Summary The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is a directly applicable EU Regulation. This means it would bind Slovenia immediately upon entry into force without requiring national transposition legislation. As proposed, CADA would impose three core administrative duties on Slovenia: (1) adopt a national cloud and AI strategy within one year (Article 7); (2) designate at least one data centre acceleration zone within six months (Article 10); and (3) appoint a national competent authority to enforce sovereignty rules (Article 25). For Slovenian public bodies, this would trigger mandatory procurement of cloud services meeting specific "Union assurance levels," while cloud providers and data centre operators would face new recognition frameworks and streamlined permitting in designated zones.

Detail

The Cloud and AI Development Act (CADA) is a legislative proposal designed to strengthen Europe's cloud and AI ecosystem by addressing compute capacity deficits, ensuring sustainable deployment, and safeguarding public order through a harmonised sovereignty framework. Because CADA is drafted as a Regulation, it is directly applicable in all Member States, including Slovenia. Unlike Directives, which require national parliaments to pass implementing laws, a Regulation becomes law in Slovenia automatically upon its entry into force. However, while the rules apply directly, Slovenian authorities would still be required to establish specific administrative structures and take active steps to fulfill the obligations set out in the text.

The proposal establishes a dual objective: to ensure the competitiveness and innovation capacity of the Union's cloud and AI ecosystem, and to improve the functioning of the single market by increasing the Union's resilience and strategic autonomy (Article 1). For Slovenia, this translates into a series of concrete deadlines and operational changes affecting public administration, the technology sector, and infrastructure developers.

1. Direct Applicability and Immediate Effect

As stated in Article 1, CADA establishes a framework for strengthening the cloud and AI ecosystem at Union level. It sets out measures to increase computing capacity, enable a sovereign cloud offer to safeguard public order, and foster the adoption of cloud computing services across the public sector. Because it is a Regulation, Slovenian authorities, businesses, and citizens would be subject to these rules uniformly across the EU. This prevents regulatory fragmentation and ensures that Slovenian providers can compete on a level playing field with those in other Member States, provided they meet the Union-wide assurance criteria.

2. National Cloud and AI Strategy (Article 7)

One of the first major tasks for Slovenia would be the adoption of a national cloud and AI strategy. Article 7 requires Member States to establish this strategy within one year of the Regulation's entry into force.

This strategy is not optional; it must include specific elements to align with the EU's broader objectives. As proposed, the Slovenian strategy would need to outline:

  • Key objectives for cloud and AI adoption, aligned with the "AI first" principle.
  • Measures to accelerate development at national, regional, and local levels, particularly for public sector bodies, SMEs, and small mid-caps.
  • Plans to support the deployment of data centre capacity, focusing on high-value centres that adhere to high environmental and energy-efficiency standards.
  • Investments in high-intensity computing infrastructure, such as AI factories and quantum computers, as strategic national assets.
  • Measures to support the development of open cloud computing stack technologies to strengthen technological sovereignty.

The strategy must be consistent with the objectives of CADA and contribute to the digital targets set under the Digital Decade Policy Programme. Slovenia would need to notify the European Commission of its strategy within three months of adoption and assess it at least every three years (Article 7(5)).

3. Data Centre Acceleration Zones (Article 10)

To address the EU's compute capacity deficit, CADA introduces a mechanism for accelerating data centre deployment. Article 10 obliges Member States to designate at least one "data centre acceleration zone" within their territory where data centre capacity is being deployed.

For Slovenia, this means identifying specific geographic areas where the regulatory and infrastructure conditions are optimized for data centre construction. When designating these zones, Slovenia would need to consider:

  • The location, dimension, and minimum/maximum size of facilities.
  • Available and future power grid capacity, including possibilities for on-site clean energy generation.
  • Network connectivity capacity.
  • Measures to accelerate permit granting for construction and operation.
  • Environmental sustainability, including the preference for reusing brownfield sites and minimizing environmental impacts.

The designation deadline is tight: within six months of the Regulation's entry into force (Article 10(1)). Once designated, these zones would benefit from streamlined administrative processes. Article 13 establishes that data centre projects deployed in acceleration zones are considered "strategic projects" and benefit from a dedicated toolbox for environmental assessments. Crucially, Article 13(5) sets a hard cap: the permit-granting procedure for data centre projects in these zones "shall not exceed 12 months" from the moment a comprehensive application is submitted. This would significantly reduce the time it currently takes for operators to get projects approved in Slovenia.

Furthermore, Article 11 requires that data centres in acceleration zones meet specific key performance indicators (KPIs) for energy efficiency, as defined in Delegated Regulation (EU) 2024/1364. To facilitate this, Article 12 requires Slovenia to designate one or more "single information points" to assist operators throughout the project lifecycle.

