Summary The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, is an EU Regulation. As proposed, it would bind Malta directly upon entry into force, requiring no national transposition law. Malta would face three immediate statutory duties: adopt a national cloud and AI strategy within one year, designate at least one data centre acceleration zone if deploying capacity, and appoint a national competent authority to enforce sovereignty rules. For Maltese public bodies, this means mandatory procurement of cloud services meeting specific "Union assurance levels" based on risk. Local data centre operators would benefit from streamlined permitting in acceleration zones, while cloud providers serving Malta would face new independent audit requirements for higher assurance levels.

Detail

The Cloud and AI Development Act (CADA) represents a fundamental shift in the EU's regulatory architecture for digital infrastructure. Unlike EU Directives, which require Member States to enact national legislation to transpose EU goals into domestic law, a Regulation is directly applicable. As stated in Article 48 of the proposal, the Regulation "shall be binding in its entirety and directly applicable in all Member States." Consequently, once adopted, CADA would become part of the Maltese legal order automatically. Malta would not need to pass a new "CADA Act" to implement the rules; instead, existing Maltese administrative bodies would immediately assume the obligations and powers defined in the text.

The proposal aims to address the EU's limited data centre capacity and dependence on third-country providers by establishing a harmonised framework. For Malta, a small island state with strategic geographic positioning and a growing digital economy, these rules create a dual reality: binding regulatory obligations regarding sovereignty and procurement, alongside significant opportunities to attract sustainable data centre investment through streamlined permitting.

Key Obligations for Malta

The proposal imposes three distinct, time-bound obligations on Malta as a Member State.

1. National Cloud and AI Strategy (Article 7) Under Article 7(1), Malta would be required to establish a "national cloud and AI strategy" within one year of the Regulation's entry into force. This strategy is not optional; it must be "coherent with the Regulation's objectives."

The strategy must explicitly include measures to:

  • Accelerate the adoption of cloud and AI at national, regional, and local levels, with a focus on public sector bodies, SMEs, and small mid-caps.
  • Support the deployment of data centre capacity, prioritising "high-value data centres" that adhere to high environmental and energy-efficiency standards.
  • Invest in high-intensity computing infrastructure, such as AI factories or quantum computers, where feasible.
  • Ensure the accessibility of high-quality data for AI development.
  • Promote the development of cloud computing stack technologies built upon open hardware and software to strengthen technological sovereignty.

Malta would be required to notify the Commission of this strategy within three months of adoption. Furthermore, under Article 7(5), Malta must assess its strategy at least every three years based on key performance indicators and update it where necessary. The European Artificial Intelligence Board, established under the AI Act, would assist Malta in coordinating this strategy with other Member States to ensure consistency.

2. Data Centre Acceleration Zones (Article 10) To address the EU's compute capacity gap, Article 10(1) mandates that "where data centre capacity is being deployed within the territory of a Member State, that Member State shall designate at least one data centre acceleration zone." If Malta proceeds with deploying data centre capacity, it must designate such a zone within six months of the Regulation's entry into force.

When designating these zones, Malta must consider specific criteria, including:

  • The location, dimension, and size of the facilities.
  • Available and future power grid capacity and network connectivity.
  • Measures to accelerate the granting of necessary permits.
  • Environmental sustainability, including the ability to reuse waste heat and reduce carbon emissions.

Crucially, Article 10(2) requires Malta to conduct a comprehensive analysis of the energy needs of these zones and their impact on greenhouse gas emissions. This analysis must be reviewed at least every three years and integrated into national network development plans to ensure anticipatory grid investments.

3. National Competent Authority (Article 25) Article 25(1) requires Malta to designate one or more "national competent authorities" responsible for enforcing the cloud computing sovereignty framework. This designation must occur within one year of entry into force.

The competent authority in Malta would hold significant powers under Article 26, including:

  • The power to require information from cloud service providers and auditing organisations.
  • The power to carry out inspections of premises to examine or seize information related to suspected infringements.
  • The power to order the cessation of infringements and impose fines or periodic penalty payments.

The authority would be the primary point of contact for cloud providers seeking recognition for their services under the Union assurance levels and would collaborate with authorities in other Member States for cross-border enforcement.

Impact on Public Procurement in Malta

For Maltese public procurement officers, CADA introduces a mandatory, risk-based sovereignty framework. Under Article 29, Malta (as a Member State) and its public sector bodies must carry out risk assessments to identify activities that "contribute to the preservation of public order." These include sectors falling under the NIS2 Directive (Annex I or II) and areas such as national security, internal security, defence, justice, and law enforcement.

