How does the Cloud and AI Development Act affect Greece?

Summary The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, is a directly applicable EU Regulation. This means it would bind Greece automatically upon entry into force, requiring no national transposition laws. As proposed, Greece would be mandated to adopt a national cloud and AI strategy within one year, designate at least one data centre acceleration zone, and appoint a national competent authority to enforce cloud sovereignty. For Greek public bodies, this introduces mandatory risk assessments and procurement rules prioritizing sovereign cloud services to safeguard public order.

Detail

The Cloud and AI Development Act (CADA), formally the proposal for a Regulation of the European Parliament and of the Council establishing a framework of measures for strengthening Europe's cloud and AI ecosystem (COM(2026) 502 final), represents a fundamental shift in the governance of digital infrastructure within the Union. Unlike a Directive, which requires Member States to transpose rules into national law, CADA is structured as a Regulation. Under Article 48, it would enter into force on the twentieth day following its publication in the Official Journal and apply directly in all Member States, including Greece, one year later.

Consequently, the Hellenic Parliament would not need to pass separate legislation to implement the core obligations. The Regulation's provisions would become immediately binding on Greek authorities, public bodies, and market operators. The proposal aims to address the Union's limited data centre capacity and dependence on third-country providers by establishing a harmonised framework for sovereignty, capacity building, and public procurement.

For Greece, CADA imposes three primary categories of national duties: strategic planning, infrastructure acceleration, and regulatory oversight.

1. National Cloud and AI Strategy (Article 7)

Under Article 7, Greece would be obligated to establish a national cloud and AI strategy within one year of the Regulation's entry into force. This strategy must be consistent with the Regulation's objectives and contribute to the Digital Decade targets. The strategy must include:

• Adoption Measures: Specific actions to accelerate cloud and AI adoption at national, regional, and local levels, particularly among public sector bodies, SMEs, and small mid-caps (SMCs).
• Infrastructure Deployment: Measures to support the deployment of data centre capacity, with a focus on high-value facilities that adhere to high environmental and energy-efficiency standards.
• High-Intensity Computing: Investments in strategic assets such as AI factories, AI gigafactories, and quantum computers.
• Technological Sovereignty: Measures to develop cloud computing stack technologies built upon open hardware and software to strengthen sovereignty.
• Data Accessibility: Actions to ensure the availability of high-quality data for AI development.

The strategy must also align with the "AI first" principle and be notified to the Commission within three months of adoption. The European Artificial Intelligence Board would assist in coordinating these national strategies to ensure consistency across the Union.

2. Data Centre Acceleration Zones (Article 10)

To address the capacity gap, Article 10 requires Greece to designate at least one "data centre acceleration zone" within its territory within six months of the Regulation's entry into force. These zones are specific areas where the deployment of data centres is facilitated through streamlined permitting and infrastructure support.

When designating these zones, Greek authorities must consider:

• Energy and Grid Capacity: The availability of current and future power grid capacity, including the potential for on-site clean energy generation and storage.
• Connectivity: Available network connectivity capacity.
• Sustainability: The ability to reuse waste heat and the site's climate resilience.
• Brownfield Preference: A preference for reusing brownfield sites over greenfield sites.

Furthermore, Article 11 mandates that Member States use the key performance indicators (KPIs) defined in Delegated Regulation (EU) 2024/1364 when setting sustainability requirements for data centres in these zones. Article 13 establishes that projects in these zones benefit from an "aggregated baseline permit," covering most administrative authorisations, with a strict permit-granting procedure not exceeding 12 months.

3. National Competent Authority (Article 25)

Article 25 mandates that Greece designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework. The Member State where a cloud computing service provider has its main establishment (head office or registered office) holds exclusive competence for enforcement.

The designated authority in Greece would be responsible for:

• Recognition: Assessing applications from cloud providers seeking recognition at Union assurance levels 1–4.
• Supervision: Monitoring compliance with the sovereignty criteria.
• Investigation and Penalties: Exercising investigative powers (e.g., requesting information, inspecting premises) and imposing penalties for infringements.
• Cooperation: Cooperating with competent authorities in other Member States and the Commission.

The authority must be granted sufficient technical, financial, and human resources to perform these tasks impartially and effectively.

4. Public Procurement and Sovereignty Obligations

For Greek public-sector bodies, CADA introduces a tiered procurement regime linked to risk assessments. Under Article 29, Greece must conduct risk assessments to identify public sector activities that contribute to the preservation of public order (e.g., national security, justice, law enforcement, defence).

