Summary The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, is an EU Regulation, meaning it would apply directly in France without requiring national transposition. Once adopted, it would immediately bind French authorities. As proposed, CADA would require France to: (1) adopt a national cloud and AI strategy within one year (Article 7); (2) designate at least one data centre acceleration zone to streamline permitting (Article 10); and (3) appoint a national competent authority to enforce the sovereignty framework (Article 25). For French public bodies, this means mandatory procurement of recognized "Union assurance" cloud services; for providers, it introduces a new recognition regime; and for data centre operators, it offers faster permitting in designated zones.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), represents a structural shift in how the EU governs its digital infrastructure. Unlike a Directive, which requires Member States to pass national laws to transpose its goals, CADA is drafted as a Regulation. Under Article 48 of the proposal, the Regulation "shall be binding in its entirety and directly applicable in all Member States." Consequently, once CADA enters into force, its provisions would become part of the French legal framework automatically, without the need for the French Parliament to enact implementing legislation.

This direct applicability ensures a uniform timeline for compliance across the EU, eliminating the fragmentation that often arises when Member States transpose directives at different speeds. For France, this creates immediate obligations to align its national administrative and procurement practices with the Union's cloud sovereignty and capacity-building objectives.

1. The Direct Applicability of CADA in France

The legal nature of CADA as a Regulation is pivotal for French stakeholders. The proposal explicitly states in Article 48 that the Regulation "shall apply from [one year after entry into force]." This creates a "grace period" for preparation, but the legal obligation to comply is direct. French administrative bodies, public sector entities, and businesses operating in France would be subject to CADA's rules directly, rather than through a layer of national law. This mechanism is designed to prevent regulatory arbitrage and ensure that the "Union cloud computing sovereignty framework" functions identically in Paris as it does in Berlin or Rome.

2. Key Obligations for the French State

CADA imposes specific, time-bound duties on Member States. For France, three articles are the primary drivers of national action:

National Cloud and AI Strategy (Article 7)

Article 7 mandates that Member States establish a "national cloud and AI strategy" within one year of the Regulation's entry into force. For France, this means the government must produce a comprehensive document outlining:

  • Key objectives and priorities for cloud and AI adoption, aligned with the "AI first" principle.
  • Measures to accelerate deployment at national, regional, and local levels, particularly for SMEs and public sector bodies.
  • Investment plans for high-intensity computing infrastructure, including "AI factories," "AI gigafactories," and quantum computers.
  • Measures to support the deployment of data centre capacity, with a focus on high-value, energy-efficient facilities.
  • Measures to invest in cloud computing stack technologies built on open hardware and software to strengthen technological sovereignty.

The strategy must be consistent with the EU's digital targets (Decision (EU) 2022/2481) and notified to the Commission within three months of adoption. Crucially, Article 7(5) requires France to assess and update this strategy at least every three years based on key performance indicators.

Data Centre Acceleration Zones (Article 10)

To address the critical shortage of computing capacity, Article 10 obliges France to designate at least one "data centre acceleration zone" within its territory where data centre capacity is being deployed. This designation must occur within six months of the Regulation's entry into force.

When designating these zones, French authorities must consider:

  • Power grid capacity and the possibility of on-site clean energy generation.
  • Network connectivity and the ability to phase out legacy copper networks.
  • Environmental sustainability, including waste heat reuse and carbon emission reduction.
  • Preference for brownfield sites over greenfield sites.

Once designated, these zones trigger a streamlined permitting regime. Article 13 stipulates that the permit-granting procedure for data centre projects in these zones "shall not exceed 12 months" from the submission of a comprehensive application. This is a significant acceleration compared to standard French administrative procedures, designed to attract investment and close the EU's compute capacity gap.

National Competent Authority (Article 25)

Article 25 requires France to designate one or more "national competent authorities" responsible for enforcing the cloud computing sovereignty framework. This authority would be the primary point of contact for cloud providers seeking recognition of their "Union assurance levels."

The proposal specifies that the Member State where a cloud provider has its "main establishment" (head office or registered office where principal financial functions and operational control are exercised) has "exclusive competence" for enforcement. For French-based providers, this means the designated French authority would have sole jurisdiction. France must ensure this authority has "sufficient technical, financial and human resources" to supervise providers effectively and must notify the Commission of the authority's name and powers.

3. Impact on Public Sector Procurement in France

For French public bodies (contracting authorities), CADA introduces a mandatory, risk-based procurement framework.

