How does the Cloud and AI Development Act (CADA) affect Bulgaria?

Summary As proposed, the Cloud and AI Development Act (CADA), COM(2026) 502 final, is an EU Regulation and would bind Bulgaria directly once it enters into force, without national transposition. Bulgaria would have to designate one or more national competent authorities (Article 25), adopt a national cloud and AI strategy (Article 7), and designate at least one data centre acceleration zone where capacity is being deployed (Article 10). For public-sector buyers, this would introduce mandatory risk assessments (Article 29) and minimum sovereignty assurance levels for cloud services (Article 30), determining which tier of cloud is required for which activities.

Detail

CADA is a proposed Regulation, not yet adopted. Because the Commission chose the Regulation as its instrument, the text would — once adopted and in force — apply directly in Bulgaria without Bulgarian implementing legislation. Article 48 provides for entry into force on the twentieth day after publication in the Official Journal and application one year later. Bulgaria's role would be to perform the administrative tasks the proposal assigns to Member States.

The proposal aims (per its explanatory memorandum) to address the EU's dependence on non-European cloud providers and the shortage of domestic compute capacity. For Bulgaria, it sets out specific Member State duties.

1. National competent authority (Article 25). As proposed in Article 25(1), Bulgaria would designate one or more national competent authorities to enforce the cloud-sovereignty Chapter within one year of entry into force, and may designate an existing authority. The proposal does not name a specific Bulgarian body — that would be for Bulgaria to designate; the authority would supervise providers and handle recognition under the assurance-level framework. Under Article 25(4) the Member State of a provider's main establishment has exclusive competence to enforce the Chapter.

2. National cloud and AI strategy (Article 7). As proposed in Article 7(1), Bulgaria would establish a national strategy within one year of entry into force. It must be consistent with the Regulation's objectives (Article 7(3)) and include the eight elements in Article 7(2) — among them objectives in line with the "AI first" principle, measures for the uptake of AI in strategic sectors such as healthcare and energy, investment in high-intensity computing infrastructure, and support for open-source-based cloud-stack technologies. Where Bulgaria already has a strategy, it would have to satisfy the Article 7 requirements and be updated where it falls short.

3. Data centre acceleration zones (Article 10). As proposed in Article 10(1), where data centre capacity is being deployed, Bulgaria would designate at least one acceleration zone within six months of entry into force, considering the aspects in Article 10(1)(a)–(h): grid capacity, network connectivity, waste-heat reuse, brownfield preference and sustainability, among others. Article 10(2) requires an energy-needs and emissions analysis feeding into network development plans.

4. The assurance-level framework. The cloud-sovereignty Chapter establishes four Union assurance levels (set out with their detailed criteria in Annex II). Under Article 17, a provider applies for recognition to the competent authority of establishment: level 1 rests on an EU statement of conformity, while levels 2–4 require an independent audit report and a positive audit opinion. Bulgaria's national competent authority would carry out these recognition tasks for providers established in Bulgaria. Recognition is designed to be Union-wide: once an evaluating authority recognises a service and the other Member States' authorities do not object within the review period, the service is recognised throughout the Union at that level (Article 17). So a Bulgarian buyer would in principle be able to rely on services recognised in any Member State, not only on those recognised domestically.

What stays the same. As proposed, CADA does not repeal the GDPR, the Data Act or national cybersecurity law — it is presented as complementary — and it does not give Bulgaria new powers to set cloud pricing or to compel use of a particular provider. Its leverage operates through procurement, the national strategy and the zone framework. Its central practical change for Bulgaria is the shift to risk-based, assurance-level-driven public procurement, backed by the administrative machinery (an authority, a strategy and at least one zone) the proposal requires.

Timeline: when each duty would bite

The duties are staggered. Article 48 sets entry into force at 20 days after publication, with application one year after entry into force. Within that frame, specific deadlines run from entry into force: an acceleration zone within six months where capacity is being deployed (Article 10(1)); the national strategy and the designation of a national competent authority within one year (Articles 7(1) and 25(1)); and the first risk assessments within one year, repeating every two years thereafter (Article 29(1)). These dates appear in the proposal as placeholders to be filled in on adoption, so the exact calendar dates are not yet fixed — but the relative sequence is. For Bulgaria, zone designation would be the earliest hard deadline, with the strategy, authority and risk-assessment obligations clustering at the one-year mark.

What this means for you

For public-sector procurement officers and IT leaders in Bulgaria, CADA would add a layer of risk-based compliance to cloud buying.

For public-sector procurement officers: Under Article 29 you would rely on a risk assessment identifying whether your activities contribute to the preservation of public order (in sectors under Annex I or II of the NIS2 Directive and in national security, internal security, external border management, defence, justice or law enforcement).

• If your activity does not preserve public order: under Article 30(2) you must procure services recognised at Union assurance level 1.
• If your activity does preserve public order: under Article 30(3) you are restricted to services recognised at level 2, 3 or 4. The detailed criteria for each level are in Annex II.
• Exceptional circumstances: Article 30(4) allows duly justified derogations, for example where no adequate recognised service exists or compliance would impose disproportionate cost.

For cloud service providers in Bulgaria:

• SMEs: an EU statement of conformity for level 1 issued by an SME is directly and automatically recognised across the EU without prior recognition by the evaluating national competent authority (Article 17(3)).
• Larger providers: levels 2–4 require an independent audit report and a positive audit opinion (Article 17(4)); the evidence requirements are set against Annex II.
• Transparency: providers must report material changes that could affect their assurance level, as the proposal's transparency provisions require.

For data centre operators in Bulgaria:

• Faster permitting: under Article 13(5) the permit-granting procedure for data centre projects in acceleration zones must not exceed 12 months from a comprehensive application, with an aggregated baseline permit per zone (Article 13(2)–(4)).
• Strategic-project status: under Article 14, the Commission may, by decision, designate data centre projects selected through open calls as strategic projects where they meet at least two of the Article 14(1) criteria.
• Sustainability: under Article 11, sustainability requirements use the KPIs in Delegated Regulation (EU) 2024/1364, and resources within zones must be allocated on fair, reasonable and non-discriminatory terms, without speculative reservation or foreclosure (Article 11(2)).
• Single information point: under Article 12, an operator has the right, on request, to be assisted by a single information point throughout the project lifecycle for all the authorisations needed to deploy in a zone.

Common misconceptions

"CADA will replace national laws entirely." Incorrect. The proposal is presented as complementary; it does not repeal the GDPR, the Data Act or national cybersecurity law. It adds a sovereignty layer addressing who controls the infrastructure, not who is protected by data-protection law.

"All public bodies must use the highest level of sovereign cloud." Incorrect. The model is risk-based: most public services need only level 1 (Article 30(2)); only public-order activities identified under Article 29 require levels 2–4.

"Bulgaria has years to prepare." Misleading. As a Regulation it would apply directly, with phased dates — one year for the national strategy and authority designation (Articles 7(1) and 25(1)), six months for zone designation (Article 10(1)). Final dates depend on the legislative procedure.

"Open source is banned or discouraged." Incorrect. Article 41 promotes open standards and open-source components, and Article 43 envisages an EU open-source catalogue to facilitate reuse.

Official sources

• GDPR (Regulation (EU) 2016/679)
• Data Act (Regulation (EU) 2023/2854)

Related

• How does the Cloud and AI Development Act affect Sweden?
• How does the Cloud and AI Development Act affect Spain?
• How does the Cloud and AI Development Act affect Slovenia?
• How does the Cloud and AI Development Act affect Slovakia?
• How does the Cloud and AI Development Act affect Romania?

This is general information about a draft EU regulation, not legal advice.