Summary As proposed, the Cloud and AI Development Act (CADA) is a directly applicable EU Regulation (COM(2026) 502 final), meaning it binds Luxembourg immediately upon entry into force without the need for national transposition into domestic law. Once adopted, Luxembourg must establish a national cloud and AI strategy, designate at least one data centre acceleration zone, and appoint a national competent authority to enforce the new sovereignty framework. Public bodies will face mandatory procurement rules requiring them to buy only from cloud services meeting specific EU assurance levels, fundamentally changing how the country procures and manages digital infrastructure.

Detail

The Cloud and AI Development Act (COM(2026) 502 final) represents a significant shift in how the European Union approaches digital sovereignty. Because CADA is proposed as a Regulation rather than a Directive, it is directly applicable in all Member States, including Luxembourg. This means that once the legislative procedure is complete and the text enters into force, Luxembourgish authorities and businesses must comply with the rules immediately, without waiting for the Luxembourgish government to pass a separate national law to transpose the requirements. The Regulation itself specifies that it "shall be binding in its entirety and directly applicable in all Member States."

For Luxembourg, a major hub for financial services and data hosting, the Act introduces several concrete obligations aimed at reducing dependence on non-European cloud providers and boosting domestic computing capacity. The key duties falling on the Grand Duchy are outlined in Article 1 (subject matter), Article 7 (national strategies), Article 10 (acceleration zones), and Article 25 (national competent authorities).

Luxembourg's Core Obligations

1. Establishing a National Strategy (Article 7) Article 7 requires Member States to establish national cloud and AI strategies within one year of the Regulation's entry into force. For Luxembourg, this means drafting a coherent plan that aligns with the EU's broader objectives. The strategy must include:

  • Key objectives and priorities for cloud and AI adoption, in line with the 'AI first' principle.
  • Measures to accelerate development at national, regional, and local levels, particularly among public sector bodies, SMEs, and small mid-caps (SMCs).
  • Specific plans for supporting the deployment of data centre capacity, with a focus on high-value, energy-efficient data centres.
  • Measures to invest in high-intensity computing infrastructure, including AI factories and quantum computers.
  • Measures to support the development of cloud computing stack technologies built upon open hardware and software to strengthen technological sovereignty.

Luxembourg must notify the Commission of this strategy within three months of its adoption and assess it at least every three years based on key performance indicators.

2. Designating Data Centre Acceleration Zones (Article 10) Article 10 mandates that where data centre capacity is being deployed, Member States must designate at least one "data centre acceleration zone" within their territory. Given Luxembourg's high density of data centres, this is particularly relevant. When designating these zones, Luxembourg must consider factors such as:

  • The location and dimension of the site.
  • Available and future power grid capacity and the possibility of on-site clean energy generation.
  • Available and future network connectivity capacity.
  • The capacity to support the phasing out of legacy copper networks.
  • The ability to reuse waste heat.
  • Measures to accelerate permitting and the preference for reusing brownfield sites over greenfield sites.

The goal is to streamline permitting and ensure that new data centres are built efficiently and sustainably, addressing the EU-wide capacity gap.

3. Appointing a National Competent Authority (Article 25) Article 25 obliges Member States to designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework. In Luxembourg, this means identifying an existing body or creating a new one to supervise cloud service providers, handle recognition applications for EU assurance levels, and investigate infringements. This authority will have exclusive competence for enforcing these rules within the country (specifically, the Member State where the provider has its main establishment). The authority must have sufficient technical, financial, and human resources to supervise all cloud computing service providers within its competence effectively.

Changes for Public Bodies, Cloud Providers, and Data Centre Operators

For Public Procurement Officers The most immediate impact for Luxembourgish public sector bodies is the new procurement framework. Under CADA, public authorities must conduct risk assessments to determine the appropriate level of cloud assurance required for their activities.