  • Risk Assessments (Article 29): France must carry out risk assessments to identify public sector activities that "contribute to the preservation of public order." These assessments determine which "Union assurance level" (1, 2, 3, or 4) is appropriate for specific activities. The assessment must consider data sensitivity, the risk of third-country access, and the risk of service disruption.
  • Procurement Rules (Article 30):
    • Baseline: For activities not identified as contributing to public order, French authorities must procure services recognized at Union assurance level 1.
    • Public Order Relevance: For activities identified as critical to public order (e.g., national security, law enforcement, defence), authorities "shall only procure and use services that have been recognised as offering Union assurance levels 2, 3, or 4."
  • EU Added Value (Article 32): In public procurement for innovative cloud services and AI systems, French authorities must include non-price award criteria evaluating the tenderer's contribution to the European ecosystem. This includes assessing the use of software or hardware designed or manufactured in the Union. The proposal suggests a maximum weighting of 15 out of 120 points for these criteria to ensure they remain ancillary to technical and financial requirements.

4. Impact on Cloud Providers and Data Centre Operators

For cloud providers and data centre operators established in or serving France, CADA creates a new compliance landscape.

  • Recognition Process (Article 17): Providers aiming to serve the French public sector must apply for recognition under one of the four Union assurance levels.
    • Level 1: Requires a conformity self-assessment and an EU statement of conformity. For SMEs, this statement is "directly and automatically recognised in all Member States."
    • Levels 2–4: Require an independent third-party audit resulting in a "positive" audit opinion.
  • Audit Requirements (Article 20): Providers seeking higher assurance levels must undergo audits covering criteria such as data localization, personnel citizenship (conditional for Level 2, mandatory for Levels 3/4), and cybersecurity standards. The audit report must be submitted to the French national competent authority.
  • Data Centre Deployment (Article 13): Operators building in French acceleration zones benefit from the 12-month permitting cap. However, they must also adhere to sustainability requirements defined in Delegated Regulation (EU) 2024/1364, using specific key performance indicators (KPIs) for energy efficiency.

What this means for you

For Public-Sector Procurement Officers in France

If you work in a French ministry, agency, or local authority, CADA would fundamentally alter your procurement workflow. You can no longer evaluate cloud providers solely on price or technical features. You must first determine the "public order relevance" of your use case based on the national risk assessment.

  • Action: Verify the "Union assurance level" of any potential provider before launching a tender.
  • Constraint: If your project involves sensitive data or critical infrastructure, you may be legally barred from procuring services below Level 2.
  • New Criteria: You must include "EU added value" criteria in your tender documents, explicitly asking bidders to demonstrate how their solution strengthens the European digital supply chain.

For Cloud Providers Established in France

If you are a French cloud provider, you are the primary target for the "Union assurance" recognition regime.

  • Action: Prepare for the recognition process. If you are an SME, leverage the automatic recognition for Level 1 self-assessments. For higher levels, engage an accredited auditing organisation immediately.
  • Jurisdiction: Be aware that as a provider with your main establishment in France, you are subject to the exclusive enforcement competence of the French national competent authority.
  • Strategy: Consider how your infrastructure and personnel composition align with the criteria for Levels 2–4, particularly regarding data localization and third-country control.

For Data Centre Operators

For operators planning new facilities in France, the designation of acceleration zones offers a strategic advantage.

  • Opportunity: Locate projects within designated acceleration zones to benefit from the 12-month permitting cap and streamlined administrative support via single information points.
  • Requirement: Ensure your project meets the sustainability KPIs (e.g., PUE, WUE) mandated by Delegated Regulation (EU) 2024/1364.
  • Caution: Avoid "speculative reservation" of resources within these zones, as Article 11 explicitly prohibits practices that impede effective competition or development.

Common misconceptions

"France needs to pass a new law to implement CADA." This is incorrect. As an EU Regulation, CADA is directly applicable. France does not need to transpose it into national law. While France must take administrative actions (designating zones, appointing authorities, adopting a strategy), the legal obligations themselves flow directly from the EU text.

"All cloud services must be European-owned." CADA does not ban non-European providers outright. Instead, it creates a tiered system based on "Union assurance levels." Providers from third countries may still access the market, but they must meet stringent criteria. For example, a provider controlled by a third country may be eligible for Level 3 only if the Commission has adopted an implementing act under Article 18 recognizing that third country as providing sufficient assurances (e.g., no extraterritorial access laws).

"Only large hyperscalers are affected." While large providers are significantly impacted, SMEs and small mid-caps are also covered. In fact, CADA includes specific provisions to support SMEs, such as the automatic recognition of Level 1 self-assessments for SMEs (Article 17(3)) and a target for Member States to award at least 25% of innovation procurement to SMEs (Article 33).

"Data centres can be built anywhere without restriction." While data centres can be built outside acceleration zones, those within zones benefit from faster, more predictable administrative processes. Conversely, operators outside these zones do not benefit from the 12-month permitting cap. Furthermore, Article 10 requires France to consider environmental and grid capacity factors when designating zones, meaning not all locations are equally viable for accelerated deployment.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.