Summary As proposed, the Cloud and AI Development Act (CADA) would offer Finnish cloud and data centre operators a streamlined path to deployment and expanded market access. By designating "data centre acceleration zones," Finland would provide "single information points" and "aggregated baseline permits" to cut permitting times to a maximum of 12 months. Simultaneously, the proposed sovereignty framework would allow compliant Finnish providers to gain EU-wide recognition at one of four assurance levels, listing them in a central repository and unlocking public procurement opportunities across the Union.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, aims to strengthen Europe's cloud and AI ecosystem by addressing the shortage of compute capacity and reducing dependence on third-country providers. For operators in Finland, the proposal introduces specific mechanisms to accelerate infrastructure deployment and standardise trust criteria. The following sections detail how these provisions, particularly Articles 10, 12, and 13, would impact data centre operations, alongside the sovereignty framework outlined in Articles 16 and 22.

Accelerated Deployment via Data Centre Acceleration Zones

Under CADA, Member States, including Finland, would be required to designate at least one "data centre acceleration zone" within their territory where data centre capacity is being deployed (Article 10(1)). These zones are designed to facilitate the development, expansion, and modernisation of data centres by providing a clear and streamlined regulatory framework. When designating these zones, Finnish authorities would consider factors such as available power grid capacity, network connectivity, and the potential for reusing waste heat, ensuring that new infrastructure is sustainable and integrated with local energy needs (Article 10(1)(b), (c), (e)).

For operators, the primary benefit lies in the simplified permitting process. Article 13 establishes that data centre projects deployed in acceleration zones are considered "strategic projects" within the meaning of the Regulation on speeding-up environmental assessments (Article 13(1)). This status grants them access to a dedicated toolbox for accelerated environmental assessments. Crucially, Article 13(2) requires Member States to prepare and issue an "aggregated baseline permit" for each designated acceleration zone. This permit covers the permits and administrative authorisations commonly required for data centre projects within that zone, excluding installation-specific permits. Consequently, operators would only need to obtain additional permits for activities falling outside this aggregated baseline, significantly reducing administrative burden and timeline uncertainties.

Article 13(5) further mandates that administrative applications related to the planning, construction, and operation of data centres in these zones be processed in an efficient, transparent, and timely manner. The permit-granting procedure must not exceed 12 months from the submission of a comprehensive application. This cap on processing time provides Finnish operators with greater predictability and reduces the risk of prolonged delays that currently plague large-scale infrastructure projects.

Single Information Point Support

To further support operators, Article 12 introduces the requirement for Member States to designate "single information points" (SIPs) for data centre operators of projects in acceleration zones. The SIP serves as a central contact for operators throughout the entire lifecycle of the data centre project, assisting with all required authorisations (Article 12(1)).

The role of the SIP includes coordinating, facilitating, monitoring, and sharing information on procedures related to spatial planning, building permits, environmental assessments, and authorisations regarding water abstraction and heat utilisation (Article 12(2)(a)–(f)). By consolidating these interactions into a single channel, the SIP reduces the fragmentation operators often face when dealing with multiple national, regional, and local authorities. Article 12(4) also highlights that SIPs should pay particular attention to SMEs, establishing dedicated communication channels to provide guidance and respond to queries. For Finnish operators, this means a more structured and supportive administrative environment, where complex regulatory queries can be addressed by a designated entity rather than navigating disparate bureaucratic silos.

Sovereignty Framework and EU-Wide Recognition

Beyond physical deployment, CADA introduces a Union cloud computing sovereignty framework designed to mitigate risks associated with dependence on third-country providers. Article 16 establishes four "Union assurance levels" with specific criteria that cloud computing service providers must meet to be recognised as offering a certain level of sovereignty. These criteria, detailed in Annex II, cover aspects such as the establishment of the provider in the Union, the location of infrastructure and assets within the Union, and the absence of third-country control that could compromise service continuity or data confidentiality.

For Finnish cloud providers, achieving recognition under this framework offers significant competitive advantages. Article 17 outlines the mechanism for recognition: providers submit an application to the national competent authority of their establishment. For Union assurance level 1, providers issue an EU statement of conformity based on a self-assessment (Article 19). For levels 2, 3, and 4, providers undergo independent third-party audits (Article 20). Once recognised, the service is recognised across the Union at the appropriate assurance level (Article 17(7)).

