Summary The proposed Cloud and AI Development Act (CADA) would fundamentally reshape the regulatory landscape for Maltese cloud and data centre operators by introducing a streamlined permitting regime and a unified market access mechanism. Under Article 10, Malta would be required to designate "data centre acceleration zones," where projects would benefit from an "aggregated baseline permit" and a strict 12-month cap on the permit-granting procedure under Article 13. Operators would receive dedicated support throughout the project lifecycle via a "single information point" mandated by Article 12. Beyond infrastructure, Article 16 establishes a Union-wide sovereignty framework. Compliant Maltese providers could be formally recognised at one of four assurance levels and listed in a central EU repository under Article 22, granting them automatic eligibility for public procurement contracts across the entire Union, bypassing fragmented national trust assessments.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is designed to address the critical shortage of computing capacity in the EU and the strategic dependence on third-country providers. For Malta, a jurisdiction with limited land area but high connectivity potential, the proposal offers a dual pathway: accelerating the physical deployment of data centre infrastructure and harmonising the trust standards required to sell cloud services to the public sector.

Accelerating Data Centre Deployment in Malta

The primary bottleneck for data centre expansion in the EU has historically been fragmented permitting processes and lengthy environmental assessments. CADA addresses this through a targeted mechanism for "acceleration zones."

Designation of Acceleration Zones (Article 10) Under Article 10, Member States are obliged to designate at least one "data centre acceleration zone" within their territory where data centre capacity is being deployed. For Malta, this would involve identifying specific sites or areas suitable for high-density computing infrastructure. When designating these zones, the Maltese authorities would be required to consider critical factors including:

  • Available and future power grid capacity and the possibility of on-site clean energy generation.
  • Network connectivity capacity.
  • The ability to reuse waste heat.
  • The preference for reusing brownfield sites over greenfield sites.

This designation creates a pre-assessed regulatory environment, signalling to investors that the site has been vetted for energy and grid readiness.

Single Information Points (Article 12) To reduce administrative friction, Article 12 mandates that Member States designate "single information points" for data centre operators within these acceleration zones. This single point of contact provides assistance throughout the entire lifecycle of the project. Its role includes coordinating and facilitating procedures for:

  • Spatial planning and building permits.
  • Environmental assessments.
  • Authorisations regarding water abstraction, wastewater discharge, and heat utilisation.
  • Applications for connection to electricity, heat, or communications networks.

For a Maltese operator, this means navigating a single interface rather than engaging with multiple disparate agencies, significantly reducing the administrative burden and uncertainty.

Strategic Projects and Aggregated Baseline Permits (Article 13) The most transformative provision for operators is found in Article 13. Data centre projects deployed in acceleration zones are explicitly deemed "strategic projects" within the meaning of the EU framework for speeding up environmental assessments. This status triggers a specific permitting regime:

  • Aggregated Baseline Permit: Article 13(2) requires Member States to prepare and issue an "aggregated baseline permit" for each designated acceleration zone. This permit covers the permits and administrative authorisations commonly required for data centre projects within that area, excluding only installation-specific permits. This effectively "pre-approves" the general conditions for the zone.
  • 12-Month Cap: Article 13(5) establishes a strict timeline. The permit-granting procedure for data centre projects in acceleration zones "shall not exceed 12 months, from the moment a comprehensive application has been submitted." This cap provides operators with a predictable timeline for capital expenditure and project completion, mitigating the financial risks of regulatory delays.

The Sovereignty Framework and Market Access

While infrastructure measures address the "supply" side, CADA addresses the "demand" side by creating a harmonised trust framework. This allows Maltese providers to compete on a level playing field across the EU.

Union Assurance Levels (Article 16) Article 16 establishes a "Union cloud computing sovereignty framework" comprising four assurance levels (1 to 4). These levels are defined by cumulative criteria in Annex II, covering:

  • Establishment: The provider must be established in the Union.
  • Location: Infrastructure, assets, and personnel must be located in the Union (with specific nuances for levels 2-4).
  • Data Localisation: Customer data must remain exclusively within the Union.
  • Third-Country Control: Providers must demonstrate the absence of control by third countries that could compromise operational autonomy or data security.
  • Cybersecurity: Compliance with state-of-the-art standards or specific European cybersecurity certification schemes.

Recognition Mechanism (Article 17) Maltese providers seeking to access the public sector market must undergo a recognition process under Article 17.

  • Application: The provider submits an application to the national competent authority of establishment (in Malta, the relevant designated authority).
  • Level 1 (Self-Assessment): For Union assurance level 1, the provider carries out a conformity self-assessment and issues an "EU statement of conformity." Notably, Article 17(3) provides a derogation for SMEs: their statement of conformity is "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority."
  • Levels 2-4 (Independent Audit): For higher assurance levels, the provider must undergo an independent third-party audit to obtain a "positive" audit opinion.

