Summary As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) is a directly applicable EU Regulation. It binds Spain immediately upon entry into force, requiring no national transposition law. Spain must adopt a national cloud and AI strategy within one year, designate data centre acceleration zones within six months, and appoint a national competent authority to enforce sovereignty rules. For public bodies, this introduces mandatory procurement tiers based on "Union assurance levels"; for providers, it creates a new recognition regime; and for data centre operators, it offers expedited permitting in designated zones.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission as COM(2026) 502 final, represents a fundamental shift in the governance of Europe's digital infrastructure. Unlike a Directive, which requires Member States to transpose its provisions into national law, CADA is drafted as a Regulation. Under Article 48, it shall be "binding in its entirety and directly applicable in all Member States." This means that once the Regulation enters into force (20 days after publication) and the application date arrives (one year later), its provisions become law in Spain automatically. The Spanish government would not need to pass a separate "CADA Law" to make it effective, though it would need to take specific administrative actions to comply with the obligations outlined in the text.

For Spain, CADA imposes three primary structural obligations that would reshape the national landscape for cloud computing, artificial intelligence, and data centres. These obligations are designed to reduce dependency on non-European providers, increase domestic computing capacity, and ensure that public-sector data remains under Union control.

1. The National Cloud and AI Strategy (Article 7)

Under Article 7, Spain is required to establish a "national cloud and AI strategy" within one year of the Regulation's entry into force. This strategy is not merely advisory; it must be "coherent with the objectives of this Regulation" and include specific measures to accelerate development and adoption.

The strategy must cover several mandatory elements:

  • Adoption Priorities: It must outline objectives for cloud and AI adoption in line with the "AI first" principle, specifically targeting public sector bodies, small and medium-sized enterprises (SMEs), and small mid-caps (SMCs).
  • Infrastructure Deployment: It must include measures to support the deployment of data centre capacity, focusing on high-value data centres that deliver economic and societal benefits while adhering to high environmental and energy-efficiency standards.
  • Investment in High-Intensity Computing: The strategy must address investments in "AI factories, AI gigafactories and quantum computers as strategic national and cross-border assets."
  • Open Source and Sovereignty: It must promote the development of cloud computing stack technologies built upon open hardware and software to strengthen technological sovereignty.
  • Data Accessibility: It must include measures to ensure the accessibility of high-quality data for AI development.

Spain must notify the European Commission of its national strategy within three months of adoption. The strategy must be assessed at least every three years and updated if necessary. The European Artificial Intelligence Board (AI Board) would assist in coordinating these strategies across Member States to ensure consistency.

2. Data Centre Acceleration Zones (Article 10)

To address the EU's compute capacity deficit, Article 10 obliges Spain to designate at least one "data centre acceleration zone" within its territory by six months after the Regulation enters into force, provided that data centre capacity is being deployed.

These acceleration zones are specific geographical areas where the development, expansion, and modernisation of data centres are facilitated. When designating these zones, Spain must consider:

  • Site Characteristics: The location, dimension, and minimum/maximum size of facilities.
  • Energy and Connectivity: Available and future power grid capacity, network connectivity, and the possibility for on-site clean energy generation.
  • Sustainability: The ability of the site to function sustainably, including measures to prevent environmental impacts and support carbon emission reductions. Preference should be given to reusing brownfield sites over greenfield sites.
  • Permitting Acceleration: Measures taken to accelerate the granting of necessary permits for constructing and operating data centres.

Within these zones, Spain must ensure that the allocation and use of resources take place on fair, reasonable, and non-discriminatory terms. Furthermore, Spain must conduct a comprehensive analysis of the energy needs of these zones and review this analysis at least every three years. This analysis must be integrated into national network development plans to ensure that the electricity grid can accommodate future demand.

3. National Competent Authority (Article 25)

Article 25 requires Spain to designate one or more "national competent authorities" responsible for enforcing the cloud computing sovereignty framework established by CADA. This designation must be made within one year of the Regulation's entry into force.

The national competent authority would have exclusive competence for enforcing the sovereignty rules in the Member State where the cloud computing service provider has its main establishment. This authority would:

  • Recognise Services: Assess applications from cloud providers seeking recognition at specific Union assurance levels (Levels 1–4).
  • Supervise Compliance: Monitor cloud providers to ensure they meet the criteria for their recognised assurance level.
  • Enforce Penalties: Impose fines and corrective measures on providers who infringe on the Regulation's obligations.

