Summary The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, is a Regulation, meaning it is directly applicable in Italy without the need for national transposition laws. Once adopted, Italian authorities would be immediately bound to: (1) adopt a national cloud and AI strategy within one year (Article 7); (2) designate at least one data centre acceleration zone within six months (Article 10); and (3) appoint a national competent authority to enforce sovereignty rules (Article 25). For public bodies, this introduces mandatory risk assessments and procurement rules tied to "Union assurance levels." Cloud providers and data centre operators would face new recognition requirements and streamlined permitting pathways.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026 as COM(2026) 502 final, represents a fundamental shift in the governance of Europe's digital infrastructure. Unlike a Directive, which requires Member States to pass national laws to transpose its provisions, CADA is drafted as a Regulation. Under Article 48, it would enter into force on the twentieth day following its publication in the Official Journal and apply directly across the Union.

For Italy, this means that the core obligations of CADA would become binding Italian law automatically. The Italian Parliament would not need to enact a "CADA Implementation Act." Instead, Italian administrative bodies would be required to align their existing procedures with the Regulation's mandates immediately upon its application date (one year after entry into force).

The proposal establishes a dual framework: one to boost capacity and innovation, and another to ensure sovereignty and public order. The following sections detail the specific duties imposed on Italy and the operational changes for stakeholders.

1. National Cloud and AI Strategy (Article 7)

Under Article 7, Italy is obligated to establish a "national cloud and AI strategy" within one year of the Regulation's entry into force. This strategy is not merely a policy paper; it is a binding instrument that must align with the Regulation's objectives and the EU's Digital Decade targets.

The strategy must explicitly include:

  • Objectives and Governance: Clear priorities for cloud and AI adoption, accompanied by a governance framework to monitor progress.
  • Acceleration Measures: Specific actions to deploy cloud and AI at national, regional, and local levels, with a focus on supporting SMEs, small mid-caps (SMCs), and public sector bodies.
  • Data Centre Deployment: Measures to support the rollout of data centre capacity, prioritizing high-value facilities that adhere to high environmental and energy-efficiency standards.
  • High-Intensity Computing: Investments in critical infrastructure such as AI factories, AI gigafactories, and quantum computers.
  • Open Source and Sovereignty: Measures to promote cloud computing stacks built on open hardware and software to strengthen technological sovereignty.

Italy must notify the European Commission of this strategy within three months of its adoption. Furthermore, the strategy must be assessed at least every three years based on key performance indicators and updated where necessary. The European Artificial Intelligence Board (AI Board) would assist Italy in coordinating these efforts with other Member States.

2. Data Centre Acceleration Zones (Article 10)

To address the EU's compute capacity deficit, Article 10 imposes a strict deadline on Italy. If data centre capacity is being deployed within Italian territory, the state must designate at least one "data centre acceleration zone" within six months of the Regulation's entry into force.

When designating these zones, Italian authorities must evaluate specific criteria:

  • Site Characteristics: Location, dimensions, and the minimum/maximum size of facilities.
  • Energy and Grid Capacity: Available and future power grid capacity, including the possibility of on-site clean energy generation and storage.
  • Connectivity: Available and future network connectivity capacity.
  • Sustainability: A preference for reusing brownfield sites over greenfield sites, and measures to minimize environmental impacts and carbon emissions.

Crucially, Italy must conduct a comprehensive analysis of the energy needs of these zones, reviewing this analysis at least every three years. This analysis must be integrated into national network development plans to ensure grid infrastructure can support the data centres. Under Article 13, data centre projects within these zones would benefit from an "aggregated baseline permit," streamlining the permitting process to a maximum of 12 months.

3. National Competent Authority (Article 25)

Article 25 mandates that Italy designate one or more "national competent authorities" responsible for enforcing the sovereignty framework set out in Title IV of CADA. This designation must be made within one year of the Regulation's entry into force.

This authority (or authorities) will hold exclusive competence for enforcing the rules related to the recognition of cloud computing service providers. The competent authority must:

  • Possess sufficient technical, financial, and human resources.
  • Act impartially, transparently, and in a timely manner.
  • Be notified to the European Commission, which will maintain a public register of these authorities.

For cloud providers established in Italy (where they have their main establishment), the Italian competent authority would be the sole regulator for their sovereignty compliance, handling applications for recognition and conducting investigations.

