Summary As proposed, the Cloud and AI Development Act (CADA) would significantly accelerate data centre deployment in Poland by mandating data centre acceleration zones where projects benefit from aggregated baseline permits and streamlined environmental assessments. Article 12 requires Poland to designate single information points to guide operators through the entire project lifecycle. For Polish cloud providers, CADA establishes a harmonised Union cloud computing sovereignty framework (Articles 16–17). By meeting these criteria, a Polish provider can be recognised at a specific Union assurance level and listed in a central EU repository (Article 22), granting automatic market access for public procurement across all Member States without needing duplicate national assessments.

Detail

The Cloud and AI Development Act (CADA), as set out in the Commission proposal COM(2026) 502 final, is designed to address the EU's critical shortage of computing capacity and reduce strategic dependencies on non-European providers. For Poland, a Member State with significant potential for data centre growth but facing permitting bottlenecks, the proposal introduces a dual-track approach: accelerating physical infrastructure deployment and creating a unified market for sovereign cloud services.

Accelerating Data Centre Deployment in Poland

The primary barrier to rapid data centre expansion in the EU is often the fragmentation and duration of permitting processes. CADA addresses this by requiring Member States, including Poland, to designate data centre acceleration zones.

Designation of Acceleration Zones (Article 10) Under Article 10, Poland would be required to designate at least one data centre acceleration zone within its territory where data centre capacity is being deployed. The designation must occur within six months of the Regulation's entry into force. When selecting these zones, Polish authorities would need to consider specific factors, including:

  • The availability of future power grid capacity and the possibility of on-site clean energy generation.
  • Network connectivity capacity.
  • The ability to reuse waste heat.
  • Environmental sustainability and climate resilience.
  • The preference for reusing brownfield sites over greenfield sites.

This mechanism aims to concentrate deployment efforts in areas where the necessary infrastructure (energy, network) is or can be made available, directly supporting the proposal's objective to triple EU data centre capacity within five to seven years.

Strategic Project Status and Aggregated Baseline Permits (Article 13) Once a data centre project is located within a designated acceleration zone, it receives a significant regulatory boost. Article 13(1) explicitly states that data centre projects deployed in these zones shall be considered strategic projects within the meaning of the Regulation on speeding-up environmental assessments (referenced as Regulation (EU) 2026/XXX in the proposal). This status grants them access to a dedicated "toolbox" for accelerating environmental assessments, ensuring high levels of protection while reducing timelines.

Crucially, Article 13(2) introduces the aggregated baseline permit. For each designated acceleration zone, Poland would be required to prepare and issue a single permit that covers the standard permits and administrative authorisations required for data centre projects in that area. This permit would exclude only installation-specific permits (e.g., those unique to a specific machine or process).

  • Impact: This means that for many standard requirementsβ€”such as spatial planning, building permits, and general environmental authorisationsβ€”the regulatory hurdle is cleared at the zone level rather than the individual project level.
  • Timeline: Article 13(5) mandates that the permit-granting procedure for projects in these zones shall not exceed 12 months from the submission of a comprehensive application. This is a substantial reduction compared to the often multi-year timelines seen in fragmented national systems.

Single Information Points (Article 12) To further reduce administrative friction, Article 12 mandates the designation of single information points for data centre operators in acceleration zones.

  • Lifecycle Support: Operators have the right to be assisted by this single point throughout the entire lifecycle of the project. This includes assistance with spatial planning, building permits, environmental assessments, water abstraction, heat utilisation, and grid connections.
  • Coordination: The single information point acts as a coordinator, facilitating communication between the operator and various national, regional, and local authorities.
  • SME Focus: The provision explicitly requires these points to pay particular attention to SMEs, potentially establishing dedicated channels for guidance.

The Sovereignty Framework: A Gateway for Polish Providers

Beyond physical infrastructure, CADA introduces a Union cloud computing sovereignty framework to help public sector bodies and Union entities choose trusted cloud services. This framework is critical for Polish cloud providers looking to compete for public contracts not just in Poland, but across the entire EU.

Union Assurance Levels (Article 16) Article 16 establishes four Union assurance levels (Level 1 to Level 4). These levels define cumulative criteria that cloud computing service providers must meet to be recognised as offering "Union assurance." The criteria cover:

  • Establishment: The provider must be established in the Union.
  • Location: Infrastructure, assets, and personnel must be located in the Union (with specific nuances for higher levels).
  • Data Localisation: Customer data must remain exclusively within the Union.
  • Cybersecurity: Compliance with state-of-the-art standards, with higher levels requiring specific European cybersecurity certification (e.g., "substantial" for Levels 2 and 3, "high" for Level 4).
  • Third-Country Control: Strict limitations on control by third countries or legal entities established outside the Union.

