Summary
Phasing a multi-year compliance roadmap for the proposed Cloud and AI Development Act (CADA) requires anchoring your strategy to the staggered timeline in Article 48, which sets a one-year application delay after entry into force. The immediate priority is the designation of national competent authorities (Article 25) and data centre acceleration zones (Article 10) within the first six to twelve months. Public sector bodies and Union entities must complete their initial sovereignty risk assessments (Article 29) within one year of application, triggering a cycle of biennial reassessments and annual third-party audits for higher assurance levels. The roadmap culminates in a mandatory Commission evaluation four years after entry into force (Article 47), requiring organizations to maintain adaptive governance to accommodate potential amendments to assurance criteria.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is not a "big bang" regulation. It introduces a complex, phased framework where structural setup, risk assessment, and ongoing operational compliance occur on distinct timelines. For in-house counsel and compliance officers, constructing an accurate multi-year roadmap requires mapping the interplay between the final provisions (Articles 47 and 48) and the substantive obligations in the sovereignty and data centre chapters (Articles 10, 25, and 29).
The roadmap is a dynamic cycle, not a linear checklist. It begins with the legal activation of the Regulation, moves through the critical designation of national infrastructure and authorities, transitions into the substantive risk assessment and recognition phases, and settles into a rhythm of recurring audits and reviews.
Phase 1: Structural Setup and Authority Designation (Years 0–1)
The first phase of the roadmap is defined by the gap between "entry into force" and "application" established in Article 48. The Regulation shall enter into force on the twentieth day following its publication in the Official Journal of the European Union. However, it shall apply only from one year after that date, that is, the same day and month of the following year. This one-year grace period is the critical window for foundational preparation before any substantive obligations become legally binding on providers and public bodies.
During this pre-application window, Member States are under strict deadlines to establish the regulatory architecture. Article 25 mandates that Member States designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework. These authorities must be designated by the date of entry into force plus one year. For compliance officers representing cloud service providers, this is the time to identify which national authority will serve as the "evaluating national competent authority" for your main establishment. Establishing early dialogue with these bodies is essential, as they hold the power to recognize Union assurance levels and manage the central repository.
Simultaneously, infrastructure planning must begin. Article 10 requires Member States to designate at least one data centre acceleration zone within their territory by the date of entry into force plus six months. These zones are designed to streamline permitting and ensure sustainable deployment. If your organization operates data centres or invests in infrastructure, you must monitor these designations closely. The roadmap should include a mapping exercise to align your current or planned facilities with these zones, as they will offer access to aggregated baseline permits and single information points under Article 12. Failure to align with these zones could result in missing out on accelerated permitting processes that are otherwise unavailable.
Phase 2: Initial Risk Assessments and Assurance Recognition (Year 1)
As the Regulation becomes applicable (one year after entry into force), the focus shifts immediately to substantive compliance. The most urgent obligation for public sector bodies and Union entities is the execution of sovereignty risk assessments. Article 29 requires these entities to carry out risk assessments within one year of the Regulation's entry into force. These assessments are not optional; they are the gatekeeper for public procurement. They determine which public sector activities contribute to the preservation of public order and, consequently, which Union assurance level (1, 2, 3, or 4) is appropriate for the cloud computing services used in those activities.
For private sector entities, particularly those in high-criticality sectors listed in Annex I of the NIS2 Directive, the roadmap should include voluntary impact assessments modeled on Article 29. While the proposal does not mandate these for all private entities, the text notes that public procurement requirements often mirror private sector practices in regulated industries. Proactively conducting these assessments allows organizations to identify dependencies on third-country providers and plan migrations to sovereign services before procurement deadlines force urgent, costly changes.
Concurrently, cloud computing service providers aiming to serve the public sector must initiate the recognition process. Providers seeking Union assurance level 1 must conduct a conformity self-assessment and issue an EU statement of conformity. Providers targeting levels 2, 3, or 4 must engage auditing organizations for independent third-party audits. The roadmap must account for the procedural timelines in Article 17: a 60-day evaluation period by the national competent authority, followed by a 60-day review period by other Member States. Delays in this phase can disqualify providers from public procurement tenders, as contracting authorities are prohibited from procuring services that do not meet the required assurance level.
Phase 3: Operational Compliance and Recurring Duties (Years 2–4)
Once initial recognitions are secured and risk assessments are filed, the roadmap shifts to operational maintenance. This phase is characterized by recurring, cyclical obligations that must be embedded into annual compliance calendars.
