Summary As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) is a directly applicable EU Regulation. This means it binds Cyprus immediately upon entry into force without requiring national transposition into local law. Cyprus would be required to adopt a national cloud and AI strategy within one year, designate at least one data centre acceleration zone, and appoint a national competent authority to enforce the Union's cloud sovereignty framework. Public-sector bodies in Cyprus would face mandatory procurement rules requiring cloud services to meet specific EU sovereignty assurance levels, while data centre operators could benefit from streamlined permitting within designated zones.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission as COM(2026) 502 final, represents a structural shift in how the EU manages its digital infrastructure and sovereignty. Because CADA is drafted as a Regulation rather than a Directive, it is directly applicable in all Member States, including Cyprus. This legal instrument binds the Republic of Cyprus directly; once the legislative procedure is complete and the Regulation enters into force, its provisions become part of Cypriot law automatically. There is no need for the House of Representatives to pass a separate implementing law to "transpose" the text, although national authorities will need to adjust administrative procedures and designate specific bodies to ensure compliance.

For Cyprus, CADA introduces three primary structural obligations at the national level, alongside significant changes for public procurement and market operators. These obligations are designed to reduce dependencies on third-country providers, increase computing capacity, and safeguard public order.

1. The National Cloud and AI Strategy (Article 7)

Under Article 7, Cyprus must establish a "national cloud and AI strategy" within one year of the Regulation's entry into force. This is a binding legal requirement, not a voluntary policy document. The strategy must be coherent with the Regulation's objectives and include specific, actionable measures. According to the text of Article 7(2), the strategy must outline:

  • Key objectives and priorities for cloud and AI adoption, aligned with the "AI first" principle.
  • Measures to accelerate development and adoption at national, regional, and local levels, particularly for public sector bodies, SMEs, and small mid-caps.
  • Plans to support the deployment of data centre capacity, with a focus on high-value, energy-efficient facilities.
  • Investments in high-intensity computing infrastructure, such as AI factories, AI gigafactories, and quantum computers.
  • Measures to ensure the accessibility of high-quality data for AI development.
  • Measures to support the development of cloud computing stack technologies built upon open hardware and software.

The strategy must be consistent with the associated digital targets established under the Digital Decade Policy Programme. Cyprus will be required to notify the European Commission of its strategy within three months of adoption. Furthermore, the strategy must be assessed at least every three years based on key performance indicators and updated where necessary. The European Artificial Intelligence Board would advise and assist Cyprus in coordinating this strategy.

2. Data Centre Acceleration Zones (Article 10)

Article 10 imposes a specific obligation on Cyprus regarding infrastructure deployment. Where data centre capacity is being deployed within Cypriot territory, the Member State must designate at least one "data centre acceleration zone" within six months of the Regulation's entry into force. These zones are critical for addressing the EU's compute capacity gap.

When designating these zones, Cyprus must consider several factors, including:

  • The location, dimension, and size of potential facilities.
  • Available and future power grid capacity and the possibility of on-site clean energy generation.
  • Network connectivity capacity.
  • The capacity to support the phasing out of legacy copper networks.
  • The potential for reusing waste heat.
  • Environmental impacts and climate resilience.

Within these designated zones, the administrative burden for data centre projects would be significantly reduced. Article 13 mandates that the permit-granting procedure for projects in acceleration zones shall not exceed 12 months from the submission of a comprehensive application. Additionally, Cyprus would be required to establish "single information points" to assist data centre operators throughout the project lifecycle, coordinating authorisations ranging from spatial planning to environmental assessments and grid connections.

3. The National Competent Authority (Article 25)

Article 25 obliges Cyprus to designate one or more "national competent authorities" responsible for enforcing the cloud computing sovereignty framework. This authority would have exclusive competence for enforcing the Chapter on Autonomy for any cloud computing service provider whose main establishment is in Cyprus.

The designated authority's duties include:

  • Recognising cloud computing service providers that meet the Union's sovereignty assurance levels (Levels 1–4).
  • Conducting investigations into suspected infringements, including the power to require information, carry out inspections, and ask for explanations.
  • Imposing penalties and compensation rules for non-compliance, which must be "effective, proportionate and dissuasive."
  • Cooperating with competent authorities in other Member States and the Commission.

