Summary The proposed Cloud and AI Development Act (CADA) would fundamentally reshape the regulatory landscape for cloud and data centre operators in Sweden by introducing "acceleration zones" where projects benefit from an aggregated baseline permit and a strict 12-month permitting cap, as mandated in Articles 10 and 13. The proposal would also require Sweden to establish "single information points" to guide operators through the entire project lifecycle under Article 12, significantly reducing administrative fragmentation. Simultaneously, CADA would create a harmonised EU-wide sovereignty framework under Article 16, allowing Swedish providers to gain formal recognition at one of four Union assurance levels. Once recognised, these providers would be listed in a central Commission repository (Article 22), granting them preferential access to public procurement markets across the entire Union, provided they meet the specific criteria for data localisation, personnel, and cybersecurity.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), addresses two critical bottlenecks facing the European digital economy: the shortage of physical computing capacity and the over-reliance on non-European cloud providers. For cloud service providers and data centre operators in Sweden, the proposal offers a dual pathway: a streamlined regulatory regime for physical infrastructure deployment and a new, harmonised market for sovereign cloud services.

Accelerated Data Centre Deployment in Sweden

A primary objective of CADA is to triple the EU's data centre capacity within five to seven years. To achieve this, the proposal introduces a mechanism for "data centre acceleration zones" that would apply directly to Swedish territory.

Designation of Acceleration Zones (Article 10) Under Article 10, Sweden would be required to designate at least one data centre acceleration zone within its territory where data centre capacity is being deployed. The designation process is not arbitrary; Member States must consider specific factors including the availability of power grid capacity, network connectivity, the potential for waste heat reuse, and a preference for reusing brownfield sites over greenfield locations. This designation provides operators with legal certainty regarding where large-scale infrastructure can be built with state support and streamlined procedures.

The Aggregated Baseline Permit (Article 13) Once a project is located within a designated acceleration zone, Article 13 introduces a transformative procedural efficiency. The article stipulates that data centre projects deployed in these zones shall be considered "strategic projects" within the meaning of the environmental assessment acceleration framework. This classification grants them access to a dedicated toolbox for speeding up environmental assessments.

Crucially, Article 13(2) requires Sweden to prepare and issue an "aggregated baseline permit" for each designated acceleration zone. This baseline permit would cover the permits and administrative authorisations commonly required for data centre projects located within that zone, excluding only installation-specific permits. This mechanism is designed to prevent the repetitive processing of identical regulatory requirements for multiple projects in the same area, effectively front-loading the regulatory burden.

Strict Permitting Timeline To ensure predictability for investors, Article 13(5) imposes a binding timeline. It states that the permit-granting procedure for data centre projects deployed in acceleration zones shall not exceed 12 months from the moment a comprehensive application has been submitted. This creates a fixed regulatory horizon, a significant departure from the often indefinite timelines of traditional permitting processes.

Single Information Points (Article 12) To support operators navigating these complex processes, Article 12 mandates the designation of "single information points" (SIPs) for data centre projects in acceleration zones. These SIPs would assist operators throughout the entire lifecycle of the data centre project with respect to all authorisations required for deployment. The role of the SIP includes coordinating, facilitating, monitoring, and sharing information on procedures related to spatial planning, building permits, environmental assessments, water abstraction, and network connections. This centralised support is designed to reduce administrative fragmentation and provide a clear, single channel for communication between operators and public authorities.

The Union Cloud Computing Sovereignty Framework

Beyond physical infrastructure, CADA introduces a "Union cloud computing sovereignty framework" under Article 16. This framework consists of four "Union assurance levels" (levels 1 to 4), which define the criteria for cloud computing services to be considered as providing varying degrees of Union assurance. These criteria, detailed in Annex II of the proposal, cover aspects such as the location of infrastructure and personnel, data localisation, cybersecurity certification, and the absence of third-country control.

Recognition Mechanism (Article 17) For Swedish cloud providers, achieving recognition under this framework is a significant opportunity to access the public sector market. Article 17 establishes the mechanism for cloud computing service providers to be recognised as offering a specific Union assurance level. Providers must submit an application to the national competent authority of their establishment.

The process varies by level:

  • Level 1: Providers carry out a conformity self-assessment and issue an EU statement of conformity. Notably, Article 17(3) provides a specific advantage for Small and Medium-sized Enterprises (SMEs): the EU statement of conformity issued by SMEs for Union assurance level 1 shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority.
  • Levels 2, 3, and 4: Providers must undergo independent third-party audits to obtain a "positive" audit opinion.

