the proposed Cloud and AI Development Act (CADA), the regulatory baseline is not fixed. The Commission holds the power to amend critical sovereignty criteria and audit evidence through delegated acts, while implementing acts will define specific procedural rules and risk-assessment methodologies. To maintain compliance, organisations must actively track the Commission's exercise of powers under Articles 45 and 46. Crucially, Annex II (Union assurance levels) and Annex III (audit evidence) are subject to a mandatory review at least every 18 months under Article 16(3), meaning the definition of a "sovereign" service can evolve significantly. Compliance officers must also monitor implementing acts regarding risk-assessment templates (Article 29(3)) and recognition procedures (Article 17(12)).

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is designed as a dynamic regulatory framework. Its core obligations, particularly those establishing the Union cloud computing sovereignty framework, are not static. The proposal explicitly empowers the European Commission to adopt delegated and implementing acts to ensure the regulation remains aligned with rapid technological and market developments. For in-house counsel and compliance officers, understanding the mechanism of these changes is as critical as understanding the baseline rules established in the main text.

The Power to Amend: Articles 45 and 46

CADA distinguishes between two distinct types of secondary legislation, each serving a different function in the regulatory ecosystem.

  • Delegated Acts (Article 45): These allow the Commission to supplement or amend non-essential elements of the regulation. Under Article 45, the Commission is empowered to adopt delegated acts to amend Annex I (Grand Challenges), Annex II (Criteria for Union Assurance Levels), and Annex III (Audit Evidence). Crucially, Article 45 also empowers the Commission to specify the Union assurance level for a contracting authority and to require impact assessments for private entities in high-criticality sectors. These acts can be adopted for an indeterminate period but are subject to revocation by the European Parliament or the Council.
  • Implementing Acts (Article 46): These ensure uniform conditions for implementation across the Union. Article 46 confers implementing powers on the Commission, particularly regarding the practical arrangements for recognition procedures, the methodology for risk assessments, and the templates to be used by Member States and Union entities. These acts are adopted in accordance with the examination procedure laid down in Regulation (EU) No 182/2011.

Reviewing the Core Criteria: Annexes II and III

The most significant operational impact for cloud providers and public sector buyers lies in the criteria for Union assurance levels. Article 16 establishes the sovereignty framework comprising four assurance levels. However, the specific technical and legal criteria for these levels are detailed in Annex II, and the evidence required to prove compliance is detailed in Annex III.

Article 16(2) explicitly states that the Commission is empowered to adopt delegated acts in accordance with Article 45 to amend the Union assurance levels set out in Annex II and the evidence set out in Annex III. Furthermore, Article 16(3) mandates that the Commission shall review Annex II and Annex III at least every 18 months to ensure they remain up to date with new legal or technical developments. This means the definition of what constitutes a "sovereign" service is subject to regular, mandatory revision. A service compliant today may not meet the amended criteria tomorrow if the Commission tightens the requirements via a delegated act.

Additionally, Article 21(1) reinforces this dynamic nature. It states that auditing organisations should assess compliance based on the audit evidence listed in Annex III, and that the Commission is empowered to amend Annex III via delegated acts to lay down the necessary evidence needed to assess the criteria under Annex II. This creates a direct link between the evolving technical standards in the annexes and the audit process itself.

Tracking Implementing Acts: Procedures and Methodologies

While delegated acts change the substance of the criteria, implementing acts change the process. Compliance officers must distinguish between these two tracks to ensure their monitoring regimes are comprehensive.

  • Risk Assessment Methodology: Article 29 requires Member States and Union entities to conduct risk assessments to determine which assurance level is appropriate for their activities. Article 29(3) specifies that the Commission shall, by means of implementing acts in accordance with Article 46(2), specify the methodology to be applied, the templates to be used, and the elements to be taken into account. Compliance officers must monitor these implementing acts to ensure their internal risk assessment templates align with the Commission's prescribed methodology.
  • Recognition Procedures: Article 17(12) allows the Commission to adopt implementing acts concerning the practical arrangements for the recognition procedures. This includes the procedural steps for a cloud provider to be recognised as offering a specific Union assurance level, ensuring a harmonised application of the framework across Member States.
  • Audit Performance: Article 20(9) empowers the Commission to adopt delegated acts to lay down rules on the performance of audits, including procedural steps, rules for auditing organisations, and templates for audit reports. While this is a delegated act, it directly impacts the operational execution of compliance.

The Legislative Process and Timelines

Understanding the timeline of these acts is vital for planning.

  • Delegated Acts: Under Article 45(6), a delegated act enters into force only if no objection is expressed by the European Parliament or the Council within a period of two months of notification. This period can be extended by three months at the initiative of either institution. Monitoring the notification date is therefore essential for planning compliance timelines, as the "clock" starts ticking immediately upon notification.
  • Implementing Acts: These are subject to the examination procedure under Article 46(2). This involves a committee of Member State representatives. Drafts are often visible in the comitology register before final adoption, providing an early warning system for upcoming procedural changes.

What this means for you

For in-house counsel and compliance officers, a passive approach to CADA compliance is insufficient. You must establish a proactive monitoring regime for secondary legislation to avoid sudden non-compliance due to regulatory updates.

  1. Set Up Comitology Alerts: Monitor the EU's comitology register for drafts related to CADA (2026/0138 COD). Look specifically for draft delegated acts amending Annex II and Annex III, and draft implementing acts related to Article 29 (risk assessments) and Article 17 (recognition procedures).
  2. Review Internal Risk Templates Quarterly: Since Article 29(3) mandates that the Commission will specify the methodology for risk assessments via implementing acts, your internal risk assessment templates must be flexible enough to incorporate these methodological updates as soon as they are published. Do not rely on static templates.
  3. Audit Evidence Readiness: Ensure your cloud providers (or your own internal processes, if you are a provider) are prepared for shifts in audit evidence requirements under Article 21(1). The evidence required to prove compliance with Annex II criteria may become more granular or technical over time, potentially requiring new documentation or technical controls.
  4. Engage with Industry Associations: The Commission often consults stakeholders before drafting delegated acts. Participation in forums like the Alliance for Industrial Data, Edge and Cloud can provide early visibility into upcoming changes to Annexes II and III, allowing for strategic preparation before the acts are formally proposed.
  5. Track the 18-Month Review Cycle: Mark your calendar for the mandatory reviews under Article 16(3). Even if no delegated act is immediately proposed, the review process itself signals a period of heightened regulatory scrutiny where changes are most likely to occur.

Common misconceptions

"The assurance level criteria are fixed." This is incorrect. As noted in Article 16(3), the criteria in Annex II are reviewed every 18 months. A service compliant today may not meet the amended criteria tomorrow if the Commission tightens the requirements via a delegated act. The framework is designed to evolve with technology.

"Only the Official Journal needs monitoring." While the Official Journal is the formal source of adoption, the Commission's expert groups and the comitology register are where drafts are often previewed. The "examination procedure" under Article 46 means that implementing acts are subject to committee scrutiny before adoption, providing a window for stakeholder feedback and early detection of changes.

"Delegated acts take effect immediately." Delegated acts under Article 45 enter into force only if no objection is expressed by the European Parliament or the Council within a period of two months of notification. This period can be extended by three months. Monitoring the notification date is therefore essential for planning compliance timelines, as there is a built-in "suspension" period for political review.

"Annex III is just a static checklist." Article 21(1) explicitly empowers the Commission to amend Annex III via delegated acts to lay down the necessary evidence needed to assess the criteria under Annex II. The evidence required to prove compliance is as dynamic as the criteria themselves.

This is general information about a draft EU regulation, not legal advice.