Summary As proposed, the Cloud and AI Development Act (CADA) would fundamentally transform the landscape for cloud and data centre operators in Greece by mandating the creation of "data centre acceleration zones" with streamlined permitting and dedicated "single information points." For Greek cloud providers, the proposal establishes a harmonised EU-wide sovereignty framework, offering a clear, auditable path to recognition at four assurance levels and listing in a central repository. This would reduce market fragmentation, lower barriers to public procurement across the EU, and enhance the competitiveness of Greek providers against non-EU incumbents.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, represents a structural shift in how the EU approaches digital infrastructure. For operators in Greece, the proposal addresses two critical bottlenecks that have historically hindered growth: the administrative complexity of deploying physical data centre capacity and the fragmented nature of public procurement for cloud services. By harmonising rules across Member States, CADA aims to accelerate the build-out of sustainable computing infrastructure while fostering a trusted, sovereign European cloud ecosystem.

Accelerating Data Centre Deployment in Greece

A primary challenge for data centre operators in Greeceβ€”and across the EUβ€”has been the divergent and often lengthy permitting processes for new facilities. CADA addresses this by introducing specific mechanisms to fast-track deployment, directly impacting Greek infrastructure planning.

Data Centre Acceleration Zones Under Article 10, Member States, including Greece, would be obligated to designate at least one "data centre acceleration zone" within their territory where data centre capacity is being deployed. When designating these zones, Greek authorities would need to consider specific criteria, such as the availability of future power grid capacity, network connectivity, the potential for waste heat reuse, and the preference for reusing brownfield sites over greenfield ones. This designation is not merely symbolic; it triggers a streamlined regulatory environment designed to overcome the "capacity gap" identified by the Commission.

Aggregated Baseline Permits To drastically reduce administrative burden, Article 13 introduces the concept of an "aggregated baseline permit." For each designated acceleration zone, Greek authorities would be required to prepare and issue a permit that covers the permits and administrative authorisations commonly required for data centre projects within that zone, excluding installation-specific permits. This means that before a specific operator even submits an application, the zone-level assessmentsβ€”including environmental assessments and planning proceduresβ€”would have already been carried out. Data centres deployed in these zones would only need to obtain additional permits for activities falling outside this aggregated baseline.

Furthermore, Article 13 sets a strict timeline: the permit-granting procedure for data centre projects in acceleration zones must not exceed 12 months from the submission of a comprehensive application. This provides Greek operators with a predictable timeline for regulatory approval, a significant improvement over current variable national practices. Crucially, data centre projects deployed in these zones are explicitly considered "strategic projects" within the meaning of the environmental assessment acceleration framework, allowing them to benefit from a dedicated toolbox for faster environmental assessments.

Single Information Points Navigating the permitting process can be complex, involving multiple authorities for spatial planning, environmental assessments, and grid connections. Article 12 mandates that Member States designate one or more "single information points" for data centre operators in acceleration zones. These points would assist operators throughout the entire lifecycle of the project, coordinating and facilitating procedures related to:

  • Spatial planning and building permits.
  • Environmental assessments.
  • Authorisations for water abstraction, wastewater discharge, and heat utilisation.
  • Applications for connection to electricity, heat, or communications networks.

This single point of contact reduces the administrative friction for Greek operators, ensuring that queries and applications are handled efficiently. The single information point also has a specific role in assessing whether a project may qualify as a strategic project under Article 14.

Sovereignty Framework and Market Access

Beyond physical infrastructure, CADA introduces a "Union cloud computing sovereignty framework" designed to reduce dependence on non-EU providers. This framework is critical for Greek cloud providers seeking to compete in the public sector market, both domestically and across the EU.

Union Assurance Levels Article 16 establishes four "Union assurance levels" (Level 1 to Level 4) based on criteria set out in Annex II of the proposal. These levels define the degree of sovereignty, security, and operational autonomy a cloud service offers. For Greek providers, this creates a standardised benchmark. If a Greek provider meets the criteria for a specific level (e.g., data remaining exclusively in the Union, personnel being Union citizens, or absence of third-country control), they can apply for recognition. The criteria are cumulative and become stricter at higher levels; for instance, Level 4 requires a "high" cybersecurity certification, whereas Levels 2 and 3 require a "substantial" certification.

Recognition and the Central Repository Once a provider submits an application for recognition to the national competent authority of establishment, they undergo an assessment. For Level 1, this involves a conformity self-assessment. For Levels 2–4, it requires an independent third-party audit. Upon successful recognition, the service is registered in a central repository maintained by the Commission, as detailed in Article 22.

