How does the Cloud and AI Development Act affect Ireland?

The proposed Cloud and AI Development Act (CADA) is a directly applicable EU Regulation (COM(2026) 502 final), meaning it will bind Ireland automatically u

Summary The proposed Cloud and AI Development Act (CADA) is a directly applicable EU Regulation (COM(2026) 502 final), meaning it will bind Ireland automatically upon entry into force without the need for separate national transposition legislation. As proposed, Ireland would be required to: (1) adopt a national cloud and AI strategy within one year; (2) designate at least one data centre acceleration zone to streamline permitting; and (3) appoint a national competent authority with exclusive enforcement powers. These measures would fundamentally alter procurement rules for Irish public bodies, impose new sovereignty audits on cloud providers, and create a fast-track permitting regime for data centre operators.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026 as COM(2026) 502 final, represents a structural shift in EU digital governance. Unlike a Directive, which requires Member States to pass national laws to "transpose" its goals, CADA is drafted as a Regulation. Under Article 48, the Regulation would enter into force on the twentieth day following its publication in the Official Journal and apply directly in all Member States, including Ireland. Consequently, the Oireachtas would not need to enact a separate "CADA Act" to make the law effective; the text itself would become Irish law. However, Ireland would still bear specific administrative duties to establish the necessary infrastructure for enforcement and implementation.

The core purpose of CADA, as defined in Article 1(1), is to strengthen the Union's cloud and AI ecosystem through five measures: establishing Cloud and AI Leadership Initiatives; accelerating data centre deployment; enabling a sovereign cloud offer to safeguard public order; reducing dependencies on critical technologies; and fostering public-sector adoption. For Ireland, a nation with a significant concentration of global cloud infrastructure and a growing AI sector, these provisions translate into concrete, time-bound obligations for the State and transformative compliance requirements for the private sector.

Key Duties for the Irish State

The proposal imposes three primary statutory duties on Ireland as a Member State:

1. Adoption of a National Cloud and AI Strategy (Article 7) Under Article 7(1), Ireland must establish a national cloud and AI strategy within one year of the Regulation's entry into force. This is not a voluntary policy document but a binding requirement. The strategy must align with the "AI first" principle and contribute to the Digital Decade targets, such as the goal that 75% of enterprises adopt cloud computing services.

Content Requirements: The strategy must include objectives for adoption, measures to accelerate deployment at national and regional levels, and specific plans to support data centre capacity deployment with high environmental standards (Article 7(2)).
Flexibility: If Ireland already possesses a strategy that adequately covers these objectives, it may update that existing document rather than creating a new one, provided it addresses any identified gaps (Article 7(3)).
Timeline: The strategy must be notified to the Commission within three months of adoption and assessed at least every three years (Article 7(5)).

2. Designation of Data Centre Acceleration Zones (Article 10) To address the EU-wide compute capacity gap, Article 10(1) mandates that Ireland designate at least one "data centre acceleration zone" within its territory if data centre capacity is being deployed. This designation must occur within six months of the Regulation's entry into force.

Criteria: When designating these zones, Ireland must consider power grid capacity, network connectivity, waste heat reuse potential, and the preference for reusing brownfield sites over greenfield ones (Article 10(1)).
Energy Analysis: Ireland must conduct a comprehensive analysis of the energy needs and greenhouse gas impacts of these zones, reviewing this analysis at least every three years (Article 10(2)).
Permitting Streamlining: Projects within these zones benefit from an "aggregated baseline permit" covering common authorisations, and the permit-granting procedure is capped at 12 months from the submission of a comprehensive application (Article 13(2) & 13(5)).

3. Designation of a National Competent Authority (Article 25) Article 25(1) requires Ireland to designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework.

Exclusive Competence: Under Article 25(4), the Member State where a cloud provider has its "main establishment" (head office or registered office where principal financial functions and operational control are exercised) has exclusive competence. For providers established in Ireland, the Irish authority acts as the sole enforcer for the entire EU, creating a "single-entry-point" model.
Resources: The authority must be impartial, transparent, and equipped with sufficient technical, financial, and human resources to supervise all providers within its competence (Article 25(3)).

Changes for Public Bodies, Cloud Providers, and Data Centre Operators

For Public-Sector Procurement Officers The most immediate operational change for Irish public bodies concerns procurement. CADA introduces a mandatory "Union assurance level" framework.

