Summary As proposed, the Cloud and AI Development Act (CADA) is a directly applicable EU Regulation (COM(2026) 502 final), meaning it would bind Germany automatically upon entry into force without the need for national transposition laws. Germany would be required to adopt a national cloud and AI strategy within one year, designate at least one data centre acceleration zone to streamline permitting, and establish a national competent authority to enforce sovereignty rules. For public bodies, this introduces mandatory risk assessments and procurement mandates for "Union-assured" cloud services; for providers and operators, it creates a new compliance regime for market access and faster deployment pathways.

Detail

The Cloud and AI Development Act (CADA), currently a proposal (COM(2026) 502 final), represents a structural shift in EU digital governance. Unlike a Directive, which requires Member States to pass national legislation to transpose EU goals, a Regulation is directly applicable. This means that once adopted, CADA would become part of the German legal order immediately, creating direct obligations for German authorities, public bodies, and private entities without intermediate national legislation. The proposal aims to strengthen the EU's cloud and AI ecosystem by addressing capacity deficits, reducing dependencies on third-country providers, and safeguarding public order through a harmonised sovereignty framework.

For Germany, a central hub of the European digital economy, the implications are immediate and operational. The Regulation targets three core pillars: accelerating data centre deployment, fostering a sovereign cloud offer, and establishing a unified framework for public procurement.

Key Duties for Germany

Under the proposal, Germany faces specific, time-bound obligations designed to integrate the country into the EU's strategic digital infrastructure.

1. National Cloud and AI Strategy (Article 7) Germany would be required to establish a "national cloud and AI strategy" within one year of the Regulation's entry into force, as mandated by Article 7. This is not a voluntary policy paper but a binding instrument. The strategy must include measures to accelerate the development and adoption of cloud and AI at national, regional, and local levels, aligning with the EU's "AI first" principle. Crucially, it must outline plans for deploying data centre capacity, investing in high-intensity computing infrastructure (such as AI factories and gigafactories), and supporting the network of "Centres for AI" (which build on existing European Digital Innovation Hubs). Germany must notify the Commission of this strategy and update it at least every three years based on key performance indicators, ensuring national digital policies remain synchronized with EU-wide objectives.

2. Data Centre Acceleration Zones (Article 10) To address the critical shortage of computing capacity, Article 10 requires Germany to designate at least one "data centre acceleration zone" within its territory where data centre capacity is being deployed. These zones are designed to create a streamlined regulatory environment. When designating these zones, Germany must consider specific factors, including the availability of power grid capacity, network connectivity, and the potential for reusing waste heat. The objective is to facilitate the rapid expansion of infrastructure to meet the surging demand for AI workloads. By creating these zones, Germany would enable faster permitting processes, potentially reducing the time to obtain necessary permits to 12 months for projects located within them, as outlined in Article 13.

3. National Competent Authority (Article 25) To enforce the sovereignty and compliance aspects of the Regulation, Article 25 obliges Germany to designate one or more "national competent authorities" responsible for enforcing the cloud computing sovereignty framework. These authorities would hold the power to supervise cloud computing service providers, investigate infringements, and impose penalties. The designated authority must possess sufficient technical, financial, and human resources to perform its tasks impartially. A critical function of this authority would be to recognise cloud services that meet the EU's "Union assurance levels," effectively acting as the gatekeeper for which providers can serve the German public sector. The authority of the Member State where the provider has its main establishment (e.g., Germany for German-headquartered providers) would have exclusive competence for enforcement.

Changes for Public Bodies, Cloud Providers, and Data Centre Operators

The introduction of CADA would fundamentally alter the operational landscape for key stakeholders in Germany.

