Summary

As proposed, the Cloud and AI Development Act (CADA) and the EU AI Act both operate within the EU's standard secondary legislation framework, utilizing delegated acts under Article 290 TFEU and implementing acts under Article 291 TFEU, supervised by the committee procedure in Regulation (EU) No 182/2011. However, their governance machinery and empowerment scopes differ significantly. CADA's delegated acts (Article 45) are conferred for an indeterminate period and focus on technical updates to the "Grand Challenges" and the Union Assurance Levels (sovereignty criteria). In contrast, the AI Act's delegated acts (Article 97) are limited to five years (renewable) and cover substantive changes to high-risk classifications and systemic risk thresholds. While both rely on the examination procedure (Regulation 182/2011, Article 5) for implementing acts, CADA's implementing acts (Article 46) govern risk assessment methodologies and EuroCloud Federation fees, whereas the AI Act's focus on sandbox operations and common specifications.

Detail

To understand the distinction between CADA's secondary legislation and the AI Act's, one must first recognize that both instruments are embedded in the same EU constitutional architecture. Both rely on Regulation (EU) No 182/2011 for the committee procedure that controls the Commission's exercise of delegated and implementing powers. Both distinguish between delegated acts (which supplement or amend non-essential elements of the regulation, based on Article 290 TFEU) and implementing acts (which provide for uniform conditions for implementation, based on Article 291 TFEU).

However, the scope of what the Commission is empowered to change, and the procedural nuances of how it does so, diverge sharply between the two proposals. These differences reflect the distinct policy goals: CADA aims to stabilize a long-term sovereignty framework, while the AI Act seeks to adapt rapidly to evolving AI risks.

CADA's Governance Machinery: Articles 45 and 46

Under the proposed CADA (COM(2026) 502 final), the legislative text establishes a lean but technically critical secondary legislation framework. The focus is on maintaining the relevance of the sovereignty criteria and the operational mechanics of the public sector cloud federation.

1. Delegated Acts (Article 45 CADA)

Article 45 confers the power to adopt delegated acts on the Commission for an indeterminate period from the date of entry into force. This is a notable deviation from the standard five-year renewable delegation seen in many modern EU regulations (such as the AI Act). The scope of these delegated acts is strictly limited to amending specific annexes and supplementing procedural rules related to the technical evolution of the cloud ecosystem:

  • Amending Annex I: Updating the "Grand Challenges" to reflect market and technological developments regarding the Cloud and AI Leadership Initiatives. This allows the Commission to pivot strategic research priorities without full legislative revision.
  • Amending Annex II: Updating the criteria for Union Assurance Levels (the sovereignty framework). This is the most critical power, as it allows the Commission to adjust the technical and legal requirements for levels 1 through 4 (e.g., cybersecurity certification levels, personnel requirements) in response to new threats or technologies.
  • Supplementing Audit Rules: Laying down detailed rules for the performance of audits under Article 20, including procedural steps, rules for auditing organizations, and templates for audit reports.
  • Amending Annex III: Specifying the audit evidence required for the audit procedure.
  • Specifying Assurance Levels: Specifying a Union assurance level for a contracting authority where the risk assessment is deemed insufficient.
  • Private Sector Impact Assessments: Requiring impact assessments and risk mitigation measures for private companies operating in sectors of high criticality.

The indeterminate duration of this delegation suggests the EU legislature views the technical criteria for cloud sovereignty as requiring long-term stability and flexibility, avoiding the need for periodic parliamentary re-authorization that might disrupt the assurance framework.

2. Implementing Acts (Article 46 CADA)

Article 46 establishes that the Commission shall be assisted by a committee acting within the meaning of Regulation (EU) No 182/2011. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 applies. This triggers the examination procedure, meaning the committee can issue a positive or negative opinion on the draft implementing act. If the committee issues a negative opinion, the Commission cannot adopt the act.

The scope of these implementing acts is operational, focusing on the uniform application of the regulation's demand-side and infrastructure measures:

  • Centres for AI: Procedures for establishing Experience and Acceleration Centres for AI (Article 5(4)).
  • Provider Recognition: Practical arrangements for the recognition of cloud computing service providers (Article 17(12)).
  • Risk Assessment Methodologies: Methodologies, templates, and elements for risk assessments by Member States and Union entities (Article 29(3)). This is crucial for public procurement, as it dictates how authorities determine which assurance level is required.
  • Public Sector Assurance Levels: Specifying Union assurance levels for public sector activities where a Member State's assessment is deemed inappropriate (Article 29(5)).
  • EuroCloud Federation: Procedures for participating in the EuroCloud Federation and templates for participation requests (Article 34(4)), as well as technical, operational, and organizational measures for the federation (Article 35(6)).
  • Fee Structures: Detailed rules for fees related to the EuroCloud Federation (Article 36(4)) and joint procurement activities (Article 40(5)).

The AI Act's Governance Machinery: Articles 97 and 98

The AI Act (Regulation (EU) 2024/1689), already in force, employs a more extensive and time-bound secondary legislation framework. This reflects the rapid evolution of AI technology and the need for precise, periodic recalibration of risk thresholds and classification criteria.

1. Delegated Acts (Article 97 AI Act)

Article 97 of the AI Act confers the power to adopt delegated acts on the Commission for a period of five years from 1 August 2024. This delegation is tacitly extended for identical periods unless the European Parliament or the Council opposes it. The scope is broader and more substantive than CADA's, touching directly on the core regulatory obligations:

  • High-Risk Classifications: Amending the conditions under which an AI system is not considered high-risk (Article 6(6) and (7)), and adding or modifying use-cases in the list of high-risk AI systems (Article 7(1) and (3)).
  • Technical Documentation: Amending the content of technical documentation (Article 11(3)).
  • Conformity Assessment: Amending the conformity assessment procedures (Article 43(5) and (6)).
  • EU Declaration of Conformity: Amending the content of the declaration (Article 47(5)).
  • Systemic Risk Thresholds: Amending thresholds for high-impact capabilities and supplementing benchmarks and indicators for general-purpose AI models with systemic risk (Article 51(3) and 52(4)).
  • General-Purpose AI Documentation: Detailing measurement methodologies for computational resources (Article 53(5) and (6)).

