Summary The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, is a directly applicable EU Regulation. As such, it would bind Slovakia automatically upon entry into force, requiring no national transposition law. As proposed, CADA would impose three immediate structural duties on Slovakia: (1) adopt a national cloud and AI strategy within one year (Article 7); (2) designate at least one data centre acceleration zone within six months (Article 10); and (3) appoint national competent authorities to enforce cloud sovereignty rules (Article 25). For Slovak public bodies, this introduces mandatory risk assessments and tiered procurement rules for "Union assurance" levels. For cloud providers and data centre operators, it establishes new audit obligations, accelerated permitting in designated zones, and strict transparency requirements regarding third-country control.

Detail

The Cloud and AI Development Act (CADA) is a legislative proposal designed to strengthen Europe's cloud and AI ecosystem by reducing dependence on third-country providers and increasing domestic computing capacity. Because CADA is proposed as a Regulation under Article 114 and Article 173(3) of the Treaty on the Functioning of the European Union (TFEU), it is directly applicable in all Member States, including Slovakia.

This legal status means that once adopted, CADA's provisions would become part of Slovak law immediately upon their entry into application. The Slovak Parliament would not need to pass separate implementing legislation to transpose the text. Instead, Slovakia would be required to take specific administrative and strategic actions to ensure the Regulation's objectives are met within its territory.

The proposal places specific, time-bound obligations on Slovakia across three main pillars: strategic planning, infrastructure deployment, and regulatory oversight.

1. National Cloud and AI Strategy (Article 7)

Under Article 7, Slovakia would be required to establish a national cloud and AI strategy within one year of the Regulation's entry into force. This strategy must be coherent with the objectives of CADA and serve as the roadmap for the country's digital transformation in this sector.

The strategy must explicitly include:

  • Key objectives and priorities for cloud and AI adoption, aligned with the "AI first" principle.
  • Measures to accelerate development at national, regional, and local levels, particularly for public sector bodies, SMEs, and small mid-caps (SMCs).
  • Deployment of data centre capacity, with a focus on high-value data centres that deliver economic and societal benefits while adhering to high environmental and energy-efficiency standards.
  • Investments in high-intensity computing infrastructure, including AI factories, AI gigafactories, and quantum computers as strategic national assets.
  • Measures to ensure the accessibility of high-quality data for AI development, preventing data bottlenecks.

Slovakia must notify the European Commission of this strategy within three months of its adoption. The strategy must be assessed at least every three years based on key performance indicators and updated where necessary. The European Artificial Intelligence Board (established by the AI Act) would assist in coordinating these national strategies across the Union.

2. Data Centre Acceleration Zones (Article 10)

To address the EU-wide shortage of computing capacity, Article 10 requires Slovakia to designate at least one data centre acceleration zone ("acceleration zone") within its territory where data centre capacity is being deployed. This designation must occur within six months of the Regulation's entry into force.

When designating these zones, Slovakia must consider specific criteria to ensure sustainability and efficiency:

  • The location, dimension, and size of the site.
  • Available and future power grid capacity, including the possibility of on-site clean energy generation.
  • Network connectivity capacity and the ability to phase out legacy copper networks.
  • Facilities for reusing data centre waste heat.
  • A preference for reusing brownfield sites over greenfield sites.
  • Climate resilience and the ability to minimize environmental impacts.

Slovakia must also conduct a comprehensive analysis of the energy needs of these zones, reviewing this analysis at least every three years. This analysis must be integrated into national network development plans to ensure grid infrastructure can support future data centre demands. Furthermore, Article 11 mandates that sustainability requirements for data centres in these zones must use the key performance indicators specified in Commission Delegated Regulation (EU) 2024/1364.

3. National Competent Authorities (Article 25)

Article 25 obliges Slovakia to designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework within one year of the Regulation's entry into force. These authorities may be existing bodies, but they must be granted sufficient technical, financial, and human resources to supervise cloud computing service providers effectively.

The Member State where a cloud provider has its main establishment (head office or registered office) has exclusive competence for enforcement. Slovakia must notify the Commission of the names, tasks, and powers of these authorities, which will be published in a public register. These authorities would have investigative powers, including the ability to:

  • Require information from providers and auditing organisations.
  • Inspect premises and seize information relating to suspected infringements.
  • Order the cessation of infringements and impose fines for non-compliance with sovereignty and transparency rules.

