Summary As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) is an EU Regulation, meaning it would bind Portugal directly without requiring separate national transposition laws. Portugal would be required to establish a national cloud and AI strategy, designate at least one data centre acceleration zone, and appoint a national competent authority to oversee sovereign cloud assurance levels. For public-sector bodies, this means future cloud contracts must meet specific EU assurance levels based on risk assessments; for data centre operators, designated zones would offer streamlined permitting; and for cloud providers, a new recognition mechanism would determine market access for public procurement.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission as COM(2026) 502 final, is designed to strengthen Europe's cloud and AI ecosystem by addressing capacity gaps and reducing dependencies on third-country providers. Because CADA is structured as a Regulation, it is directly applicable in all Member States, including Portugal. This means that once adopted and effective, its provisions become part of Portuguese law automatically, without the need for the Portuguese Parliament to pass a separate transposition bill. This ensures a uniform application across the EU, reducing fragmentation and providing legal certainty for providers and public authorities alike.

For Portugal, CADA introduces several key obligations and opportunities, primarily focused on boosting domestic computing capacity, enhancing technological sovereignty, and simplifying the deployment of critical digital infrastructure. The legal basis for these measures is found in Article 1, which establishes the framework for strengthening the ecosystem through five specific measures, including the accelerated deployment of data centres and the availability of a sovereign cloud offer.

1. National Cloud and AI Strategy (Article 7)

Under Article 7, Portugal would be required to establish a national cloud and AI strategy. This strategy must be coherent with the Regulation's objectives and include key priorities for cloud and AI adoption, governance frameworks, and measures to accelerate development at national, regional, and local levels.

The strategy must specifically address:

  • Measures to accelerate development: Including support for the network of Experience and Acceleration Centres for AI (Centres for AI) and the uptake of cloud services by SMEs and public bodies.
  • Data centre capacity: Measures to support the deployment of data centres, with a focus on high-value facilities adhering to high environmental and energy-efficiency standards.
  • High-intensity infrastructure: Investment in AI factories, AI gigafactories, and quantum computers as strategic national assets.
  • Open technology: Measures to support the development of cloud computing stack technologies built upon open hardware and software to strengthen technological sovereignty.

Portugal would need to notify the European Commission of this strategy within three months of its adoption. Furthermore, the strategy must be assessed at least every three years based on key performance indicators and updated where necessary. This provides a structured framework for Portugal to align its national digital policies with broader EU goals, ensuring that public funding and procurement efforts are directed toward strategic technological sovereignty.

2. Data Centre Acceleration Zones (Article 10)

Article 10 obliges Member States, including Portugal, to designate at least one "data centre acceleration zone" where data centre capacity is being deployed. These zones are designed to facilitate the rapid and sustainable deployment of computing infrastructure.

When designating these zones, Portugal must consider specific aspects, including:

  • The location and dimension of the site, and the minimum/maximum size of facilities.
  • Available and future power grid capacity and the possibility of on-site clean energy generation.
  • Network connectivity capacity and the ability to phase out legacy copper networks.
  • The capacity to reuse waste heat and the preference for reusing brownfield sites over greenfield sites.
  • Measures taken to accelerate permitting and the ability to function sustainably regarding environmental impacts.

Crucially, Article 13 establishes that data centre projects deployed in these acceleration zones shall be considered "strategic projects" for the purpose of environmental assessments. Member States must prepare an "aggregated baseline permit" for each zone, covering the permits commonly required for such activities. The Regulation mandates that the permit-granting procedure for data centre projects in these zones shall not exceed 12 months from the moment a comprehensive application is submitted. This reduction in bureaucratic friction is intended to make Portugal a more attractive location for investment in high-performance computing infrastructure.

3. National Competent Authority (Article 25)

Article 25 requires Portugal to designate one or more national competent authorities responsible for enforcing the sovereignty framework of CADA. These authorities would have exclusive competence for enforcing the Chapter on autonomy in the Member State where the cloud computing service provider has its main establishment (i.e., where its head office or registered office is located).

The designated authority in Portugal would be responsible for:

  • Recognition: Assessing applications from cloud providers seeking recognition at Union assurance levels 1–4.
  • Supervision: Supervising recognised cloud computing service providers within its competence.
  • Investigation and Enforcement: Exercising investigative powers (e.g., requiring information, inspecting premises) and enforcement powers (e.g., ordering cessation of infringements, imposing fines).

The authority must have all necessary resources, including sufficient technical, financial, and human resources, to perform these tasks impartially, transparently, and timely. This centralizes oversight in Portugal, creating a clear point of contact for cloud providers seeking recognition and for public bodies needing guidance on sovereign cloud procurement.

4. Public Procurement and Sovereignty Framework

For public-sector bodies in Portugal, CADA introduces a new layer of requirements for procuring cloud computing services. The Regulation establishes a "Union cloud computing sovereignty framework" with four assurance levels, the criteria for which are set out in Annex II.