4. Public Procurement and Sovereignty (Articles 29 and 30)

The most immediate operational impact for Italian public-sector procurement officers lies in the new sovereignty framework. Article 29 requires Italy to conduct risk assessments to determine which public sector activities contribute to the preservation of public order (e.g., national security, justice, critical infrastructure). These assessments must identify which "Union assurance level" (1, 2, 3, or 4) is appropriate for each activity.

Article 30 then dictates procurement rules based on these assessments:

  • Level 1 Minimum: All Union entities and public sector bodies whose activities are not identified as contributing to public order must use cloud services recognized as offering at least Union assurance level 1.
  • Higher Levels for Critical Functions: Contracting authorities whose activities are identified as contributing to public order must only procure cloud services recognized as offering Union assurance levels 2, 3, or 4.

This creates a mandatory baseline for trust and sovereignty in Italian public cloud procurement, replacing ad-hoc national standards with a harmonized EU-wide system.

What this means for you

For Italian Public-Sector Procurement Officers

  • Update Your Procurement Policies: You must prepare to integrate "Union assurance levels" into your tender documents. Procurement of cloud services can no longer ignore sovereignty criteria; you will need to verify that providers are recognized in the central EU repository.
  • Conduct Risk Assessments: Work with your IT and security teams to classify your department's activities. If you handle data related to national security, justice, or critical infrastructure, you will likely need to procure from providers offering Union assurance levels 2, 3, or 4.
  • Monitor the National Strategy: Stay informed about Italy's national cloud and AI strategy (Article 7), as it will provide the specific roadmap and targets you are expected to support.
  • Open Source Preference: Be aware that Article 41 encourages the use of open-source solutions. While not strictly mandatory in all cases, you should consider open-source options when building your cloud and AI ecosystem, evaluating them based on security, total cost, and functionality.

For Cloud Providers Operating in Italy

  • Seek Recognition: If you want to sell to the Italian public sector, you must apply for recognition as offering a specific Union assurance level through the Italian competent authority (Article 17). This involves either a self-assessment (for Level 1) or an independent third-party audit (for Levels 2–4).
  • Compliance with Assurance Criteria: Ensure your infrastructure, data localization, and personnel practices meet the strict criteria in Annex II of CADA. For example, Level 2 and above require infrastructure and personnel to be located in the Union, and data to remain exclusively within the Union unless explicitly required otherwise by the public body.
  • Transparency: You must report any material changes that could affect your assurance level to the auditing organization and the competent authority (Article 23).

For Data Centre Operators in Italy

  • Leverage Acceleration Zones: If you are planning to build or expand data centres, prioritize sites within Italy's designated acceleration zones. These zones offer streamlined permitting processes (Article 13), with a maximum permit-granting period of 12 months.
  • Sustainability Requirements: Ensure your facilities meet the key performance indicators for energy efficiency as specified in Delegated Regulation (EU) 2024/1364, as required by Article 11 for data centres in acceleration zones.
  • Strategic Project Designation: Consider applying for designation as a "data centre strategic project" under Article 14 if your project supports essential public sector functions, includes innovative sustainability features, or addresses a major compute capacity shortage. This can unlock additional support and streamlined procedures.

Common misconceptions

"Italy needs to pass new laws to implement CADA." Correction: CADA is a Regulation, not a Directive. This means it is directly applicable in Italy. While Italy must designate authorities and create strategies, the core rules do not require transposition into Italian civil or administrative code.

"Only the highest sovereignty levels are required for all public bodies." Correction: CADA uses a risk-based approach. Most public sector activities will only require Union assurance level 1. Higher levels (2, 3, or 4) are reserved for activities identified as contributing to the preservation of public order, such as national security or critical infrastructure, following a mandatory risk assessment.

"Open source is mandatory for all public sector software." Correction: Article 41 encourages the use of open-source solutions and open standards. Public bodies must take measures to encourage their use, but they are not strictly prohibited from using proprietary software. The choice must be based on objective criteria like security, total cost, and functionality.

"Data centres can be built anywhere in Italy without special zoning." Correction: While not all data centres must be in acceleration zones, Italy is required to designate these zones to facilitate rapid, sustainable deployment. Building in these zones offers significant advantages, including streamlined permitting and guaranteed grid connection planning, making them the preferred route for large-scale projects.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.