Summary The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, is a directly applicable EU Regulation. This means it would bind Sweden immediately upon entry into force without requiring national transposition by the Riksdag. Under the proposal, Sweden would be mandated to: (1) adopt a national cloud and AI strategy within one year (Article 7); (2) designate at least one data centre acceleration zone within six months to streamline permitting (Article 10); and (3) appoint a national competent authority to enforce cloud sovereignty rules (Article 25). For Swedish public bodies, this would introduce strict procurement obligations requiring cloud services to meet specific Union assurance levels based on risk assessments. Cloud providers and data centre operators would face new audit requirements, data localisation rules, and a faster permitting pathway within designated zones.

Detail

The Cloud and AI Development Act (CADA) is a legislative proposal by the European Commission designed to strengthen Europe's cloud and AI ecosystem by addressing capacity gaps, reducing dependencies on third-country providers, and safeguarding public order. Crucially, CADA is proposed as a Regulation, not a Directive. Under EU law, a Regulation is directly applicable in all Member States, including Sweden. This legal instrument binds the entirety of Sweden immediately upon its entry into force, meaning Swedish law would automatically align with CADA's requirements without the need for the Riksdag to pass a separate implementing act.

While the text is directly applicable, it imposes specific, binding obligations on Member States to take administrative and strategic actions. For Sweden, these duties are central to the proposal's goal of harmonising the internal market for cloud services while enhancing strategic autonomy. The key obligations for Sweden are detailed below.

1. National Cloud and AI Strategy (Article 7)

Under Article 7, Sweden would be required to establish a national cloud and AI strategy within one year of the Regulation's entry into force. This is not a voluntary policy paper; it is a mandatory legal obligation. The strategy must be coherent with the Regulation's objectives and include specific, actionable elements:

  • Key objectives and priorities for cloud and AI adoption, explicitly aligned with the "AI first" principle.
  • Measures to accelerate the development and adoption of cloud and AI at national, regional, and local levels, with a specific focus on public sector bodies, SMEs, and small mid-caps.
  • Plans to support the deployment of data centre capacity, prioritising high-value data centres that adhere to high environmental and energy-efficiency standards.
  • Investment in high-intensity computing infrastructure, including AI factories, AI gigafactories, and quantum computers as strategic national assets.

Sweden must notify the Commission of this strategy within three months of its adoption. Furthermore, the strategy is not static; Sweden must assess it at least every three years based on key performance indicators and update it where necessary. The European Artificial Intelligence Board (AI Board), established under the AI Act, would assist in coordinating these national strategies across the EU to ensure consistency.

2. Data Centre Acceleration Zones (Article 10)

To address the critical shortage of computing capacity in the EU, Article 10 imposes a strict deadline on Sweden: it must designate at least one "data centre acceleration zone" within its territory where data centre capacity is being deployed. This designation must occur within six months of the Regulation's entry into force.

When designating these zones, Swedish authorities must conduct a comprehensive analysis considering:

  • The location, dimensions, and size of the site.
  • Available and future power grid capacity and network connectivity.
  • The ability to reuse data centre waste heat.
  • Measures to accelerate permit-granting processes.
  • A preference for reusing brownfield sites over greenfield sites.
  • The site's ability to function sustainably, minimising environmental impacts and carbon emissions.

Within these zones, Sweden must ensure that resource allocation is fair, reasonable, and non-discriminatory to prevent speculative reservation. Crucially, Article 13 (linked to acceleration zones) mandates that permit-granting procedures for data centre projects in these zones must not exceed 12 months from the submission of a comprehensive application. This provision aims to drastically reduce the bureaucratic delays that currently hinder data centre construction in Sweden, creating a "fast-track" regulatory environment for strategic infrastructure.

3. National Competent Authority (Article 25)

Article 25 requires Sweden to designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework. These authorities would be granted significant powers, including:

  • Recognition: Assessing and recognising cloud computing service providers that meet specific Union assurance levels (1–4).
  • Investigation: Exercising investigative powers to request information, carry out inspections, and examine premises to detect suspected infringements.
  • Enforcement: Imposing fines and periodic penalty payments for non-compliance, ensuring penalties are "effective, proportionate and dissuasive."

