How CADA streamlines data centre permits and sovereign cloud recognition in Romania

Summary As proposed, the Cloud and AI Development Act (CADA) would fundamentally reshape the regulatory landscape for cloud and data centre operators in Romania. The proposal mandates the creation of "data centre acceleration zones" where projects benefit from an "aggregated baseline permit" and a strict 12-month maximum for permit-granting procedures (Articles 10, 13). To reduce administrative friction, Member States must designate "single information points" to guide operators through the entire project lifecycle (Article 12). For Romanian cloud providers, CADA establishes a harmonised EU-wide sovereignty framework; once recognised by Romanian authorities, a provider's service is valid across all Member States and listed in a central repository, unlocking cross-border public procurement opportunities (Articles 16, 17, 22).

Detail

The Cloud and AI Development Act (CADA), currently a proposal in COM(2026) 502 final, aims to address the fragmentation of the EU internal market for cloud and AI infrastructure. For Romania, a Member State with significant potential for data centre growth but facing regulatory complexity, the proposal introduces two distinct but complementary pillars: accelerated infrastructure deployment and a unified market for sovereign cloud services.

Accelerated Deployment: Data Centre Acceleration Zones

The primary mechanism for speeding up infrastructure build-out in Romania is the designation of "data centre acceleration zones." Under Article 10(1), Romania would be required to designate at least one such zone within its territory where data centre capacity is being deployed. When selecting these zones, Romanian authorities would be legally obliged to consider specific strategic factors, including:

• The availability and future capacity of the power grid and network connectivity;
• The potential for on-site clean energy generation and waste heat reuse;
• A preference for reusing brownfield sites over greenfield sites to minimise environmental impact (Article 10(1)).

Once a zone is designated, the regulatory burden for projects within it is significantly reduced through the concept of the "aggregated baseline permit." Article 13(2) requires Member States to prepare and issue this permit for each acceleration zone. This single permit would cover the standard administrative authorisations required for data centre projects located within the zone, such as spatial planning and building permits. Crucially, Article 13(4) clarifies that data centres deployed in these zones would only need to obtain additional permits for activities falling outside the scope of this aggregated baseline permit.

To prevent these streamlined processes from becoming bottlenecks, CADA imposes a strict timeline. Article 13(5) states that the permit-granting procedure for data centre projects in acceleration zones "shall not exceed 12 months, from the moment a comprehensive application has been submitted." This provides Romanian operators with a predictable regulatory horizon, a significant departure from the often indefinite timelines of current national procedures.

Furthermore, Article 13(1) establishes that data centre projects deployed in these acceleration zones are to be considered "strategic projects" within the meaning of the Regulation on speeding-up environmental assessments. This classification grants them access to a dedicated toolbox designed to accelerate environmental assessments, ensuring that the push for capacity does not compromise high levels of environmental protection but rather streamlines the compliance path.

Single Information Point Support

Recognising that even streamlined zones can involve complex interactions with multiple authorities, Article 12(1) mandates that Romania designate one or more "single information points" for data centre operators of projects in acceleration zones. These points serve as a centralised contact throughout the entire lifecycle of the project.

The scope of support provided by the single information point is comprehensive. Under Article 12(2), their role includes coordinating, facilitating, monitoring, and sharing information on procedures relating to:

• Spatial planning and building permits;
• Environmental assessments;
• Authorisations regarding water abstraction, wastewater discharge, and heat utilisation;
• Compliance with administrative and reporting obligations;
• Applications for connection to electricity, heat, or communications networks.

Additionally, Article 12(3) empowers the single information point to assist operators in assessing whether a specific data centre project may qualify as a "strategic project" under Article 14. This designation, which can be made by the Commission based on criteria such as grid stability contributions or addressing compute shortages, could unlock further support measures. The single information point acts as a critical bridge, ensuring operators have a clear, dedicated channel for guidance and dispute resolution, thereby reducing the administrative overhead of coordinating with disparate public bodies.

Sovereignty Framework: A Pathway for Romanian Providers

Beyond physical infrastructure, CADA addresses the market access challenges faced by Romanian cloud service providers. Currently, the lack of a harmonised definition of "sovereign" or "trusted" cloud services limits the ability of EU-based providers to compete for public contracts across borders. CADA proposes a "Union cloud computing sovereignty framework" consisting of four assurance levels (Article 16).