Baseline Requirement: Under Article 30(2), all Irish public sector bodies must procure cloud services recognised at least at Union assurance level 1.
Public Order Requirement: If a risk assessment under Article 29 identifies an activity as contributing to the preservation of public order (e.g., national security, justice, law enforcement, critical infrastructure), Article 30(3) mandates that authorities only procure services recognised at Union assurance levels 2, 3, or 4.
Verification: Procurement officers must verify a provider's status in the central EU repository established under Article 22 before awarding contracts.
Union Added Value: Article 32 allows (and encourages) authorities to include "Union added value" as a non-price award criterion, evaluating how a tenderer strengthens the European digital supply chain or uses EU-manufactured hardware.

For Cloud Service Providers Cloud providers operating in Ireland, particularly those targeting the public sector, face a new compliance landscape.

Recognition Process: To sell to Irish public bodies, providers must be recognised under the Union assurance levels. For Level 1, this requires a self-assessment and an EU statement of conformity (Article 19). For Levels 2, 3, and 4, providers must undergo independent third-party audits (Article 20).
Sovereignty Criteria: Audits under Annex II are rigorous. They examine data localisation (data must remain in the Union), personnel citizenship (Union citizens required for Levels 3 and 4, conditional for Level 2), and freedom from third-country control.
Third-Country Control: Providers subject to the control of a third country face stricter hurdles. While Article 18 allows the Commission to designate "associated third countries" that may qualify for Level 3, providers must demonstrate robust safeguards against extraterritorial access and service disruption.
Penalties: Non-compliance is enforced by the Irish competent authority under Article 24, which requires penalties to be "effective, proportionate and dissuasive."

For Data Centre Operators Data centre operators in Ireland will navigate a dual regime of accelerated permitting and stricter sustainability.

Fast-Track Permitting: Operators in designated acceleration zones benefit from the 12-month permitting cap and the aggregated baseline permit under Article 13. They will also receive assistance from a designated "single information point" under Article 12 to coordinate spatial planning, environmental assessments, and grid connections.
Sustainability KPIs: Operators must adhere to sustainability requirements defined by the key performance indicators (KPIs) in Delegated Regulation (EU) 2024/1364, as referenced in Article 11(1). This ensures that accelerated deployment does not come at the cost of environmental standards.
Strategic Projects: Operators may apply to have their projects designated as "strategic projects" under Article 14, potentially unlocking additional support measures if they meet criteria such as enhancing grid stability or addressing compute shortages.

What this means for you

If you are an Irish Public Body: You must prepare for a shift from price-driven to sovereignty-driven procurement. Your teams need to map current cloud services against the proposed Union assurance levels. If your department handles sensitive data or critical functions, you will likely need to migrate to higher-assurance providers (Levels 2–4), which may require significant transition planning. Begin engaging with the designated national competent authority early to understand the risk assessment process under Article 29.

If you are a Cloud Provider in Ireland: Sovereignty is now a market access requirement for the public sector. You should immediately review your operations against the criteria in Annex II, focusing on data localisation, subcontractor transparency, and supply chain security. If you are a provider with a main establishment in Ireland, you will be the primary target for the new national competent authority. Engage with the authority early to navigate the recognition process for your assurance level.

If you are a Data Centre Operator: The creation of acceleration zones offers a pathway to faster approvals, but only if your projects align with the sustainability and grid-integration criteria. Ensure your planning applications are comprehensive to meet the 12-month permitting deadline. Monitor the designation of acceleration zones in Ireland to identify where you can benefit from the "single information point" support.

Common misconceptions

Misconception 1: Ireland needs to pass new laws to implement CADA. Incorrect. Because CADA is a Regulation, it is directly applicable. While Ireland must designate authorities and zones, it does not need to transpose the text into national statute books as it would with a Directive. The rules apply automatically once the Regulation is in force.

Misconception 2: All cloud providers must meet the highest sovereignty standards. Incorrect. CADA uses a tiered approach. Most standard public sector services only require Union assurance level 1, which involves a self-assessment. Higher levels (2–4) are reserved for activities deemed critical to public order through a specific risk assessment process under Article 29.

Misconception 3: CADA replaces the GDPR or AI Act. Incorrect. CADA complements, rather than replaces, existing laws. It focuses on sovereignty, operational autonomy, and infrastructure deployment. It does not replace the data protection rules of the GDPR or the safety and fundamental rights requirements of the AI Act. Providers must comply with all applicable regulations simultaneously.

Misconception 4: The 12-month permit limit applies to all data centres in Ireland. Incorrect. The strict 12-month time limit under Article 13(5) applies specifically to data centre projects deployed within designated "acceleration zones." Projects outside these zones remain subject to existing national permitting timelines.

Official sources

This is general information about a draft EU regulation, not legal advice.