Summary

Under the proposed Cloud and AI Development Act (CADA), the European Commission is legally required to evaluate the Regulation's functioning four years after its entry into force, and subsequently every five years, as mandated by Article 47. This first periodic review is not a mere administrative formality; it is a substantive assessment that must pay specific attention to small and medium-sized enterprises (SMEs) and the position of new competitors. To prepare, organisations should begin documenting their compliance journey against the proposed Union Assurance Levels, establishing robust internal audit trails, and monitoring how the sovereignty framework impacts market entry for smaller players. As CADA is currently a proposal, these timelines and obligations would only apply once the Regulation is adopted and enters into force.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, represents a significant shift in the EU's regulatory approach to cloud infrastructure and AI ecosystem sovereignty. While immediate attention is often focused on implementation deadlines and the establishment of data centre acceleration zones, forward-looking legal and compliance teams must also prepare for the long-term regulatory lifecycle. Central to this lifecycle is the mandatory periodic review mechanism established in Article 47.

The Legal Basis: Article 47 and the Review Timeline

Article 47, titled "Review," serves as the statutory anchor for the Regulation's ongoing oversight. It ensures that the legislative framework remains fit for purpose as technology evolves and market dynamics shift. The text of Article 47(1) is explicit regarding the timeline:

"By [date of entry into force plus 4 years], and every 5 years thereafter, the Commission shall evaluate this Regulation, and report to the European Parliament, the Council and the European Economic and Social Committee."

This creates a rigid evaluation schedule. The first review would occur exactly four years after the Regulation enters into force (which, under Article 48, would be the 20th day following publication in the Official Journal). Subsequent reviews would follow a five-year cadence.

The output of this evaluation is significant. Article 47(2) states:

"Where appropriate, the report referred to in paragraph 1 shall be accompanied by a proposal for amendment of this Regulation."

This provision empowers the Commission to propose legislative changes based on the findings of the review. For cloud service providers, public sector bodies, and private entities in high-criticality sectors, this means that the obligations established in the initial text—such as the criteria for Union Assurance Levels in Annex II or the procurement mandates in Article 30—could be amended, tightened, or relaxed based on the evidence gathered during the review.

The Specific Mandate: SMEs and New Competitors

A defining characteristic of the CADA review mechanism is its explicit focus on market fairness and the health of the competitive landscape. Article 47(3) introduces a critical qualitative requirement for the Commission's evaluation:

"In carrying out the evaluation referred to in paragraph 1, the Commission shall take into account the positions and findings of the European Parliament, of the Council, and of other relevant bodies or sources, and shall pay specific attention to small and medium-sized enterprises and the position of new competitors."

This clause is not merely a suggestion; it is a binding instruction. It acknowledges that the compliance costs and administrative burdens associated with the sovereignty framework (e.g., independent audits for Levels 2–4, data localisation requirements) may disproportionately affect smaller market entrants compared to established hyperscalers.

The review will likely scrutinise:

  • Whether the current criteria for Union Assurance Levels create disproportionate barriers to entry for SMEs.
  • If the "Union added value" criteria in public procurement (Article 32) are effectively supporting new competitors or if they inadvertently favour incumbents.
  • Whether the administrative burden of the central repository (Article 22) and transparency obligations (Article 23) is manageable for smaller providers.

For legal teams, this implies that the first review could result in amendments specifically designed to lower the entry threshold for SMEs or simplify compliance procedures for new market players.

Scope of the Evaluation: What Will Be Assessed?

While Article 47 sets the timeline and the specific focus on SMEs, the scope of the evaluation is informed by the Regulation's broader objectives outlined in Article 1. The Commission's assessment will likely cover the effectiveness of the entire ecosystem framework, including:

  1. Sovereignty Framework Effectiveness: Whether the four Union Assurance Levels (defined in Article 16 and Annex II) successfully mitigate risks related to third-country control, as intended by the proposal.
  2. Data Centre Capacity: Progress towards the objective of tripling EU data centre capacity and the efficacy of "data centre acceleration zones" (Article 10) in streamlining permitting.
  3. Market Dynamics: The actual shift in market share from third-country providers to EU-based providers, and whether public procurement rules (Article 30) have successfully driven demand for sovereign services.
  4. Administrative Burden: The impact of reporting obligations, such as the central repository (Article 22) and the transparency requirements for providers (Article 23), on market participants.

