Summary As proposed, the Cloud and AI Development Act (CADA) would provide Croatian data centre operators and cloud providers with accelerated permitting timelines, streamlined administrative support through Single Information Points, and access to a harmonised EU-wide sovereignty recognition framework. By designating data centre acceleration zones and treating projects within them as strategic, CADA aims to reduce permitting times to a maximum of 12 months while offering a clear pathway for providers to gain Union assurance levels and enter a central EU repository.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a comprehensive regulatory framework designed to strengthen the European cloud and AI ecosystem. For operators in Croatia, the proposal targets two primary bottlenecks: the slow, fragmented deployment of physical infrastructure and the lack of a unified trust framework for cloud services. The Act would operate on two parallel tracks: accelerating the physical build-out of data centres and creating a market for "sovereign" cloud services that Croatian providers could dominate.

Accelerated Deployment via Acceleration Zones and Single Information Points

Under CADA, Member States, including Croatia, would be required to designate "data centre acceleration zones" (acceleration zones) where data centre capacity is being deployed (Article 10). These zones are not merely geographic designations; they trigger a specific set of facilitative measures intended to remove regulatory friction and ensure balanced geographic deployment across the Union.

Aggregated Baseline Permits A key mechanism for speeding up deployment is the introduction of the "aggregated baseline permit." Under Article 13(2), Member States must prepare and issue an aggregated baseline permit for each designated acceleration zone. This permit covers the standard permits and administrative authorisations required for data centre projects located within that zone, excluding only installation-specific permits. By conducting environmental assessments and planning procedures at the zone level beforehand, operators avoid repeating these steps for every individual facility. Consequently, data centres deployed in these zones are only required to obtain additional permits for activities falling outside the scope of the aggregated baseline permit (Article 13(4)).

Strategic Project Status Data centre projects deployed in acceleration zones are automatically considered "strategic projects" within the meaning of the forthcoming Regulation on speeding-up environmental assessments (Article 13(1)). This status grants them access to a dedicated toolbox for accelerated environmental assessments, further reducing the time required for regulatory compliance. This designation is critical for projects that significantly contribute to the Union's digital and energy sectors, allowing them to benefit from streamlined procedures that would otherwise be unavailable.

Single Information Points To assist operators throughout the entire lifecycle of a data centre project, Article 12 mandates the designation of one or more "single information points" (SIPs) by Member States. Croatian operators would have the right, upon request, to be assisted by an SIP with respect to all authorisations required for deployment. The role of the SIP includes coordinating, facilitating, monitoring, and sharing information on procedures related to:

  • Spatial planning and building permits;
  • Environmental assessments, in accordance with the Regulation on speeding-up environmental assessments;
  • Authorisations regarding water abstraction, wastewater discharge, and heat utilisation;
  • Compliance with administrative and reporting obligations;
  • Applications for connection to electricity, heat, or communications networks.

Article 12(4) explicitly requires SIPs to pay particular attention to SMEs, establishing dedicated channels for communication to provide guidance and respond to queries. This centralised support aims to replace the current fragmented approach where operators must navigate multiple disparate authorities.

Faster Permitting Timelines The proposal sets a strict deadline for administrative processing. Article 13(5) states that the permit-granting procedure for data centre projects deployed in acceleration zones shall not exceed 12 months from the moment a comprehensive application has been submitted. While Member States may set shorter time limits, this 12-month cap provides a clear regulatory certainty for investors and operators planning deployments in Croatia. This timeline is a significant departure from the often protracted permitting processes currently experienced in many Member States.

Sovereignty Framework and Market Access

Beyond physical infrastructure, CADA establishes a "Union cloud computing sovereignty framework" to address dependencies on non-European providers and enhance trust in European services (Article 16). This framework consists of four "Union assurance levels" (Levels 1 to 4), each with specific criteria regarding data localisation, personnel citizenship, cybersecurity certification, and freedom from third-country control.

Recognition and the Central Repository Croatian cloud providers can apply for recognition under this framework by submitting an application to the national competent authority of their establishment (Article 17).

  • Level 1: Requires a conformity self-assessment and an EU statement of conformity.
  • Levels 2, 3, and 4: Require independent third-party audits and a "positive" audit opinion.

Once recognised, the national competent authority registers the service in a "central repository" established and maintained by the European Commission (Article 22). This repository is publicly available and serves as a single source of truth for public sector buyers across the EU. Inclusion in this repository is a prerequisite for participating in public procurement procedures that require sovereign cloud services.

Public Procurement Opportunities CADA mandates that contracting authorities in Member States procure cloud computing services that have been recognised under the sovereignty framework. Article 30(2) states that public sector bodies whose activities have not been identified as contributing to the preservation of public order must use services recognised at Union assurance level 1. For activities identified as contributing to public order (e.g., national security, justice), authorities must procure services recognised at levels 2, 3, or 4 (Article 30(3)). This creates a guaranteed demand pool for Croatian providers who achieve the necessary assurance levels.

What this means for you

For Croatian data centre operators and cloud providers, CADA represents a shift from navigating fragmented national rules to operating within a harmonised, accelerated EU-wide framework.

For Data Centre Operators:

  1. Plan for Acceleration Zones: Engage early with Croatian authorities to identify or influence the designation of data centre acceleration zones. Deploying within these zones unlocks the aggregated baseline permit and the 12-month permitting cap.
  2. Leverage the Single Information Point: Utilise the SIP as your primary liaison for all regulatory interactions. This reduces administrative burden and ensures consistent information flow across planning, environmental, and connectivity authorities.
  3. Prepare for Strategic Status: Ensure your project documentation aligns with the criteria for strategic projects to benefit from accelerated environmental assessments.

For Cloud Providers:

  1. Assess Your Sovereignty Level: Evaluate your service against the criteria in Annex II of CADA. Determine whether you can meet the requirements for Level 1 (self-assessment) or Levels 2-4 (independent audit). Key factors include data residency within the EU, personnel location, and cybersecurity certifications.
  2. Pursue Recognition: Submit your application for recognition to the Croatian national competent authority. Gaining recognition allows you to be listed in the central repository, making you eligible for EU-wide public procurement.
  3. Target Public Sector Contracts: Align your sales strategy with the new procurement rules. Public authorities in Croatia and across the EU will be required to source from recognised providers, creating a significant market opportunity for compliant local players.

Common misconceptions

Misconception 1: All data centre projects in Croatia will benefit from the 12-month permitting cap. Reality: The 12-month cap applies specifically to projects deployed in designated data centre acceleration zones (Article 13(5)). Projects outside these zones may still be subject to longer, traditional permitting timelines unless national law provides otherwise.

Misconception 2: The Single Information Point (SIP) grants permits automatically. Reality: The SIP facilitates and coordinates the process (Article 12(2)), but it does not issue permits itself. It assists in navigating the various authorisations required from different authorities, but the actual approval still depends on meeting the substantive legal and technical requirements.

Misconception 3: Recognition under CADA is optional for public sector contracts. Reality: For public procurement, recognition is mandatory. Article 30(2) and (3) explicitly require contracting authorities to procure services that have been recognised as offering the appropriate Union assurance level. Non-recognised services cannot be procured for these activities, except in very limited, exceptional circumstances defined in Article 30(4).

Misconception 4: CADA replaces the AI Act or GDPR. Reality: CADA complements existing laws. It does not replace the AI Act's rules on high-risk systems or the GDPR's data protection requirements. Instead, it adds a layer of sovereignty and infrastructure deployment rules. Providers must comply with all applicable regulations simultaneously.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.