Summary

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is a directly applicable EU Regulation. This means it would bind Romania immediately upon entry into force, requiring no national transposition into Romanian law. As proposed, Romania would face three core deadlines: adopting a national cloud and AI strategy within one year, designating at least one data centre acceleration zone within six months, and appointing a national competent authority to enforce cloud sovereignty rules. For public bodies, this introduces mandatory risk assessments and strict "Union assurance levels" for cloud procurement; for providers and operators, it creates a new compliance regime centred on data localisation, personnel citizenship, and supply-chain transparency.

Detail

The Cloud and AI Development Act (CADA) represents a fundamental shift in the EU's approach to digital infrastructure. Unlike a Directive, which requires Member States to pass national laws to transpose its provisions, a Regulation is directly applicable. As proposed, CADA would become part of the Romanian legal order automatically, binding all Romanian authorities, public bodies, and economic operators without the need for intermediate national legislation. The proposal's primary aim is to reduce the EU's dependence on non-European cloud providers, triple data centre capacity, and establish a harmonised "sovereign cloud" framework to safeguard public order.

For Romania, the proposal imposes specific, time-bound obligations across three pillars: strategic planning, infrastructure acceleration, and regulatory oversight.

1. The National Cloud and AI Strategy (Article 7)

Under Article 7, Romania would be required to establish a "national cloud and AI strategy" within one year of the Regulation's entry into force. This is a binding obligation, not a voluntary guideline. The strategy must align with the EU's "AI first" principle and include:

  • Objectives and Priorities: Clear goals for cloud and AI adoption across national, regional, and local levels, specifically targeting public sector bodies, SMEs, and small mid-caps.
  • Deployment Measures: Concrete steps to accelerate the deployment of data centre capacity, with a focus on high-value centres that adhere to strict environmental and energy-efficiency standards.
  • Infrastructure Investment: Plans to invest in high-intensity computing infrastructure, including AI factories, AI gigafactories, and quantum computers.
  • Open Source and Sovereignty: Measures to support the development of cloud computing stack technologies built upon open hardware and software to strengthen technological sovereignty.

Romania must notify the Commission of this strategy within three months of its adoption and assess it at least every three years. The European Artificial Intelligence Board would advise on coordination, ensuring Romania's strategy contributes to the EU's broader digital targets.

2. Data Centre Acceleration Zones (Article 10)

To address the critical shortage of computing capacity, Article 10 mandates that Romania designate at least one data centre acceleration zone within its territory if data centre capacity is being deployed. This designation must occur within six months of the Regulation's entry into force.

When designating these zones, Romanian authorities must consider:

  • Grid Capacity: The availability of current and future power grid capacity and the possibility of on-site clean energy generation.
  • Connectivity: The availability of network connectivity and the capacity to phase out legacy copper networks.
  • Sustainability: The ability to reuse waste heat and the preference for reusing brownfield sites over greenfield sites to minimise environmental impact.

Crucially, Article 13 establishes that data centre projects within these zones benefit from an aggregated baseline permit and a strict 12-month maximum for the permit-granting procedure from the submission of a comprehensive application. This creates a predictable timeline for investors, provided they meet the sustainability requirements defined in Delegated Regulation (EU) 2024/1364.

3. National Competent Authority (Article 25)

Article 25 requires Romania to designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework within one year of entry into force. This authority would be the sole point of contact for recognising cloud computing service providers that meet specific "Union assurance levels."

The competent authority must possess sufficient technical, financial, and human resources to supervise providers impartially. It would be responsible for:

  • Assessing applications for recognition of Union assurance levels 1 through 4.
  • Conducting investigations and enforcing penalties for infringements.
  • Cooperating with competent authorities in other Member States and the Commission.

Romania must notify the Commission of the designated authority's name and tasks. The authority would have exclusive competence for enforcement in the Member State where the cloud provider has its main establishment.

4. Impact on Public Procurement and Sovereignty

For Romanian public-sector bodies, CADA introduces a rigorous new procurement framework. Article 29 requires Romania to conduct risk assessments to identify which public sector activities contribute to the preservation of public order (e.g., national security, defence, justice, law enforcement).