  • Baseline Requirement: All contracting authorities must procure cloud services that have been recognised as offering at least Union Assurance Level 1.
  • Higher Assurance for Critical Functions: If a risk assessment determines that an activity contributes to the preservation of public order (e.g., national security, justice, law enforcement, or critical infrastructure), the authority must only procure services recognised as offering Union Assurance Levels 2, 3, or 4.
  • Added Value Criteria: When procuring innovative cloud services, Luxembourgish authorities must include "Union added value" as a quality evaluation criterion. This involves assessing how much the tenderer contributes to strengthening the EU's digital supply chain, such as by using hardware designed or manufactured in the Union.

For Cloud Service Providers Cloud providers operating in or serving Luxembourgish public bodies must navigate the new sovereignty framework. To win public contracts, they must seek recognition under one of the four Union Assurance Levels.

  • Level 1: Requires a self-assessment and an EU statement of conformity. Providers must demonstrate they are established in the Union, with infrastructure and data remaining exclusively within the Union.
  • Levels 2-4: Require independent third-party audits. Higher levels impose stricter rules on data localisation, personnel citizenship (Union citizens for Levels 3 and 4), and the absence of third-country control. Providers subject to third-country laws that allow extraterritorial data access will face significant hurdles in achieving higher assurance levels.
  • Third-Country Derogation: For Level 3, a provider subject to third-country control may still qualify if the Commission has adopted an implementing act under Article 18 identifying that third country as providing sufficient assurances.

For Data Centre Operators Data centre operators in Luxembourg will benefit from the streamlined processes introduced by Article 10 and Article 13. Projects located in designated acceleration zones will benefit from an "aggregated baseline permit," which covers many common permits required for data centre construction. This should significantly reduce permitting times, which are capped at 12 months for comprehensive applications. However, operators must also meet strict sustainability requirements, using key performance indicators defined under Delegated Regulation (EU) 2024/1364.

What this means for you

If you are a public procurement officer in Luxembourg, your role is evolving from standard tender management to strategic sovereignty oversight. You will need to:

  1. Conduct Risk Assessments: Before any cloud procurement, you must assess whether the service supports public order. This determines whether you need Level 1 or Levels 2-4 assurance.
  2. Update Tender Documents: Your future tenders must explicitly require vendors to hold a valid recognition under the CADA sovereignty framework. You must also include "Union added value" criteria, weighting them appropriately (up to 15 out of 120 points) to favour providers strengthening the EU supply chain.
  3. Coordinate with the National Competent Authority: You will rely on the authority designated under Article 25 to verify the assurance levels of potential suppliers. Ensure you have clear channels of communication with this body.

If you are a cloud provider or data centre operator, you must prepare for the audit and recognition process. Start mapping your infrastructure, data flows, and ownership structures against the criteria in Annex II of the proposal. For data centre operators, engage early with local authorities to identify potential acceleration zones and ensure your projects align with the sustainability and energy efficiency standards that will be enforced.

Common misconceptions

Misconception 1: Luxembourg needs to pass a new national law to implement CADA.

  • Reality: CADA is a Regulation, not a Directive. It is directly applicable. While Luxembourg must take administrative actions (like designating zones and authorities), it does not need to draft and pass a separate transposition law. The EU rules apply automatically.

Misconception 2: Only large hyperscalers are affected by the sovereignty framework.

  • Reality: The framework applies to any cloud computing service provider seeking to serve Union entities and public sector bodies. While SMEs have a streamlined self-assessment process for Level 1, all providers must meet the baseline criteria. Small and mid-sized enterprises (SMCs) are also targeted for support through the national strategies and innovation procurement measures.

Misconception 3: "Sovereign cloud" means all data must physically stay in Luxembourg.

  • Reality: The criteria require data to remain exclusively within the Union, not necessarily within a specific Member State like Luxembourg. However, for certain high-assurance levels, specific restrictions on subcontractors and personnel may apply. The focus is on legal and operational autonomy from third-country jurisdictions, not just geographic location.

Misconception 4: The AI Act replaces the need for CADA.

  • Reality: The AI Act regulates the safety and fundamental rights impacts of AI systems. CADA focuses on the infrastructure, sovereignty, and supply chain resilience of the cloud and AI ecosystem. They are complementary; CADA ensures the underlying infrastructure is secure and autonomous, while the AI Act ensures the models running on that infrastructure are safe.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.