Public authorities must conduct risk assessments under Article 29 to determine the appropriate assurance level for their activities.

  • Article 30(2) states that entities whose activities have not been identified as contributing to the preservation of public order must use services recognised at Union assurance level 1.
  • Article 30(3) mandates that contracting authorities whose activities have been identified as contributing to public order (e.g., national security, justice, law enforcement, defence) must only procure services recognised at Union assurance level 2, 3, or 4.

This means Portuguese procurement officers must integrate these assurance levels into their tender documents. They cannot simply rely on general cybersecurity certifications; they must verify that the provider is recognised in the central EU repository as offering the required assurance level.

5. Impact on Cloud Providers and Data Centre Operators

For cloud providers operating in Portugal, CADA introduces a formal recognition mechanism. Providers must apply to the national competent authority for recognition.

  • Level 1: Requires a conformity self-assessment and an EU statement of conformity (Article 19).
  • Levels 2–4: Require independent third-party audits by an auditing organisation to obtain a "positive" audit opinion (Article 20).

For data centre operators, the designation of acceleration zones under Article 10 offers significant advantages. Projects located within these zones would benefit from the facilitated administrative processes and the 12-month permitting cap. Additionally, under Article 11, sustainability requirements for data centres in these zones must use the key performance indicators specified in Delegated Regulation (EU) 2024/1364, ensuring alignment with EU energy efficiency goals.

What this means for you

For Public-Sector Procurement Officers in Portugal:

  • Update Tender Requirements: You must begin incorporating the CADA sovereignty framework into your procurement processes. This involves conducting risk assessments for your specific public sector activities to determine the required Union assurance level (1–4).
  • Risk Assessments: By the date of application (one year after entry into force), and every two years thereafter, your entity must carry out risk assessments to identify which activities contribute to the preservation of public order. These assessments will dictate whether you can use standard cloud services or must procure from providers recognised at higher assurance levels.
  • Verify Recognition: Before awarding contracts for cloud services, verify that the provider is recognised in the central EU repository as offering the required assurance level. You cannot simply rely on general cybersecurity certifications; you need specific CADA recognition.
  • Support Innovation: The Regulation encourages the use of open-source solutions and innovation procurement. You may be required to monitor and report on the share of contracts awarded to SMEs and innovative European providers, aiming for at least 25% of relevant innovation procurement to go to SMEs (Article 33).

For Cloud Providers Established in Portugal:

  • Prepare for Recognition: If you aim to serve the public sector, you must prepare for the recognition process. For Union assurance level 1, this involves a conformity self-assessment and issuing an EU statement of conformity. For higher levels, you must undergo independent third-party audits.
  • Engage with the Competent Authority: Identify the Portuguese national competent authority designated under Article 25. Engage early to understand the specific documentation and evidence required for your assurance level application.
  • Demonstrate Sovereignty: Ensure your service architecture, data localisation, and subcontractor chains meet the cumulative criteria for your target assurance level. This includes ensuring that customer data remains within the Union and that you are not subject to control by third-country entities that could compromise service continuity or data confidentiality.

For Data Centre Operators in Portugal:

  • Target Acceleration Zones: Focus your expansion plans on areas designated as data centre acceleration zones by the Portuguese government. These zones offer faster permitting (max 12 months) and better access to energy and connectivity.
  • Sustainability Compliance: Ensure your projects meet the sustainability requirements set out in the Regulation, including using the key performance indicators specified in Delegated Regulation (EU) 2024/1364. This includes energy efficiency (PUE), water usage, and waste heat recovery.
  • Single Information Points: Utilize the single information points designated by Portugal to assist with the lifecycle of your data centre project, including spatial planning, environmental assessments, and grid connections (Article 12).

Common misconceptions

"CADA replaces the GDPR or AI Act." No. CADA complements existing EU laws like the GDPR, the AI Act, and the Data Act. It does not replace them. CADA focuses specifically on cloud sovereignty, data centre deployment, and public procurement of cloud services. You must still comply with all data protection and AI safety regulations alongside CADA.

"All public cloud procurement must use Level 4 services." No. The Regulation uses a risk-based approach. Most public services will only require Union assurance level 1. Higher levels (2, 3, or 4) are reserved for activities identified in risk assessments as contributing to the preservation of public order, such as national security, justice, or critical infrastructure. Using the highest level for all services would be disproportionate and unnecessary.

"Portugal needs to pass a new law to implement CADA." As an EU Regulation, CADA is directly applicable. While Portugal may issue national guidelines or designate authorities, it does not need to transpose CADA into national statute law. The Regulation becomes law in Portugal automatically upon its entry into force.

"Only EU-based providers can qualify for sovereignty levels." While the criteria heavily favor EU establishment and data localisation, the Regulation does allow for the possibility of third-country providers qualifying under strict conditions (e.g., Union assurance level 3), provided the Commission has adopted an implementing act identifying the third country as providing sufficient safeguards (Article 18). However, the default expectation is for EU-based providers to dominate the sovereign cloud market.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.