How does the Cloud and AI Development Act affect Estonia?

Summary The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, is a directly applicable EU Regulation. This means it would bind Estonia immediately upon entry into force, requiring no national transposition legislation by the Riigikogu. As proposed, CADA imposes three core duties on Estonia: adopting a national cloud and AI strategy within one year (Article 7), designating at least one data centre acceleration zone within six months (Article 10), and appointing a national competent authority within one year (Article 25). These measures would fundamentally alter how Estonian public bodies procure cloud services, how data centre operators obtain permits, and how cloud providers demonstrate sovereignty to access the public market.

Detail

The Cloud and AI Development Act (CADA) represents a structural shift in EU digital policy, moving from voluntary guidelines to a harmonised regulatory framework for cloud infrastructure. For Estonia, a nation with a mature digital ecosystem and high cloud adoption, the proposal introduces a binding set of obligations designed to enhance technological sovereignty and reduce reliance on non-EU providers.

Because CADA is drafted as a Regulation, it is directly applicable in Estonia. Unlike a Directive, which requires national parliament to transpose rules into domestic law, a Regulation becomes part of Estonian law automatically. This ensures uniform application across the Union, preventing regulatory fragmentation. The proposal's legal basis combines Article 114 (internal market) and Article 173(3) (industrial competitiveness) of the TFEU, reflecting its dual aim of smoothing the single market for cloud services while bolstering strategic autonomy.

1. Strategic Planning: The National Cloud and AI Strategy

Under Article 7, Estonia would be required to establish a "national cloud and AI strategy" within one year of the Regulation's entry into force. This is not a voluntary roadmap but a mandatory legal instrument.

The strategy must align with the EU's "AI first" principle and cover specific operational objectives, including:

• Measures to accelerate cloud and AI adoption at national, regional, and local levels, with a focus on public sector bodies, SMEs, and small mid-caps.
• Support for the deployment of data centre capacity, prioritising high-value, energy-efficient facilities.
• Investment in high-intensity computing infrastructure, such as AI factories and quantum computers.
• Measures to strengthen technological sovereignty through open hardware and software stacks.

Estonia would need to notify the Commission of this strategy within three months of adoption and assess it at least every three years based on key performance indicators. The European Artificial Intelligence Board (established under the AI Act) would assist in coordinating these strategies across Member States, ensuring Estonia's plans contribute to the Union-wide "AI continent" vision.

2. Infrastructure Deployment: Data Centre Acceleration Zones

To address the shortage of computing capacity, Article 10 mandates that Estonia designate at least one "data centre acceleration zone" within its territory within six months of entry into force. These zones are geographic areas where the deployment of data centres is prioritised and streamlined.

When designating these zones, Estonia must consider:

• Available and future power grid capacity and clean energy generation potential.
• Network connectivity capacity.
• The ability to reuse waste heat.
• The preference for reusing brownfield sites over greenfield sites.

Once designated, projects within these zones benefit from significant administrative simplification. Article 13 requires Estonia to issue an "aggregated baseline permit" for each zone, covering most standard permits required for construction and operation. The permit-granting procedure for projects in these zones would be capped at 12 months, a strict timeline designed to accelerate deployment.

Furthermore, Article 12 obliges Estonia to designate "single information points" to assist data centre operators throughout the project lifecycle. These points would coordinate spatial planning, environmental assessments, and grid connection applications, acting as a one-stop shop for operators.

3. Regulatory Oversight: National Competent Authority

To enforce the sovereignty framework, Article 25 requires Estonia to designate one or more "national competent authorities" within one year of entry into force. This authority would hold exclusive competence for enforcing the cloud sovereignty chapter for providers established in Estonia.

The competent authority would be responsible for:

• Recognising cloud computing service providers that meet the Union assurance levels (Levels 1–4).
• Conducting investigations and imposing penalties for infringements.
• Cooperating with other Member States' authorities and the Commission.

The authority would need sufficient technical, financial, and human resources to supervise providers effectively. It would also maintain a public register of designated authorities and notify the Commission of its tasks and powers.

4. Public Procurement and Sovereignty Levels

CADA introduces a four-tier "Union assurance levels" framework to classify cloud services based on their sovereignty and security. Article 29 requires Estonia and its public bodies to conduct risk assessments to determine which assurance level is appropriate for specific activities.

• Baseline Requirement: Public bodies must procure cloud services recognised at least at Union assurance level 1.
• Public Order Relevance: For activities contributing to the preservation of public order (e.g., national security, law enforcement, critical infrastructure), Estonia must procure only services recognised at Level 2, 3, or 4 (Article 30).

