Summary As proposed, the Cloud and AI Development Act (CADA) would fundamentally reshape the deployment landscape for cloud and data centre operators in Italy. The proposal mandates the creation of "data centre acceleration zones" where projects benefit from an "aggregated baseline permit" and a strict 12-month permitting cap. Operators would receive lifecycle support from designated "single information points" to navigate complex authorisations. Furthermore, Italian providers could gain EU-wide recognition under a harmonised sovereignty framework, allowing them to list their services in a central repository and compete for public contracts across the Union. These measures aim to reduce fragmentation, accelerate capacity expansion, and enhance the competitiveness of Italian cloud infrastructure.

Detail

The proposed Cloud and AI Development Act (CADA), presented in COM(2026) 502 final, addresses the EU's critical shortage of computing capacity and its strategic dependence on non-European providers. For cloud service providers and data centre operators in Italy, the proposal introduces a dual-track approach: accelerating physical infrastructure deployment through streamlined permitting and harmonising market access through a unified sovereignty framework. The following sections detail how these provisions would impact operators operating within Italian territory.

Accelerated Deployment through Data Centre Acceleration Zones

To address the bottleneck in data centre deployment, CADA requires Member States to designate specific geographic areas as "data centre acceleration zones." Under Article 10, Italy would be required to designate at least one such zone within its territory where data centre capacity is being deployed. When selecting these zones, Italian authorities must consider critical factors including available and future power grid capacity, network connectivity, and the potential for waste heat reuse, ensuring that sites are viable for large-scale, sustainable operations.

For operators in Italy, locating a project within an acceleration zone triggers significant regulatory advantages. Article 13 establishes that data centre projects deployed in these zones are automatically considered "strategic projects" within the meaning of the upcoming Regulation on speeding-up environmental assessments. This classification unlocks a dedicated toolbox designed to accelerate administrative and permit-granting processes.

The most transformative element for Italian operators is the "aggregated baseline permit." Article 13(2) requires Member States to prepare and issue a single permit for each designated acceleration zone. This aggregated baseline permit covers the administrative authorisations commonly required for data centre projects within that area, excluding only installation-specific permits. Consequently, once Italy issues this baseline permit for a zone, operators would not need to secure individual permits for standard requirements like spatial planning or building authorisations for the zone itself. They would only need to obtain additional permits for activities falling outside the scope of this baseline. This mechanism drastically reduces the regulatory burden and the time required to bring new capacity online.

Furthermore, Article 13(5) imposes a strict temporal limit on these processes. The permit-granting procedure for data centre projects in acceleration zones must not exceed 12 months from the moment a comprehensive application has been submitted. This provides Italian operators with a high degree of predictability, contrasting sharply with traditional permitting routes that can often extend for several years due to administrative fragmentation.

Single Information Points for Lifecycle Support

To ensure that the acceleration zones function effectively, CADA introduces the concept of Single Information Points (SIPs). Article 12 requires Member States to designate one or more SIPs specifically for data centre operators working within acceleration zones. These SIPs are mandated to assist operators throughout the entire lifecycle of the data centre project.

For an Italian data centre operator, this means having a dedicated, centralised point of contact to coordinate and facilitate all necessary authorisations. Article 12(2) outlines that the role of the SIP may include coordinating spatial planning and building permits, environmental assessments, and applications for connection to electricity, heat, or communications networks. Crucially, the SIP is also tasked with assisting in assessing whether a specific project may qualify as a "strategic project" under Article 14, potentially unlocking further support measures.

This support is particularly valuable for navigating the complex interplay between national, regional, and local authorities in Italy. By centralising administrative support, the SIP helps mitigate the risk of delays caused by fragmented oversight or lack of coordination among different public bodies. Article 12(4) further notes that SIPs should pay particular attention to SMEs, potentially establishing dedicated channels for communication, which could significantly benefit smaller Italian data centre operators who may lack extensive legal or regulatory teams.

Sovereignty Framework and EU-Wide Recognition

Beyond physical deployment, CADA addresses the strategic need for technological sovereignty, which is critical for Italian providers seeking to serve public sector clients. Article 16 establishes a Union cloud computing sovereignty framework consisting of four assurance levels. This framework provides a harmonised and auditable set of criteria for cloud computing services to be considered as providing "Union assurance."

For Italian cloud providers, meeting these criteria offers a significant competitive advantage. Article 17 outlines the mechanism for recognition. A cloud computing service provider established in the EU, such as an Italian provider, can apply for recognition to the national competent authority of its establishment (in this case, the Italian authority). If the provider meets the requirements for Union assurance level 1, 2, 3, or 4, it receives recognition that is valid across the entire Union.

