Summary

As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) is a directly applicable EU Regulation. This means it would bind the Netherlands automatically upon entry into force, without requiring the Dutch parliament to pass national transposition laws. The Netherlands would be required to: (1) adopt a national cloud and AI strategy within one year (Article 7); (2) designate at least one data centre acceleration zone to streamline permitting (Article 10); and (3) appoint a national competent authority to enforce sovereignty rules (Article 25). For Dutch public bodies, this introduces mandatory cloud sovereignty assurance levels for procurement; for providers, it creates a new recognition regime; and for data centre operators, it offers faster permits in designated zones subject to strict sustainability criteria.

Detail

The Cloud and AI Development Act (CADA), formally the proposal for a Regulation establishing a framework of measures for strengthening Europe's cloud and AI ecosystem (COM(2026) 502 final), represents a fundamental shift in the EU's regulatory approach to digital infrastructure. Unlike EU Directives, which require member states to transpose rules into national law, CADA is drafted as a Regulation. Under Article 48, the Regulation would enter into force on the twentieth day following its publication in the Official Journal and apply one year later.

For the Netherlands, this legal instrument means the text of the Regulation becomes binding law directly. The Dutch government would not need to draft a "CADA Implementation Act." Instead, its primary obligations would be operational: designating authorities, mapping zones, and notifying the Commission of strategic plans. This ensures a harmonised approach to cloud sovereignty and data centre deployment across the single market, preventing regulatory fragmentation.

Strategic Planning: The National Cloud and AI Strategy

Under Article 7, the Netherlands would be legally obligated to establish a "national cloud and AI strategy" within one year of the Regulation's entry into force. This is not a voluntary policy paper but a binding framework that must align with the Union's objectives of competitiveness, innovation, and strategic autonomy.

The Dutch strategy must include:

  • Key objectives and priorities for cloud and AI adoption, adhering to the "AI first" principle.
  • Measures to accelerate adoption at national, regional, and local levels, specifically targeting public sector bodies, SMEs, and small mid-caps (SMCs).
  • Sector-specific deployment plans for strategic industries such as healthcare, energy, and mobility.
  • Data centre deployment measures, focusing on high-value facilities that meet high environmental and energy-efficiency standards.
  • Investment in high-intensity computing, including AI factories, AI gigafactories, and quantum computers.
  • Support for open hardware and software to strengthen technological sovereignty.

The Netherlands would be required to notify the European Commission of this strategy within three months of adoption and assess it at least every three years using key performance indicators. The European Artificial Intelligence Board would advise on coordination to ensure consistency with Union policy.

Infrastructure Acceleration: Data Centre Acceleration Zones

To address the EU's compute capacity deficit, Article 10 mandates that the Netherlands designate at least one "data centre acceleration zone" within its territory where data centre capacity is being deployed. This designation must occur within six months of the Regulation's entry into force.

When selecting these zones, the Dutch authorities would need to consider:

  • Site characteristics: Location, dimension, and the preference for reusing brownfield sites over greenfield sites.
  • Infrastructure capacity: Available and future power grid capacity, network connectivity, and the ability to reuse waste heat.
  • Sustainability: The zone's ability to function sustainably, minimising environmental impacts and supporting climate resilience.

Within these zones, Article 11 requires the Netherlands to apply specific key performance indicators (KPIs) for sustainability as defined in Delegated Regulation (EU) 2024/1364. Crucially, Article 13 introduces a streamlined permitting process: the permit-granting procedure for data centre projects in these zones must not exceed 12 months from the submission of a comprehensive application. Member States must also issue an "aggregated baseline permit" for each zone, covering common administrative authorisations and excluding only installation-specific permits.

Regulatory Oversight: National Competent Authority

Article 25 requires the Netherlands to designate one or more "national competent authorities" responsible for enforcing the cloud computing sovereignty framework within one year of entry into force. This authority would hold exclusive competence for the Netherlands regarding cloud providers established in the country.

