How CADA helps cloud and data centre operators in Cyprus

Summary The proposed Cloud and AI Development Act (CADA) would significantly benefit cloud and data centre operators in Cyprus by creating a streamlined regulatory environment for infrastructure and opening new markets for sovereign services. Under the proposal, Cyprus would be required to designate data centre acceleration zones where projects benefit from an aggregated baseline permit and a strict 12-month maximum permitting timeline. Operators would receive dedicated support throughout the project lifecycle via single information points. Furthermore, Cypriot cloud providers could seek formal recognition under the EU's Union cloud computing sovereignty framework, gaining entry into a central repository that enhances their competitiveness for public sector contracts across the Union, as procurement rules would mandate the use of recognised services.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), aims to strengthen Europe's cloud and AI ecosystem by addressing capacity shortages and reducing dependence on non-European providers. For operators in Cyprus, a Member State with growing digital infrastructure ambitions, the proposal introduces specific mechanisms to accelerate deployment and enhance market access. The benefits for Cypriot operators fall into two primary categories: simplified physical deployment of data centres through harmonised permitting, and enhanced commercial opportunities through the Union's sovereignty framework.

Accelerated Deployment via Acceleration Zones

A central pillar of CADA is the establishment of data centre acceleration zones. Under Article 10, Member States, including Cyprus, are required to designate at least one data centre acceleration zone within their territory where data centre capacity is being deployed. When designating these zones, Member States must consider factors such as available power grid capacity, network connectivity, and environmental sustainability. For operators, this designation signals government commitment to supporting infrastructure growth in specific areas, providing greater regulatory predictability.

Once a project is located within an acceleration zone, it benefits from streamlined administrative processes. Article 13 establishes that data centre projects deployed in these zones are considered strategic projects within the meaning of the Regulation on speeding-up environmental assessments. This classification grants them access to a dedicated toolbox for speeding up evaluations. Crucially, Article 13(2) requires Member States to prepare and issue an "aggregated baseline permit" for each designated acceleration zone. This permit covers the permits and administrative authorisations commonly required for data centre projects within that zone, excluding only installation-specific permits. This mechanism is designed to eliminate redundant administrative hurdles, allowing operators to focus on project-specific requirements rather than navigating fragmented local permitting processes.

Furthermore, Article 13(5) mandates that administrative applications related to the planning, construction, and operation of data centres in acceleration zones must be processed efficiently. The permit-granting procedure for these projects must not exceed 12 months from the submission of a comprehensive application. This strict timeline provides Cypriot operators with a clear expectation of regulatory lead times, reducing uncertainty and potential delays that often plague large-scale infrastructure projects. The proposal also notes that where such a status exists in national law, data centre projects shall be allocated the status of highest national significance possible.

Single Information Point Support

To further facilitate deployment, Article 12 introduces the requirement for Member States to designate single information points (SIPs) for data centre operators. These SIPs are designed to assist operators throughout the entire lifecycle of a data centre project in an acceleration zone. The role of the SIP includes coordinating and facilitating procedures related to spatial planning, building permits, environmental assessments, and network connections.

For operators in Cyprus, this means having a dedicated entry point for administrative support. Article 12(2) specifies that the SIP can help with applications for connection to electricity, heat, or communications networks, as well as providing information to the public to increase acceptance of data centre projects. The SIP is also tasked with assisting in assessing whether a data centre project may qualify as a strategic project under Article 14, which can unlock additional support measures. This centralized support structure reduces the administrative burden on operators, particularly small and medium-sized enterprises (SMEs), by providing clear guidance and coordinating interactions with various public authorities.

Sovereignty Framework and Market Access

Beyond physical deployment, CADA introduces a Union cloud computing sovereignty framework designed to mitigate risks associated with dependence on third-country providers. This framework, outlined in Article 16, establishes four Union assurance levels. Cloud computing service providers, including those based in Cyprus, can apply for recognition at these levels to demonstrate their compliance with specific sovereignty criteria.

For Cypriot cloud providers, achieving recognition under this framework offers significant competitive advantages. Article 17 sets out the mechanism for recognition, where providers submit an application to the national competent authority of establishment. Once recognised, a provider's service is listed in a central repository maintained by the Commission, as per Article 22. This repository is publicly available and serves as a trusted source of information for public sector buyers across the EU.

