Summary As proposed, the Cloud and AI Development Act (CADA) would significantly accelerate data centre deployment in Ireland by mandating "data centre acceleration zones" where projects benefit from an "aggregated baseline permit" and a strict 12-month permitting cap. Operators would receive dedicated support via "single information points" throughout the project lifecycle. Simultaneously, the proposal establishes a Union-wide sovereignty framework (Articles 16–22), allowing Irish cloud providers to gain EU-wide recognition for their services, list in a central repository, and access public procurement markets across the Union that require specific "Union assurance levels."

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, addresses two critical bottlenecks for the digital economy: the speed of physical infrastructure deployment and the fragmentation of trust in cloud services. For Ireland, a pivotal hub for European data centre capacity and cloud services, the proposal introduces a dual-track mechanism. The first track streamlines the permitting process for physical assets through designated zones and single points of contact. The second track creates a harmonised market for "sovereign" cloud services, enabling Irish providers to compete on a level playing field across the EU single market.

Accelerated Deployment: Acceleration Zones and Aggregated Permits

The proposal directly targets the administrative delays often associated with large-scale data centre construction. Under Article 10, Member States are required to designate "data centre acceleration zones" within their territory where data centre capacity is being deployed. When designating these zones, Member States must consider specific factors including available power grid capacity, network connectivity, and the ability to reuse waste heat. For Irish operators, this means that projects located within these designated zones would operate under a harmonised, accelerated regulatory regime.

A cornerstone of this acceleration is the "aggregated baseline permit" introduced in Article 13. For each designated acceleration zone, Member States must prepare and issue a single permit that covers the administrative authorisations commonly required for data centre projects within that area. This baseline permit excludes only installation-specific permits. Consequently, operators would not need to navigate a fragmented series of individual permits for spatial planning, environmental assessments, and grid connections for every new facility within the zone. They would only need to obtain additional permits for activities falling outside the scope of this baseline.

Furthermore, Article 13 imposes a strict timeline on this process. The permit-granting procedure for data centre projects deployed in acceleration zones "shall not exceed 12 months, from the moment a comprehensive application has been submitted." This legal certainty is a significant competitive advantage, allowing Irish operators to plan capital expenditure and operational rollouts with greater precision. Additionally, Article 13 clarifies that data centre projects in these zones are considered "strategic projects" within the meaning of the Regulation on speeding-up environmental assessments, granting them access to a dedicated toolbox for accelerated environmental reviews.

Single Information Points: Lifecycle Support

To further reduce administrative burdens, Article 12 mandates the designation of "single information points" for data centre operators in acceleration zones. This provision grants operators the right to be assisted by a single point of contact throughout the entire lifecycle of their project. In the Irish context, where projects often involve coordination between local authorities, environmental agencies, and grid operators, this centralisation is vital.

The single information point is tasked with coordinating, facilitating, and monitoring procedures relating to spatial planning, environmental assessments, water abstraction, heat utilisation, and applications for connection to electricity and communications networks. Article 12 also requires these points to pay particular attention to small and medium-sized enterprises (SMEs), potentially establishing dedicated channels for communication. This mechanism ensures that operators do not get lost in bureaucratic silos, providing a clear path from application to operational status.

The Sovereignty Framework: Recognition and Market Access

Beyond physical infrastructure, CADA introduces a "Union cloud computing sovereignty framework" in Title IV, designed to create a unified market for trusted cloud services. Article 16 establishes four "Union assurance levels" (1 to 4), with criteria set out in Annex II. These levels assess factors such as the location of infrastructure, data residency, cybersecurity standards, and freedom from third-country control.

For Irish cloud providers, achieving recognition under this framework offers a direct pathway to the EU public sector market. Article 17 outlines the recognition mechanism: providers submit an application to their national competent authority (in Ireland, this would be the designated authority under Article 25).

  • Level 1: Providers can carry out a conformity self-assessment and issue an EU statement of conformity. Notably, Article 17(3) includes a derogation for SMEs, allowing their statements of conformity to be "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority."
  • Levels 2, 3, and 4: These require independent third-party audits. Article 20 mandates that providers undergo audits by independent organisations to obtain an audit report and a "positive" audit opinion.

Once recognised, a provider's service is valid across the entire Union. This eliminates the need for separate national certifications in each Member State, significantly reducing market entry costs for Irish providers.

The Central Repository and Public Procurement

Article 22 mandates the establishment of a "central repository" of cloud computing services recognised under the framework. The Commission would maintain this repository, and national competent authorities would register recognised services. The repository would be publicly available and regularly updated. For Irish providers, inclusion in this central repository serves as a powerful trust signal, demonstrating compliance with rigorous EU sovereignty standards.

