CADA vs AI Act Deadlines

Summary The EU AI Act and the proposed Cloud and AI Development Act (CADA) operate on distinct, non-overlapping timelines that compliance teams must track simultaneously. The AI Act is already in force, with prohibitions applying from 2 February 2025 and most high-risk obligations from 2 August 2026. CADA, as a proposal (COM(2026) 502 final), would enter into force 20 days after publication and apply one year later. Crucially, Article 29 of the CADA proposal mandates that Member States and Union entities complete their first sovereignty risk assessments by the date of application (i.e., one year after entry into force), not one year after application. This creates a parallel compliance track where the AI Act governs the algorithm and CADA governs the infrastructure, requiring organizations to align two separate regulatory calendars.

Detail

Navigating the intersection of the AI Act and the proposed CADA requires understanding that these are two separate legislative instruments with different legal statuses, entry-into-force mechanisms, and specific deadline structures. For legal counsel, the primary challenge is synchronizing the operational timelines of both to avoid regulatory gaps.

The AI Act: Phased Application from 2025 to 2027

The AI Act (Regulation (EU) 2024/1689) is already law and applies in phases. The timeline is fixed and independent of CADA's legislative progress:

• Prohibitions (2 February 2025): The prohibitions on certain AI practices (e.g., social scoring, certain biometric categorisation) apply immediately. Organizations must cease using these systems by this date.
• Governance and GPAI Rules (2 August 2025): Key governance structures, including the AI Office and the European Artificial Intelligence Board, become operational. Rules for general-purpose AI (GPAI) models, including transparency obligations, also apply from this date.
• High-Risk AI Obligations (2 August 2026): The bulk of the AI Act, including requirements for high-risk AI systems (risk management, data governance, technical documentation, conformity assessment), applies. This is the primary deadline for most enterprises deploying high-risk AI.
• Transitional Periods: Existing high-risk AI systems placed on the market or put into service before the application date generally have a transitional period to comply. The standard timeline for existing systems is 24 months after the general application date (2 August 2026), meaning the final deadline for bringing existing high-risk systems into full compliance is 2 August 2028.

CADA: Proposal Status and Entry-Into-Force Timeline

Unlike the AI Act, CADA is currently a proposal. It is not yet law, and its timelines are conditional on adoption. However, the text of the proposal (COM(2026) 502 final) outlines a specific sequence:

• Entry into Force: Under Article 48, the Regulation would enter into force on the twentieth day following its publication in the Official Journal of the European Union.
• Application Date: Article 48 further states that the Regulation "shall apply from [same day and month as date of entry into force plus 1 year]." This creates a one-year implementation window for providers and public bodies to prepare.

The Critical Intersection: CADA Article 29 Risk Assessments

The most significant overlap occurs in the public sector. CADA introduces a "Union cloud computing sovereignty framework" to mitigate risks from third-country providers. Central to this is Article 29, which mandates risk assessments to determine the required "Union assurance level" for cloud services.

Article 29(1) of the CADA proposal states:

"By [date of entry into force plus 1 year], and thereafter every two years, or whenever necessary, Member States and Union entities shall carry out risk assessments..."

This deadline is precise: the risk assessment must be completed by the date of application.

• Entry into Force: Day 0.
• Application Date: Day 0 + 1 year.
• Article 29 Deadline: Day 0 + 1 year.

Therefore, the risk assessment is due on the application date, not one year after the application date. This is a critical distinction: if CADA enters into force on 1 January 2028, it applies on 1 January 2029, and the Article 29 risk assessment is due by 1 January 2029.

Synchronizing the Timetables

For in-house counsel, these deadlines are additive. An organization deploying a high-risk AI system in the public sector must:

1. Ensure the AI system complies with the AI Act's high-risk requirements by 2 August 2026 (or by 2 August 2028 for existing systems).
2. Ensure the cloud infrastructure hosting the AI system meets the sovereignty requirements of CADA, as determined by the risk assessment mandated under Article 29, which is due on the date of application of CADA.

The AI Act focuses on the algorithm and its impact on fundamental rights, while CADA focuses on the infrastructure and its geopolitical sovereignty. Both must be satisfied.

What this means for you

For in-house counsel and compliance officers, the dual timeline of the AI Act and the proposed CADA requires a coordinated strategy:

1. Map Your Cloud Dependencies Now: Even though CADA is not yet law, the proposed Article 29 framework provides a clear preview. Begin mapping which public sector activities rely on cloud services and identify if these services are provided by entities subject to third-country control.
2. Prepare for the Article 29 Deadline: If CADA is adopted, you will have one year from entry into force to complete your risk assessment. This assessment must determine the appropriate Union assurance level (1–4) for your cloud services. Start gathering data on your providers' sovereignty credentials (establishment, data residency, control structures) as these are the criteria in Annex II.
3. Align AI Act and CADA Procurement: When procuring AI systems, ensure your vendor selection accounts for both AI Act compliance (e.g., high-risk conformity) and CADA sovereignty requirements. Article 30(3) of CADA requires that public sector bodies whose activities contribute to public order must only procure cloud services recognised as offering Union assurance levels 2, 3, or 4. This may limit your choice of cloud providers regardless of their AI Act compliance.
4. Monitor Legislative Progress: Since CADA is a proposal, its text and timelines may change. The entry-into-force date depends on when the final text is published. Track COM(2026) 502 final through the European Parliament and Council.
5. Document Risk Assessments Distinctly: The AI Act requires a risk management system (and potentially a fundamental rights impact assessment). CADA Article 29 requires a specific sovereignty risk assessment. Ensure these are documented separately, as they serve different regulatory purposes: the AI Act focuses on health, safety, and fundamental rights; CADA focuses on public order, data confidentiality, and operational autonomy.

Common misconceptions

"CADA replaces the AI Act for cloud services." No. The AI Act regulates the AI systems themselves (including GPAI models and high-risk applications). CADA regulates the cloud computing services that host or support these systems. They are complementary. A cloud provider must comply with CADA's sovereignty framework, while an AI developer must comply with the AI Act's product safety rules.

"The AI Act deadlines apply to CADA." No. The AI Act has fixed dates (2025–2027). CADA's deadlines are relative to its own entry into force. You cannot use the AI Act's 2026 deadline to delay CADA compliance if CADA enters into force earlier.

"Risk assessments under the AI Act satisfy CADA Article 29." No. The AI Act requires a risk management system and, for some deployers, a fundamental rights impact assessment. CADA Article 29 requires a specific sovereignty risk assessment to determine the Union assurance level for cloud services. These are distinct assessments with different criteria and outcomes.

"CADA only applies to the public sector." While Article 29 specifically mandates risk assessments for Member States and Union entities, the broader CADA framework applies to all cloud computing service providers seeking recognition under the Union assurance levels. Private sector entities in critical sectors (under NIS2) may also conduct similar impact assessments under Article 31, and procurement rules in Article 32 affect all public sector buyers, influencing the market for all providers.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• Data Act (Regulation (EU) 2023/2854)

Related

• CADA Migration Deadlines vs Data Act Switching Rights: The 12-Month Rule
• Does CADA change the Data Act's cloud-switching deadlines?
• Why is CADA part of the EU tech sovereignty package with the Chips Act 2.0?
• Why does CADA call the Data Act an 'enabler'?
• Why does CADA borrow the AI Act's definition of 'AI system'?

This is general information about a draft EU regulation, not legal advice.