Summary As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) is a directly applicable EU Regulation. It would bind Poland immediately upon entry into force, requiring no national transposition legislation. Under Article 7, Poland must adopt a national cloud and AI strategy within one year. Under Article 10, it must designate at least one data centre acceleration zone within six months. Under Article 25, it must appoint a national competent authority to enforce sovereignty rules. These measures would fundamentally alter how Polish public bodies procure cloud services, how providers demonstrate sovereignty, and how data centre operators navigate permitting.

Detail

The Cloud and AI Development Act (CADA) represents a structural shift in EU digital policy, moving from voluntary guidelines to binding harmonised rules. For Poland, a Member State with significant growth in its digital infrastructure sector, the proposal introduces specific, time-bound obligations. Because CADA is drafted as a Regulation, it applies directly in all Member States. This means Polish authorities, public bodies, and private operators would be subject to the text of COM(2026) 502 final as soon as it enters into force, without the need for the Polish parliament to pass a separate implementing act.

The proposal establishes a framework to strengthen Europe's cloud and AI ecosystem through three primary mechanisms relevant to national authorities: strategic planning, infrastructure acceleration, and regulatory oversight.

1. National Cloud and AI Strategy (Article 7)

Article 7 imposes a binding obligation on Poland to establish a "national cloud and AI strategy" within one year of the Regulation's entry into force. This is not a voluntary policy document but a mandatory compliance requirement. The strategy must be consistent with the Regulation's objectives and the "AI first" principle.

Under Article 7(2), Poland's strategy must include at least the following measures:

  • Adoption Acceleration: Measures to accelerate cloud and AI adoption at national, regional, and local levels, particularly among public sector bodies, SMEs, and small mid-caps.
  • Infrastructure Deployment: Specific measures to support the deployment of data centre capacity, with a focus on high-value facilities that adhere to high environmental and energy-efficiency standards.
  • High-Intensity Computing: Investments in high-intensity computing infrastructure, including AI factories, AI gigafactories, and quantum computers as strategic assets.
  • Technological Sovereignty: Measures to support the development of cloud computing stack technologies built upon open hardware and software to strengthen technological sovereignty.
  • Data Accessibility: Measures to ensure the accessibility of high-quality data for AI development, preventing data bottlenecks.

The strategy must be notified to the European Commission within three months of adoption and assessed at least every three years. It serves as the national roadmap for aligning Poland's digital capacity with Union-wide sovereignty goals.

2. Data Centre Acceleration Zones (Article 10)

To address the EU's compute capacity gap, Article 10 requires Poland to designate at least one "data centre acceleration zone" within its territory where data centre capacity is being deployed. This designation must occur within six months of the Regulation's entry into force.

These zones are designed to facilitate rapid, sustainable deployment. Under Article 10(1), Poland must consider specific aspects when designating these zones, including:

  • The location, dimension, and size of facilities.
  • Available and future power grid capacity and the possibility of on-site clean energy generation.
  • Network connectivity capacity and the ability to phase out legacy copper networks.
  • Facilities for reusing data centre waste heat.
  • Measures to accelerate permitting and the preference for reusing brownfield sites.

Furthermore, Article 10(2) mandates that Poland conduct a comprehensive analysis of the energy needs and greenhouse gas impacts of these zones, reviewing this analysis at least every three years. Crucially, Article 11 requires that sustainability requirements for data centres in these zones use the key performance indicators defined in Delegated Regulation (EU) 2024/1364. Poland must also ensure that resource allocation within these zones is fair, reasonable, and non-discriminatory to prevent speculative reservation.

3. National Competent Authority (Article 25)

Article 25 mandates that Poland designate one or more "national competent authorities" responsible for enforcing the cloud computing sovereignty framework. This designation must be completed within one year of entry into force.

The competent authority's primary role is to:

  • Recognise Providers: Assess applications from cloud computing service providers seeking recognition as offering specific "Union assurance levels" (Levels 1–4) under Article 17.
  • Supervise Compliance: Monitor providers to ensure they continue to meet the criteria set out in Annex II.
  • Enforce Penalties: Impose penalties for infringements of the sovereignty chapter, ensuring they are "effective, proportionate and dissuasive" under Article 24.
  • Cooperate: Engage in mutual assistance and cross-border cooperation with other Member States' authorities and the Commission.

The authority must be granted sufficient resources, expertise, and technical means to perform these tasks impartially and independently.

4. Impact on Public Procurement (Article 30)

While the prompt highlights Articles 7, 10, and 25, Article 30 is the operational engine for these national duties. It dictates how Polish public bodies must act once the strategy and authority are in place.