Sweden must notify the Commission of the names, tasks, and powers of these authorities. The Regulation specifies that the Member State where a cloud provider has its main establishment has exclusive competence for enforcement. This means that if a Swedish cloud provider operates across the EU, the Swedish competent authority would be the primary regulator for that provider's compliance with CADA, rather than the authorities in other Member States where the provider offers services.

4. Public Procurement and Sovereignty Levels

While the articles above define Sweden's state-level duties, CADA fundamentally alters how Swedish public bodies procure cloud services. Article 30 mandates that contracting authorities whose activities contribute to the preservation of public order (such as defence, justice, law enforcement, or critical infrastructure) must only procure cloud computing services recognised as offering Union assurance levels 2, 3, or 4. Other public bodies must use services recognised as Union assurance level 1.

This creates a direct operational link between the national strategy (Article 7) and procurement practices. Swedish authorities will be required to conduct risk assessments (under Article 29) to determine which of their activities involve public order relevance. Based on this assessment, they must procure only from providers recognised at the appropriate assurance level, driving demand for sovereign, EU-based cloud services and reducing reliance on third-country providers.

What this means for you

For Swedish Public Sector and Procurement Officers

As a procurement officer in a Swedish municipality, region, or national agency, CADA would significantly change your tendering processes. You would no longer be able to select cloud providers based solely on price or technical features without considering their sovereignty assurance level.

  • Risk Assessments: You must participate in or conduct risk assessments to determine if your agency's activities involve public order relevance. If they do, you are legally required to procure only from providers recognised at Union assurance levels 2, 3, or 4.
  • New Award Criteria: Under Article 32, you must include non-price award criteria that evaluate a tenderer's contribution to the European cloud and AI ecosystem. This includes evaluating whether the provider uses hardware designed or manufactured in the Union and whether they integrate Union-developed technologies.
  • Open Source Preference: Article 41 encourages the use of open-source solutions. While not a strict ban on proprietary software, you would be expected to prioritise open standards and components to reduce vendor lock-in and enhance security.

For Cloud Service Providers Operating in Sweden

If you are a cloud provider established in Sweden or offering services to Swedish public bodies, you must navigate the new sovereignty framework.

  • Recognition Process: To sell to the public sector, you must apply for recognition at a specific Union assurance level (1–4) through the Swedish national competent authority.
  • Audits and Compliance: For levels 2, 3, and 4, you must undergo independent third-party audits. These audits will scrutinise your data localisation practices, personnel citizenship, and freedom from third-country control. For example, at Level 3 and 4, personnel involved in service provision must be Union citizens, and data must remain exclusively within the Union.
  • Transparency: You must report any material changes that could affect your assurance level status and maintain a high degree of transparency regarding subcontractors and data flows.

For Data Centre Operators in Sweden

Data centre operators in Sweden would benefit from the streamlined permitting process within acceleration zones.

  • Faster Permits: By locating in designated acceleration zones, you can benefit from the 12-month maximum permit-granting timeline.
  • Sustainability Requirements: You must comply with strict sustainability requirements, using key performance indicators defined in EU delegated regulations. This includes optimising energy efficiency (PUE) and water usage.
  • Strategic Project Status: If your project meets certain criteria (e.g., supporting public sector functions or using innovative sustainable technologies), you may apply for designation as a "data centre strategic project" under Article 14, which could unlock additional support and prioritised processing.

Common misconceptions

Misconception 1: Sweden needs to pass a new law to implement CADA. Correction: CADA is a Regulation, not a Directive. This means it is directly applicable in Sweden. Once adopted by the EU, it becomes part of Swedish law automatically. However, Sweden still needs to designate authorities and create strategies as required by the text.

Misconception 2: All cloud providers will be banned if they are non-EU. Correction: CADA does not ban non-EU providers outright. However, for public sector contracts, especially those involving public order, only providers recognised at specific Union assurance levels can be used. Non-EU providers may still compete for Level 1 services or private sector contracts, but they face significant hurdles for higher assurance levels due to strict data localisation and control requirements.

Misconception 3: Acceleration zones are only for large hyperscalers. Correction: While large data centres will benefit, the acceleration zones are designed to facilitate the deployment of capacity broadly. The rules ensure fair, non-discriminatory access to resources within these zones, preventing speculative reservation and supporting smaller operators as well.

Misconception 4: The national strategy is a one-time document. Correction: Under Article 7, the national strategy must be reviewed and assessed at least every three years. It is a living document that must adapt to technological changes and evolving security risks.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.