How does the Cloud and AI Development Act affect Croatia?

Summary The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, is a directly applicable EU Regulation. Once adopted, it would bind Croatia automatically without requiring national transposition by the Croatian Parliament. As proposed, Croatia would be required to: (1) adopt a national cloud and AI strategy within one year; (2) designate at least one data centre acceleration zone within six months; and (3) appoint a national competent authority to enforce the Union cloud sovereignty framework. For Croatian public bodies, this introduces mandatory risk assessments and procurement rules prioritising sovereign cloud services. Cloud providers would face new audit and recognition requirements, while data centre operators in designated zones would benefit from streamlined permitting.

Detail

The Cloud and AI Development Act (CADA), formally proposed as Regulation COM(2026) 502 final, represents a fundamental shift in how the European Union governs its digital infrastructure. Unlike a Directive, which requires Member States to transpose rules into national law, CADA is structured as a Regulation. Under Article 48, it would enter into force on the twentieth day following its publication in the Official Journal and apply one year later. As a Regulation, it is binding in its entirety and directly applicable in all Member States, including Croatia. This means that once in force, CADA's provisions would become part of Croatian law automatically, ensuring a uniform framework across the EU and preventing regulatory fragmentation that could hinder cross-border cloud services.

For Croatia, CADA imposes three primary structural obligations that would reshape the national digital landscape: the creation of a comprehensive national strategy, the designation of specific zones for data centre deployment, and the appointment of a supervisory authority to enforce sovereignty standards.

1. National Cloud and AI Strategy (Article 7)

Under Article 7, Croatia would be required to establish a national cloud and AI strategy. This strategy must be adopted within one year of the Regulation's entry into force. The national strategy is not merely a policy document; it is a binding instrument that must include concrete objectives and priorities for cloud and AI adoption, aligned with the "AI first" principle.

Specifically, Croatia's strategy must outline measures to:

• Accelerate adoption: Drive the development and uptake of cloud and AI at national, regional, and local levels, particularly among public sector bodies, SMEs, and small mid-caps.
• Support strategic sectors: Facilitate the deployment of AI in critical areas such as healthcare, energy, and mobility.
• Deploy data centres: Support the deployment of data centre capacity, focusing on high-value facilities that deliver significant economic and societal benefits while adhering to high environmental and energy-efficiency standards.
• Invest in infrastructure: Invest in high-intensity computing infrastructure, including AI factories, AI gigafactories, and quantum computers, as strategic national assets.

The strategy must be consistent with the objectives of CADA and contribute to the digital targets set under the Digital Decade Policy Programme. Croatia would be required to notify the Commission of its strategy within three months of adoption and assess it at least every three years based on key performance indicators.

2. Data Centre Acceleration Zones (Article 10)

To address the EU-wide shortage of computing capacity, Article 10 obliges Member States, including Croatia, to designate at least one "data centre acceleration zone" within their territory where data centre capacity is being deployed. This designation must occur within six months of the Regulation's entry into force.

When designating these zones, Croatia must consider several critical factors:

• Site characteristics: The location, dimension, and preference for reusing brownfield sites over greenfield sites.
• Energy and grid capacity: Available and future power grid capacity, including the possibility for on-site clean energy generation and waste heat reuse.
• Connectivity: Available and future network connectivity capacity.
• Sustainability: The ability of the site to function sustainably, particularly regarding environmental impacts and climate resilience.

Within these acceleration zones, Croatia must ensure that the allocation and use of resources take place on fair, reasonable, and non-discriminatory terms. The aim is to streamline permitting processes and ensure sufficient energy supply, thereby making Croatia a more attractive destination for sustainable data centre investment.

3. National Competent Authority (Article 25)

Article 25 requires Croatia to designate one or more "national competent authorities" responsible for enforcing the sovereignty framework established by CADA. This designation must be made within one year of the Regulation's entry into force.

The national competent authority in Croatia would have exclusive competence for enforcing the sovereignty framework for cloud computing service providers established in Croatia. Its key responsibilities would include:

• Recognition: Assessing and recognising cloud computing services that meet the Union assurance levels (1–4).
• Supervision: Supervising and enforcing obligations related to the cloud sovereignty framework.
• Cooperation: Cooperating with competent authorities in other Member States through mutual assistance and cross-border cooperation mechanisms.

The authority must be impartial, transparent, and timely, with sufficient technical, financial, and human resources to supervise all cloud computing service providers within its competence.

Changes for Public Bodies, Cloud Providers, and Data Centre Operators

For Public-Sector Bodies: Croatian public authorities would face new, mandatory procurement obligations. Under CADA, public bodies must conduct risk assessments to determine which cloud services require higher levels of sovereignty assurance.