The Dutch competent authority would be empowered to:

  • Recognise services: Assess applications for Union assurance levels (sovereignty tiers) and register recognised services in the central EU repository.
  • Investigate: Require information from providers, carry out inspections of premises, and request explanations from staff.
  • Enforce: Order the cessation of infringements and impose fines or periodic penalty payments.

The authority must be equipped with sufficient technical, financial, and human resources to supervise all cloud computing service providers within its competence.

What this means for you

The impact of CADA on the Netherlands varies significantly across the digital ecosystem.

For Dutch Public-Sector Bodies and Procurement Officers

The most immediate change is the introduction of a mandatory "Union cloud computing sovereignty framework" with four assurance levels. Under Article 29, the Netherlands (as a Member State) must conduct risk assessments to identify which public sector activities contribute to the preservation of public order (e.g., national security, defence, law enforcement).

  • Mandatory Assurance Levels: Under Article 30, Dutch contracting authorities must procure cloud services based on these assessments.
    • Level 1: Required for activities not identified as contributing to public order.
    • Levels 2, 3, or 4: Mandatory for activities identified as contributing to public order (e.g., police, justice, defence).
  • Union Added Value: Under Article 32, Dutch procurement procedures must include non-price award criteria evaluating the tenderer's contribution to the European ecosystem (e.g., use of Union-designed hardware or software).
  • Innovation Targets: Under Article 33, the Netherlands must aim to award at least 25% of relevant cloud and AI procurement innovation procedures to SMEs.

For Cloud Providers Operating in the Netherlands

Providers established in the Netherlands, or those seeking to serve Dutch public bodies, face a new recognition regime.

  • Recognition Process: To sell to the public sector, a provider must be recognised by the Dutch competent authority.
    • Level 1: Requires a conformity self-assessment and an EU statement of conformity.
    • Levels 2–4: Require independent third-party audits and a "positive" audit opinion.
  • Sovereignty Criteria: Providers must meet strict criteria in Annex II. For example, infrastructure and data must remain in the Union. For higher levels, personnel may need to be Union citizens (conditional at Level 2 if required by the public body; mandatory at Levels 3 and 4).
  • Third-Country Control: Providers subject to third-country control face strict limitations. While Article 18 allows for a derogation for Level 3 if the Commission adopts an implementing act for a specific third country, Level 4 generally prohibits third-country control.
  • Transparency: Providers must report material changes to the Dutch authority and auditing organisations immediately.

For Data Centre Operators in the Netherlands

Operators stand to gain from accelerated permitting but must adhere to rigorous sustainability standards.

  • Faster Permits: In designated acceleration zones, operators benefit from the 12-month permit cap and the aggregated baseline permit.
  • Sustainability Compliance: Operators must comply with KPIs from Delegated Regulation (EU) 2024/1364 (e.g., PUE, WUE).
  • Strategic Projects: Operators can apply under Article 14 to have projects designated as "data centre strategic projects" if they meet criteria such as supporting essential public functions, enhancing grid security, or addressing compute shortages. This designation can unlock access to Union funding and support measures.

Common misconceptions

"The Netherlands must pass a new law to implement CADA." Incorrect. As a Regulation, CADA is directly applicable. Once adopted, it binds the Netherlands automatically. The Dutch government's role is limited to operational tasks (designating authorities, zones, and strategies), not legislative transposition.

"All cloud services in the Netherlands must meet the highest sovereignty standards." Incorrect. CADA uses a tiered, risk-based approach. Most public services would only require Union assurance level 1. Higher levels (2, 3, 4) are reserved strictly for activities identified as critical to public order, ensuring proportionality.

"CADA replaces the GDPR or the AI Act." Incorrect. CADA complements existing frameworks. It does not alter GDPR data protection rules or the AI Act's safety requirements. Instead, it adds a layer of sovereignty and operational autonomy, specifically targeting third-country dependencies and infrastructure resilience.

"Only large hyperscalers are affected." Incorrect. While large providers are key targets, CADA explicitly aims to foster a diverse ecosystem. It includes measures to support SMEs, such as the 25% innovation procurement target and the EuroCloud Federation, which facilitates sharing capacity among public bodies.

This is general information about a draft EU regulation, not legal advice.