Biennial Risk Assessments: Article 29 mandates that risk assessments be carried out "thereafter every two years, or whenever necessary." Compliance officers must schedule these biennial reviews to reassess the sensitivity, criticality, and magnitude of data processed. The "whenever necessary" clause is critical; changes in geopolitical landscapes, the enactment of new third-country laws, or shifts in service provision can trigger an immediate reassessment. The roadmap must include a trigger mechanism for these ad-hoc reviews to ensure continuous compliance.
Annual Audits and Reviews: For services recognized at Union assurance levels 2, 3, or 4, Article 20 requires audited providers to submit their audit report and associated "positive" audit opinion for review annually. This review can be conducted by the same or a different auditing organization. The roadmap must budget for these annual costs and allocate resources for the auditing organization's access to premises and data. Furthermore, Article 23 imposes transparency obligations: providers must notify the auditing organization and national competent authority "as soon as possible" of any material changes that could affect their assurance status. This creates a continuous compliance loop rather than a static annual event.
Procurement and Added Value: Throughout this phase, contracting authorities must apply Union added value criteria in public procurement, as outlined in Article 32. The roadmap should include training for procurement teams on how to evaluate tenders based on European supply chain contributions, integration of Union technologies, and innovation within the Union. Additionally, Member States must monitor procurement of innovation and report annually to the Commission, with an objective that at least 25% of relevant procurement be awarded to innovative SMEs (Article 33).
Phase 4: The Four-Year Review and Adaptive Strategy (Year 4+)
The final pillar of the multi-year roadmap is the regulatory review itself. Article 47 requires the Commission to evaluate the Regulation by the date of entry into force plus four years, and every five years thereafter. This review is not a formality; it may lead to amendments in the assurance level criteria, audit procedures, or the scope of the Cloud and AI Leadership Initiatives.
Compliance officers should treat this four-year mark as a strategic checkpoint. The Commission's evaluation will consider the positions of the European Parliament, the Council, and other relevant bodies, with specific attention to SMEs and new competitors. If the Commission proposes amendments, the roadmap must include a contingency plan for adapting to new delegated acts or implementing acts. For instance, the Commission is empowered to amend Annex II (assurance level criteria) and Annex III (audit evidence) via delegated acts. The roadmap must remain flexible enough to absorb these technical updates without disrupting core operations.
What this means for you
For in-house counsel and compliance officers, this phased approach transforms CADA from a static compliance checklist into a dynamic governance framework. You cannot simply "check the box" at Year 1 and ignore the Regulation thereafter. The recurring nature of risk assessments and audits means that sovereignty compliance becomes a permanent function of your IT and legal departments.
Specifically, you must:
- Map your authorities: Identify your national competent authority under Article 25 immediately. Your relationship with this body will define your recognition timeline for Union assurance levels.
- Integrate with procurement: Align your legal compliance roadmap with your procurement cycles. Article 29's risk assessments will dictate which services you can buy. If your risk assessment concludes that a service requires Union assurance level 3, you cannot legally procure a level 1 service for that activity.
- Budget for audits: Unlike self-declared compliance for level 1, levels 2–4 require independent audits. Factor these annual costs into your operational budget from Year 1, as the audit reports must be reviewed annually under Article 20.
- Prepare for migration: If your current providers do not meet the required assurance levels, Article 29(6) allows for a reasonable transition period not exceeding 12 months to migrate to compliant services. Your roadmap must include a migration strategy for any non-compliant critical services identified in the initial risk assessment.
Common misconceptions
Misconception 1: CADA applies only to cloud providers. While cloud providers bear the burden of recognition and auditing, the obligations on public sector bodies and Union entities are equally stringent. Article 29 places the onus on these entities to determine what level of sovereignty is required. Failure to conduct these risk assessments is an infringement of the Regulation, regardless of whether the provider is compliant.
Misconception 2: Risk assessments are a one-time event. Article 29 explicitly states that assessments must be carried out "every two years, or whenever necessary." Many organizations plan for a single assessment at the start of the Regulation's application. This is incorrect. Geopolitical shifts, changes in data sensitivity, or modifications to service architecture can trigger an immediate reassessment.
Misconception 3: The four-year review resets the clock. The review under Article 47 evaluates the functioning of the Regulation and may propose amendments. It does not reset the compliance clock for individual entities. Your annual audits and biennial risk assessments continue uninterrupted. The review may, however, change the criteria you are assessed against, necessitating updates to your compliance programs.
Misconception 4: SMEs are exempt from sovereignty requirements. While the proposal provides some derogations for SMEs in the recognition process (e.g., automatic recognition of EU statements of conformity for level 1), they are not exempt from the underlying criteria. If an SME provides services to the public sector, it must still meet the assurance level requirements. The roadmap must account for these specific SME pathways to avoid unnecessary administrative burdens.
This is general information about a draft EU regulation, not legal advice.