4. National Competent Authority (Article 25)

To enforce the sovereignty framework and supervise cloud computing service providers, Article 25 requires Member States to designate one or more national competent authorities.

Slovenia would need to appoint an authority responsible for:

  • Recognizing cloud computing service providers that offer specific "Union assurance levels" of sovereignty.
  • Enforcing the rules related to the cloud computing sovereignty framework.
  • Cooperating with other Member States' authorities on cross-border issues.

This authority must have the necessary resources, expertise, and technical means to perform its tasks impartially and independently. The Commission would maintain a public register of these authorities, ensuring transparency for providers and public buyers across the EU. The Member State where the cloud provider has its main establishment (e.g., Slovenia for a Slovenian provider) would have exclusive competence for enforcing the chapter (Article 25(4)).

5. Changes for Public Bodies, Providers, and Operators

For Public-Sector Procurement Officers: The most immediate impact on Slovenian public bodies would be in procurement. CADA introduces a "Union cloud computing sovereignty framework" with four assurance levels. Article 30 mandates that contracting authorities must procure cloud computing services that have been recognized as offering at least Union assurance level 1.

For activities identified as contributing to the preservation of public order (such as national security, justice, law enforcement, or critical infrastructure), authorities must only procure services recognized at Union assurance levels 2, 3, or 4 (Article 30(3)). This requires Slovenian procurement officers to:

  1. Conduct risk assessments under Article 29 to determine which activities contribute to public order.
  2. Integrate these assurance levels into their tender documents.
  3. Verify that providers hold valid recognition from the central repository.

For Cloud Service Providers: Providers operating in Slovenia, or aiming to serve Slovenian public bodies, would need to seek recognition under the sovereignty framework. This involves submitting an application to the national competent authority.

  • Level 1: Requires a conformity self-assessment and an EU statement of conformity (Article 19).
  • Levels 2–4: Require independent third-party audits (Article 20).
  • Key Criteria: Providers must demonstrate compliance with criteria such as data remaining within the Union, personnel being Union citizens (mandatory for Levels 3 and 4, conditional for Level 2 if required by the public body), and the absence of third-country control that could compromise security.
  • Third-Country Derogation: For Level 3, a derogation is possible if the Commission has adopted an implementing act under Article 18 identifying a third country with sufficient assurances.

For Data Centre Operators: Operators in Slovenia would benefit from the streamlined permitting in acceleration zones but would also face sustainability requirements. They would need to engage with single information points (designated under Article 12) to navigate the permitting process efficiently. Operators must ensure their facilities meet the KPIs defined in Delegated Regulation (EU) 2024/1364 to qualify for the acceleration zone benefits.

What this means for you

If you are a public-sector procurement officer in Slovenia, you must prepare for a shift in how cloud services are purchased. You will need to:

  1. Update Procurement Policies: Ensure that future tenders for cloud computing services explicitly require providers to hold a valid Union assurance level recognition.
  2. Conduct Risk Assessments: As required by Article 29, your organization will need to carry out risk assessments to determine if your activities contribute to public order. If they do, you must procure services at higher assurance levels (2, 3, or 4).
  3. Engage with the National Strategy: Familiarize yourself with Slovenia's national cloud and AI strategy, as your procurement decisions should support its objectives, such as boosting domestic providers and ensuring sustainability.

If you are a cloud provider or data centre operator, you should:

  1. Prepare for Recognition: Start gathering evidence for compliance with the Union assurance levels. This includes documenting data flows, personnel locations, and ownership structures.
  2. Monitor Acceleration Zones: Keep an eye on the designation of data centre acceleration zones in Slovenia. Deploying in these zones could significantly speed up your time-to-market due to the 12-month permitting cap.
  3. Enhance Sustainability: Ensure your data centre designs meet the energy efficiency KPIs required for acceleration zones to avoid regulatory hurdles.

Common misconceptions

Misconception 1: Slovenia needs to pass a new law to implement CADA. Because CADA is a Regulation, it is directly applicable. Slovenia does not need to transpose it into national law in the same way it does for Directives. However, Slovenia does need to take active steps to fulfill its obligations, such as designating the competent authority and acceleration zones.

Misconception 2: All cloud services will be banned if they are not fully "sovereign." CADA does not ban non-sovereign cloud services entirely. It establishes a tiered system. Level 1 is the minimum for all public procurement. Higher levels are only required for activities deemed critical to public order. Private sector entities are encouraged but not strictly mandated to use these services, though they may be influenced by public sector demand.

Misconception 3: Data centres can be built anywhere without restriction. While CADA aims to accelerate deployment, it does so within designated "acceleration zones" and with strict sustainability requirements. Operators cannot bypass environmental assessments; rather, they benefit from a streamlined, aggregated baseline permit process in these specific zones.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.