Summary
The proposed Cloud and AI Development Act (CADA) would significantly accelerate infrastructure deployment for Estonian cloud and data centre operators by mandating data centre acceleration zones with aggregated baseline permits and a strict 12-month permitting cap. Under Article 13, projects in these zones are treated as strategic, while Article 12 ensures a single information point guides operators through the entire lifecycle. Beyond deployment, CADA creates a unified market: Estonian providers can gain EU-wide recognition under the Union cloud computing sovereignty framework (Article 16) and be listed in the central repository (Article 22), unlocking public procurement opportunities across the Union that were previously fragmented by national rules.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, is designed to address the critical bottlenecks in the EU's digital infrastructure: limited capacity, fragmented permitting, and dependence on non-EU providers. For Estonia, a nation with a mature digital ecosystem and ambitious data centre growth plans, the proposal offers a structured pathway to scale infrastructure rapidly while securing a competitive edge in the sovereign cloud market.
The proposal operates on two parallel tracks: supply-side acceleration (building the infrastructure faster) and demand-side harmonisation (creating a unified market for trusted services).
Accelerated Deployment: Acceleration Zones and Strategic Status
The most immediate impact for Estonian data centre operators lies in the creation of data centre acceleration zones. Under Article 10, Member States are required to designate at least one such zone within their territory where data centre capacity is being deployed. For Estonia, this means identifying specific geographic areas, likely leveraging existing industrial or tech hubs, where the regulatory environment is optimised for rapid expansion.
When designating these zones, Article 10(1) mandates that Member States consider critical factors including available and future power grid capacity, network connectivity, and the potential for waste heat reuse. Crucially, Article 10(2) requires a comprehensive analysis of energy needs and greenhouse gas impacts, ensuring that network development plans account for future data centre demand. This provides operators with the long-term certainty regarding energy availability that is often a primary bottleneck for investment.
Once a zone is designated, the regulatory treatment of projects within it changes fundamentally. Article 13(1) explicitly states that data centre projects deployed in acceleration zones shall be considered strategic projects within the meaning of the environmental assessment regulation. This designation triggers a dedicated "toolbox" of measures to accelerate environmental assessments and permit granting, ensuring that projects benefit from streamlined procedures while maintaining high environmental standards.
The Single Information Point and the 12-Month Cap
To eliminate the administrative friction that often plagues cross-border and domestic projects, Article 12 introduces the single information point. For any data centre project located in an acceleration zone, the operator has the right to be assisted by a single point of contact throughout the entire lifecycle of the project.
This point of contact is responsible for coordinating, facilitating, and monitoring all necessary authorisations, including:
- Spatial planning and building permits;
- Environmental assessments;
- Authorisations regarding water abstraction, wastewater discharge, and heat utilisation;
- Applications for connection to electricity, heat, or communications networks.
This mechanism prevents operators from having to navigate a labyrinth of disparate administrative bodies. The single information point acts as a central hub, ensuring that all relevant authorities (national, regional, and local) are coordinated.
The most significant procedural change, however, is the strict timeline introduced by Article 13(5). The proposal mandates that the permit-granting procedure for data centre projects in acceleration zones shall not exceed 12 months from the moment a comprehensive application has been submitted. This is a binding EU-wide cap that overrides any longer national timelines. For Estonian operators, this predictability transforms the investment calculus, allowing for precise financial modelling and faster time-to-market.
Aggregated Baseline Permits: Pre-Approving the Zone
To further reduce the burden on individual projects, Article 13(2) requires Member States to prepare and issue an aggregated baseline permit for each designated acceleration zone. This permit covers the permits and administrative authorisations commonly required for data centre projects located within that zone, excluding only installation-specific permits.
By pre-approving the general environmental and planning impacts at the zone level, the regulatory burden for individual projects is significantly reduced. An operator building a facility within a designated zone in Estonia would not need to re-litigate the fundamental planning or environmental impacts of the location itself, as these have already been assessed and approved via the baseline permit. This shifts the focus of the permitting process to the specific technical details of the individual facility, drastically cutting down administrative overhead.
