Summary The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, is an EU Regulation, meaning it would bind Lithuania directly upon entry into force without requiring national transposition laws. As proposed, Lithuania would be required to adopt a national cloud and AI strategy within one year, designate at least one data centre acceleration zone to streamline permitting, and appoint a national competent authority to enforce the Union cloud computing sovereignty framework. These measures would fundamentally alter how Lithuanian public bodies procure cloud services, how providers demonstrate sovereignty, and how data centre operators navigate permitting and sustainability rules.

Detail

The Cloud and AI Development Act (CADA) is a legislative proposal designed to strengthen Europe's cloud and AI ecosystem by addressing critical dependencies on third-country providers and accelerating the deployment of sustainable computing capacity. Because CADA is drafted as a Regulation (specifically COM(2026) 502 final), it is directly applicable in all Member States, including Lithuania. Unlike a Directive, which requires national parliaments to transpose the text into domestic law, a Regulation becomes binding law in Lithuania automatically upon its entry into force. This ensures uniform application across the Union and eliminates the risk of fragmentation or delayed implementation at the national level.

For Lithuania, the proposal introduces a specific set of binding obligations aimed at boosting digital sovereignty, increasing local compute capacity, and securing public-sector data. The core duties fall under three primary articles: Article 7 (National Strategies), Article 10 (Data Centre Acceleration Zones), and Article 25 (National Competent Authorities).

1. National Cloud and AI Strategy (Article 7)

Under Article 7, Lithuania would be legally required to establish a national cloud and AI strategy within one year of the Regulation's entry into force. This is not a voluntary policy document but a mandatory operational framework that must align with the Union's broader objectives.

The national strategy must include, at a minimum:

  • Key objectives and priorities for cloud and AI adoption, explicitly aligned with the "AI first" principle.
  • Measures to accelerate development at national, regional, and local levels, with a specific focus on public sector bodies, SMEs, and small mid-caps.
  • Support for strategic sectors such as healthcare, energy, and mobility.
  • Plans for data centre deployment, focusing on high-value facilities that adhere to high environmental and energy-efficiency standards.
  • Investment in high-intensity computing infrastructure, including AI factories, AI gigafactories, and quantum computers as strategic national assets.
  • Measures to ensure data accessibility for AI development, specifically to prevent data bottlenecks.

Lithuania would be required to notify the European Commission of this strategy within three months of its adoption. Furthermore, the strategy must be assessed at least every three years based on key performance indicators and updated where necessary. The European Artificial Intelligence Board (AI Board) would assist Lithuania in coordinating these efforts and facilitating the exchange of best practices across the Union.

2. Data Centre Acceleration Zones (Article 10)

To address the EU's shortage of computing capacity, Article 10 obliges Member States, including Lithuania, to designate at least one "data centre acceleration zone" within their territory. These zones are specific geographic areas where the deployment of data centre capacity is facilitated through streamlined regulatory frameworks and accelerated permitting.

When designating these zones, Lithuania would need to consider:

  • Site characteristics: Location, dimension, and minimum/maximum facility sizes.
  • Energy and connectivity: Available and future power grid capacity, network connectivity, and the possibility of on-site clean energy generation or waste heat reuse.
  • Sustainability: The ability of the site to function sustainably, minimizing environmental impacts and supporting carbon emission reductions.
  • Permitting acceleration: Measures to speed up the granting of necessary permits for construction and operation.

Crucially, Lithuania would be required to conduct a comprehensive analysis of the energy needs of these zones and their impact on greenhouse gas emissions, reviewing this analysis at least every three years. This ensures that data centre growth is integrated with national energy planning and grid development. Additionally, under Article 13, data centre projects deployed in these zones would benefit from an "aggregated baseline permit," and the permit-granting procedure would be capped at 12 months from the submission of a comprehensive application.

3. National Competent Authorities (Article 25)

Article 25 requires Lithuania to designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework. These authorities would play a critical role in ensuring that cloud service providers meeting the "Union assurance levels" are properly recognized and monitored.

Key responsibilities for the Lithuanian competent authority would include:

  • Supervision: Ensuring cloud computing service providers comply with the sovereignty criteria set out in Annex II.
  • Recognition: Assessing applications from cloud providers seeking recognition for Union assurance levels 1 through 4. For Level 1, this involves reviewing a self-assessment; for Levels 2–4, it involves validating independent third-party audit reports.
  • Enforcement: Having the power to investigate infringements, order the cessation of non-compliant practices, and impose fines. The authority would have exclusive competence for enforcement if the provider's main establishment is in Lithuania.
  • Cooperation: Collaborating with competent authorities in other Member States and the European Commission to ensure consistent application of the rules across the EU.