Central Repository (Article 22) Once recognised, the service is registered in a "central repository" established and maintained by the Commission under Article 22. This repository is publicly available and lists all cloud computing services recognised as offering Union assurance levels 1 through 4. Being listed here is the key to market visibility and trust.

Public Procurement and Demand-Side Measures

The recognition mechanism directly unlocks market access. Article 30 sets the procurement rules for public sector bodies:

  • Minimum Requirement: All public sector bodies must procure cloud services recognised as having at least Union assurance level 1.
  • Public Order Relevance: For activities identified as contributing to the preservation of public order (e.g., national security, law enforcement, critical infrastructure), authorities must procure services recognised at Union assurance levels 2, 3, or 4.

This creates a "passport" effect. A Maltese provider recognised at level 2 in Malta is automatically eligible to bid for public contracts in Germany, France, or Italy, provided the service meets the level requirements. This eliminates the need for divergent national trust assessments.

Furthermore, Article 32 allows contracting authorities to include "Union added value" criteria in procurement. This enables authorities to award points to tenders that strengthen the EU digital supply chain, use hardware/software designed in the Union, or contribute to European innovation. Maltese providers with strong local supply chains or EU-based R&D could leverage this to gain a competitive edge.

What this means for you

For cloud service providers and data centre operators in Malta, CADA represents a strategic shift from navigating fragmented national rules to operating within a harmonised EU framework.

For Data Centre Operators:

  • Predictable Timelines: If your project is located in a designated acceleration zone, you can plan your investment with the certainty that the permitting process will not exceed 12 months. This reduces the "time-to-revenue" risk significantly.
  • Streamlined Administration: The single information point (Article 12) acts as a dedicated project manager for your regulatory journey, coordinating between planning, energy, and environmental authorities.
  • Strategic Status: Your projects would be classified as "strategic," potentially unlocking access to EU funding streams and streamlined environmental assessment tools that are not available to standard projects.

For Cloud Service Providers:

  • EU-Wide Market Access: By obtaining recognition under the sovereignty framework (Articles 16 and 17), your services become eligible for public procurement across the entire EU. This transforms your addressable market from the local Maltese market to the entire Union.
  • Competitive Advantage: Being listed in the central repository (Article 22) provides a verified seal of trust. For public sector buyers, this is often a mandatory requirement, making your service a "must-consider" option.
  • SME Opportunity: If you are an SME, the automatic recognition for Level 1 (Article 17(3)) lowers the barrier to entry, allowing you to compete immediately without a costly national recognition procedure.

Actionable Steps:

  1. Monitor Designations: Engage with Maltese authorities to understand where "data centre acceleration zones" will be designated and ensure your projects align with these areas.
  2. Gap Analysis: Conduct an internal audit against the criteria in Annex II. Determine which assurance level your current operations can support (e.g., data localisation, personnel citizenship, cybersecurity certification).
  3. Prepare for Audits: For levels 2-4, begin documenting your software bill of materials (SBOM), supply chain controls, and data flows to facilitate the independent audit process.
  4. Engage with the Single Point: Once designated, proactively engage with the single information point to understand the specific requirements for the aggregated baseline permit in your target zone.

Common misconceptions

Misconception 1: CADA replaces national planning laws. CADA does not abolish national planning or environmental laws. Instead, it harmonises the process for data centre projects in acceleration zones. The aggregated baseline permit (Article 13) covers common requirements, but installation-specific permits may still be required. Operators must still comply with national spatial planning and environmental protection standards, but the process is streamlined and time-bound.

Misconception 2: Only large hyperscalers can benefit from the sovereignty framework. The sovereignty framework applies to all cloud computing service providers, regardless of size. In fact, Article 17(3) includes a specific derogation for SMEs seeking Union assurance level 1: their EU statement of conformity is "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." This is a deliberate design to lower the barrier to entry for smaller Maltese providers.

Misconception 3: Recognition under CADA is optional for public sector contracts. For public sector bodies, using recognised services is mandatory. Article 30 sets a minimum requirement of Union assurance level 1 for all public sector cloud procurement. For activities related to public order, levels 2-4 are required. Therefore, obtaining recognition is not optional if you wish to participate in the public cloud market in the EU.

Misconception 4: The 12-month permit timeline applies to all data centre projects. The 12-month cap under Article 13(5) applies specifically to data centre projects deployed in designated acceleration zones. Projects outside these zones may not benefit from the same accelerated timelines or aggregated baseline permits, although they may still benefit from the single information point support if Member States extend it.

Related

This is general information about a draft EU regulation, not legal advice.