The Sovereignty Framework: A Unified Market for Estonian Providers
While acceleration zones address the physical deployment of infrastructure, Title IV of the proposal addresses the market access challenges faced by European cloud providers. The proposal establishes a Union cloud computing sovereignty framework in Article 16, comprising four Union assurance levels. This framework provides a harmonised, auditable set of criteria for cloud computing services to be recognised as providing a specific level of sovereignty and security.
For Estonian cloud providers, this presents a transformative opportunity. Currently, public sector buyers across the EU may have divergent national standards for "sovereign" or "trusted" cloud services. Under CADA, an Estonian provider that meets the criteria for a specific assurance level can apply for recognition through the national competent authority in Estonia.
Article 17 outlines this recognition mechanism. Once a provider is recognised, the service is valid across the entire Union. This removes the need for providers to navigate divergent national sovereignty standards or undergo multiple audits in different Member States. A single recognition in Estonia grants access to the entire EU market.
This recognition is centralised and transparent. Article 22 mandates that the Commission establish and maintain a central repository of cloud computing services that have been recognised as offering Union assurance levels. Being listed in this repository increases visibility and trust among public sector buyers across Europe, effectively acting as a "passport" for Estonian providers.
Demand-Side Measures: Unlocking Public Procurement
The supply-side benefits of faster deployment are complemented by powerful demand-side measures. Article 30 sets out obligations for public procurement that directly benefit recognised providers.
- Baseline Requirement: Article 30(2) states that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognised as having at least Union assurance level 1.
- Public Order Requirement: Article 30(3) mandates that contracting authorities whose activities have been identified as contributing to the preservation of public order (e.g., law enforcement, defence, justice) must only procure services recognised as having Union assurance levels 2, 3, or 4.
This creates a guaranteed market for providers who achieve recognition. For Estonian providers, achieving a Union assurance level is no longer just a technical certification; it is a key to accessing public contracts across the EU. Article 32 further supports this by requiring contracting authorities to include "Union added value" criteria in their procurement, which can favour services that strengthen the EU's digital supply chain, including those designed or manufactured in the Union.
What this means for you
For cloud service providers and data centre operators in Estonia, CADA represents a shift from navigating fragmented national rules to operating within a harmonised EU framework. Here is how you can prepare:
- Engage with National Authorities on Acceleration Zones: Work with Estonian authorities to identify potential sites for data centre acceleration zones. Ensure your projects align with the criteria in Article 10, such as energy efficiency and grid connectivity. Early engagement can position your projects to benefit from the aggregated baseline permits in Article 13.
- Leverage the Single Information Point: Once acceleration zones are designated, utilise the single information point mandated by Article 12. Prepare your documentation to meet the comprehensive application requirements to ensure the 12-month permitting clock starts as soon as possible.
- Plan for Sovereignty Recognition: Assess your current security and governance practices against the criteria in Annex II of the proposal. If you aim to serve the public sector, targeting Union assurance levels 2–4 is essential. Begin internal audits to identify gaps in areas such as data localisation, personnel screening, and supply chain transparency.
- Market Your EU Added Value: When bidding for public contracts, highlight your compliance with CADA's sovereignty framework. Use the recognition from the central repository (Article 22) as a key differentiator. Emphasise your contribution to the EU's digital sovereignty in line with Article 32.
Common misconceptions
- "CADA replaces national planning laws." CADA does not replace national zoning or environmental laws. Instead, it harmonises the process for data centres in acceleration zones. National authorities still issue permits, but they must adhere to the 12-month timeline and use the aggregated baseline permit model for zones.
- "Only large hyperscalers can benefit." While hyperscalers have the resources to build large facilities, the sovereignty framework and public procurement rules create opportunities for smaller, specialised EU providers. By achieving Union assurance recognition, smaller Estonian providers can compete for public sector contracts that previously favoured global incumbents.
- "Sovereignty recognition is automatic." Recognition is not automatic. Providers must submit an application and evidence to the national competent authority (Article 17). For levels 2–4, an independent third-party audit is required (Article 20). The process involves rigorous assessment of technical, legal, and organisational measures.
- "Data centres outside acceleration zones are ignored." CADA focuses on acceleration zones to drive rapid capacity expansion, but it does not prohibit data centre deployment elsewhere. However, projects outside these zones will not benefit from the aggregated baseline permits or the strict 12-month permitting cap, making them slower and more administratively complex.
This is general information about a draft EU regulation, not legal advice.