Summary The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is a directly applicable EU Regulation. If adopted, it would bind Finland immediately without the need for national transposition laws. Finland would face three core statutory duties: adopting a national cloud and AI strategy within one year (Article 7), designating data centre acceleration zones within six months (Article 10), and appointing a national competent authority within one year (Article 25). For Finnish public bodies, this triggers mandatory risk assessments (Article 29) and new procurement rules requiring cloud services to meet specific Union assurance levels to safeguard public order (Article 30).

Detail

The Cloud and AI Development Act (CADA) represents a fundamental shift in the EU's approach to digital infrastructure. Unlike EU Directives, which require Member States to pass national legislation to "transpose" EU rules into domestic law, a Regulation is directly applicable. This means that once CADA enters into force, its provisions become binding law in Finland automatically, creating a uniform legal framework across the Union. Finland would not need to draft a new national act to implement CADA; instead, it would need to execute specific administrative and strategic actions mandated by the Regulation itself.

The proposal aims to strengthen Europe's cloud and AI ecosystem by addressing limited computing capacity, reducing dependence on third-country providers, and safeguarding public order. For Finland, this translates into concrete obligations for the state and significant changes for public procurement, cloud providers, and data centre operators.

1. Strategic Planning: The National Cloud and AI Strategy (Article 7)

Under Article 7, Finland is legally required to establish a national cloud and AI strategy within one year of the Regulation's entry into force. This is not a voluntary policy paper but a mandatory instrument that must be consistent with CADA's objectives and contribute to the EU's digital targets.

The strategy must explicitly include:

  • Objectives and Priorities: Key goals for cloud and AI adoption, aligned with the "AI first" principle.
  • Acceleration Measures: Actions to speed up development and adoption at national, regional, and local levels, specifically targeting public sector bodies, SMEs, and small mid-caps.
  • Data Centre Deployment: Specific measures to support the deployment of data centre capacity, with a focus on high-value, energy-efficient facilities.
  • Infrastructure Investment: Plans to invest in high-intensity computing infrastructure, including AI factories, AI gigafactories, and quantum computers.
  • Data Accessibility: Measures to ensure the availability of high-quality data for AI development.

Finland must notify the European Commission of this strategy within three months of its adoption. Furthermore, the strategy must be assessed at least every three years based on key performance indicators and updated if necessary. The European Artificial Intelligence Board (AI Board) will assist in coordinating these strategies across Member States to ensure consistency.

2. Infrastructure Acceleration: Data Centre Zones (Article 10)

To address the EU's compute capacity gap, Article 10 imposes a strict deadline on Finland: it must designate at least one data centre acceleration zone within its territory where data centre capacity is being deployed. This designation must occur within six months of the Regulation's entry into force.

When designating these zones, Finnish authorities must evaluate specific criteria, including:

  • The location, dimension, and size of potential facilities.
  • Available and future power grid capacity, including on-site clean energy generation.
  • Network connectivity capacity and the ability to phase out legacy copper networks.
  • Measures to accelerate permit-granting processes.
  • A preference for reusing brownfield sites over greenfield sites.
  • Climate resilience and the minimization of environmental impacts.

Crucially, Finland must conduct a comprehensive analysis of the energy needs for these zones and ensure that national network development plans account for future demand. This creates a streamlined regulatory environment where data centres can be built faster, provided they meet high sustainability standards.

3. Regulatory Oversight: National Competent Authority (Article 25)

Article 25 mandates that Finland designate one or more national competent authorities responsible for enforcing the cloud sovereignty framework. This designation must be completed within one year of entry into force.

This authority holds exclusive competence for enforcing CADA's sovereignty rules for cloud computing service providers whose main establishment is in Finland. Its duties include:

  • Recognition: Assessing and recognising cloud services that meet the Union assurance levels (Levels 1–4).
  • Supervision: Monitoring providers for compliance with transparency and audit obligations.
  • Cooperation: Exchanging information and cooperating with competent authorities in other Member States and the Commission.

The authority must be impartial, transparent, and equipped with sufficient technical, financial, and human resources to supervise all relevant providers effectively.

4. Public Procurement and Sovereignty Framework

For Finnish public-sector bodies, CADA introduces a new Union cloud computing sovereignty framework comprising four assurance levels. This framework is established under Article 16, with criteria detailed in Annex II.

