Summary The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, is a directly applicable EU Regulation. If adopted, it would bind Hungary automatically without the need for national transposition laws. Hungary would face immediate, binding duties to: (1) adopt a national cloud and AI strategy within one year (Article 7); (2) designate at least one data centre acceleration zone within six months (Article 10); and (3) appoint a national competent authority to enforce sovereignty rules (Article 25). For Hungarian public bodies, this means mandatory risk assessments and procurement of cloud services only at specific "Union assurance levels." For providers and operators, it introduces strict location, personnel, and sustainability criteria to access the public market.

Detail

The Cloud and AI Development Act (CADA) is a legislative proposal designed to strengthen Europe's cloud and AI ecosystem by addressing capacity deficits, ensuring sustainable deployment, and enhancing technological sovereignty. Unlike a Directive, which requires Member States to transpose rules into national law, CADA is proposed as a Regulation. Under EU law, a Regulation is directly applicable in all Member States, including Hungary, from the day it enters into force. This means Hungarian authorities, public bodies, and private operators would be bound by its text immediately, without waiting for a Hungarian implementing act.

The proposal establishes a unified framework where national actions must align with Union-wide objectives. For Hungary, the Regulation imposes three distinct categories of obligations: strategic planning, infrastructure acceleration, and regulatory enforcement.

1. National Cloud and AI Strategy (Article 7)

Under Article 7, Hungary would be required to establish a national cloud and AI strategy within one year of the Regulation's entry into force. This is not a voluntary policy paper but a binding legal requirement. The strategy must be consistent with the Regulation's objectives and contribute to the digital targets set under the Digital Decade Policy Programme.

The national strategy must explicitly include:

  • Key objectives and priorities for cloud and AI adoption, aligned with the "AI first" principle.
  • Measures to accelerate development and adoption at national, regional, and local levels, specifically targeting public sector bodies, SMEs, and small mid-caps.
  • Sectoral deployment plans for AI in strategic areas such as healthcare, energy, and mobility.
  • Data centre deployment plans, focusing on high-value facilities that adhere to high environmental and energy-efficiency standards.
  • Investment plans for high-intensity computing infrastructure, including AI factories, AI gigafactories, and quantum computers.
  • Measures to support cloud computing stack technologies built upon open hardware and software to strengthen technological sovereignty.
  • Measures to ensure the accessibility of high-quality data for AI development.

Hungary must notify the Commission of this strategy within three months of its adoption. Furthermore, the strategy is not static; Hungary must assess it at least every three years based on key performance indicators and update it where necessary. The European Artificial Intelligence Board (AI Board) would assist in coordinating these strategies across the EU to ensure consistency.

2. Data Centre Acceleration Zones (Article 10)

To address the EU's compute capacity deficit, Article 10 imposes a strict timeline on Hungary. Where data centre capacity is being deployed, Hungary must designate at least one data centre acceleration zone within its territory within six months of the Regulation's entry into force.

When designating these zones, Hungarian authorities must consider specific criteria:

  • Site characteristics: Location, dimension, and minimum/maximum facility sizes.
  • Energy capacity: Available and future power grid capacity, including on-site storage and clean energy generation possibilities.
  • Connectivity: Available and future network connectivity capacity.
  • Legacy networks: The capacity to support the phasing out of legacy copper networks.
  • Waste heat: Facilities capable of reusing data centre waste heat.
  • Permitting: Measures to accelerate the granting of necessary permits.
  • Sustainability: A preference for reusing brownfield sites over greenfield sites and ensuring the site can function sustainably, minimizing environmental impacts.

Additionally, Hungary must conduct a comprehensive analysis of the energy needs and greenhouse gas emission impacts of these zones, reviewing this analysis at least every three years. This analysis must be reflected in national network development plans to ensure anticipatory grid investments.

3. National Competent Authority (Article 25)

Article 25 mandates that Hungary designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework within one year of the Regulation's entry into force. These authorities may be existing bodies (e.g., a cybersecurity or data protection authority) but must be granted the necessary resources, expertise, and technical means to perform their tasks impartially and transparently.

Crucially, the Member State where a cloud computing service provider has its main establishment (head office or registered office where principal financial functions and operational control are exercised) has exclusive competence for enforcing the sovereignty chapter. If a provider serving Hungary is established in Hungary, the Hungarian authority has exclusive jurisdiction. If the provider is established elsewhere in the EU, the authority of that other Member State has exclusive competence, though Hungarian authorities retain cross-border cooperation powers.