The five-year limit ensures that the European Parliament and Council retain frequent oversight over the substantive expansion of regulatory burdens, reflecting the high-stakes nature of AI risk classification.

2. Implementing Acts (Article 98 AI Act)

Article 98 of the AI Act also establishes a committee procedure under Regulation (EU) No 182/2011. Like CADA, it references Article 5 of Regulation (EU) No 182/2011, triggering the examination procedure. The scope includes:

  • Common Specifications: Establishing common specifications for high-risk AI systems and general-purpose AI models when harmonized standards are lacking (Article 41).
  • AI Regulatory Sandboxes: Specifying detailed arrangements for the establishment, development, implementation, operation, and supervision of sandboxes (Article 58).
  • Real-World Testing: Specifying detailed elements of the real-world testing plan (Article 60).
  • Post-Market Monitoring: Laying down a template for the post-market monitoring plan (Article 72).
  • Codes of Practice: Approving codes of practice for general-purpose AI models (Article 56(6)) and providing common rules if codes are inadequate (Article 56(9)).
  • Fines and Procedures: Containing detailed arrangements and procedural safeguards for proceedings regarding fines for general-purpose AI model providers (Article 101(6)).

Key Comparative Differences

| Feature | CADA (Proposed) | AI Act (In Force) |
|---|---|---|
| Delegation Duration | Indeterminate period (Article 45(2)) | 5 years, renewable (Article 97(2)) |
| Committee Procedure | Examination Procedure (Reg 182/2011 Art 5) | Examination Procedure (Reg 182/2011 Art 5) |
| Delegated Act Scope | Technical updates to Annexes (Grand Challenges, Assurance Levels, Audit Rules) | Substantive changes to High-Risk lists, Systemic Risk thresholds, Conformity Assessment |
| Implementing Act Scope | Risk assessment methodologies, EuroCloud procedures, Fee structures | Sandbox operations, Real-world testing plans, Common specifications, Code of Practice approval |
| Focus of Secondary Law | Operationalizing sovereignty assurance and public procurement | Calibrating risk-based obligations and market surveillance |

What this means for you

For in-house counsel and compliance officers, the difference in secondary legislation scope dictates your monitoring strategy and engagement priorities.

1. CADA: Focus on Sovereignty and Procurement Criteria

Under CADA, you must monitor delegated acts under Article 45 primarily for changes to Annex II (Union Assurance Levels). These acts will update the technical and legal criteria required to achieve sovereignty levels 1–4. As a cloud provider, your compliance roadmap depends on these updates; a change in the cybersecurity certification requirement (e.g., from "substantial" to "high") could fundamentally alter your certification strategy. Additionally, watch for implementing acts under Article 46 that specify the risk assessment methodology (Article 29(3)). Public sector buyers will use these templates to determine which assurance level they must procure. If you are targeting public sector contracts, you must align your internal audits with the templates and methodologies issued via these implementing acts.

2. AI Act: Focus on Risk Classification and Systemic Thresholds

Under the AI Act, delegated acts under Article 97 are critical because they can expand or contract the list of high-risk AI systems (Annex III). If the Commission amends the conditions under which a system is not high-risk, your product's regulatory burden could change overnight. Similarly, for providers of general-purpose AI, the delegated acts amending systemic risk thresholds (Article 51) are vital. These acts will update the floating-point operation thresholds and benchmarks that trigger stricter obligations. The five-year renewal cycle means you must be prepared for potential shifts in the regulatory landscape every five years.

3. Procedural Risks and Committee Engagement

Both regulations use the examination procedure (Regulation 182/2011, Article 5) for implementing acts. This means the EU committee can block the Commission's draft acts. For CADA, this affects the rollout of EuroCloud Federation rules and fee structures. For the AI Act, it affects the availability of common specifications and sandbox rules. Counsel should engage with industry associations to influence committee opinions during the consultation phases for these acts. While the committee procedure is legally identical, the composition of the committees will differ: the AI Act committee involves national AI regulators and data protection authorities, while CADA's committee will likely involve cloud infrastructure and cybersecurity experts.

Common misconceptions

Misconception 1: CADA and the AI Act have identical secondary legislation timelines. Correction: CADA's delegated acts are conferred for an indeterminate period (Article 45(2)), whereas the AI Act's are limited to five years (Article 97(2)). This suggests the EU legislature views the technical criteria for cloud sovereignty as requiring more long-term flexibility without periodic parliamentary re-authorization, whereas AI risk classifications require more frequent democratic oversight due to their rapid evolution.

Misconception 2: Implementing acts in both regulations are merely administrative. Correction: While implementing acts cannot amend the essential elements of the regulation, they define critical operational realities. In CADA, implementing acts define the risk assessment methodology for public sector procurement (Article 29(3)). In the AI Act, they define the sandbox procedures (Article 58). Getting these wrong can mean a public sector contract is invalid or a sandbox application is rejected.

Misconception 3: The committee procedure is the same in practice. Correction: While both cite Article 5 of Regulation 182/2011, the committees assisting the Commission differ. The AI Act has a dedicated committee structure involving national AI regulators and data protection authorities. CADA's committee will likely involve cloud infrastructure and cybersecurity experts. The composition affects the political and technical scrutiny of the draft acts.

This is general information about a draft EU regulation, not legal advice.