• Minimum Requirement: All public bodies must procure cloud services that have been recognised as meeting at least Union Assurance Level 1.
• Higher Assurance: If a risk assessment determines that a public sector activity contributes to the preservation of public order (e.g., in sectors related to national security, defence, justice, or law enforcement), the public body must only procure services recognised as meeting Union Assurance Levels 2, 3, or 4.
• Open Source: Public bodies are encouraged to use and facilitate the reuse of open-source solutions over proprietary ones when building their cloud and AI ecosystems.

For Cloud Providers: Cloud providers operating in Croatia must comply with the Union cloud computing sovereignty framework. To serve Croatian public bodies, they must seek recognition for their services at specific Union assurance levels.

• Level 1: Providers must submit a self-assessment statement of conformity.
• Levels 2–4: Providers must undergo independent third-party audits to obtain a positive audit opinion.
• Transparency: Providers must report any material changes that could affect their assurance level status to the Croatian competent authority and their auditing organisation.

For Data Centre Operators: Operators building data centres in Croatia's designated acceleration zones would benefit from streamlined administrative processes. They have the right to be assisted by a single information point throughout the lifecycle of their project. Permit-granting procedures for projects in these zones would not exceed 12 months. Operators must also adhere to sustainability requirements, using key performance indicators defined under Delegated Regulation (EU) 2024/1364.

What this means for you

As a public-sector procurement officer, IT manager, or infrastructure investor in Croatia, CADA would fundamentally change how you evaluate and purchase cloud and AI services or develop infrastructure. You can no longer treat cloud procurement as a purely technical or financial decision; it is now a sovereignty and security imperative.

1. Check the Repository: Before issuing a tender, you must consult the central repository of recognised cloud computing services maintained by the Commission. You can only procure from services listed there that meet the required Union assurance level.
2. Conduct Risk Assessments: You are required to carry out risk assessments for your department's cloud usage. If your activities involve sensitive data or critical public order functions, you must mandate Union Assurance Levels 2, 3, or 4 in your tender documents.
3. Prioritise European Added Value: In your procurement criteria, you must include non-price award criteria that evaluate the tenderer's contribution to the European cloud and AI ecosystem. This includes the use of hardware designed or manufactured in the Union and the integration of Union-developed technologies. While this criterion cannot be decisive, it can account for up to 15 out of 120 points in the evaluation.
4. Plan for Migration: If your current cloud provider does not meet the required Union assurance levels, you must plan a migration. CADA allows for a reasonable transition period, not exceeding 12 months, to move to a compliant service.
5. Engage with Acceleration Zones: If you are a data centre operator, identifying and applying for sites within Croatia's designated acceleration zones is critical to accessing streamlined permitting and administrative support.

Common misconceptions

• "CADA replaces the GDPR." This is incorrect. CADA complements existing data protection laws. While CADA focuses on sovereignty, operational autonomy, and supply chain resilience, the GDPR continues to govern the processing of personal data. A cloud service must comply with both frameworks.
• "Only large corporations need to worry about CADA." This is incorrect. CADA explicitly aims to create opportunities for smaller EU-based providers, including SMEs and start-ups. The Act includes measures to facilitate their access to public procurement and innovation funding, with a target for Member States to award at least 25% of innovation procurement to SMEs.
• "Croatia can choose its own sovereignty criteria." This is incorrect. CADA establishes a harmonised EU-wide framework with four specific Union assurance levels. Croatia cannot create its own divergent criteria for cloud sovereignty; it must apply the EU standards to ensure a single market.
• "Data centres can be built anywhere without restriction." This is incorrect. While data centres can operate outside acceleration zones, CADA incentivises deployment within designated zones through streamlined permitting and support. Operators outside these zones may face longer permitting times and less administrative support, as the "toolbox" for accelerated environmental assessments applies specifically to projects within acceleration zones.
• "CADA is just about data localisation." This is incorrect. While data localisation is a component, CADA also covers the entire cloud stack, including personnel requirements, software supply chain transparency, and the absence of third-country control. It addresses operational autonomy and resilience, not just where data is stored.

Official sources

• GDPR (Regulation (EU) 2016/679)
• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• How does the Cloud and AI Development Act affect Sweden?
• How does the Cloud and AI Development Act affect Spain?
• How does the Cloud and AI Development Act affect Slovenia?
• How does the Cloud and AI Development Act affect Slovakia?
• How does the Cloud and AI Development Act affect Romania?

This is general information about a draft EU regulation, not legal advice.