  • Baseline Requirement: All Polish public sector bodies must procure cloud services recognised at least at Union assurance level 1.
  • Public Order Requirement: For activities identified in the national risk assessment (under Article 29) as contributing to the preservation of public order (e.g., national security, defence, justice, law enforcement), authorities must procure services recognised at Union assurance levels 2, 3, or 4.
  • Migration: If a risk assessment requires migration to a higher assurance level, the transition period must not exceed 12 months.

What this means for you

The implementation of CADA would create distinct compliance tracks for different actors within the Polish digital ecosystem.

For Public Sector Bodies and Procurement Officers

  • Mandatory Sovereignty Verification: You can no longer award cloud contracts based solely on price or technical merit. You must verify that the provider holds a valid recognition for the required Union assurance level. For standard administrative tasks, this is Level 1. For sensitive sectors like defence or justice, you will require Level 2, 3, or 4.
  • Risk Assessments: Under Article 29, your institution must participate in or rely on the national risk assessment to determine which activities contribute to public order. This determines the minimum assurance level you must procure.
  • Strategy Alignment: Your procurement decisions must align with Poland's national cloud and AI strategy. You may be required to apply "Union added value" criteria (under Article 32) to evaluate how a tenderer contributes to the EU digital supply chain, potentially prioritising providers using hardware or software designed in the Union.
  • Open Source Preference: Article 41 encourages public bodies to use and facilitate the reuse of open standards and open-source components. You should assess whether open-source solutions can reduce vendor lock-in in your cloud stack.

For Cloud Computing Service Providers

  • Recognition Process: To sell to the Polish public sector, you must apply for recognition of your Union assurance level through the Polish national competent authority (Article 17).
    • Level 1: Requires a self-assessment and an EU statement of conformity. Note: For SMEs, this statement is directly and automatically recognised in all Member States without prior approval by the competent authority.
    • Levels 2–4: Requires an independent third-party audit and a "positive" audit opinion.
  • Sovereignty Criteria: You must ensure your infrastructure, assets, and personnel meet the cumulative criteria in Annex II. For higher levels, this includes strict requirements on data localisation (exclusively within the EU), personnel (Union citizens for Levels 3 and 4), and the absence of third-country control.
  • Transparency and Reporting: You must maintain full transparency regarding subcontractors. Under Article 23, you must promptly notify the competent authority and the auditing organisation of any material changes that could affect your recognition status.
  • Penalties: Non-compliance with the sovereignty framework can lead to penalties imposed by the Polish competent authority under Article 24. These penalties are determined by national law but must be effective, proportionate, and dissuasive.

For Data Centre Operators

  • Acceleration Zones: If you plan to build a new data centre, locating it within a designated acceleration zone is critical. Under Article 10, these zones benefit from streamlined permitting processes.
  • Permitting Speed: Article 13 mandates that the permit-granting procedure for data centre projects in acceleration zones shall not exceed 12 months from the submission of a comprehensive application.
  • Single Information Point: You have the right to be assisted by a single information point throughout the project lifecycle (Article 12). This point coordinates spatial planning, environmental assessments, and grid connections.
  • Sustainability Compliance: You must comply with sustainability requirements using the key performance indicators from Delegated Regulation (EU) 2024/1364. Failure to meet these standards could disqualify a project from acceleration zone benefits.
  • Strategic Projects: Large-scale projects that contribute significantly to the EU's digital or energy sectors may be designated as "strategic projects" by the Commission under Article 14, potentially unlocking additional support measures.

Common misconceptions

Misconception 1: Poland can delay implementation by passing national laws. Reality: CADA is a Regulation, not a Directive. It is directly applicable. Poland does not need to (and cannot) pass a separate national law to implement it. The obligations apply to Polish entities immediately upon the Regulation's entry into force. National authorities must prepare their administrative structures, such as the competent authority, immediately to avoid non-compliance.

Misconception 2: Only large hyperscalers are affected. Reality: The proposal includes specific provisions for SMEs. For example, under Article 17(3), SMEs seeking Union assurance level 1 benefit from a derogation where their self-assessment statements are automatically recognised across the Union without prior approval. Additionally, Article 33 encourages Member States to award at least 25% of innovation procurement contracts to SMEs.

Misconception 3: Sovereignty means all data must stay in Poland. Reality: The criteria generally require data to remain within the Union, not necessarily within Poland. For Union assurance level 1, data must remain exclusively within the EU unless the public sector body explicitly requires otherwise (Annex II, Section 1.1(c)). This supports the single market by allowing cross-border data flows within the EU while preventing extraterritorial access by third countries.

Misconception 4: Existing contracts are automatically void. Reality: The proposal includes transition mechanisms. Public authorities are not forced to immediately terminate all existing contracts with non-sovereign providers. However, new procurements must comply with the assurance levels. If a risk assessment under Article 29 requires migration to a higher assurance level, the transition period must not exceed 12 months (Article 29(6)).

Related

This is general information about a draft EU regulation, not legal advice.