CADA Review Clause vs AI Act & Data Act

Summary As proposed, the Cloud and AI Development Act (CADA) establishes a distinct review timeline: an initial evaluation four years after entry into force, followed by subsequent reviews every five years thereafter (Article 47). This schedule differs from the EU AI Act's four-year cycle and the Data Act's fragmented reporting obligations. Crucially, Article 47(3) imposes a mandatory requirement for the Commission to pay "specific attention to small and medium-sized enterprises and the position of new competitors." This explicit focus on market structure and competition is a unique feature of CADA, designed to ensure the regulation does not inadvertently entrench incumbents while addressing the EU's strategic dependency on third-country providers.

Detail

The CADA Review Framework: Article 47

The review mechanism for the Cloud and AI Development Act is codified in Article 47, titled "Review." This provision establishes a structured, long-term evaluation cycle designed to assess the regulation's effectiveness in strengthening the EU's cloud and AI ecosystem.

Timing and Frequency Under Article 47(1), the European Commission is required to evaluate the Regulation "by [date of entry into force plus 4 years], and every 5 years thereafter." The results of this evaluation must be reported to the European Parliament, the Council, and the European Economic and Social Committee. This creates a predictable rhythm for legislative oversight: an initial deep dive four years post-adoption, followed by a quinquennial (five-year) cycle.

Content and Focus The review is not merely a procedural formality. Article 47(2) stipulates that the report "shall, where appropriate, be accompanied by a proposal for amendment of this Regulation." This empowers the Commission to initiate legislative changes based on the evaluation's findings.

Most significantly, Article 47(3) defines the substantive scope of the evaluation. It mandates that the Commission "shall take into account the positions and findings of the European Parliament, of the Council, and of other relevant bodies or sources, and shall pay specific attention to small and medium-sized enterprises and the position of new competitors."

This clause is a direct legislative response to the market concentration issues identified in the proposal's Explanatory Memorandum. The text notes that the EU market share of European cloud providers dropped from 29% in 2017 to 15% in 2022, remaining stagnant. By embedding the "position of new competitors" into the review mandate, the proposal ensures that the Commission must actively assess whether CADA's measures—such as the sovereign cloud framework, data centre acceleration zones, and open-source promotion—are successfully lowering barriers to entry or if they are creating new hurdles for smaller players.

Comparison with the EU AI Act

The EU AI Act (Regulation (EU) 2024/1689) operates under a different review logic, reflecting its nature as a product-safety and fundamental-rights regulation rather than a market-structure instrument.

• Frequency and Triggers: The AI Act contains a more granular review structure. Under Article 112, the Commission must assess the need to amend the list of prohibited practices and high-risk AI systems once a year until the end of the delegation of power. Furthermore, a broader evaluation of the entire Regulation is due by 2 August 2029 and every four years thereafter (Article 112(3)).
• Focus of Evaluation: The AI Act's annual assessments are technical, focusing on the evolution of AI risks and the need to update annexes. The broader four-year review focuses on the application of the Act, fundamental rights protection, and the functioning of the internal market regarding AI systems.
• SME Consideration: While the AI Act considers SME interests in the context of penalty calculations (Article 99) and compliance support mechanisms, it does not contain a review clause that explicitly mandates a specific focus on the "position of new competitors" as a primary evaluation metric. CADA's Article 47(3) is unique in making the competitive position of new entrants a statutory requirement for the review itself.

Comparison with the Data Act

The Data Act (Regulation (EU) 2023/2854) does not feature a single, consolidated "review clause" article in the same format as CADA or the AI Act. Instead, its evaluation mechanisms are distributed across specific operational provisions.

• Fragmented Reporting: The Data Act requires the Commission to report on specific aspects, such as the application of switching obligations, interoperability requirements, and the fairness of data access conditions. These are often tied to the implementation of specific rights (e.g., data portability) rather than a holistic ecosystem review.
• Strategic vs. Operational: The Data Act's focus is operational: ensuring data can move and be accessed. CADA's review is strategic: ensuring the market structure supports sovereignty and resilience. The Data Act lacks the explicit, high-level mandate to evaluate the regulation's impact on the market share of new competitors that is central to CADA's Article 47.

Comparison with the Digital Governance Act (DGA)

The Digital Governance Act (Regulation (EU) 2023/2854, specifically the provisions on common data spaces) emphasizes governance and interoperability. Its review mechanisms are often tied to the establishment of specific common data spaces or sectoral regulations.

• Sector-Specific vs. Holistic: Unlike CADA's Article 47, which is a blanket review of the entire cloud and AI regulatory framework, the DGA's assessments are more fragmented and sector-specific. CADA's approach provides a unified checkpoint for the entire ecosystem, allowing for a holistic view of how cloud infrastructure, AI development, and sovereignty measures interact.
• Competition Mandate: The DGA does not contain a review clause with the same explicit "specific attention to SMEs and new competitors" language found in CADA. CADA's review is uniquely designed to monitor the competitive dynamics of the supply chain, not just the governance of data spaces.

