Summary As proposed, the Cloud and AI Development Act (CADA) is a directly applicable EU Regulation (COM(2026) 502 final), meaning it would bind the Czech Republic immediately upon application without the need for national transposition. If adopted, Czechia would be required to establish a national cloud and AI strategy, designate at least one data centre acceleration zone, and appoint a national competent authority to oversee the Union cloud computing sovereignty framework. These measures would fundamentally change how Czech public bodies procure cloud services, how data centre operators obtain permits, and how cloud providers demonstrate sovereignty to access the Czech public market.

Detail

The Cloud and AI Development Act (CADA), formally the proposal for a Regulation establishing a framework of measures for strengthening Europe's cloud and AI ecosystem (COM(2026) 502 final), represents a structural shift in EU digital governance. Unlike a Directive, which requires Member States to transpose rules into national law, a Regulation is "binding in its entirety and directly applicable in all Member States." Consequently, once CADA enters into force and the application date arrives, the Czech Republic would be bound by its provisions directly. Czech authorities, public bodies, and private operators would not wait for the Czech Parliament to pass implementing legislation; the EU rules would apply immediately.

For the Czech Republic, CADA introduces three primary pillars of obligation: strategic planning, physical infrastructure acceleration, and regulatory oversight of cloud sovereignty.

1. The Obligation for a National Strategy (Article 7)

Under Article 7 of the proposal, Member States must establish "national cloud and AI strategies" within one year of the Regulation's entry into force. For Czechia, this is a mandatory legislative or executive act, not a voluntary policy paper. The strategy must be coherent with the Regulation's objectives and include specific measures to accelerate the development and adoption of cloud and AI technologies at national, regional, and local levels.

The Czech national strategy would be required to address several concrete areas:

  • Adoption and Deployment: Measures to support the broad deployment of AI in strategic industrial and public sectors, including healthcare, energy, and mobility. It must also promote the uptake of cloud computing services provided by European providers.
  • Infrastructure Capacity: Specific plans to support the deployment of data centre capacity, with a focus on high-value data centres that deliver significant economic and societal benefits while adhering to high environmental and energy-efficiency standards.
  • Investment in Critical Assets: Measures to invest in high-intensity computing infrastructure, including AI factories, AI gigafactories, and quantum computers as strategic national assets.
  • Technological Sovereignty: Measures to support the development of cloud computing stack technologies built upon open hardware and software to strengthen technological sovereignty.
  • Data Accessibility: Measures to ensure the accessibility of high-quality data for AI development, preventing data bottlenecks.

The Czech government would be required to notify the European Commission of this strategy within three months of its adoption. Furthermore, the strategy must be consistent with the digital targets established under the Digital Decade Policy Programme (Decision (EU) 2022/2481), such as the target for 75% of enterprises to adopt cloud computing services. The European Artificial Intelligence Board would assist in coordinating these strategies across Member States to ensure consistency.

2. Designating Data Centre Acceleration Zones (Article 10)

A core pillar of CADA is the acceleration of data centre deployment to close the EU's compute capacity gap. Article 10 requires Member States to designate at least one "data centre acceleration zone" within their territory where data centre capacity is being deployed. For Czechia, this involves identifying specific sites or areas that meet strict criteria to facilitate rapid construction.

When designating these zones, Czech authorities must consider:

  • Energy and Connectivity: The available and future power grid capacity, network connectivity, and the possibility for on-site clean energy generation.
  • Sustainability: The ability of the site to function sustainably, including preventing environmental impacts and supporting the reduction of carbon emissions. The proposal explicitly states a preference for reusing brownfield sites over greenfield sites.
  • Permitting Acceleration: Measures taken to accelerate the granting of necessary permits for constructing and operating data centres within the zone.

Once designated, these zones trigger significant procedural changes. Article 13 stipulates that data centre projects deployed in acceleration zones are considered "strategic projects" and benefit from a dedicated toolbox for environmental assessments. Crucially, the permit-granting procedure for these projects must not exceed 12 months from the moment a comprehensive application is submitted. This creates a binding timeline for Czech spatial planning and energy authorities, requiring closer coordination to avoid delays. Additionally, Member States must designate "single information points" to assist operators throughout the project lifecycle.