Crucially, Article 25(4) clarifies that the Member State where the provider has its main establishment (head office or registered office where principal financial functions and operational control are exercised) has exclusive competence. Cyprus could designate an existing authority, such as a cybersecurity or digital governance body, provided it has the necessary technical, financial, and human resources to perform these tasks impartially.

4. Changes for Public Sector Procurement

The most immediate operational impact for Cypriot public bodies lies in the procurement rules established in Title IV, Chapter II. CADA introduces a "Union cloud computing sovereignty framework" with four assurance levels.

Under Article 30, Cypriot contracting authorities and public sector bodies must procure cloud computing services that have been recognised as offering at least Union assurance level 1. However, the rules are stricter for activities contributing to the preservation of public order. Article 29 requires Cyprus to carry out risk assessments to identify public sector activities in sectors such as national security, defence, justice, or law enforcement. For these identified activities, Article 30(3) mandates that authorities must only procure services recognised at Union assurance levels 2, 3, or 4.

This means Cypriot ministries can no longer choose cloud providers based solely on price or convenience; they must verify the provider's status in the central EU repository and ensure the service meets the assurance level dictated by their risk assessment.

What this means for you

For Public-Sector Procurement Officers in Cyprus

Your procurement procedures will need a fundamental overhaul to align with the proposed Regulation.

  • Mandatory Risk Assessments: You must conduct or rely on the national risk assessment to determine if your department's activities contribute to public order. If they do, you are legally restricted to procuring only from providers with Union assurance levels 2, 3, or 4.
  • Verification of Status: You cannot award contracts without verifying the provider's status in the central repository of recognised services established by the Commission.
  • Tender Criteria: Your tender documents must include non-price award criteria evaluating the "Union added value" of the tender, such as the use of hardware designed in the Union or the strengthening of the European digital supply chain.
  • Transition: If your current provider does not meet the required assurance level, you must migrate to a compliant service within a transition period that shall not exceed 12 months.

For Cloud Providers Operating in Cyprus

If you are a cloud provider established in Cyprus, or a third-country provider with a main establishment in Cyprus, you must engage with the newly designated national competent authority.

  • Recognition Process: To sell to the Cypriot public sector, you must apply for recognition. For Level 1, you can issue a self-assessment (EU statement of conformity). For Levels 2, 3, and 4, you must undergo an independent third-party audit and obtain a "positive" audit opinion.
  • SME Advantage: If you are an SME, your EU statement of conformity for Level 1 is directly and automatically recognised in all Member States without prior recognition by the competent authority, reducing administrative friction.
  • Compliance Costs: Prepare for the costs associated with audits, legal compliance, and potential infrastructure changes to ensure data remains within the Union and that you can demonstrate the absence of third-country control.

For Data Centre Operators in Cyprus

Operators planning to build or expand data centres in Cyprus should target the designated acceleration zones.

  • Faster Permits: Projects within these zones benefit from a streamlined permitting process, with a maximum 12-month timeline for the grant of permits.
  • Single Point of Contact: You will work with a designated single information point that coordinates all necessary authorisations, reducing administrative friction and uncertainty.
  • Sustainability Requirements: You must adhere to strict sustainability requirements, including the use of key performance indicators defined in Delegated Regulation (EU) 2024/1364 regarding energy efficiency and environmental impact.

Common misconceptions

Misconception 1: Cyprus has time to pass its own laws before CADA applies. Correction: No. As a Regulation, CADA is directly applicable. While there are implementation deadlines (e.g., one year for the national strategy), the legal obligation exists from the date of application. National transposition is not required, but administrative alignment is.

Misconception 2: Only large hyperscalers are affected. Correction: CADA applies to all cloud computing service providers offering services to Union entities and public sector bodies. SMEs and smaller providers can also seek recognition, particularly under Union assurance level 1, which allows for automatic recognition of EU statements of conformity for SMEs without prior recognition by the competent authority.

Misconception 3: Data localisation means data must never leave Cyprus. Correction: CADA focuses on sovereignty and control, not just physical location within Cyprus. While data must generally remain within the Union, the framework allows for specific exceptions if the public sector body explicitly requires otherwise. The key is ensuring that third-country laws cannot compel data access or service disruption.

Misconception 4: The national competent authority is a new body that must be created from scratch. Correction: Article 25 states that Member States may designate an existing authority. Cyprus could potentially assign these duties to an existing cybersecurity or digital governance body, provided it has the necessary resources and independence.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.