Summary

As proposed, the Cloud and AI Development Act (CADA) would significantly streamline the deployment of data centres in Portugal by mandating "acceleration zones" where projects benefit from an aggregated baseline permit and a strict 12-month maximum permitting timeline. The Act establishes Single Information Points to guide operators through the entire project lifecycle, reducing administrative friction. Crucially, CADA creates a unified Union cloud computing sovereignty framework, allowing Portuguese providers to gain formal EU-wide recognition for their services. This recognition would be listed in a central repository, unlocking access to public procurement markets across the Union and reducing dependence on non-EU hyperscalers.

Detail

The Cloud and AI Development Act (CADA), as set out in the Commission proposal COM(2026) 502 final, is designed to address the critical shortage of computing capacity in the EU and reduce strategic dependencies on third-country providers. For cloud service providers and data centre operators in Portugal, the proposal introduces a harmonised regulatory framework that targets two specific bottlenecks: the speed of physical deployment and the fragmentation of trust standards. By establishing data centre acceleration zones and a Union assurance framework, CADA would provide Portuguese operators with a clearer path to market entry and a competitive advantage in the public sector.

Accelerated Deployment: Acceleration Zones and Aggregated Permits

The most immediate operational benefit for data centre operators in Portugal lies in the deployment of data centre acceleration zones. Under Article 10, Member States are required to designate at least one such zone within their territory where data centre capacity is being deployed. When designating these zones, Portugal would be required to consider specific factors including available power grid capacity, network connectivity, waste heat reuse potential, and environmental sustainability.

Once a project is situated within a designated acceleration zone, the regulatory landscape changes fundamentally. Article 13 establishes facilitated administrative and permit-granting processes. A key innovation is the treatment of these projects as strategic projects within the meaning of the Regulation on speeding-up environmental assessments. This status grants them access to a dedicated toolbox for accelerating environmental assessments, ensuring that high-level protection of human health and the environment is maintained while reducing delays.

The core mechanism for speed is the aggregated baseline permit. Article 13(2) mandates that Member States prepare and issue an aggregated baseline permit for each designated acceleration zone. This single permit covers the permits and administrative authorisations commonly required for data centre projects located within that zone, excluding only installation-specific permits. Consequently, operators would not need to navigate a fragmented series of individual applications for common requirements. They would only need to obtain additional permits for activities falling outside the scope of this baseline permit.

Furthermore, Article 13(5) imposes a strict temporal limit on the process. It mandates that administrative applications related to the planning, construction, and operation of data centres in acceleration zones be processed in an efficient, transparent, and timely manner. The permit-granting procedure shall not exceed 12 months from the moment a comprehensive application has been submitted. This creates a predictable timeline for Portuguese operators, significantly reducing the financial risks associated with prolonged regulatory uncertainty and allowing for faster capital deployment.

Single Information Point Support

To ensure that the streamlined permitting process is accessible and navigable, Article 12 requires Member States to designate single information points for data centre operators of projects in acceleration zones. These points serve as a centralised contact for operators throughout the entire lifecycle of the data centre project.

The role of the single information point is comprehensive. It assists in coordinating, facilitating, monitoring, and sharing information on procedures relating to:

  • Spatial planning and building permits.
  • Environmental assessments.
  • Authorisations regarding water abstraction, wastewater discharge, and heat utilisation and recovery.
  • Compliance with applicable administrative and reporting obligations.
  • Applications for connection to electricity, heat, or communications networks.

This support is particularly valuable for small and medium-sized enterprises (SMEs). Article 12(4) explicitly states that the single information point shall pay particular attention to SMEs and, where appropriate, establish a dedicated channel for communication to provide guidance and respond to queries. By consolidating regulatory interactions into a single touchpoint, CADA aims to minimise the friction and confusion often experienced by operators navigating complex national bureaucracies.

Sovereignty Framework and Market Access

Beyond the mechanics of physical deployment, CADA introduces a Union cloud computing sovereignty framework that directly benefits European cloud providers by creating a unified standard of trust. Article 16 establishes four levels of Union assurance, providing a harmonised set of criteria for cloud services to be recognised as trustworthy and sovereign. This framework addresses concerns regarding data sovereignty, operational continuity, and protection against extraterritorial access by third-country authorities.