Based on these assessments:

  • General Activities: For activities not identified as contributing to public order, contracting authorities must procure cloud services recognised at Union assurance level 1 (minimum baseline).
  • Public Order Activities: For activities identified as contributing to public order, authorities must procure only services recognised at Union assurance level 2, 3, or 4.

This shifts procurement from a purely cost-and-performance evaluation to a sovereignty-driven decision. Article 32 further requires Romanian authorities to include Union added value criteria in tender evaluations, assessing how a provider contributes to the European digital supply chain (e.g., using hardware designed in the Union).

What this means for you

The direct applicability of CADA means Romanian stakeholders must prepare for immediate compliance once the Regulation enters into force.

For Public-Sector Procurement Officers

Your workflow will change fundamentally. You can no longer treat cloud services as generic IT purchases.

  • Risk Assessment First: Before launching a tender, you must consult the national risk assessment to determine the required Union assurance level. If your department handles sensitive data or critical infrastructure, you may be legally barred from using providers that do not meet levels 2, 3, or 4.
  • Mandatory Criteria: You must include "Union added value" criteria in your quality evaluation (Article 32). While not decisive, these criteria must assess the tenderer's contribution to the European supply chain.
  • Verification: You must verify that the provider is recognised in the central repository maintained by the Commission. Procuring a non-recognised provider for public-order activities would be a breach of the Regulation.

For Cloud Providers Operating in Romania

If you wish to serve the Romanian public sector, you must seek recognition under the CADA framework.

  • Level 1 (Self-Assessment): For basic services, you must submit an EU statement of conformity demonstrating compliance with criteria such as EU establishment and data localisation.
  • Levels 2–4 (Audit Required): For higher assurance levels, you must undergo independent third-party audits. You will need to prove that your infrastructure, assets, and personnel are located in the Union, that customer data remains exclusively in the Union, and that you are not subject to third-country control that could compromise service continuity.
  • Personnel Requirements: For levels 3 and 4, personnel involved in the service must be Union citizens (conditional for level 2 if the public body requires it).
  • Consequences: Failure to maintain recognition could lead to revocation and exclusion from public contracts. Penalties for infringements would be set by Romania but must be "effective, proportionate and dissuasive" (Article 24).

For Data Centre Operators

If you are planning to build or expand in Romania, targeting a designated acceleration zone is critical.

  • Permitting Speed: Projects in these zones benefit from a maximum 12-month permitting timeline and an aggregated baseline permit.
  • Sustainability: You must align with the key performance indicators in Delegated Regulation (EU) 2024/1364 regarding energy efficiency and waste heat reuse.
  • Single Information Point: You have the right to be assisted by a designated single information point throughout the project lifecycle, which can coordinate spatial planning, environmental assessments, and grid connections.

Common misconceptions

"Romania can delay implementation by passing national laws." No. As a Regulation, CADA applies directly. While Romania must adopt a strategy and designate authorities, the substantive rules on sovereignty, data localisation, and procurement criteria apply automatically. There is no "transposition period" for the core obligations.

"CADA bans all non-European cloud providers." Not outright. The proposal creates a tiered system. A provider subject to third-country control can still qualify for Union assurance level 3 if the Commission adopts an implementing act identifying that third country as providing sufficient assurances (Article 18). However, for the highest levels (Level 4) and for public-order activities, the criteria are so stringent that only providers with deep EU integration and independence from third-country control will likely qualify.

"The national competent authority must be a new agency." Article 25 explicitly allows Romania to designate an existing authority (e.g., a cybersecurity agency or data protection authority) provided it has the necessary resources and mandate. It does not require creating a new government department.

"Acceleration zones guarantee automatic permits." Designation streamlines the process and sets a 12-month cap, but it does not guarantee approval. Projects must still meet all environmental, spatial planning, and energy efficiency requirements. The "aggregated baseline permit" covers common requirements, but installation-specific permits may still be needed.

This is general information about a draft EU regulation, not legal advice.