4. Impact on Public Procurement and Sovereignty

While the structural duties above define Slovakia's administrative obligations, the sovereignty framework (Articles 16–30) fundamentally changes how Slovak public bodies procure cloud services.

  • Risk Assessments (Article 29): Slovak public authorities must conduct risk assessments to determine which cloud services require higher levels of "Union assurance" (sovereignty levels 2, 3, or 4) to protect public order. This applies to sectors like national security, justice, law enforcement, and critical infrastructure.
  • Procurement Rules (Article 30): Public bodies whose activities are identified as contributing to public order preservation must only procure cloud services recognized as meeting Union assurance levels 2, 3, or 4. Other public bodies must use services meeting at least Union assurance level 1.
  • EU Added Value (Article 32): Slovak contracting authorities must include non-price award criteria in public procurement for innovative cloud and AI services that evaluate the tenderer's contribution to strengthening the European digital supply chain, such as using hardware designed or manufactured in the Union.

What this means for you

For Slovak Public-Sector Procurement Officers

Your procurement processes for cloud computing and AI systems would become more structured and sovereignty-focused.

  • Conduct Risk Assessments: You must perform risk assessments to determine the sensitivity of the data and the criticality of the services you procure. This determines whether you can use standard cloud services (Level 1) or must procure sovereign services (Levels 2–4).
  • Update Procurement Documents: Your tender documents must include specific non-price award criteria that evaluate "European added value," such as the use of Union-designed hardware or software. You cannot use these criteria as the decisive factor, but they must be part of the quality evaluation.
  • Check the Central Repository: When procuring cloud services, you must verify that the provider is recognized in the central repository of cloud computing services offered by the Commission. You can only procure from providers with a valid recognition status.
  • Migration Planning: If a risk assessment requires you to migrate to a more sovereign cloud service, you must plan this migration within a reasonable transition period, not exceeding 12 months, ensuring data portability and service continuity.

For Cloud Computing Service Providers Operating in Slovakia

If you provide cloud services to Slovak public bodies, you must comply with the Union cloud computing sovereignty framework.

  • Seek Recognition: You must apply to the Slovak national competent authority (if established there) for recognition under one of the four Union assurance levels. Level 1 requires a self-assessment and an EU statement of conformity. Levels 2–4 require independent third-party audits.
  • Transparency and Audits: You must be prepared for independent audits that verify your infrastructure location, data residency, personnel citizenship (for higher levels), and absence of third-country control. You must provide full transparency on subcontractors.
  • Report Changes: You must promptly report any material changes in circumstances that could affect your assurance level to the auditing organization and the competent authority.

For Data Centre Operators in Slovakia

  • Accelerated Permitting: If your data centre is located in a designated acceleration zone, you benefit from streamlined administrative procedures. The permit-granting procedure for projects in these zones must not exceed 12 months from the submission of a comprehensive application.
  • Single Information Point: You have the right to be assisted by a single information point throughout the lifecycle of your project, helping coordinate spatial planning, environmental assessments, and grid connections.
  • Sustainability Compliance: You must meet specific sustainability key performance indicators related to energy efficiency (e.g., Power Usage Effectiveness) as defined in EU delegated acts. Slovakia may also require you to contribute to grid stability and waste heat reuse.

Common misconceptions

"Slovakia needs to pass a new law to implement CADA." This is incorrect. As an EU Regulation, CADA is directly applicable. While Slovakia must take administrative actions (like designating authorities and zones), it does not need to transpose the text into the Slovak Collection of Laws. The Regulation applies automatically.

"All cloud services must be 100% European-owned." CADA does not ban non-European providers outright. Instead, it creates a tiered "Union assurance" system. A provider controlled by a third country may still qualify for Union assurance level 3 if the Commission determines that the third country provides sufficient safeguards (e.g., via an adequacy decision) and the provider demonstrates effective legal and technical separation from third-country control. However, for the highest assurance levels (Level 4), providers and subcontractors must not be subject to third-country control.

"Data centres can be built anywhere in Slovakia." While data centres can be built outside acceleration zones, the proposal incentivizes deployment in designated acceleration zones through faster permitting (12-month limit) and better grid planning integration. Building outside these zones may involve longer, more fragmented permitting processes under existing national laws.

"Public bodies can choose any cloud provider they want." No. Public bodies are bound by the results of their risk assessments. If an activity is deemed to contribute to public order preservation, the authority must procure services with Union assurance levels 2, 3, or 4. They cannot simply choose a cheaper, non-recognized provider if it does not meet the required assurance level.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.