How is CADA structured? An overview of its Titles

The proposed Cloud and AI Development Act (CADA) is organised into five Titles. Title I sets general provisions and definitions; Title II covers research, development and deployment through the Cloud and AI Leadership Initiatives; Title III governs data centre capacity via acceleration zones and strategic projects; Title IV establishes the autonomy and adoption measures, including the sovereignty framework and procurement rules; and Title V contains final provisions, including delegated powers and entry-into-force dates. The structure balances supply-side capacity building with demand-side sovereignty requirements.

Detail

As proposed in COM(2026) 502 final, CADA splits its requirements across five Titles.

Title I: General Provisions (Articles 1–2)

Article 1 defines the subject matter: a framework for strengthening the cloud and AI ecosystem through five measures — establishing the Cloud and AI Leadership Initiatives; setting a framework for accelerated data centre deployment; enabling a sovereign cloud and AI offer to safeguard public order; reducing dependencies on critical technologies; and fostering cloud adoption across the public sector. Article 2 provides definitions, including "cloud computing service" (aligned with Directive (EU) 2022/2555), "AI system" (aligned with Regulation (EU) 2024/1689), "frontier AI," "AI agent," "public sector body," "SME" and "small mid-cap."

Title II: Research, Development and Deployment Activities (Articles 3–9)

Article 3 sets the general objective of promoting research and innovation to achieve large-scale capacity. Article 4 lays out eight operational objectives, from energy- and water-efficient data centres to open cloud stacks, frontier AI, physical AI, industrial AI and public-sector adoption. Article 5 requires each Member State to establish Experience and Acceleration Centres for AI (building on European Digital Innovation Hubs). Articles 6–9 cover implementation (Article 6), national cloud and AI strategies (Article 7), criteria for frontier AI priority projects (Article 8) and the allocation of AI computing resources (Article 9).

Title III: Data Centre Capacities (Articles 10–15)

Organised into Chapter I (acceleration zones), Chapter II (strategic projects) and Chapter III (monitoring). Article 10 obliges Member States, where data centre capacity is being deployed, to designate at least one acceleration zone. Article 11 sets conditions, requiring the sustainability key performance indicators in Delegated Regulation (EU) 2024/1364. Article 12 requires single information points. Article 13 facilitates permitting, capping the permit-granting procedure at 12 months for projects in acceleration zones (Article 13(5)) and introducing aggregated baseline permits (Article 13(2)). Article 14 lets the Commission designate data centre strategic projects meeting at least two of five criteria. Article 15 empowers the Commission to monitor the compute capacity gap.

Title IV: Autonomy (Articles 16–44)

The most extensive Title, divided into five chapters:

• Chapter I — Cloud Computing Sovereignty Framework (Articles 16–28): Article 16 establishes four Union assurance levels, with criteria in Annex II. Article 17 sets the recognition mechanism via national competent authorities (with automatic EU-wide recognition for SMEs at level 1, Article 17(3)). Article 18 allows the recognition of associated third countries for audit against the level 3 criteria. Articles 19–21 cover conformity self-assessment (level 1) and independent third-party audits (levels 2–4). Article 22 creates a central repository of recognised services. Article 24 sets penalties and compensation rules. Articles 25–28 govern national competent authorities and mutual assistance.
• Chapter II — Demand-Side / Private Sector Measures (Articles 29–33): Article 29 requires Member States and Union entities to carry out risk assessments. Article 30 sets procurement obligations — at least level 1 for non-public-order activities (Article 30(2)), and levels 2–4 for public-order activities (Article 30(3)). Article 31 lets NIS2 Annex I entities that are not public bodies carry out impact assessments. Article 32 introduces "Union added value" criteria. Article 33 requires monitoring of innovation procurement and pursues the objective that at least 25% of cloud and AI procurement go to innovative SMEs (Article 33(4)).
• Chapter III — European Public Sector Cloud Federation (Articles 34–36): Article 34 establishes the EuroCloud Federation; Articles 35–36 set sharing conditions and cost recovery.
• Chapter IV — Procurement by the Commission (Articles 37–40): allows the Commission to run common procurement for Member States and Union entities.
• Chapter V — Open Source (Articles 41–44): Article 41 encourages "open source first." Article 42 governs share and reuse of software via the EU Open Source Solutions Catalogue (Article 43). Article 44 establishes a network of Open Source Programme Offices.

Title V: Final Provisions (Articles 45–48)

Article 45 confers delegated-act powers on the Commission. Article 46 sets the committee (implementing-act) procedure. Article 47 is the review clause: the Commission evaluates the Regulation four years after entry into force and every five years thereafter. Article 48 provides that the Regulation enters into force on the twentieth day after publication and applies one year later.

(Note: the enacting terms of the published proposal contain a numbering slip in Title V; the explanatory memorandum confirms the intended numbering used here — delegated acts as Article 45.)

What this means for you

For in-house counsel and compliance officers, the structure helps map obligations and timelines.

• Public-sector buyers: Focus on Title IV, Chapter II. Carry out risk assessments (Article 29) by one year after the Regulation applies, then procure at the required level (Article 30).
• Cloud providers: Focus on Title IV, Chapter I. Seek recognition under Article 17 — self-assessment for level 1 (Article 19) or independent audit for levels 2–4 (Article 20).
• Data centre operators: Focus on Title III. Identify whether you are in a designated acceleration zone (Article 10), meet the sustainability KPIs (Article 11) and use single information points (Article 12) to benefit from the 12-month permit limit (Article 13(5)).
• All entities: Watch Title II. The Leadership Initiatives (Articles 3–9) drive funding and strategic priorities; aligning R&D may offer advantages.

Common misconceptions

• CADA replaces the AI Act: Incorrect. CADA complements the AI Act (Regulation (EU) 2024/1689), which regulates AI-system risks, while CADA addresses the underlying cloud infrastructure, capacity and sovereignty.
• All cloud providers must be audited: Incorrect. Only providers seeking levels 2, 3 or 4 undergo independent third-party audits (Article 20); level 1 relies on self-assessment (Article 19).
• CADA bans non-EU providers: Incorrect. CADA does not ban third-country providers, but providers subject to third-country control face stringent criteria for higher levels, with a narrow route via Article 18.
• The EuroCloud Federation is mandatory: The Federation is established under Article 34; public bodies must still comply with the sovereignty framework for their procurement regardless.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)

Related

• CADA's two objectives vs its five measures: what's the difference?
• How does CADA define its scope of cloud and AI?
• Why was the Cloud and AI Development Act (CADA) proposed?
• Why is the EU dependent on non-EU cloud providers?
• Why does CADA have two legal bases (Articles 114 and 173(3) TFEU)?

This is general information about a draft EU regulation, not legal advice.