The designated Hungarian authority would have investigative powers, including the ability to require information from providers, carry out inspections, and impose fines or periodic penalty payments for infringements. It would also maintain a public register of competent authorities and cooperate with authorities in other Member States through mutual assistance mechanisms.

4. Impact on Public Procurement and Sovereignty

While the specific articles requested focus on national duties, the broader framework of CADA (particularly Articles 29 and 30) fundamentally alters how Hungarian public bodies procure cloud services.

Hungarian public sector bodies would be required to conduct risk assessments to determine the appropriate "Union assurance level" for their cloud services.

  • General Services: Most public services would require at least Union Assurance Level 1.
  • Critical Services: Activities contributing to the preservation of public order (e.g., national security, justice, law enforcement, defence) would require Union Assurance Levels 2, 3, or 4, depending on the risk assessment.

Hungarian contracting authorities would be legally obliged to procure only from cloud services recognised as meeting these assurance levels. This creates a direct link between the national competent authority's recognition process and public procurement decisions. Failure to procure at the correct level would constitute an infringement of the Regulation.

What this means for you

For stakeholders in Hungary, CADA represents a shift from voluntary best practices to mandatory regulatory compliance with strict deadlines.

For Hungarian Public-Sector Officers and Procurement Specialists:

  • Mandatory Strategy Alignment: Your entity's operations must align with the national strategy adopted under Article 7. This includes adhering to the "AI first" principle and ensuring data centre deployments meet strict sustainability standards.
  • Sovereignty as a Procurement Requirement: You can no longer treat cloud sovereignty as a "nice-to-have." Procurement files must explicitly reference the required Union Assurance Level based on your entity's risk assessment.
  • Risk Assessments: You must participate in or conduct risk assessments to determine if your activities fall under "public order" relevance. This dictates whether you need Level 2, 3, or 4 assurance.
  • Award Criteria: You will need to apply "European added value" criteria in procurement procedures for innovative cloud and AI services, evaluating tenders on their contribution to strengthening the EU digital supply chain.

For IT and Infrastructure Managers:

  • Open Source First: The Regulation encourages the use of open-source solutions. You should prepare to assess and potentially migrate to open-source components where they offer better security, interoperability, and autonomy.
  • Data Localisation: For higher assurance levels, customer data must remain exclusively within the Union. You must verify that your current providers can guarantee this, including metadata and telemetry data.

For Data Centre Operators in Hungary:

  • Acceleration Zones: If you are planning new data centres, locating them within designated acceleration zones is critical. These zones offer streamlined permitting processes, with a maximum permit-granting procedure of 12 months from the submission of a comprehensive application.
  • Sustainability Compliance: You must adhere to the key performance indicators for sustainability defined in Delegated Regulation (EU) 2024/1364, focusing on Power Usage Effectiveness (PUE) and waste heat reuse. These KPIs are not optional for projects in acceleration zones.
  • Single Information Points: You will interact with designated single information points for all authorizations. These points will assist you throughout the project lifecycle, coordinating spatial planning, environmental assessments, and grid connections.

Common misconceptions

Misconception 1: Hungary needs to pass new national laws to implement CADA.

  • Reality: CADA is a Regulation, not a Directive. Regulations are directly applicable in all Member States. Hungary does not need to transpose it into national law, though it may need to adjust existing administrative procedures to comply with the new deadlines (e.g., designating zones within six months).

Misconception 2: Only large hyperscalers are affected by the sovereignty framework.

  • Reality: The sovereignty framework applies to any cloud computing service provider aiming to serve Union entities and public sector bodies. Hungarian public bodies must procure only from recognised services, which affects both international providers and local EU-based providers.

Misconception 3: Data centre acceleration zones allow for unrestricted building.

  • Reality: Acceleration zones streamline permitting but do not remove environmental or sustainability requirements. Operators must still meet strict energy-efficiency standards and undergo environmental assessments, albeit through a faster, aggregated baseline permit process.

Misconception 4: The national cloud and AI strategy is a one-time document.

  • Reality: Under Article 7, the strategy must be assessed at least every three years and updated if necessary. It is a living document that must evolve with technological and market developments.

Misconception 5: The national competent authority can fine any provider in Hungary.

  • Reality: Under Article 25, the Member State where the provider has its main establishment has exclusive competence. If a provider serving Hungary is established in Germany, the German authority has exclusive enforcement power, though Hungarian authorities can request cross-border cooperation.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.