Summary As proposed, the Cloud and AI Development Act (CADA) would provide Spanish data centre operators and cloud providers with a harmonised framework to accelerate deployment, reduce administrative burdens, and access new public sector markets. Key benefits include faster permitting through data centre acceleration zones with aggregated baseline permits, dedicated support from single information points throughout the project lifecycle, and a path to EU-wide recognition under a sovereignty framework that lists compliant providers in a central repository.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, aims to strengthen the European cloud and AI ecosystem by addressing critical bottlenecks in computing capacity and reducing dependence on third-country providers. For operators in Spain, a key market for data centre expansion, CADA introduces specific mechanisms designed to streamline deployment and enhance market access. The proposal focuses on two main pillars: accelerating the physical deployment of data centres through regulatory simplification and establishing a trust framework for cloud services to unlock public procurement.

Accelerating Data Centre Deployment in Spain

One of the most significant operational impacts of CADA is the simplification of data centre deployment through the designation of data centre acceleration zones. Under Article 10, Member States, including Spain, would be required to designate at least one acceleration zone within their territory where data centre capacity is being deployed. When designating these zones, authorities must consider factors such as site location, power grid capacity, network connectivity, and environmental sustainability. This designation creates a prioritised environment for infrastructure development, ensuring that regulatory frameworks support rapid scaling.

Within these acceleration zones, the proposal introduces streamlined administrative processes. Article 13 mandates that data centre projects deployed in these zones are considered strategic projects within the meaning of the Regulation on speeding-up environmental assessments. Crucially, this status allows Member States to issue an aggregated baseline permit for the zone. This permit covers the permits and administrative authorisations commonly required for data centre projects within that area, excluding only installation-specific permits. By pre-clearing many standard requirements, the proposal aims to ensure that administrative applications are processed efficiently, with permit-granting procedures not exceeding 12 months from the submission of a comprehensive application.

To further support operators, Article 12 requires Member States to designate single information points for data centre operators in acceleration zones. These points assist operators throughout the entire lifecycle of the data centre project, from spatial planning and building permits to environmental assessments and grid connections. The single information point acts as a central coordinator, monitoring procedures and facilitating information sharing, thereby reducing the complexity of navigating multiple national, regional, and local authorities.

Sovereignty Framework and Market Access for Spanish Providers

Beyond physical deployment, CADA establishes a Union cloud computing sovereignty framework to enhance trust and reduce dependencies on non-European providers. Article 16 outlines four Union assurance levels (1 to 4) that cloud computing service providers must meet to offer services to Union entities and public sector bodies. These levels are based on criteria such as the provider's establishment in the Union, the location of infrastructure and data, cybersecurity standards, and the absence of third-country control.

For Spanish cloud providers, achieving recognition under this framework offers a significant competitive advantage. Article 17 details the recognition process, where providers submit applications to their national competent authority. Once recognised, a provider's service is acknowledged across the entire Union at the appropriate assurance level. This mutual recognition eliminates the need for separate national certifications, allowing Spanish providers to compete seamlessly for public sector contracts across the EU.

To increase transparency and facilitate procurement, Article 22 requires the Commission to establish and maintain a central repository of cloud computing services that have been recognised under the sovereignty framework. This publicly available repository lists services by their assurance level, making it easier for public authorities to identify and procure trusted European cloud solutions. For Spanish providers, being listed in this central repository signals compliance with high EU standards, enhancing their credibility and marketability.

National Strategies and Coordination

CADA also requires Member States to adopt national cloud and AI strategies. Article 7 mandates that these strategies include measures to support the deployment of data centre capacity, with a focus on high-value data centres that deliver economic and societal benefits while adhering to high environmental standards. For Spain, this means that national policies would be aligned with EU objectives, potentially unlocking funding and support mechanisms for data centre projects that contribute to the Union's digital sovereignty.

What this means for you

For data centre operators and cloud service providers in Spain, CADA presents both opportunities and obligations. Understanding these implications is crucial for strategic planning and compliance.

For Data Centre Operators:

  • Faster Time-to-Market: By locating new projects within designated data centre acceleration zones, operators can benefit from the aggregated baseline permit mechanism. This reduces the time spent on obtaining multiple individual permits, potentially cutting permitting timelines to 12 months or less.
  • Reduced Administrative Burden: The single information point serves as a dedicated contact for all authorisations, simplifying interactions with various regulatory bodies. Operators should engage early with these points to navigate spatial planning, environmental assessments, and grid connection requirements efficiently.
  • Strategic Project Status: Projects in acceleration zones are automatically considered strategic, which may facilitate access to certain support measures and streamlined environmental assessments under related EU legislation.

For Cloud Service Providers:

  • Competitive Advantage in Public Procurement: Public sector bodies are required to procure cloud services that meet specific Union assurance levels. By seeking recognition under the CADA sovereignty framework, Spanish providers can position themselves as trusted alternatives to non-EU incumbents.
  • EU-Wide Recognition: Once recognised by the Spanish competent authority, your service's assurance level is valid across all Member States. This eliminates the need for redundant national certifications, reducing compliance costs and expanding market reach.
  • Visibility and Trust: Inclusion in the central repository enhances your visibility to public procurers. Being listed as a recognised provider signals adherence to high standards of data sovereignty, cybersecurity, and operational autonomy, which are increasingly important criteria in public tenders.

Actionable Steps:

  1. Monitor Designations: Keep track of the designation of data centre acceleration zones in Spain. Prioritise new projects in these areas to leverage streamlined permitting.
  2. Engage with Single Information Points: Establish early contact with the designated single information points to understand specific requirements and timelines for your projects.
  3. Assess Sovereignty Readiness: Evaluate your cloud services against the criteria for Union assurance levels. Begin preparing documentation and evidence required for recognition, particularly regarding data localisation, cybersecurity certifications, and absence of third-country control.
  4. Align with National Strategy: Ensure your business plans align with Spain's national cloud and AI strategy, focusing on sustainability, innovation, and contribution to the EU's digital ecosystem.

Common misconceptions

  • CADA replaces national permitting entirely. While CADA introduces aggregated baseline permits for acceleration zones, it does not eliminate all national permitting requirements. Installation-specific permits may still be required, and operators must comply with national laws on environmental protection, spatial planning, and energy efficiency. CADA harmonises and accelerates the process but does not replace national regulatory frameworks.

  • Only EU-owned providers can achieve high assurance levels. While the criteria for higher assurance levels (3 and 4) are strict regarding third-country control, providers subject to third-country control may still be audited for Union assurance level 3 if the Commission adopts a decision recognising that third country as providing sufficient safeguards under Article 18. However, the default expectation for high-assurance services is strong EU establishment and control.

  • Recognition is automatic upon meeting technical criteria. Recognition under the sovereignty framework requires a formal application and assessment by the national competent authority, followed by a review period involving other Member States. Providers must submit detailed evidence, including audit reports for levels 2-4, and undergo a rigorous evaluation process. It is not an automatic certification based solely on self-declaration.

  • The central repository is only for public sector use. While the primary purpose of the central repository is to facilitate public sector procurement, it is publicly available. Private sector entities, particularly those in regulated industries, may also use the repository to identify trusted cloud providers, leveraging the assurance levels as a benchmark for security and sovereignty.

Related

This is general information about a draft EU regulation, not legal advice.