Lithuania must designate these authorities within one year of the Regulation's entry into force and notify the Commission of their names, tasks, and powers.

What this means for you

The impact of CADA varies significantly depending on your role in the Lithuanian digital ecosystem. Below is a breakdown of the specific changes for public-sector bodies, cloud providers, and data centre operators.

For Public-Sector Bodies and Procurement Officers

As a public-sector body in Lithuania, your procurement practices for cloud computing services would undergo significant changes. CADA introduces a "Union cloud computing sovereignty framework" with four assurance levels.

  • Mandatory Risk Assessments: You would be required to conduct risk assessments to determine which cloud services are necessary for preserving public order. This includes assessing activities related to national security, internal security, defence, justice, and law enforcement.
  • Procurement Restrictions: Based on these risk assessments, you would be obligated to procure cloud services that meet specific Union assurance levels. For instance, activities contributing to public order in critical sectors would require services recognized at Union assurance levels 2, 3, or 4. For activities not identified as contributing to public order, a minimum of Union assurance level 1 would be required.
  • EU Added Value: In public procurement procedures, you would need to include non-price award criteria that evaluate the tenderer's contribution to the European cloud and AI ecosystem. This includes factors such as the use of hardware designed or manufactured in the Union and the integration of Union-developed technologies.
  • Open Source Promotion: You would be encouraged to use open standards and components released under open-source licenses when building your cloud and AI ecosystems, reducing vendor lock-in and increasing transparency.

For Cloud Computing Service Providers

If you provide cloud services to Lithuanian public bodies or Union entities, you must navigate the new sovereignty framework.

  • Recognition Process: To serve public-sector clients, you would need to apply for recognition of a Union assurance level. This involves submitting evidence to the Lithuanian national competent authority. For Level 1, this may involve a self-assessment statement of conformity. For Levels 2–4, independent third-party audits would be required.
  • Compliance with Assurance Levels: You must meet cumulative criteria for each level, such as establishing infrastructure and assets within the Union, ensuring customer data remains exclusively within the Union, and demonstrating that you are not subject to the control of a third country in a way that compromises sovereignty.
  • Transparency Obligations: You would be required to report any material changes that could affect your recognized assurance level to the auditing organization and the competent authority.

For Data Centre Operators

For operators building or expanding data centres in Lithuania, the designation of acceleration zones offers both opportunities and regulatory requirements.

  • Access to Acceleration Zones: If you operate within a designated acceleration zone, you would benefit from facilitated administrative and permit-granting processes. The aim is to reduce permitting times to a maximum of 12 months for comprehensive applications.
  • Sustainability Requirements: You would need to adhere to sustainability requirements set by Lithuania, using key performance indicators specified in Delegated Regulation (EU) 2024/1364. This includes energy efficiency, water usage, and waste heat recovery.
  • Single Information Points: You would have the right to be assisted by a single information point throughout the lifecycle of your data centre project, helping to coordinate spatial planning, environmental assessments, and network connections.

Common misconceptions

Misconception 1: Lithuania needs to pass a new national law to implement CADA. Fact: CADA is an EU Regulation, not a Directive. This means it is directly applicable in Lithuania. While Lithuania may need to take administrative steps (such as designating authorities or zones), it does not need to transpose the text into a separate national statute. The Regulation itself becomes the law.

Misconception 2: Only large hyperscalers are affected by the sovereignty framework. Fact: The sovereignty framework and assurance levels apply to any cloud computing service provider seeking to serve Union entities and public sector bodies. This includes smaller European providers who can now compete on a level playing field by demonstrating compliance with Union assurance levels, potentially gaining an advantage over non-EU incumbents in public procurement.

Misconception 3: Data centre acceleration zones are only for new builds. Fact: While focused on new deployment, the framework also supports the expansion and modernization of existing data centres. The goal is to increase overall capacity and ensure it is geographically balanced and sustainable, which can include upgrading existing facilities to meet higher efficiency standards.

Misconception 4: The national strategy is a one-time exercise. Fact: Article 7 requires Lithuania to review and update its national cloud and AI strategy at least every three years. It is a living document that must adapt to technological developments and market changes, ensuring continued alignment with EU objectives.

Related

This is general information about a draft EU regulation, not legal advice.