Central Repository and Market Access (Article 22) Once recognised, these services are registered in a central repository maintained by the Commission, as outlined in Article 22. This central repository would be publicly available, allowing public sector bodies across the EU to easily identify trusted providers. Article 30 further drives demand by requiring public sector bodies whose activities have not been identified as contributing to the preservation of public order to use cloud computing services recognised as having at least Union assurance level 1. Those activities identified as critical to public order must procure services recognised as offering levels 2, 3, or 4. This creates a guaranteed market for compliant Swedish providers, not just domestically, but across the entire EU single market.

Strategic Projects and Funding Opportunities

In addition to acceleration zones, Article 14 allows the Commission to designate specific data centre projects as "strategic projects" if they meet certain criteria, such as supporting essential public sector functions, incorporating highly sustainable features, or addressing major compute capacity shortages. While the Commission makes the designation, Member States may apply support measures to these projects. This provides an additional pathway for Swedish operators to secure public support for innovative or critical infrastructure projects that align with Union objectives.

What this means for you

For cloud service providers and data centre operators in Sweden, CADA presents both operational efficiencies and new market opportunities, but also introduces specific compliance obligations.

Faster Time-to-Market via Acceleration Zones By locating new data centre projects within designated Swedish acceleration zones, operators can benefit from the aggregated baseline permit model. This reduces the time spent on repetitive regulatory approvals, potentially cutting down the permitting process to a maximum of 12 months. Engaging with the single information point early in the project lifecycle can further streamline interactions with various authorities, ensuring that spatial planning, environmental, and grid connection issues are addressed in a coordinated manner.

EU-Wide Market Access for Sovereign Providers Achieving recognition under the Union assurance levels allows Swedish providers to compete for public sector contracts across the EU. The central repository serves as a digital badge of trust, making it easier for public authorities in other Member States to identify and procure services from Swedish providers. This is particularly valuable for smaller EU-based providers looking to scale beyond their national borders, as the automatic recognition for SMEs at Level 1 lowers the barrier to entry significantly.

Compliance Costs and Preparation Operators aiming for Union assurance levels 2, 3, or 4 must prepare for independent third-party audits. This involves documenting compliance with stringent criteria regarding data localisation (data must remain exclusively within the Union), personnel (Union citizenship requirements for higher levels), cybersecurity certifications (at least "substantial" for levels 2 and 3, "high" for level 4), and software supply chain transparency. Early investment in compliance infrastructure and documentation will be necessary to secure a "positive" audit opinion and subsequent recognition.

Strategic Positioning and Monitoring Operators should monitor the designation of acceleration zones in Sweden and assess whether their planned projects align with the criteria for strategic projects. Engaging with national authorities to understand the specific conditions and support measures available for these zones and projects can provide a competitive advantage. Furthermore, providers should prepare for the possibility of third-country control restrictions, as the framework explicitly limits the ability of non-EU entities to control the provider, especially for higher assurance levels.

Common misconceptions

Misconception: CADA replaces national planning laws. CADA does not replace national spatial planning or environmental laws. Instead, it harmonises certain procedures and introduces new mechanisms like acceleration zones and single information points to work within existing national frameworks. The aggregated baseline permit simplifies but does not eliminate the need for compliance with environmental and planning regulations; it merely consolidates the permitting process for projects within the designated zones.

Misconception: Only large hyperscalers can benefit. While large providers may have the resources to quickly comply with higher assurance levels, CADA includes specific provisions to support smaller providers. For example, Article 17(3) provides that the EU statement of conformity issued by SMEs for Union assurance level 1 shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority. This lowers the barrier to entry for smaller Swedish providers seeking to offer sovereign cloud services.

Misconception: Sovereignty recognition is automatic. Recognition under the sovereignty framework is not automatic. Providers must actively apply, submit evidence, and, for higher levels, undergo rigorous independent audits. The process involves detailed scrutiny of ownership structures, data flows, and cybersecurity measures. Providers must proactively manage their compliance posture to achieve and maintain recognition.

Misconception: CADA restricts the use of non-EU technology. CADA aims to reduce dependency on third-country providers by promoting European alternatives, but it does not outright ban non-EU technology. However, the criteria for higher Union assurance levels (particularly levels 3 and 4) impose strict requirements regarding third-country control and data localisation, which may make it challenging for providers heavily reliant on non-EU infrastructure or personnel to achieve the highest levels of assurance. The framework allows for third-country control only under specific derogations where the Commission has adopted an implementing act under Article 18.

Related

This is general information about a draft EU regulation, not legal advice.