Recognition Mechanism (Article 17) For a Polish cloud provider, achieving recognition is the key to market access. Article 17 outlines the procedure:

  1. Application: The provider submits an application to the national competent authority of establishment (in this case, the Polish authority designated under Article 25).
  2. Assessment:
    • For Level 1, the provider carries out a conformity self-assessment (Article 19) and issues an EU statement of conformity. Notably, for SMEs, this statement is directly and automatically recognised in all Member States without prior review by the national authority.
    • For Levels 2, 3, and 4, the provider must undergo an independent third-party audit (Article 20) to obtain a "positive" audit opinion.
  3. Union-Wide Effect: Once the Polish authority recognises the service, it is recognised throughout the Union. This mutual recognition eliminates the need for Polish providers to undergo separate, duplicative sovereignty assessments in Germany, France, or any other Member State.

Central Repository (Article 22) To ensure transparency and facilitate procurement, Article 22 requires the Commission to establish and maintain a central repository of cloud computing services recognised under the framework.

  • Visibility: Once a Polish provider is recognised, their service is registered in this central repository.
  • Access: The repository is publicly available and regularly updated. Public sector bodies across the EU can use it to identify and procure services that meet the required assurance levels.
  • Duration: Records of recognition (and any revocations) remain available for five years.

Public Procurement and Market Demand

The sovereignty framework directly drives demand. Article 30 sets out procurement obligations for contracting authorities:

  • Baseline Requirement: All contracting authorities must procure at least Union assurance level 1 services.
  • Public Order Requirement: For activities identified as contributing to the preservation of public order (e.g., defence, law enforcement, critical infrastructure under the NIS2 Directive), authorities must procure services recognised at Level 2, 3, or 4.

This creates a guaranteed market for Polish providers who meet these standards. Furthermore, Article 32 allows contracting authorities to include Union added value criteria in their tenders, evaluating how much a tenderer contributes to strengthening the EU digital supply chain (e.g., using hardware or software designed in the Union). This further incentivises the selection of European providers like those based in Poland.

What this means for you

For Data Centre Operators in Poland

CADA offers a clear, accelerated pathway to deployment.

  1. Target Acceleration Zones: Engage with Polish authorities to identify where acceleration zones will be designated. Locating a project here is the fastest route to market, offering an aggregated baseline permit and a 12-month maximum permitting timeline.
  2. Leverage Single Information Points: Utilise the designated single information point early in your planning phase to coordinate spatial, environmental, and grid requirements. This single point of contact is designed to prevent the "runaround" between multiple agencies.
  3. Monitor National Strategies: Under Article 7, Poland must adopt a national cloud and AI strategy within one year of the Regulation's entry into force. This strategy will likely detail the specific locations of acceleration zones and the operational model of single information points.

For Polish Cloud Service Providers

The sovereignty framework is a strategic lever for expansion.

  1. Aim for Recognition: Whether you are an SME aiming for Level 1 (via self-assessment) or a larger provider targeting Levels 2–4 (via audit), achieving recognition is the prerequisite for accessing the EU public sector market.
  2. Prepare for Audits: If targeting Levels 2–4, ensure your internal processes for data localisation, personnel screening (Union citizenship requirements apply at higher levels), and cybersecurity certification are robust. The audit evidence required is detailed in Annex III of the proposal.
  3. List in the Repository: Once recognised, your service will be listed in the central repository. This acts as a verified "seal of approval" for public buyers across the EU, removing the friction of proving sovereignty in every new market.
  4. Watch for Public Order Assessments: Under Article 29, Member States must conduct risk assessments to identify which activities require higher assurance levels. Understanding which sectors in Poland (and the EU) are deemed "public order" relevant will help you prioritise your compliance efforts.

Common misconceptions

Misconception 1: CADA forces all data centres to be built in acceleration zones. CADA does not prohibit construction outside these zones. However, projects outside acceleration zones will not benefit from the aggregated baseline permit or the mandatory 12-month permitting cap. They will remain subject to standard national permitting procedures, which may be slower and more fragmented. The acceleration zones are an incentive, not a mandate for location.

Misconception 2: The sovereignty framework is only for large hyperscalers. The framework is designed to be accessible to providers of all sizes. Article 17(3) explicitly states that for SMEs, the EU statement of conformity for Level 1 is directly and automatically recognised in all Member States without the need for prior evaluation by the national competent authority. This significantly lowers the barrier to entry for smaller Polish providers.

Misconception 3: Meeting sovereignty criteria is purely a technical exercise. The criteria are holistic. While cybersecurity is a major component (requiring certification at Levels 2–4), the framework also imposes strict legal and organisational requirements. These include ensuring data remains exclusively in the Union, verifying that personnel are Union citizens (for Levels 2–4), and proving that the provider is not subject to control by a third country. Providers must demonstrate compliance with all these aspects through documented evidence.

Misconception 4: CADA replaces national planning laws. CADA complements national laws; it does not override them. It provides a framework to accelerate processes within existing national planning and environmental protection standards. The aggregated baseline permit is issued by national authorities based on national law, but the process and timeline are harmonised and accelerated by the Regulation.

Related

This is general information about a draft EU regulation, not legal advice.