The criteria for these levels are detailed in Annex II:

• Level 1: Requires establishment in the Union and data localisation, with a self-assessment by the provider.
• Level 2: Requires independent third-party audits, infrastructure and personnel in the Union, and a European cybersecurity certificate of at least "substantial" assurance. Personnel citizenship requirements are conditional (only if the public body explicitly requires them).
• Level 3: Requires mandatory Union citizenship for all personnel involved in the service, a "substantial" cybersecurity certificate, and strict controls on third-country influence. A derogation allowing third-country control is possible only if the Commission has adopted an implementing act under Article 18 identifying that third country as providing sufficient assurances.
• Level 4: The highest tier, requiring a "high" cybersecurity certificate, mandatory Union citizenship, and strict separation from third-country subsidiaries.

Additionally, Article 32 requires Estonian contracting authorities to include "Union added value" criteria in procurement tenders, evaluating how a provider contributes to the EU digital supply chain, such as using hardware designed or manufactured in the Union.

What this means for you

For Public-Sector Bodies and Procurement Officers

Estonian public bodies would face a new compliance track. You would need to:

1. Conduct Risk Assessments: Determine which of your activities contribute to "public order" under Article 29. This classification dictates whether you can use Level 1 services or must mandate Level 2–4.
2. Update Tender Documents: Incorporate Union assurance level requirements and "Union added value" criteria into all cloud procurement procedures.
3. Verify Recognition: Ensure that any cloud provider you engage is listed in the central repository of recognised services maintained by the Commission.
4. Adopt Open Source: Under Article 41 and Article 42, you would be encouraged to use open-source solutions and make any software you develop available for reuse via the EU Open Source Solutions Catalogue.

For Cloud Service Providers

If you are a cloud provider operating in or targeting Estonia:

• Seek Recognition: To serve the public sector, you must apply for recognition from the Estonian national competent authority.
• Prepare for Audits: For Levels 2, 3, and 4, you must undergo independent third-party audits. This involves demonstrating compliance with strict criteria on data localisation, personnel citizenship, and supply chain transparency.
• SME Advantage: If you are an SME, Article 17(3) provides a derogation: your Level 1 self-assessment (EU statement of conformity) would be automatically recognised across all Member States without prior national review, lowering the barrier to entry.
• Third-Country Control: If you are controlled by a non-EU entity, you face significant hurdles. For Level 3, you can only qualify if the Commission has specifically recognised your home country under Article 18. For Level 4, third-country control is generally prohibited.

For Data Centre Operators

Operators planning to build in Estonia would benefit from the acceleration zone framework:

• Faster Permits: Projects in designated zones would benefit from the 12-month permitting cap and the aggregated baseline permit.
• Single Point of Contact: You would have access to a designated single information point to navigate administrative hurdles.
• Sustainability Mandates: You must adhere to strict sustainability requirements, using key performance indicators defined in Delegated Regulation (EU) 2024/1364 (e.g., PUE, WUE).
• Strategic Projects: If your project meets specific criteria (e.g., supporting essential public functions or integrating Union-made chips), you could apply to the Commission for designation as a "strategic project" under Article 14, potentially unlocking additional support.

Common misconceptions

"CADA is a Directive that Estonia must transpose." Incorrect. CADA is proposed as a Regulation. It is directly applicable in Estonia, meaning it becomes law automatically without the need for the Riigikogu to pass a separate implementing act.

"The third-country derogation for Level 3 is in Article 19." Incorrect. The mechanism for recognising third countries for Union assurance level 3 is found in Article 18 ("Associated third countries"). Article 19 covers conformity self-assessment for Level 1. A provider controlled by a third country can only qualify for Level 3 if the Commission has adopted an implementing act under Article 18 for that specific country.

"Personnel must be EU citizens for all assurance levels." Incorrect. For Level 2, personnel citizenship requirements are conditional; they apply only if the public sector body explicitly determines they are necessary. For Levels 3 and 4, Union citizenship for all personnel involved in the service is mandatory.

"CADA replaces the GDPR or the AI Act." Incorrect. CADA complements existing frameworks. It does not replace the GDPR's data protection rules or the AI Act's safety and transparency requirements for AI systems. CADA specifically targets the infrastructure and sovereignty of cloud services, filling a gap the AI Act explicitly leaves open regarding "aspects of sovereignty."

"Data centre KPIs are listed in CADA itself." Incorrect. CADA refers to external standards. The specific key performance indicators for sustainability (such as PUE and WUE) are defined in Delegated Regulation (EU) 2024/1364, not enumerated in the text of CADA itself.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• GDPR (Regulation (EU) 2016/679)

Related

• How does the Cloud and AI Development Act affect Sweden?
• How does the Cloud and AI Development Act affect Spain?
• How does the Cloud and AI Development Act affect Slovenia?
• How does the Cloud and AI Development Act affect Slovakia?
• How does the Cloud and AI Development Act affect Romania?

This is general information about a draft EU regulation, not legal advice.