The operational process for Finland involves two distinct steps:

  1. Risk Assessment (Article 29): By one year after entry into force, and every two years thereafter, Finland must conduct risk assessments to identify public sector activities that contribute to the preservation of public order (e.g., national security, defence, law enforcement, critical infrastructure). These assessments determine which assurance levels are appropriate for specific activities.
  2. Procurement Obligations (Article 30): Based on the risk assessment, procurement rules are triggered:
    • Baseline Requirement: All public sector bodies must procure cloud services recognised at least at Union Assurance Level 1.
    • Public Order Requirement: For activities identified as contributing to public order, contracting authorities must only procure services recognised at Union Assurance Levels 2, 3, or 4.

This framework is designed to mitigate risks associated with third-country control, such as unauthorized data access under foreign laws (e.g., the US CLOUD Act) or service disruption.

What this means for you

For Finnish Public Bodies and Procurement Officers

  • Mandatory Risk Assessments: You will be required to participate in national risk assessments to determine the sensitivity of your data and the criticality of your services. This dictates whether you need Level 1, 2, 3, or 4 assurance.
  • New Procurement Rules: You can no longer award contracts based solely on price or technical features. Your tender documents must specify the required Union Assurance Level. You may only award contracts to providers listed in the central EU repository of recognised sovereign services.
  • Union Added Value: Under Article 32, you must include non-price award criteria evaluating the tenderer's contribution to the European ecosystem (e.g., using EU-designed hardware or software).
  • SME Targets: Under Article 33, Finland must pursue an objective of awarding at least 25% of its cloud and AI procurement to innovative SMEs.
  • Open Source: You will be encouraged to prioritise open-source solutions. Under Article 42, software made available for reuse must be listed in a catalogue connected to the EU Open Source Solutions Catalogue (established in Article 43).

For Cloud Providers Serving Finland

  • Compliance Pathway: To serve the Finnish public sector, you must undergo a conformity self-assessment for Level 1 or an independent third-party audit for Levels 2–4.
  • Audit Requirements: For Levels 2–4, you must obtain a "positive" audit opinion from an independent auditing organisation. This involves rigorous checks on establishment, data localisation, personnel (Union citizenship requirements apply conditionally at Level 2 and mandatorily at Levels 3–4), and software supply chain security.
  • Transparency: You must report any material changes to your status to the Finnish competent authority and the Commission.

For Data Centre Operators in Finland

  • Acceleration Zones: If you operate in a designated acceleration zone, you benefit from streamlined permitting (aggregated baseline permits) and faster grid connections.
  • Sustainability Standards: You must adhere to strict sustainability requirements, including the use of key performance indicators defined in Delegated Regulation (EU) 2024/1364 (e.g., PUE, WUE).
  • Strategic Projects: You may apply to be designated as a "strategic project" under Article 14 if you meet criteria related to innovation, grid stability, or addressing capacity shortages, potentially unlocking EU funding.

Common misconceptions

"Finland needs to pass a new national law to implement CADA." No. CADA is a Regulation, not a Directive. It is directly applicable in Finland. While Finland must take specific administrative actions (designating authorities, zones, and strategies), it does not need to transpose the text into national legislation.

"Sovereignty means data must never leave the EU." Not exactly. While data localisation is a strict criterion for higher assurance levels, the framework is nuanced. Annex II, Section 1.1(c) states that for Level 1, data must remain exclusively within the Union, unless the public sector body explicitly requires otherwise. However, for Levels 2–4, the rules are stricter, and data generally cannot leave the Union under any circumstances. The core goal is preventing third-country control and unauthorized access, not just physical location.

"CADA replaces the GDPR or the AI Act." No. CADA complements existing laws. It does not replace the GDPR's data protection rules or the AI Act's safety and transparency requirements. A cloud provider must comply with all applicable EU regulations simultaneously. The AI Act governs the AI system itself, while CADA governs the cloud infrastructure beneath it.

"Only large hyperscalers are affected." No. CADA affects all cloud computing service providers seeking to serve the Finnish public sector. It also includes specific measures to support smaller EU-based providers and SMEs through innovation procurement targets and the EuroCloud Federation.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.