3. Appointing a National Competent Authority (Article 25)

To enforce the sovereignty framework of CADA, Article 25 requires Member States to designate one or more "national competent authorities" responsible for enforcing the cloud computing sovereignty framework. For Czechia, this means identifying an existing authority (e.g., within the Ministry of Industry and Trade or the Office for Personal Data Protection) or creating a new body.

This authority would have exclusive competence for enforcing the rules related to Union assurance levels. Its tasks would include:

  • Recognition: Assessing applications from cloud computing service providers seeking recognition as offering Union assurance levels 1 through 4.
  • Supervision: Monitoring recognised providers to ensure ongoing compliance with the criteria in Annex II.
  • Cross-Border Cooperation: Cooperating with competent authorities in other Member States for cross-border enforcement and mutual assistance.

The Czech competent authority would need to be granted sufficient technical, financial, and human resources to carry out these tasks impartially and independently. It would also maintain a public register of recognised sovereign cloud services, facilitating transparency for public sector buyers across the Union.

What this means for you

For Public-Sector Bodies and Procurement Officers

The most immediate impact for Czech public bodies is the new requirement for risk assessments and sovereign procurement. Under Article 29, public sector bodies must conduct risk assessments to determine which "Union assurance level" is appropriate for their cloud services.

  • Baseline Requirement: All Czech public sector bodies must procure cloud services that have been recognised as offering at least Union Assurance Level 1.
  • Critical Activities: If a risk assessment determines that an activity contributes to the preservation of public order (e.g., in sectors like healthcare, energy, national security, or law enforcement), the body must procure services recognised at Union Assurance Level 2, 3, or 4.
  • Transition Period: If a risk assessment requires migrating to a different cloud provider, Czech bodies would have a maximum of 12 months to complete the migration, taking into account technical feasibility and data portability.
  • Union Added Value: Under Article 32, procurement officers must include non-price award criteria evaluating the tenderer's contribution to the EU digital supply chain, such as the use of hardware designed or manufactured in the Union.

For Cloud Providers

Cloud computing service providers operating in or targeting the Czech market must prepare for the recognition mechanism. To sell to the Czech public sector, providers must apply to the Czech competent authority for recognition.

  • Level 1: Requires a self-assessment and an EU statement of conformity. For SMEs, this statement is directly and automatically recognised across the Union.
  • Levels 2–4: Require independent third-party audits against strict criteria. These include data localisation exclusively within the Union, the absence of third-country control (unless a derogation under Article 18 applies), and high cybersecurity standards (at least "substantial" for Level 2/3, "high" for Level 4).
  • Transparency: Providers must report any material changes in circumstances to the auditing organisation and the competent authority, which could lead to a review or revocation of their recognition status.

For Data Centre Operators

Operators looking to build new facilities in Czechia should monitor the designation of acceleration zones. Building within these zones offers significant advantages, including a capped 12-month permitting timeline and access to single information points that assist with administrative coordination. However, operators must also comply with sustainability requirements, using key performance indicators specified in Delegated Regulation (EU) 2024/1364 to ensure energy efficiency. Failure to meet these standards could disqualify a project from strategic status.

Common misconceptions

"CADA replaces the AI Act." No. The AI Act (Regulation (EU) 2024/1689) focuses on the safety and fundamental rights implications of AI systems themselves. CADA focuses on the infrastructure (cloud and data centres) that enables AI and the sovereignty of that infrastructure. They are complementary; an AI system placed on the market must comply with the AI Act, while the cloud service hosting it must comply with CADA's sovereignty framework if used by the public sector.

"Only EU-based providers can win public contracts." CADA does not explicitly ban non-EU providers, but it creates a sovereignty framework that makes it difficult for them to compete for critical public sector contracts. A non-EU provider could theoretically qualify for Union Assurance Level 3 if the Commission determines that their home country provides sufficient safeguards against third-country access (under Article 18). However, for Levels 2 and 4, the criteria are much stricter regarding control and data localisation, effectively favouring EU-based entities or those with substantial EU autonomy.

"Transposition will take years." Because CADA is a Regulation, it does not require transposition into Czech national law. It applies directly. While there are transition periods for certain actions (e.g., one year for national strategies, six months for designating acceleration zones), the legal obligations begin immediately upon the Regulation's application date.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.