Being listed in the central repository is particularly valuable because public procurement rules under CADA mandate the use of recognised services. Article 30 requires contracting authorities to procure cloud computing services that have been recognised under Article 17. For activities contributing to the preservation of public order, authorities must procure services recognised at Union assurance levels 2, 3, or 4. Even for non-critical activities, a minimum of Union assurance level 1 is required. This creates a structured demand for sovereign cloud services, providing Cypriot providers with a clear pathway to compete for EU-wide public sector contracts. The proposal also encourages the use of open-source solutions and European technologies, providing opportunities for Cypriot providers to integrate these elements into their offerings.

What this means for you

For cloud service providers and data centre operators in Cyprus, CADA presents both operational efficiencies and strategic market opportunities.

Operational Efficiencies: If you are planning to build or expand data centre facilities, locate your projects within designated acceleration zones to benefit from the aggregated baseline permit and the 12-month permitting cap. Engage early with the single information point to navigate the administrative landscape effectively. The aggregated baseline permit reduces the time spent on routine authorisations, allowing you to focus on technical and installation-specific approvals. This predictability can improve project financing and reduce holding costs during the permitting phase. Note that the proposal aims to triple EU capacity in the next five-to-seven years, creating a high-demand environment for compliant infrastructure.

Strategic Market Access: For cloud providers, the sovereignty framework is a key differentiator. Invest in meeting the criteria for Union assurance levels, starting with level 1. This involves ensuring that your infrastructure, assets, and customer data remain within the Union, and that you comply with cybersecurity standards. Achieving recognition and being listed in the central repository positions your services as compliant with EU public procurement requirements. This is particularly relevant as Cypriot public authorities and other EU entities increasingly prioritize sovereign cloud solutions to protect public order and data confidentiality.

Competitive Positioning: Cyprus can leverage its geographic position and growing digital infrastructure to attract EU-wide business. By aligning with CADA's objectives, Cypriot operators can demonstrate their commitment to European technological sovereignty. This alignment can enhance your reputation among EU public sector buyers and private entities seeking to mitigate third-country risks. Additionally, the proposal encourages the use of open-source solutions and European technologies, providing opportunities for Cypriot providers to integrate these elements into their offerings.

Common misconceptions

Misconception 1: CADA is already in force. CADA is a proposal, not yet enacted law. The provisions described, including acceleration zones and the sovereignty framework, are contingent on the regulation being adopted by the European Parliament and the Council. Operators should monitor legislative developments but should not assume these rules are currently applicable. The proposal would enter into force on the 20th day following its publication and apply one year later.

Misconception 2: All data centre projects automatically benefit from accelerated permitting. The streamlined permitting processes, including the aggregated baseline permit and 12-month timeline, apply specifically to projects located within designated data centre acceleration zones. Projects outside these zones may not benefit from the same level of administrative simplification. Member States must first designate these zones within six months of the regulation's entry into force.

Misconception 3: Sovereignty recognition is mandatory for all providers. Recognition under the sovereignty framework is voluntary for providers. However, it becomes essential if you wish to serve public sector customers who are required to procure recognised services. Private sector clients may also prefer recognised providers, but there is no universal mandate for all cloud providers to seek recognition.

Misconception 4: The single information point makes all decisions. The single information point facilitates and coordinates the permitting process but does not have the authority to grant permits itself. Its role is to assist operators in navigating the various administrative requirements and to ensure timely processing by the relevant authorities.

Misconception 5: The sovereignty framework only applies to large hyperscalers. The framework is designed to be accessible to providers of all sizes. In fact, Article 17(3) provides a derogation for SMEs, where their EU statement of conformity for Union assurance level 1 shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority. This lowers the barrier to entry for Cypriot SMEs.

Related

• How CADA helps French cloud and data centre operators: Permits, zones and sovereignty
• How CADA helps cloud and data centre operators in Estonia: Permits, Zones & Sovereignty
• Where will the data centre acceleration zones be in Cyprus under CADA?
• How CADA accelerates data centre permits and sovereignty for Slovakia
• CADA Data Centre Permits in Cyprus: Single Information Points & Baseline Permits

This is general information about a draft EU regulation, not legal advice.