Article 22 requires the Commission to establish and maintain a "central repository" of cloud computing services that have been recognised under Article 17. This repository is publicly available and regularly updated. For Finnish providers, listing in this central repository serves as a mark of trust and compliance, facilitating procurement by public sector bodies across the EU. Article 30 mandates that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognised as having at least Union assurance level 1. For activities identified as contributing to public order, higher assurance levels (2, 3, or 4) are required. Thus, recognition under CADA effectively opens the door to EU-wide public sector procurement opportunities.

Strategic Projects and Funding Opportunities

In addition to acceleration zones, Article 14 allows the Commission to designate specific data centre projects as "strategic projects" if they meet certain criteria, such as supporting essential public sector functions, including highly sustainable or innovative features, or addressing major shortages of compute capacity. While designation is at the Commission's discretion, Finnish operators with projects that align with these strategic goals may benefit from enhanced support measures, including potential access to Union funding and streamlined state aid rules. This mechanism encourages the deployment of high-value, innovative data centres that contribute to the EU's broader digital sovereignty objectives.

What this means for you

For cloud service providers and data centre operators in Finland, CADA presents a structured pathway to faster deployment and expanded market access.

For Data Centre Operators:

  • Faster Time-to-Market: By locating projects within designated data centre acceleration zones, you benefit from the aggregated baseline permit (Article 13), which pre-approves common requirements, and a strict 12-month cap on permit-granting procedures. This reduces uncertainty and accelerates construction timelines.
  • Administrative Ease: The single information point (Article 12) provides a dedicated liaison for all authorisation processes, simplifying interactions with multiple authorities and ensuring consistent guidance throughout the project lifecycle.
  • Strategic Positioning: Engaging early with Finnish authorities to identify potential acceleration zones and ensuring your projects incorporate sustainable and innovative features (Article 10) can position your facility as a candidate for strategic project designation, potentially unlocking additional support.

For Cloud Service Providers:

  • EU-Wide Recognition: Aligning your services with the Union assurance levels (Article 16) and undergoing the necessary self-assessment or independent audit (Articles 19–20) allows you to be listed in the central repository (Article 22). This recognition is a prerequisite for procuring cloud services in many EU public sectors, effectively granting you passporting rights for public sector contracts across the Union.
  • Competitive Advantage: Demonstrating compliance with sovereignty criteria, such as data localisation within the Union and absence of third-country control, enhances your value proposition to clients concerned with data sovereignty and operational resilience.
  • Preparedness for Procurement: With Article 30 mandating the use of recognised sovereign cloud services by public authorities, ensuring your services meet at least Union assurance level 1 is essential for participating in public procurement. Higher assurance levels open access to more sensitive public sector workloads.

Common misconceptions

Misconception 1: CADA applies only to the public sector. While the sovereignty framework and procurement rules (Articles 29–30) heavily target public sector bodies, the provisions on data centre acceleration zones, single information points, and strategic projects (Articles 10–14) apply to all data centre operators deploying capacity in the EU, regardless of whether their end-users are public or private. The streamlined permitting benefits private sector operators as well.

Misconception 2: Recognition under the sovereignty framework is automatic for EU-based providers. Being established in the Union is a necessary but not sufficient condition for recognition. Providers must actively demonstrate compliance with the cumulative criteria for the desired assurance level (Annex II) and undergo the formal recognition process, including self-assessment or independent audit (Articles 17–20). Simply operating in Finland does not grant automatic inclusion in the central repository.

Misconception 3: The aggregated baseline permit covers all permits. Article 13(2) clarifies that the aggregated baseline permit covers permits commonly required for data centre projects within the zone, excluding installation-specific permits. Operators will still need to obtain additional permits for activities falling outside this baseline, such as specific grid connection permits or unique environmental authorisations not covered by the zone-wide assessment.

Misconception 4: CADA replaces national environmental laws. CADA harmonises certain conditions and accelerates procedures but does not replace national environmental protection laws. Data centre projects in acceleration zones must still comply with applicable Union and national law, including requirements for energy efficiency and environmental protection (Recital 38). The aggregated baseline permit facilitates this compliance but does not waive substantive environmental safeguards.

Related

This is general information about a draft EU regulation, not legal advice.