Strategic Preparation for the First Review

Preparing for a review four years after entry into force requires a proactive, rather than reactive, approach. Organisations should treat the review period as a continuous compliance cycle.

1. Document the Compliance Journey from Day One

From the moment CADA applies, organisations must maintain a comprehensive record of their compliance activities.

  • For Cloud Providers: Document the methodology used for self-assessments (Level 1) or the preparation for independent audits (Levels 2–4). Keep records of how criteria in Annex II (e.g., personnel citizenship, data localisation) are met.
  • For Public Sector Bodies: Retain detailed records of risk assessments conducted under Article 29 and the rationale for procurement decisions under Article 30.
  • For SMEs: Specifically document any challenges faced in meeting the criteria. If the burden is disproportionate, this evidence will be crucial for the Commission's assessment under Article 47(3).

2. Monitor the Evolution of Technical Criteria

The criteria for Union Assurance Levels are technical and detailed. Article 16(2) empowers the Commission to adopt delegated acts to amend Annex II and Annex III. Before the first periodic review, the Commission may already have updated these criteria via delegated acts. Organisations should monitor these updates closely to ensure their compliance posture remains aligned with the latest technical standards.

3. Engage in Stakeholder Consultations

The review process is collaborative. The Commission will seek input from the European Parliament, the Council, and "other relevant bodies or sources" (Article 47(3)). Industry associations, SME representatives, and new market entrants should actively participate in these consultations. Providing concrete data on compliance costs and market barriers can directly influence the Commission's report and any subsequent amendment proposals.

4. Build Regulatory Agility

The CADA framework interacts with other key regulations, including the AI Act and the Data Act. Establish a cross-functional team to monitor not only CADA but also the secondary legislation (delegated and implementing acts) that fleshes out the sovereignty framework. This agility ensures that the organisation can pivot quickly if the first review leads to significant regulatory shifts.

What this means for you

For in-house counsel and compliance officers, the first periodic review under Article 47 is a strategic checkpoint that begins long before the four-year mark.

  • Audit Readiness: Ensure your internal controls are robust enough to demonstrate compliance with the sovereignty framework. This includes maintaining evidence for audit criteria set out in Annex III, such as software bills of materials (SBOMs), data flow diagrams, and proof of Union citizenship for personnel where required.
  • Resource Allocation: Budget for ongoing compliance monitoring. The review may introduce new reporting requirements or modify existing ones. Having dedicated resources to track these changes is essential.
  • Strategic Positioning for SMEs: If your organisation is an SME or a new market entrant, leverage the specific attention given to your category in Article 47(3). Document any disproportionate burdens you face and communicate them through appropriate industry channels. This can influence the outcome of the review in your favour, potentially leading to simplified compliance pathways.
  • Procurement Strategy: For public sector bodies, ensure that your procurement processes for cloud services are fully aligned with the Union Assurance Levels. The review will assess whether these procurement rules are achieving their policy goals. Any deviations or challenges encountered should be documented to inform future policy adjustments.

Common misconceptions

Misconception 1: The review is only an internal Commission exercise.

Many assume the periodic review is a closed-door administrative task. In reality, it is a collaborative process involving input from Member States, stakeholders, and the public. Your organisation's compliance data and feedback can directly influence the findings of the review and subsequent amendments.

Misconception 2: CADA is static until the review.

The CADA proposal includes provisions for delegated and implementing acts (Articles 45 and 46), which allow the Commission to update technical criteria without going through the full legislative procedure. The first periodic review under Article 47 is a separate, broader evaluation, but it works in tandem with these delegated powers. Expect the regulatory landscape to evolve continuously, not just at the four-year mark.

Misconception 3: SMEs are exempt from compliance.

While Article 47(3) highlights the need to consider the position of SMEs, it does not exempt them from compliance. On the contrary, the review will assess whether the current framework is effective for SMEs. If it is found to be overly burdensome, amendments may follow, but until then, SMEs must comply with the same core obligations as larger providers, albeit with potential simplifications in specific areas (e.g., the self-assessment route for Level 1).

Misconception 4: The review date is fixed from today.

The four-year review clock starts from the date the Regulation enters into force, not from the date of the proposal's publication. Given that CADA is currently a proposal, the exact date of the first review is not yet known. Compliance officers should set internal reminders to track the entry-into-force date once adopted, to accurately calculate the review timeline.

This is general information about a draft EU regulation, not legal advice.