This EU-wide recognition is crucial for Italian providers looking to expand beyond domestic borders. It removes the need to navigate divergent national sovereignty standards in other Member States, creating a level playing field and reducing compliance costs. The framework is particularly relevant for public sector contracts, as Article 30 mandates that contracting authorities procure services that meet specific assurance levels based on risk assessments. For instance, if an Italian public body identifies an activity as contributing to the preservation of public order, it must procure services recognised at levels 2, 3, or 4.

Central Repository and Transparency

To enhance transparency and trust, Article 22 requires the Commission to establish and maintain a central repository of cloud computing services that have been recognised under the sovereignty framework. National competent authorities, including Italy's, are responsible for registering recognised services in this repository.

For Italian operators, being listed in this central repository serves as a mark of compliance and trust. It provides visibility to public sector bodies and private entities across the EU who are seeking sovereign-compliant cloud services. The repository is publicly available, allowing potential customers to easily identify verified providers. This transparency helps Italian providers demonstrate their commitment to data sovereignty and security, which is increasingly important for both public and private sector clients. The repository ensures that once an Italian provider is recognised, their status is visible and verifiable across the single market.

Strategic Projects and Additional Support

In addition to the acceleration zones, CADA provides for the designation of "data centre strategic projects" under Article 14. These are projects that significantly contribute to the Union's digital and energy sectors and meet specific criteria, such as enhancing essential public sector functions, incorporating highly sustainable features, or addressing major compute capacity shortages.

If an Italian data centre project is designated as a strategic project, it may be eligible for support measures from Member States and Union programmes. This could include financial support or other incentives, subject to state aid rules. The designation process involves an open call for expressions of interest, and the Commission designates projects that meet at least two of the specified criteria, such as contributing to grid stability or addressing major compute capacity shortages. This offers Italian operators a pathway to secure additional backing for large-scale, innovative infrastructure projects.

What this means for you

For cloud service providers and data centre operators in Italy, CADA presents a transformative set of opportunities and new compliance requirements. Here is how you should prepare:

  • Monitor Acceleration Zone Designations: Keep a close watch on the Italian government's designation of data centre acceleration zones under Article 10. Positioning your projects within these zones will allow you to benefit from the aggregated baseline permit and the 12-month permitting cap under Article 13.
  • Engage with Single Information Points: Once SIPs are established in Italy, engage with them early in your project planning. Utilise their support for coordinating permits and grid connections as outlined in Article 12 to streamline your deployment timeline and avoid administrative bottlenecks.
  • Assess Sovereignty Compliance: Evaluate your services against the Union assurance levels in Annex II of CADA. If you aim to serve public sector clients or expand across the EU, obtaining recognition under Article 17 is crucial. Start gathering the necessary evidence for self-assessment (Level 1) or independent audits (Levels 2-4), noting that Level 2 and above require a European cybersecurity certificate of at least "substantial" assurance.
  • Prepare for Strategic Project Applications: If your project has significant sustainability or innovation features, consider applying for designation as a strategic project under Article 14. This could open doors to additional support and recognition, particularly if your project addresses grid stability or capacity shortages.
  • Update Your Market Strategy: Highlight your compliance with CADA's sovereignty framework in your marketing materials. Being listed in the central repository under Article 22 will be a key differentiator for clients seeking trusted, sovereign cloud services across the Union.

Common misconceptions

  • "CADA is already in force." CADA is a proposal (COM(2026) 502 final) and is not yet law. It must be adopted by the European Parliament and the Council before it becomes binding. The text may change during the legislative process.
  • "All data centres in Italy will automatically be in acceleration zones." No. Member States must designate specific zones under Article 10. Only projects within these designated zones benefit from the accelerated permitting and aggregated baseline permits. Projects outside these zones will follow standard national permitting procedures.
  • "Sovereignty recognition is optional for private sector contracts." While CADA primarily mandates sovereignty levels for public procurement (Article 30), the private sector, particularly entities in critical sectors under NIS2, is encouraged to conduct similar impact assessments (Article 31). Market demand for sovereign services is likely to grow regardless of direct mandates.
  • "The single information point replaces all permits." The SIP facilitates and coordinates the process but does not eliminate the need for permits. However, within acceleration zones, the aggregated baseline permit covers many common requirements, reducing the number of individual permits needed.
  • "Sovereignty recognition is only for Italian public bodies." Recognition under Article 17 grants EU-wide validity. An Italian provider recognised at Level 2, 3, or 4 can sell to public bodies in any Member State without needing separate national certifications.

Related

This is general information about a draft EU regulation, not legal advice.