Summary The Cloud and AI Development Act (CADA) is a proposal — COM(2026) 502 final, procedure number 2026/0138 (COD) — moving through the ordinary legislative procedure (co-decision). The European Parliament and the Council of the European Union must jointly adopt an identical text for it to become law, after opinions from the European Economic and Social Committee (EESC) and the Committee of the Regions (CoR). It is not yet in force, and the text may change during negotiations.

Detail

As proposed, CADA follows the standard EU path for internal-market regulations. The procedure matters for in-house counsel and compliance teams because the text can change in negotiation, and the application dates depend on when the process concludes.

The ordinary legislative procedure (co-decision)

CADA is subject to the ordinary legislative procedure, formally co-decision. The Parliament and the Council act as co-legislators; neither can adopt the regulation alone, and both must agree on an identical text. The preamble of the proposal records that it is adopted "[a]cting in accordance with the ordinary legislative procedure."

The European Commission adopted the proposal on 3 June 2026 (the document is marked "Brussels, 3.6.2026") under the reference 2026/0138 (COD); the "(COD)" suffix signals the ordinary legislative procedure.

1. European Parliament: Parliament committees scrutinise the proposal, propose amendments and vote on a first-reading position.
2. Council of the European Union: The Council (representing Member States) debates the text and may propose its own amendments.
3. Negotiations (trilogues): Where Parliament and Council differ, informal trilogues between the two institutions and the Commission seek a provisional agreement.
4. Final adoption: Both Parliament and Council must formally adopt the final text before it proceeds to publication.

Consultation of advisory bodies

The preamble records that the proposal was made "[h]aving regard to the opinion of the European Economic and Social Committee" and "[h]aving regard to the opinion of the Committee of the Regions":

• European Economic and Social Committee (EESC): represents organised civil society (employers, workers and other interests).
• Committee of the Regions (CoR): represents local and regional authorities.

These opinions are advisory: they do not block adoption, but they signal stakeholder and political sentiment.

Legal basis and timing

The proposal relies on a dual legal basis:

• Article 114 TFEU: harmonising the internal market (addressing fragmentation in data-centre deployment and cloud procurement).
• Article 173(3) TFEU: enhancing industrial competitiveness and innovation.

Crucially, CADA is not yet law. It is a proposal, and the final text may differ from the Commission's draft. Compliance teams should monitor the file for changes to scope, definitions and deadlines.

Entry into force vs. application

Once adopted, the regulation would follow the timeline in Article 48:

• Entry into force: on the twentieth day following publication in the Official Journal of the European Union.
• Application: from one year after entry into force.

For example, if adopted and published in 2027, it would enter into force shortly after and apply roughly a year later. As drafted, the operative dates in Article 48 and elsewhere are placeholders to be set on adoption.

What this means for you

For in-house counsel and compliance teams, the legislative status shapes the action plan:

1. Do not assume current compliance: because CADA is a proposal, no obligations exist yet — but early preparation is advisable. Article 1 sets out the broad objectives, including the sovereignty framework and accelerated data-centre deployment.
2. Monitor text changes: the Union assurance levels (criteria in Annex II) and the risk-assessment rules (Article 29) may change in trilogues; these details will define the compliance burden.
3. Prepare for national designation: Article 25 would require Member States to designate national competent authorities within one year of entry into force. Identify which authority in your jurisdiction would oversee recognition and enforcement.
4. Audit readiness: the proposal introduces independent third-party audits for higher assurance levels (Article 20). Begin mapping providers' audit status against the proposed Annex II criteria.
5. Procurement strategy: Article 30 would require contracting authorities to procure at least Union assurance level 1 (and levels 2–4 for public-order activities). B2G providers should align offerings with the proposed criteria early.

Common misconceptions

• "CADA is already law." Incorrect. It is a proposal (COM(2026) 502 final), not yet adopted by Parliament or Council.
• "The EESC or CoR can veto the proposal." Incorrect. Their opinions are advisory; only Parliament and Council can adopt or reject.
• "I have until 2026 to comply." Incorrect. The proposal was made in 2026; application would be at least one year after adoption, placing the main deadline in 2028 or later, depending on negotiations.
• "CADA replaces the AI Act." Incorrect. CADA complements the AI Act (Regulation (EU) 2024/1689). CADA focuses on infrastructure, sovereignty and procurement; the AI Act sets risk-based rules for AI systems.
• "The Commission reviews CADA five years after it applies." Not quite. Under Article 47, the Commission would evaluate the Regulation by four years after entry into force, and every five years thereafter, reporting to the Parliament, the Council and the EESC.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)

Related

• When will CADA be reviewed? Article 47 review clause explained
• CADA Article 31: voluntary private-sector impact assessments explained
• Does CADA apply to SMEs and startups? Scope and reliefs explained
• Why was the Cloud and AI Development Act (CADA) proposed?
• Why is the EU dependent on non-EU cloud providers?

This is general information about a draft EU regulation, not legal advice.