Why the SME and Competition Focus Matters

The emphasis on SMEs and new competitors in Article 47(3) is not rhetorical; it is a corrective mechanism. The Explanatory Memorandum highlights that the current landscape is characterized by a "pronounced dependence on a limited pool of third-country providers," with three non-EU hyperscalers controlling over 70% of the European cloud market.

By mandating that the review explicitly considers the "position of new competitors," the legislature intends to ensure that CADA's measures are actually lowering barriers to entry. If the sovereign cloud framework or data centre acceleration zones inadvertently favor large incumbents (who have the capital to meet complex assurance levels), the review process is legally required to identify and report this failure. This ensures that the "Union added value" criteria in procurement (Article 32) and the support for open-source solutions (Article 41) are effectively fostering a diverse ecosystem rather than consolidating power further.

What this means for you

For in-house counsel, compliance officers, and strategic planners, understanding the nuances of Article 47 is critical for long-term risk management and market positioning.

1. Regulatory Horizon Planning With a review scheduled for four years after entry into force, followed by five-year cycles, you have a predictable timeline for potential legislative changes. Unlike the AI Act's annual technical updates, CADA's reviews are less frequent but potentially more transformative regarding market structure. You should plan your compliance infrastructure to be adaptable to shifts in sovereignty requirements and market access rules that may emerge from these reviews. If the Commission finds that the current Union assurance levels are too burdensome for smaller providers, significant amendments to the criteria in Annex II could follow.

2. SME and New Competitor Status If your organization qualifies as an SME or a new competitor, document your engagement with CADA's support measures (e.g., access to AI factories, open-source initiatives, or procurement opportunities). The Commission's obligation to pay "specific attention" to your position means that evidence of barriers to entry or competitive disadvantages could directly influence future amendments. Active participation in stakeholder consultations during the review periods will be essential to ensure your challenges are recorded in the Commission's report.

3. Sovereignty and Procurement Compliance The review will likely assess the effectiveness of the Union assurance levels and the risk assessment mechanisms under Article 29. Compliance officers should monitor how the Commission interprets "public order" and "sovereignty" in its reports. If the review finds that current assurance levels are insufficient or too burdensome, significant changes to procurement criteria and vendor requirements may follow. The review could also lead to adjustments in the "Union added value" criteria in Article 32.

4. Cross-Border Coordination As CADA aims to harmonize data centre deployment and cloud sovereignty across the EU, the review will evaluate cross-border cooperation. For multinationals, this means monitoring whether the Commission's review leads to stricter harmonization or allows for national deviations. Prepare for potential updates to the definition of "cloud computing service" or the criteria for Union assurance levels based on the findings of the Article 47 evaluation.

Common misconceptions

Misconception 1: CADA's review is identical to the AI Act's. Many assume all new EU digital laws follow the AI Act's review model. This is incorrect. CADA's Article 47 has a longer interval (every five years after the initial four) and a distinct focus on market competition and SMEs, whereas the AI Act focuses heavily on risk classification updates and fundamental rights. The AI Act's annual reviews are technical; CADA's are strategic.

Misconception 2: The review is automatic and binding. The review itself is an evaluation and report. Article 47(2) states the report "shall, where appropriate, be accompanied by a proposal for amendment." This means the Commission is not obligated to propose changes; it depends on the findings. However, the obligation to consider SMEs and new competitors in the evaluation process is mandatory.

Misconception 3: CADA replaces the Data Act's governance. CADA complements the Data Act but does not replace its governance mechanisms. The Data Act focuses on data access and switching; CADA focuses on infrastructure, sovereignty, and AI development. Their review clauses serve different purposes: the Data Act ensures operational compliance, while CADA ensures strategic market health.

Misconception 4: Only large providers need to worry about the review. The explicit focus on SMEs and new competitors in Article 47(3) means that smaller providers are central to the review's success metrics. If CADA fails to improve the market share of EU providers, the review will highlight this. Therefore, SMEs have a vested interest in engaging with the review process to advocate for measures that reduce barriers to entry.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• Data Act (Regulation (EU) 2023/2854)
• Data Governance Act (Regulation (EU) 2022/868)

Related

• What is the review clause in the Cloud and AI Development Act (CADA)?
• CADA Timeline: From Adoption to Full Application and Review
• CADA Review vs Delegated Acts: How the EU Cloud and AI Development Act Changes
• CADA Review Cycle: How often will the Cloud and AI Development Act be evaluated?
• Why does the CADA review pay special attention to SMEs and new competitors?

This is general information about a draft EU regulation, not legal advice.