• Baseline Requirement: Under Article 30(2), all public sector bodies must procure cloud services recognised at least at Union Assurance Level 1.
• Public Order Requirement: If a risk assessment determines that an activity contributes to public order, the contracting authority must procure only services recognised at Union Assurance Levels 2, 3, or 4 (Article 30(3)).
• Union Added Value: Under Article 32, contracting authorities must include non-price award criteria evaluating the tenderer's contribution to the European digital supply chain, such as the use of EU-designed hardware or integration of Union technologies.

What this means for you

For Public-Sector Procurement Officers in Greece

Your procurement process will undergo a structural change. You can no longer rely solely on price or generic technical specifications.

1. Mandatory Risk Assessment: You must determine if your department's activities fall under "public order" relevance. If they do, you are legally restricted to procuring from providers recognised at Union Assurance Levels 2, 3, or 4.
2. Repository Verification: You must verify that the cloud service provider is listed in the central repository of recognised services maintained by the Commission (Article 22).
3. Sovereignty Criteria: You must apply "Union added value" criteria in tender evaluations, awarding points for providers who strengthen the European supply chain or use EU-manufactured hardware.
4. Open Source Priority: You are encouraged to prioritise open-source solutions over proprietary ones where functionally equivalent, as per Article 41.

For Cloud Service Providers Operating in Greece

If you provide cloud services to Greek public or private entities, you must navigate the new sovereignty framework to access the public market.

• Assurance Levels: To serve the public sector, you must seek recognition. Level 1 requires a self-assessment and proof of EU establishment and data localisation. Levels 2–4 require independent third-party audits.
• Data Localisation: For Levels 1–3, customer data must remain exclusively within the Union unless the public sector body explicitly requires otherwise.
• Personnel and Control: Higher assurance levels (2–4) require that personnel involved in service provision are Union citizens (conditional at Level 2 if the public body requires it; mandatory at Levels 3 and 4) and that the provider is not subject to third-country control, unless a specific derogation under Article 18 applies.
• Audit Cooperation: You must cooperate with auditing organisations, providing access to premises and data to verify compliance with criteria such as the software bill of materials (SBOM) and the absence of remote tampering features.

For Data Centre Operators in Greece

Operators will benefit from streamlined permitting but face stricter sustainability mandates.

• Sustainability Metrics: You must comply with the KPIs in Delegated Regulation (EU) 2024/1364, focusing on energy efficiency (PUE) and water usage.
• Permitting Efficiency: If your project is located in a designated acceleration zone, you will benefit from an aggregated baseline permit, significantly reducing administrative burden. You must engage with the single information point designated by Greek authorities to coordinate all necessary authorisations.
• Energy Integration: You are expected to integrate with national grid planning, potentially requiring investments in on-site energy generation or waste-heat recovery systems to meet the energy needs analysis required under Article 10.

Common misconceptions

Misconception 1: Greece needs to pass its own laws to implement CADA. Fact: CADA is a Regulation, not a Directive. It is directly applicable. While Greece must appoint authorities and designate zones, it does not need to transpose the text into national law. The Regulation binds Greece immediately upon its entry into force.

Misconception 2: All cloud providers are banned if they have foreign ownership. Fact: CADA does not ban foreign-owned providers outright. It uses a tiered assurance system. A provider subject to third-country control can still qualify for Union Assurance Level 1 if it demonstrates that no third-country laws compel it to report software vulnerabilities prematurely or access data. For Levels 3 and 4, third-country control is generally prohibited unless the Commission has adopted a specific decision for that third country based on strict adequacy and sovereignty safeguards under Article 18.

Misconception 3: Data centres in acceleration zones have no environmental restrictions. Fact: Acceleration zones are designed to speed up deployment, not bypass sustainability rules. Article 11 explicitly requires Member States to use specific key performance indicators for energy efficiency defined in Delegated Regulation (EU) 2024/1364. Operators must still comply with all existing EU environmental and energy efficiency directives.

Misconception 4: Public bodies can choose any cloud provider as long as it is cheap. Fact: Price is no longer the sole deciding factor. Article 32 introduces "Union added value" as a non-price award criterion in public procurement. Public bodies must evaluate tenders based on how much the provider contributes to the European digital supply chain, integrates EU technologies, and strengthens security of supply.

Official sources

• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• How does the Cloud and AI Development Act affect Sweden?
• How does the Cloud and AI Development Act affect Spain?
• How does the Cloud and AI Development Act affect Slovenia?
• How does the Cloud and AI Development Act affect Slovakia?
• How does the Cloud and AI Development Act affect Romania?

This is general information about a draft EU regulation, not legal advice.