How is CADA governed and what committee oversees it?

Summary As proposed, the Cloud and AI Development Act (CADA) would empower the European Commission to keep its technical rules current through delegated and implementing acts, with Member State oversight via a committee operating under the examination procedure of Regulation (EU) No 182/2011. Article 45 would govern the exercise of the delegation of power; Article 46 would establish the committee and trigger the examination procedure; and Article 47 would require the Commission to review the Regulation four years after entry into force and every five years thereafter.

Detail

CADA would establish a governance structure designed to keep its technical criteria agile while preserving democratic oversight. The proposal rests on Articles 114 and 173(3) TFEU. Its governance centres on a limited delegation of powers to the Commission, subject to controls by the European Parliament and the Council.

Delegated acts and the exercise of delegation (Article 45)

CADA would confer power on the Commission to adopt delegated acts to amend or supplement specified, non-essential elements. As listed in the article governing the exercise of the delegation (Article 45 in the proposal's numbering scheme), these powers would be limited to:

• Amending Annex I (Article 6(4)): updating the "grand challenges" for the Cloud and AI Leadership Initiatives to reflect technological and market developments.
• Amending Annex II and Annex III (Article 16(2)): updating the criteria for the Union assurance levels and the related audit evidence, keeping the sovereignty framework aligned with evolving standards.
• Laying down rules on audits (Article 20(9)): supplementing the Regulation with procedural steps, rules for auditing organisations and their technical competences, auditing methodologies, and templates for audit reports.
• Amending Annex III (Article 21(1)): specifying the audit evidence needed to assess the audit criteria under Annex II.
• Requiring impact assessments (Article 31(3)): where duly justified, specifying impact assessments and risk-mitigation measures for non-public-sector entities operating in sectors of high criticality.

These delegated acts would be conferred for an indeterminate period from entry into force. The delegation would not be absolute: the European Parliament or the Council could revoke it at any time, with the revocation taking effect the day after publication in the Official Journal (without affecting acts already in force). Before adopting a delegated act, the Commission would consult experts designated by each Member State in line with the Interinstitutional Agreement of 13 April 2016 on Better Law-Making, and would notify the act simultaneously to the Parliament and the Council. A delegated act would enter into force only if neither institution objected within two months (extendable by three months).

Note: not every technical decision would be a delegated act. For example, where the Commission considers a Member State's identified assurance level inappropriate, it would act by implementing act under Article 29(5), not by delegated act.

Implementing acts and the examination procedure (Article 46)

Implementing acts would ensure uniform conditions for applying CADA - for instance, the practical arrangements for recognising providers (Article 17(12)), the methodology and templates for risk assessments (Article 29(3)), and procedures for the EuroCloud Federation (Article 34(4)). Under Article 46, the Commission would be assisted by a committee within the meaning of Regulation (EU) No 182/2011, and where reference is made to Article 46(2), Article 5 of that Regulation (the examination procedure) would apply.

Under the examination procedure, the committee - composed of Member State representatives - delivers an opinion on a draft implementing act. A favourable opinion lets the Commission adopt the act; an adverse opinion generally bars adoption (with a possible referral to the appeal committee); and where no opinion is delivered, the Commission may usually adopt the act, subject to the exceptions in Regulation (EU) No 182/2011. This gives Member States a direct voice in CADA's operational detail.

The review clause (Article 47)

To ensure long-term efficacy, Article 47 would require the Commission to evaluate the Regulation and report to the European Parliament, the Council, and the European Economic and Social Committee by entry into force plus four years, and every five years thereafter. The Commission would take into account the positions and findings of the Parliament, the Council, and other relevant bodies, paying specific attention to SMEs and the position of new competitors. Where appropriate, the report would be accompanied by a proposal to amend the Regulation.

What this means for you

For in-house counsel and compliance officers, understanding CADA's governance is essential for anticipating change.

• Monitor delegated acts: The criteria for the Union assurance levels (Annex II) and audit evidence (Annex III) would not be static. As the Commission adopts delegated acts under Article 45 (and reviews the annexes at least every 18 months under Article 16(3)), the technical requirements would evolve. Track the Official Journal to keep vendor assessments and audit preparation current.
• Engage with the committee process: Although the examination procedure under Article 46 is intergovernmental, stakeholders can seek to influence outcomes through national experts and trade associations.
• Prepare for the review: With the first review due four years after entry into force, document any disproportionate burdens or market distortions; this evidence could feed the Article 47 review.
• Stay audit-ready: Because the Commission could specify audit methodologies and templates (Article 20(9)), keep internal audit processes flexible.

Common misconceptions

• "CADA is a static law." Incorrect. Its reliance on delegated and implementing acts means technical detail on assurance and audits would change regularly. The Regulation sets the framework; the Commission fills in the technical detail within the limits delegated to it.
• "The Commission can change core sovereignty levels unilaterally." Incorrect. While the Commission could update Annex II/III criteria via delegated acts under Article 45, it would first consult Member State experts, and the Parliament and Council could revoke the delegation or object within two months (extendable by three months).
• "There is no oversight of the Commission's implementing powers." Incorrect. Article 46 subjects implementing acts to the examination procedure, giving Member States a voting role over the detailed rules.

Related

• Why was the Cloud and AI Development Act (CADA) proposed?
• Why is the EU dependent on non-EU cloud providers?
• Why does CADA have two legal bases (Articles 114 and 173(3) TFEU)?
• Why does CADA focus so heavily on the public sector?
• Why can't existing EU laws already solve cloud sovereignty? (CADA)

This is general information about a draft EU regulation, not legal advice.