How does the Cloud and AI Development Act (CADA) affect Austria?

Summary The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, is drafted as an EU Regulation. As proposed, it would be directly applicable in Austria once it enters into force, binding the country without any need for national transposition. As proposed, Austria would have to establish a national cloud and AI strategy (Article 7), designate at least one data centre acceleration zone where capacity is being deployed (Article 10), and designate one or more national competent authorities to enforce the cloud-sovereignty rules (Article 25). For public bodies, providers and data centre operators in Austria, the practical effect would be risk-based, sovereignty-aware cloud procurement and a faster, more coordinated route to building data centres.

Detail

CADA is a proposed Regulation, not yet adopted and not yet in force. Because the Commission has chosen the Regulation as its legal instrument, the text would — once adopted and in force — become part of the Austrian legal order automatically, without Austria passing a separate national implementing law. Article 48 provides that the Regulation would enter into force on the twentieth day after publication in the Official Journal and would apply one year after entry into force. This direct applicability is what ensures uniform rules across all Member States; Austria's role would be to carry out specific administrative tasks the proposal assigns to Member States, not to re-legislate the rules themselves.

The proposal's stated aims (Article 1) are to strengthen the Union's cloud and AI ecosystem — including by accelerating data centre deployment, enabling a sovereign cloud and AI offer to safeguard public order, reducing dependencies on critical technologies, and fostering public-sector cloud adoption. For Austria, this translates into several specific duties.

1. A national cloud and AI strategy (Article 7) As proposed in Article 7(1), Austria would have to establish a national cloud and AI strategy within one year of the Regulation's entry into force. Article 7(2) lists the minimum content (eight elements, points (a)–(h)): key objectives and priorities for cloud and AI adoption in line with the "AI first" principle plus a governance and monitoring framework; measures to accelerate adoption among public bodies, SMEs and SMCs (including support for the Experience and Acceleration Centres for AI under Article 5); deployment of AI in strategic sectors such as healthcare, energy and mobility; deployment of high-value, energy-efficient data centre capacity; investment in high-intensity computing infrastructure such as AI factories, AI gigafactories and quantum computers; procurement and procurement-of-innovation measures; cloud-stack technologies built on open hardware and software; and measures to ensure access to high-quality data. Austria would have to notify the Commission within three months of adoption and review the strategy at least every three years (Article 7(5)).

2. Designating a data centre acceleration zone (Article 10) As proposed in Article 10(1), where data centre capacity is being deployed in its territory, Austria would have to designate at least one data centre acceleration zone within six months of entry into force. When designating, Austria would consider the aspects in Article 10(1)(a)–(h), including the location and dimension of the site, current and future power-grid capacity (and scope for on-site storage and clean-energy generation), network connectivity, support for phasing out legacy copper networks, waste-heat reuse, permitting acceleration measures, a preference for reusing brownfield over greenfield sites, and the site's ability to function sustainably. The proposal's broader ambition (set out in the explanatory memorandum) is to at least triple the EU's data centre capacity within five to seven years and to reach the needed capacity by 2035.

3. Designating a national competent authority (Article 25) As proposed in Article 25(1), Austria would have to designate one or more national competent authorities to enforce the cloud-sovereignty Chapter within one year of entry into force, and may designate an existing authority. The proposal does not name a specific Austrian body — that would be for Austria to designate. Under Article 25(4), the Member State of a provider's main establishment would have exclusive competence to enforce the Chapter, and the Commission would maintain a public register of the designated authorities (Article 25(2)).

4. What changes for public bodies, providers and operators

• Public-sector buyers: Under Article 29, Austria (with Union entities, where relevant) would carry out risk assessments to identify which public-sector activities contribute to the preservation of public order and which Union assurance level (2, 3 or 4) is appropriate. Under Article 30, activities not identified as contributing to public order would have to use services recognised at Union assurance level 1; activities that do contribute to public order — in sectors under Annex I or II of the NIS2 Directive and in national security, internal security, external border management, defence, justice or law enforcement — would have to use services recognised at level 2, 3 or 4. Procurement would therefore turn on a provider's recognised assurance level, not on price alone.
• Cloud providers: A provider wishing to be recognised at a Union assurance level would apply to the competent authority of establishment (Article 17). Level 1 rests on an EU statement of conformity; levels 2–4 require an independent audit report and a positive audit opinion. The detailed criteria sit in Annex II.
• Data centre operators: Operators building in an acceleration zone would benefit from facilitated permitting — including an aggregated baseline permit per zone and a permit-granting limit not exceeding 12 months from a comprehensive application (Article 13), plus the right to be assisted by a single information point across the project lifecycle (Article 12) — but would have to meet the sustainability conditions in Article 11, which require Member States to use the key performance indicators in Delegated Regulation (EU) 2024/1364 and to allocate resources on fair, reasonable and non-discriminatory terms. Larger or strategically important projects may also be designated by the Commission as data centre strategic projects under Article 14 where they meet at least two of the criteria there.

What stays the same

It is as important to see what CADA would not change. As proposed, it does not displace the GDPR's rules on personal data, the AI Act's requirements for AI systems, or national cybersecurity law; the Commission presents it as complementary to those regimes. Nor would it confer new powers on Austria to regulate cloud pricing or to compel the use of any particular provider. Its leverage is indirect but real: through public procurement (which assurance levels apply to which activities), through the national strategy (where investment and support are steered), and through the zone framework (where and how fast data centres get built).

What this means for you

If you are a public-sector procurement officer in Austria, CADA would shift your role from buying IT services on price and features toward managing sovereignty and risk:

• Risk assessments would drive your tiering. The national risk assessment under Article 29 would determine whether your activities require level 1 or a higher level (2–4). Engage early to find out how your services are classified.
• Verify recognition, not just certification. You would need to check that a provider's service is recognised under CADA at the required assurance level (drawing on the central repository the proposal envisages), rather than relying on a general cybersecurity certificate alone.
• Align with the national strategy. Your procurement should track Austria's Article 7 strategy, which is expected to emphasise European providers and open hardware and software.
• Use the support structures. The Experience and Acceleration Centres for AI (Article 5) are designed as entry points for public bodies and SMEs.

Common misconceptions

• "Austria must pass a new law to comply." Incorrect. CADA is proposed as a Regulation and, as proposed, would be directly applicable in Austria without national transposition. Austria's task would be administrative — designating zones, an authority and a strategy — not re-enacting the rules.

• "All non-European cloud services would be banned." Incorrect. The proposal creates four graded Union assurance levels rather than an outright ban. Lower-risk activities would need only level 1; only public-order-relevant activities would require levels 2–4. Whether a third-country-controlled service can qualify at a higher level depends on the conditions in the proposal and Annex II.

• "This only affects large ministries." Incorrect. The procurement rules apply to "contracting authorities" generally, which includes regional and local public bodies, not only central government.

• "Data centre operators would face fewer environmental rules." Incorrect. Acceleration zones speed up permitting but, under Article 11, operators must meet sustainability KPIs from Delegated Regulation (EU) 2024/1364; the aim is faster deployment with environmental standards intact.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• GDPR (Regulation (EU) 2016/679)

Related

• How does the Cloud and AI Development Act affect Sweden?
• How does the Cloud and AI Development Act affect Spain?
• How does the Cloud and AI Development Act affect Slovenia?
• How does the Cloud and AI Development Act affect Slovakia?
• How does the Cloud and AI Development Act affect Romania?

This is general information about a draft EU regulation, not legal advice.