For a Romanian provider, the pathway to market expansion is clear:

1. Application: The provider submits an application for recognition to the national competent authority of establishment—in this case, the Romanian authority (Article 17(1)).
2. Assessment: The authority assesses the provider against the criteria in Annex II. For Level 1, this involves a self-assessment; for Levels 2, 3, and 4, it requires an independent third-party audit (Articles 19, 20).
3. Union-Wide Recognition: If the Romanian authority recognises the service, that recognition is valid across the entire Union. Article 17(7) states that where no reasoned objection is raised by other Member States within the review period, the service is "recognised throughout the Union at the appropriate Union assurance level."
4. Central Repository: Once recognised, the service is registered in a central repository maintained by the Commission (Article 22). This repository is publicly available and regularly updated, providing Romanian providers with visibility and credibility across the EU market.

This mechanism allows Romanian providers to position themselves as competitive, trusted options for public procurement in Germany, France, or any other Member State, provided they meet the required assurance level. This is particularly relevant for public sector activities identified as contributing to the preservation of public order, which under Article 30(3) must procure services recognised at Union assurance levels 2, 3, or 4.

Strategic Project Designation and Investment

In addition to the zone-based acceleration, Article 14 allows the Commission to designate specific data centre projects as "strategic projects" if they meet criteria such as contributing to the security of the electricity grid, addressing major compute capacity shortages, or including highly sustainable features. While the Commission makes the final designation, the single information point in Romania would assist operators in assessing whether their project qualifies (Article 12(3)). Strategic projects may be eligible for support measures from Member States and Union programmes, further incentivising investment in high-quality, sustainable data centre infrastructure in Romania.

What this means for you

For cloud service providers and data centre operators in Romania, the proposed CADA represents a shift from fragmented national regulations to a harmonised, EU-wide framework with clear timelines and support structures.

• Predictable Permitting: If your project is located in a designated acceleration zone, you can expect a maximum 12-month timeline for permit-granting procedures. The aggregated baseline permit reduces the number of individual authorisations you need to secure, streamlining your pre-construction phase.
• Dedicated Support: You will have access to a single information point to guide you through spatial planning, environmental assessments, and utility connections. This reduces the administrative overhead of coordinating with multiple public authorities and provides a clear path for assessing strategic project status.
• EU Market Access: By aligning your services with the CADA sovereignty framework, you can seek recognition from Romanian competent authorities. Once recognised and listed in the central repository, your services become eligible for procurement by public sector bodies across the EU, provided they meet the required assurance level. This is particularly relevant for providers aiming to serve critical public sector functions that require higher levels of sovereignty (levels 2–4).
• Investment Opportunities: Projects that demonstrate high sustainability, innovation, or contribution to grid stability may qualify as strategic projects, potentially unlocking access to EU funding and support mechanisms.

Common misconceptions

• "CADA applies only to hyperscalers." CADA applies to all cloud computing service providers and data centre operators, regardless of size. The sovereignty framework and acceleration zone benefits are available to any provider that meets the relevant criteria.
• "The aggregated baseline permit covers all permits." The aggregated baseline permit covers the permits commonly required for data centre activities within the acceleration zone, but it explicitly excludes installation-specific permits. Operators may still need to obtain additional permits for activities falling outside the baseline scope.
• "Recognition in Romania is only valid in Romania." Under CADA, recognition by the national competent authority of establishment (e.g., in Romania) results in recognition across the entire Union. The central repository ensures transparency and mutual recognition of the assurance level.
• "All data centres are automatically in acceleration zones." Member States must designate acceleration zones where capacity is being deployed. Not all data centre projects in Romania will automatically fall within these zones; operators should verify the status of their site with the relevant national authorities.
• "CADA is already law." CADA is currently a proposal (COM(2026) 502 final). It has not yet been adopted by the European Parliament and the Council. The timelines and mechanisms described above would only apply if and when the regulation enters into force.

Related

• How do data centre permits and single information points work in Romania under CADA?
• Where will the data centre acceleration zones be in Romania?
• How CADA accelerates data centre permits and sovereignty for Slovakia
• How CADA helps French cloud and data centre operators: Permits, zones and sovereignty
• How CADA helps cloud and data centre operators in Estonia: Permits, Zones & Sovereignty

This is general information about a draft EU regulation, not legal advice.