For Portuguese cloud providers, this presents a significant commercial opportunity. By meeting the criteria for Union assurance levels (detailed in Annex II), providers can apply for formal recognition. Article 17 outlines the mechanism for this recognition: providers submit an application for recognition to the national competent authority of their establishment. Once recognised, a provider's service is acknowledged across the entire Union, facilitating cross-border expansion and eliminating the need to navigate divergent national sovereignty standards.

Article 22 requires the Commission to establish and maintain a central repository of cloud computing services recognised under this framework. Inclusion in this repository enhances visibility and trust, making it easier for public sector bodies and private entities across the EU to identify and procure services from European providers. This is particularly impactful in the public sector, where Article 30 mandates that contracting authorities procure cloud services with at least Union assurance level 1. For activities identified as contributing to the preservation of public order (such as law enforcement or defence), Article 30(3) requires the procurement of services recognised at levels 2, 3, or 4.

This creates a guaranteed demand channel for compliant European providers. A Portuguese provider recognised at a high assurance level would effectively have a "passport" to supply public sector bodies across the EU, helping to level the playing field against dominant non-EU hyperscalers who may struggle to meet the specific sovereignty criteria regarding establishment, personnel, and third-country control.

What this means for you

For cloud service providers and data centre operators in Portugal, CADA offers both operational efficiencies and strategic commercial advantages.

1. Reduced Time-to-Market: If your data centre projects are located within designated acceleration zones, you can expect a significantly faster permitting process. The 12-month maximum timeline for permit-granting and the use of aggregated baseline permits mean less time spent in regulatory limbo and a quicker start-up of operations. This predictability is crucial for securing financing and meeting investment deadlines.

2. Simplified Administrative Burden: The Single Information Point acts as a dedicated guide through the regulatory landscape. Instead of coordinating with multiple authorities for various permits, you will have a single contact for assistance. This reduces administrative overhead, minimises the risk of errors, and provides a clear channel for resolving issues, with specific attention paid to the needs of SMEs.

3. Enhanced Market Credibility: By aligning your services with the Union assurance levels, you can gain formal recognition as a sovereign cloud provider. This recognition is valid across the entire EU, allowing you to market your services as trustworthy and compliant with high sovereignty standards. This is a key differentiator when competing for public sector contracts or serving private clients with strict data sovereignty requirements.

4. Access to the Central Repository: Being listed in the central repository of recognised services increases your visibility to potential clients across the EU. It serves as a seal of approval, demonstrating that your services meet rigorous EU-defined criteria for sovereignty and security. This visibility is essential for capturing the demand generated by the public procurement mandates in Article 30.

5. Strategic Planning: As Portugal designates acceleration zones, operators should prioritise locations within these zones to benefit from the streamlined processes. Engaging early with the single information point can help identify potential regulatory hurdles and ensure compliance with sustainability and energy efficiency requirements, which are key criteria for zone designation under Article 10.

Common misconceptions

Misconception 1: CADA applies only to large hyperscalers. While large providers will certainly benefit, CADA's provisions on acceleration zones and single information points apply to all data centre operators. Additionally, the sovereignty framework includes specific provisions for SMEs. Under Article 17(3), the EU statement of conformity for Union assurance level 1 issued by SMEs shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority, making it highly accessible to smaller European providers.

Misconception 2: The sovereignty framework is only for the public sector. While public procurement rules (Article 30) mandate the use of sovereign services for certain activities, the recognition mechanism and central repository are available to all providers. Private sector entities, particularly those in critical sectors falling under the NIS2 Directive, are also encouraged to carry out similar impact assessments and use the framework to mitigate risks (Article 31).

Misconception 3: Acceleration zones eliminate all permitting requirements. Acceleration zones and aggregated baseline permits simplify the process but do not eliminate it. Operators still need to obtain installation-specific permits and comply with environmental and energy regulations. However, the baseline permit covers common requirements, drastically reducing the volume of individual applications and the associated administrative burden.

Misconception 4: CADA replaces national planning laws. CADA harmonises certain aspects of data centre deployment and sovereignty but works within the existing national legal frameworks. Member States retain responsibility for designating zones and issuing permits, but they must adhere to the streamlined timelines and procedures set out in CADA. The Act complements national laws by adding a layer of EU-wide certainty and speed.

This is general information about a draft EU regulation, not legal advice.