Spain must notify the Commission of the names, tasks, and powers of these authorities. The Commission would maintain a public register of these authorities. The authority must perform its tasks in an impartial, transparent, and timely manner, with sufficient technical, financial, and human resources.

4. Impact on Public Procurement and Sovereignty

For public-sector bodies in Spain, CADA introduces a mandatory framework for procuring cloud computing services. Under Article 30, contracting authorities must procure services that have been recognised as offering at least "Union assurance level 1."

Furthermore, Spain must conduct risk assessments (under Article 29) to identify public sector activities that contribute to the preservation of public order. For these activitiesβ€”such as those in national security, defence, justice, or critical infrastructureβ€”Spain must only procure cloud services recognised at Union assurance levels 2, 3, or 4. This ensures that sensitive data and critical operations are protected from extraterritorial access by third-country authorities.

What this means for you

For Public-Sector Procurement Officers in Spain

Your procurement processes for cloud services and AI systems would undergo significant changes. You can no longer select cloud providers based solely on price or technical features. You must now verify that the provider has been recognised by a national competent authority as offering a specific Union assurance level.

  • Minimum Baseline: For general administrative tasks, you must procure services recognised at Union assurance level 1.
  • Critical Functions: For activities identified in your national risk assessment as critical to public order, you must procure services at levels 2, 3, or 4.
  • Risk Assessments: Your organisation must participate in or align with the national risk assessment process to determine which of your services fall into the higher assurance categories.
  • Open Source Preference: You are encouraged to use open-source solutions and components released under open-source licences when building your cloud and AI stack, as promoted by the Regulation's push for technological sovereignty.

For Cloud Service Providers Operating in Spain

If you are a cloud provider offering services to Spanish public bodies, you must seek recognition under the Union cloud computing sovereignty framework.

  • Level 1: Requires a self-assessment and an EU statement of conformity. Your infrastructure and data must remain in the Union unless the public sector body explicitly requires otherwise.
  • Levels 2–4: Require independent third-party audits. These levels impose stricter requirements on data localisation, personnel citizenship (Union citizens for levels 3 and 4), and the absence of third-country control.
  • Transparency: You must report any material changes that could affect your assurance level to the auditing organisation and the national competent authority.

For Data Centre Operators in Spain

Operators looking to build or expand data centres should target the acceleration zones designated by Spain.

  • Expedited Permitting: Projects in acceleration zones benefit from streamlined administrative processes. The permit-granting procedure would not exceed 12 months from the submission of a comprehensive application.
  • Energy Planning: You must engage with national grid planning processes. The analysis of energy needs for acceleration zones would inform grid investments, potentially easing connection delays.
  • Sustainability Standards: You must comply with sustainability requirements using the key performance indicators defined in Delegated Regulation (EU) 2024/1364.

Common misconceptions

Misconception 1: Spain needs to pass a new law to implement CADA. Correction: CADA is a Regulation, not a Directive. It is directly applicable. While Spain must take administrative actions (like designating an authority or zones), it does not need to transpose the text into national law. The Regulation becomes part of Spanish law automatically upon its application date.

Misconception 2: All cloud services used by the public sector must be "sovereign" in the highest sense. Correction: CADA uses a tiered approach. Most public services only require Union assurance level 1. Only activities identified as critical to public order through a risk assessment require levels 2, 3, or 4. This ensures proportionality and avoids unnecessary costs for non-critical administrative tasks.

Misconception 3: CADA bans non-European cloud providers entirely. Correction: CADA does not ban non-European providers. However, it creates a framework where public-sector procurement is restricted to services that meet specific sovereignty criteria. Non-European providers can still operate in Spain if they are established in the Union, meet the assurance level criteria, and are not subject to third-country control that conflicts with Union law.

Misconception 4: Data centres can be built anywhere in Spain. Correction: While data centres can be built outside acceleration zones, the Regulation incentivises deployment within designated zones through streamlined permitting and grid planning support. Operators outside these zones may face longer permitting times and less coordinated energy infrastructure planning.

Related

This is general information about a draft EU regulation, not legal advice.