For Public-Sector Procurement Officers The most significant change for German public bodies lies in public procurement. CADA introduces a mandatory "Union cloud computing sovereignty framework" with four assurance levels. Under Article 29, German public authorities must conduct risk assessments to determine which cloud services are used for activities contributing to the preservation of public order. If an activity is deemed to involve public order relevance (e.g., sectors falling under the NIS2 Directive, national security, defence, justice, or law enforcement), contracting authorities must only procure cloud services recognised as offering Union assurance levels 2, 3, or 4. For other public services, a minimum of Union assurance level 1 is required. This means procurement officers can no longer rely solely on price or feature sets; they must verify the provider's sovereignty status. Furthermore, Article 32 introduces "Union added value" criteria, encouraging the selection of services that strengthen the European digital supply chain.

For Cloud Computing Service Providers Cloud providers operating in Germany, whether EU-based or from third countries, must navigate a new recognition mechanism. To serve the public sector, they must apply for recognition under Article 17 by submitting evidence to the German national competent authority. For Union assurance levels 2, 3, and 4, this involves undergoing independent third-party audits. Providers must demonstrate compliance with strict criteria regarding data localisation, personnel citizenship (for higher levels), and the absence of third-country control. If a provider fails to meet these criteria or provides misleading information, they can be excluded from the central repository of recognised services, effectively barring them from public sector contracts across the EU, including in Germany. Notably, for Level 3, a derogation exists under Article 18 allowing providers controlled by a third country if that country has been deemed to provide sufficient assurances by the Commission.

For Data Centre Operators Operators planning to build or expand data centres in Germany will benefit from the streamlined processes in acceleration zones. Article 13 facilitates administrative and permit-granting processes, potentially reducing the time to obtain permits to 12 months for projects in these zones. However, operators must also adhere to strict sustainability requirements, using key performance indicators defined in Delegated Regulation (EU) 2024/1364. They must also ensure fair, reasonable, and non-discriminatory access to resources within acceleration zones, preventing speculative reservation of land or power.

What this means for you

If you are a public-sector procurement officer in Germany, your immediate focus should be on preparing for the mandatory risk assessments and understanding the new sovereignty assurance levels. You will need to collaborate with IT and legal teams to classify your current and future cloud use cases according to the criteria in Article 29. This involves identifying which services process sensitive data or support critical public order functions.

You should also review your existing cloud contracts. If your current provider does not meet the required Union assurance level for your specific use case, you may face a transition period to migrate to a compliant provider. The Regulation allows for a reasonable transition period of up to 12 months for such migrations, but early planning is crucial to avoid service disruption.

For cloud providers and data centre operators, the message is clear: compliance is now a prerequisite for market access in the public sector. Providers should begin internal audits to assess their readiness for the independent third-party assessments required for Union assurance levels 2, 3, and 4. Data centre operators should monitor the designation of acceleration zones in Germany and engage with local authorities to ensure their projects align with the new sustainability and permitting frameworks.

Common misconceptions

Misconception 1: CADA is just another directive that Germany can ignore or delay. This is incorrect. CADA is proposed as a Regulation, which is directly applicable. This means it becomes part of German law automatically upon its entry into force, without waiting for the Bundestag to pass a separate implementation law. Compliance is mandatory and uniform across the EU.

Misconception 2: Only large hyperscalers are affected. While large providers are the most visible target, the sovereignty framework and procurement rules apply to any cloud computing service provider seeking to serve the public sector. Small and medium-sized enterprises (SMEs) can also participate, but they must still meet the relevant assurance levels. In fact, the Regulation includes measures to support SMEs, such as simplified conformity self-assessments for Union assurance level 1.

Misconception 3: Data localisation is the only requirement for sovereignty. Data localisation is a key component, but it is not the only one. The Union assurance levels also consider factors such as the citizenship of personnel (for higher levels), the legal jurisdiction of the provider, the absence of third-country control, and cybersecurity certification. A provider might keep data in Germany but still fail to meet the sovereignty criteria if it is subject to extraterritorial laws from a third country that could allow access to that data.

Related

This is general information about a draft EU regulation, not legal advice.