How does the Cloud and AI Development Act (CADA) affect Belgium?

Summary The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, is drafted as an EU Regulation. As proposed, it would bind Belgium directly once it enters into force, with no national transposition. Belgium would have to establish a national cloud and AI strategy (Article 7), designate at least one data centre acceleration zone where capacity is being deployed (Article 10), and designate one or more national competent authorities (Article 25). For public-sector buyers, this would introduce mandatory risk assessments (Article 29) and minimum sovereignty assurance levels for cloud services (Article 30), shifting procurement from price alone toward security and technological autonomy.

Detail

CADA is a proposed Regulation, not yet adopted. Because the Commission chose the Regulation as its instrument, the text would — once adopted and in force — apply directly in Belgium without the federal or regional governments passing separate implementing laws. Article 48 provides for entry into force on the twentieth day after publication in the Official Journal and application one year later. Belgium's role would be to perform the administrative tasks the proposal assigns to Member States, within a harmonised EU framework.

The proposal rests on the premise (set out in its explanatory memorandum) that the EU's reliance on non-European cloud providers — three non-EU hyperscalers control over 70% of the European cloud market — poses risks to public order and operational autonomy. For Belgium, it sets out specific Member State duties.

National cloud and AI strategy (Article 7). As proposed in Article 7(1), Belgium would establish a national cloud and AI strategy within one year of entry into force. It must be consistent with the Regulation's objectives (Article 7(3)) and include the eight elements in Article 7(2), among them key objectives in line with the "AI first" principle, measures for SMEs and SMCs, deployment of data centre capacity, investment in high-intensity computing infrastructure, and support for cloud-stack technologies built on open hardware and software. Belgium would notify the Commission within three months of adoption and review the strategy at least every three years (Article 7(5)). Under Article 7(4) the strategy must contribute to the Digital Decade targets in Decision (EU) 2022/2481.

Data centre acceleration zones (Article 10). As proposed in Article 10(1), where data centre capacity is being deployed, Belgium would designate at least one acceleration zone within six months of entry into force, considering the aspects in Article 10(1)(a)–(h): grid capacity, network connectivity, waste-heat reuse, phasing out legacy copper, a preference for brownfield over greenfield sites, permitting acceleration and sustainability. Article 10(2) requires an energy-needs and emissions analysis feeding into network development plans.

National competent authority (Article 25). As proposed in Article 25(1), Belgium would designate one or more national competent authorities to enforce the cloud-sovereignty Chapter within one year of entry into force, and may use an existing authority. The proposal does not name a specific Belgian body — that would be for Belgium to designate. Under Article 25(4) the Member State of a provider's main establishment has exclusive competence, and the Commission maintains a public register of authorities (Article 25(2)).

Public procurement. Under Article 29, Belgium (with Union entities, where relevant) would carry out risk assessments to identify which public-sector activities contribute to public order and which assurance level applies. Under Article 30, activities not contributing to public order would have to use level 1 services; activities that do — in sectors under Annex I or II of the NIS2 Directive and in national security, internal security, external border management, defence, justice or law enforcement — would have to use level 2, 3 or 4. Where a risk assessment requires migrating to a different service, Article 29(6) sets a reasonable transition period not exceeding 12 months. Belgium would also have to monitor and report annually on its procurement of innovation in cloud and AI and pursue the objective that at least 25% of such procurement go to innovative SMEs (Article 33).

What stays the same. As proposed, CADA does not displace the GDPR, the AI Act or national cybersecurity law — the Commission frames it as complementary — and it gives Belgium no power to regulate cloud pricing or to mandate a particular provider. Its leverage runs through procurement rules, the national strategy and the zone framework rather than through direct market regulation.

Timeline: when each duty would bite

The duties do not all start on the same day. Article 48 sets entry into force at 20 days after publication and application one year after entry into force. Within that frame, the proposal measures specific deadlines from entry into force: the national strategy and the designation of a national competent authority are each due within one year (Articles 7(1) and 25(1)); a data centre acceleration zone is due within six months where capacity is being deployed (Article 10(1)); and the first risk assessments are due within one year, repeating every two years thereafter (Article 29(1)). These dates appear in the proposal as placeholders ("[P.O. insert the date ...]"), so the exact calendar dates would be fixed only on adoption — but the relative sequence is set. For Belgium, the practical reading is that zone designation is the earliest hard deadline, followed by the strategy, authority and risk-assessment cluster at the one-year mark.

What this means for you

For public-sector procurement officers and digital leaders in Belgium, CADA would shift cloud buying from a market-driven model toward a sovereignty-aware one.

For procurement officers:

• Risk assessments would be mandatory. The Article 29 assessment would set the required assurance level for your contracts.
• Updated tender criteria. Tenders for innovative cloud and AI would include non-price "Union added value" criteria (Article 32) — for example, use of Union-designed or -manufactured software or hardware. Article 32(2) requires these criteria to be ancillary and not decisive in the award; the proposal does not fix any particular numerical weighting.
• Verify recognition. Check that a provider's service is recognised at the required Union assurance level (drawing on the central repository the proposal envisages).

For cloud providers in Belgium:

• Recognition process (Article 17). Apply to the competent authority of establishment; level 1 rests on an EU statement of conformity (Article 17(3)), while levels 2–4 require an independent audit report and a positive audit opinion (Article 17(4)).
• Transparency. Report material changes that could affect your assurance level, as the proposal's transparency provisions require.
• Competitive landscape. Strong European supply-chain integration would help in public procurement.

For data centre operators in Belgium:

• Acceleration-zone benefits. Operators in a designated zone benefit from facilitated permitting — an aggregated baseline permit per zone and a permit-granting procedure not exceeding 12 months from a comprehensive application (Article 13) — and from the right to be assisted by a single information point across the project lifecycle (Article 12), but must meet the sustainability conditions in Article 11, which bind zone requirements to the KPIs in Delegated Regulation (EU) 2024/1364.
• Strategic projects. Under Article 14, the Commission may, by decision, designate data centre projects (selected through open calls) as strategic projects where they meet at least two of the criteria in Article 14(1).

Common misconceptions

"CADA is a directive Belgium can transpose at its own pace." Incorrect. It is proposed as a Regulation and would be directly applicable; there is no transposition. Certain duties have phased dates (e.g. one year for the national strategy and authority designation; six months for zone designation).

"Only large hyperscalers are affected." Incorrect. The framework applies to any provider seeking to serve the public sector; smaller and mid-sized providers can seek recognition, and SMEs benefit from automatic cross-border recognition of level-1 statements of conformity (Article 17(3)).

"CADA bans non-European cloud providers." Incorrect. It creates four graded assurance levels rather than a ban. Whether a third-country-controlled service can qualify at a higher level depends on the conditions in the proposal and Annex II.

"It is only about cybersecurity." Incorrect. The proposal frames sovereignty more broadly — operational autonomy, control over data and resilience against extraterritorial claims — so a service can be secure yet not meet the sovereignty criteria.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• GDPR (Regulation (EU) 2016/679)
• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• How does the Cloud and AI Development Act affect Sweden?
• How does the Cloud and AI Development Act affect Spain?
• How does the Cloud and AI Development Act affect Slovenia?
• How does the Cloud and AI Development Act affect Slovakia?
• How does the Cloud and AI Development Act affect Romania?

This is general information about a draft EU regulation, not legal advice.