Based on these assessments, Article 30 dictates procurement obligations:

  • Baseline Requirement: All public sector bodies in Malta must procure cloud services recognised as offering at least Union assurance level 1.
  • Public Order Requirement: If a risk assessment determines that a specific activity contributes to the preservation of public order, the contracting authority must procure only services recognised as offering Union assurance levels 2, 3, or 4.

This means Maltese public bodies can no longer select cloud providers based solely on price or technical features. They must verify the provider's status in the central EU repository established under Article 22. Additionally, Article 32 encourages Maltese authorities to include "Union added value" criteria in tenders, evaluating how a provider contributes to strengthening the EU digital supply chain, though these criteria must remain ancillary to technical and financial requirements.

Impact on Cloud Providers and Data Centre Operators

Cloud Service Providers Providers operating in or serving Malta must navigate a formal recognition mechanism. Under Article 17, providers must submit an application for recognition to the Maltese national competent authority.

  • Level 1: Providers must carry out a conformity self-assessment and issue an EU statement of conformity. For SMEs, this statement is directly and automatically recognised across the Union.
  • Levels 2–4: Providers must undergo independent third-party audits to obtain a "positive" audit opinion. The audit must verify compliance with criteria in Annex II, including establishment in the Union, location of infrastructure and personnel, data localisation, and cybersecurity standards.

For providers subject to third-country control, Article 18 offers a potential derogation for Level 3 recognition, but only if the Commission has adopted an implementing act identifying the third country as providing sufficient assurances (e.g., an adequacy decision and no conflicting laws).

Data Centre Operators Operators in Malta stand to benefit significantly from the acceleration zone provisions. Under Article 13, data centre projects deployed in these zones are considered "strategic projects" and benefit from a dedicated toolbox for environmental assessments.

  • Aggregated Baseline Permit: Malta would be required to issue an "aggregated baseline permit" for each acceleration zone, covering common administrative authorisations.
  • Time Limits: The permit-granting procedure for projects in these zones would not exceed 12 months from the submission of a comprehensive application.
  • Sustainability: Operators must comply with key performance indicators defined in Delegated Regulation (EU) 2024/1364 regarding energy efficiency and environmental impact.

What this means for you

For Maltese Public Procurement Officers You must prepare for a rigorous vetting process. Your immediate tasks include:

  1. Conduct Risk Assessments: Determine which of your department's activities fall under "public order" relevance to decide if Level 1 suffices or if Levels 2–4 are mandatory.
  2. Verify Providers: Only award contracts to cloud providers listed in the central EU repository with the appropriate assurance level.
  3. Update Tenders: Include sovereignty criteria and "Union added value" clauses in your procurement documents, as required by Article 32.

For Data Centre Operators in Malta Monitor the designation of acceleration zones closely. If Malta designates a zone where you plan to build, you will benefit from:

  • Faster Permitting: A maximum 12-month timeline for permits.
  • Grid Certainty: Integration of your energy needs into national grid planning.
  • Strategic Status: Potential designation as a "strategic project" by the Commission, unlocking further support measures.

For Cloud Service Providers If you serve the Maltese public sector, you must prepare for the audit and recognition process. Ensure your supply chain, data residency, and personnel screening align with the criteria for the assurance level you intend to offer. If you are an SME, leverage the automatic recognition of your Level 1 self-assessment.

Common misconceptions

Misconception 1: Malta needs to pass a new law to implement CADA. Reality: CADA is a Regulation, not a Directive. It is directly applicable in Malta. While Malta may need to update existing administrative procedures or designate authorities, it does not need to transpose the text into a new national law. The obligations apply automatically upon entry into force.

Misconception 2: All public cloud contracts in Malta must use the highest sovereignty level. Reality: CADA uses a risk-based approach. Only activities deemed to contribute to "public order" (such as national security, justice, or critical infrastructure) require higher assurance levels (2–4). Standard administrative tasks may only require Level 1, which relies on self-assessment.

Misconception 3: Only EU-based providers can offer sovereign cloud services. Reality: While EU establishment is a key criterion for higher assurance levels, Article 18 allows for the possibility of third-country providers being audited for Level 3 if their country meets specific adequacy and safeguard criteria. However, this is subject to strict Commission decisions and is not automatic.

Misconception 4: Data centres in acceleration zones are exempt from environmental rules. Reality: Acceleration zones streamline permitting but do not remove environmental obligations. Article 11 explicitly requires Malta to use key performance indicators for sustainability, including energy efficiency, when setting requirements for data centres in these zones.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.