This central repository is publicly available and serves as a single source of truth for contracting authorities across the EU. For a Greek provider, being listed here means their sovereignty status is recognised not just in Athens, but in Berlin, Paris, or Warsaw. This removes the need for repeated, divergent national certifications and opens up cross-border public procurement opportunities.

Public Procurement Obligations The sovereignty framework is reinforced by demand-side measures. Under Article 30, contracting authorities in Greece (and other Member States) would be required to procure cloud computing services that have been recognised under the CADA framework. Specifically, public sector bodies whose activities contribute to the preservation of public order would be mandated to procure only services recognised at Union assurance levels 2, 3, or 4. This creates a guaranteed market for Greek providers who can achieve these higher assurance levels, particularly in sectors like healthcare, justice, or internal security.

Strategic Projects and Investment

CADA also provides a mechanism for the Commission to designate "data centre strategic projects" under Article 14. These are projects that significantly contribute to the Union's digital and energy sectors, such as those with highly sustainable features, those supporting grid stability, or those addressing major compute capacity shortages. If a Greek data centre project is designated as strategic, it may become eligible for support measures from Member States and EU programmes, provided such support complies with State aid rules. This offers an additional financial incentive for large-scale, innovative deployments in Greece.

What this means for you

For cloud service providers and data centre operators in Greece, CADA offers both immediate operational benefits and long-term strategic advantages.

Faster Time-to-Market If you are planning a new data centre in Greece, positioning your project within a designated acceleration zone would allow you to benefit from the aggregated baseline permit and the 12-month permitting cap. Engaging early with the single information point can help you navigate the pre-application phase more effectively, reducing the risk of delays. The requirement for Member States to designate these zones within six months of the regulation's entry into force means the framework could be operational relatively quickly.

Competitive Edge in Public Sector The sovereignty framework levels the playing field. Currently, non-EU hyperscalers often dominate public procurement due to their scale and established presence. CADA's assurance levels reward providers that demonstrate strong EU alignment, such as keeping data and personnel within the Union. If you are a Greek provider, you are naturally well-positioned to meet these criteria. Achieving recognition at Level 2, 3, or 4 would make you a mandatory consideration for high-criticality public contracts across the EU, not just in Greece.

Investment Opportunities The designation of strategic projects could unlock access to EU funding and national support measures. If your project incorporates innovative sustainability features (e.g., advanced cooling, waste heat reuse) or supports grid stability, you should consider applying for strategic project status. This designation can enhance your project's credibility and financial viability.

Compliance and Auditing Preparing for the audit requirements of Levels 2–4 should begin now. This involves documenting your supply chain, ensuring data residency, and verifying personnel citizenship. For Level 1, the self-assessment process is lighter, but transparency around subcontractors and cybersecurity standards is still required. Early preparation will ensure you are ready to apply for recognition as soon as the framework is operational.

Common misconceptions

Misconception 1: CADA bans non-EU cloud providers. CADA does not ban non-EU providers. However, it creates a tiered system where public sector bodies, especially those handling sensitive data or critical infrastructure, are required to use services with specific assurance levels. Non-EU providers can still compete, but they must meet stringent criteria, such as demonstrating that their home country does not compel data access or service disruption. For many, this is a high bar, which indirectly benefits EU-based providers who can more easily meet these sovereignty requirements.

Misconception 2: Acceleration zones apply to all data centres in Greece. No. Acceleration zones are specific geographic areas designated by the Greek government. Only data centres built within these zones benefit from the aggregated baseline permit and the 12-month permitting cap. Operators outside these zones will still follow national permitting procedures, which may be longer and more complex. However, the Commission monitors the capacity gap and may recommend measures to address shortages, potentially leading to the designation of more zones in underserved areas.

Misconception 3: Assurance levels are optional for public sector procurement. No. Under CADA, the use of recognised assurance levels becomes mandatory for public sector bodies. Contracting authorities must conduct risk assessments to determine the appropriate level (1, 2, 3, or 4) for their activities. For activities contributing to public order, Levels 2–4 are mandatory. This means that Greek public authorities cannot simply choose any cloud provider; they must select from the central repository of recognised services.

Misconception 4: CADA replaces national planning laws. CADA complements rather than replaces national laws. It sets EU-wide minimum standards for acceleration zones and permitting timelines. Greece will still need to designate zones and issue permits in accordance with its national legal framework, but the CADA framework provides a structured, accelerated pathway that national authorities must follow.

Related

This is general information about a draft EU regulation, not legal advice.