This recognition is not merely symbolic; it is a prerequisite for public procurement. Article 29 requires Member States and Union entities to conduct risk assessments to determine which public sector activities contribute to the preservation of "public order." Based on these assessments, Article 30 dictates procurement rules:

  • Activities not identified as contributing to public order must procure services with at least Union assurance level 1.
  • Activities identified as contributing to public order (e.g., in national security, defence, justice, or law enforcement) must procure services recognised at Union assurance level 2, 3, or 4.

By achieving recognition at these levels, Irish providers become eligible to bid for these high-value public contracts across the EU, rather than being limited to the domestic market.

Strategic Projects and Investment

Article 14 introduces the designation of "data centre strategic projects." The Commission may designate projects that meet specific criteria, such as supporting essential public sector functions, incorporating highly sustainable or innovative features, or addressing major compute capacity shortages. Irish operators developing large-scale, energy-efficient data centres could qualify for this designation. While the proposal does not guarantee funding, Article 14(3) notes that strategic projects may be granted support from Union programmes, funds, and financial instruments, and Member States may apply support measures in a proportionate manner.

What this means for you

For cloud service providers and data centre operators in Ireland, CADA presents a transformative shift in both operational efficiency and market strategy.

1. Accelerated Physical Deployment If your data centre projects are located in or planned for designated acceleration zones, you can expect a streamlined permitting process. The 12-month cap on permit-granting procedures under Article 13 reduces the uncertainty that often plagues large infrastructure projects. Engaging with the single information point under Article 12 will simplify your interactions with multiple regulatory bodies, allowing your project management teams to focus on construction and deployment rather than navigating bureaucratic fragmentation. You should proactively engage with Irish authorities to understand the criteria for acceleration zone designation and the timeline for the aggregated baseline permit.

2. Strategic Market Expansion via Sovereignty Achieving recognition under the sovereignty framework is a critical growth lever. By aligning your services with the criteria for Union assurance levels (particularly Levels 2 and 3, which are required for sensitive public sector data), you position your Irish-based services as compliant and trusted across the EU. Listing in the central repository (Article 22) increases your visibility to public procurement officers in other Member States. This is particularly relevant for Irish providers who have historically served the US market; CADA offers a mechanism to pivot towards the EU public sector by demonstrating "sovereign" credentials.

3. Investment Readiness and Strategic Designation Consider whether your upcoming projects meet the criteria for strategic project designation under Article 14. Factors such as energy efficiency, integration of renewable energy, and contribution to local economic development can strengthen your application. Being designated as a strategic project can open doors to additional support and funding, enhancing the financial viability of your expansion plans. Ensure your project documentation highlights sustainability features and alignment with the "grand challenges" outlined in Annex I.

4. Proactive Compliance and Audit Preparation Start preparing your internal processes for the sovereignty framework immediately. This includes ensuring robust documentation of data residency, cybersecurity measures, and supply chain transparency. For providers aiming for higher assurance levels (2–4), engage with auditing organisations early to understand the evidence requirements under Annex III. Proactive compliance will speed up the recognition process once the regulation enters into force. Remember that for Level 1, SMEs benefit from automatic recognition, while larger providers must undergo the full evaluation process.

Common misconceptions

"CADA only benefits large hyperscalers." While large providers may have the resources to navigate the framework quickly, CADA includes specific measures to support smaller players. Article 17(3) provides a derogation for SMEs seeking Union assurance level 1, allowing their EU statements of conformity to be "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." Additionally, the proposal encourages the use of open-source solutions and supports SME participation in innovation procurement under Article 33.

"The sovereignty framework blocks non-EU providers entirely." CADA does not ban third-country providers. Instead, it creates a tiered system. Article 18 allows for the recognition of third countries as providing sufficient assurances for Union assurance level 3, provided they meet strict criteria regarding data protection, service continuity, and market access. This means that non-EU providers can still operate in the EU market, but they must demonstrate compliance with these high standards. The framework is designed to mitigate risks rather than create absolute barriers, ensuring that EU users have access to a diverse range of trusted services.

"All data centre projects will automatically be in acceleration zones." Not all data centre projects will be located in acceleration zones. Article 10 requires Member States to designate these zones where capacity is being deployed, considering factors like grid capacity and environmental impact. Projects outside these zones may not benefit from the aggregated baseline permit or the 12-month permitting cap. However, operators can still engage with single information points where available, and national authorities may adopt similar best practices outside designated zones.

"Sovereignty recognition is a one-time event." Recognition under the sovereignty framework is ongoing. Article 23 imposes transparency obligations on providers, requiring them to notify the auditing organisation and national competent authority of any material changes that could affect their assurance level. Providers must undergo annual reviews for Levels 2, 3, and 4 (Article 20). Continuous compliance is essential to maintain listing in the central repository and retain eligibility for public sector contracts.

Related

This is general information about a draft EU regulation, not legal advice.