Summary

The proposed Cloud and AI Development Act (CADA) includes a robust governance framework in Title V (Final Provisions) to ensure the law adapts to rapid technological change. The European Commission holds the power to update technical criteria—such as the definition of "sovereign" cloud services—through delegated acts (Article 45), while implementing acts (Article 46) handle uniform procedural details like the EuroCloud Federation. A mandatory review (Article 47) will occur four years after entry into force, followed by evaluations every five years. The regulation would enter into force 20 days after publication but would only apply one year later (Article 48), giving Member States time to designate authorities and prepare national strategies.

Detail

The governance of the Cloud and AI Development Act (CADA) after its adoption is not left to chance; it is codified in Title V (Final Provisions) of the proposal (COM(2026) 502 final). This section establishes the "post-adoption machinery," defining how the regulation is maintained, updated, and enforced over time. Because cloud computing and AI technologies evolve faster than the legislative cycle, the proposal is designed to be dynamic. It separates the core legal principles from the technical details, allowing the latter to be updated without requiring a full new law from the European Parliament and Council.

The Mechanism for Updating Rules: Delegated and Implementing Acts

The proposal grants the European Commission specific powers to adjust the regulation through two distinct legal instruments, each with its own procedure and scope.

1. Delegated Acts (Article 45)

Delegated acts are used to supplement or amend non-essential elements of the regulation. This is the primary tool for updating the technical criteria that define the cloud sovereignty framework.

Under Article 45, the power to adopt delegated acts is conferred on the Commission for an indeterminate period. These acts can be used to:

  • Amend Annex II: Update the criteria for the four Union assurance levels (e.g., changing cybersecurity requirements or personnel conditions as technology evolves).
  • Amend Annex III: Update the list of audit evidence required for independent audits.
  • Specify Assurance Levels: Determine specific assurance levels for contracting authorities in particular contexts.
  • Supplement Audit Rules: Lay down detailed rules for the performance of audits, including procedural steps and templates.
  • Require Impact Assessments: Mandate impact assessments for private companies in sectors of high criticality.

Crucially, a delegated act only enters into force if neither the European Parliament nor the Council objects within a period of two months of notification (which can be extended by three months). If either institution objects, the act does not enter into force. This ensures that while the Commission can act quickly on technical updates, the co-legislators retain a veto power to prevent overreach.

2. Implementing Acts (Article 46)

Implementing acts are used to ensure uniform conditions for implementing the regulation across the EU. These are typically procedural or administrative in nature and are adopted following a committee procedure involving representatives of the Member States.

Under Article 46, the Commission is assisted by a committee (within the meaning of Regulation (EU) No 182/2011). Implementing acts are required for:

  • Recognition Procedures: Setting out practical arrangements for the recognition of cloud computing service providers (Article 17).
  • Risk Assessment Methodology: Specifying the methodology, templates, and elements for risk assessments conducted by Member States (Article 29).
  • EuroCloud Federation: Defining the technical, operational, and organisational measures for the federation, as well as the procedure for participation (Articles 34 and 35).
  • Common Procurement: Establishing the detailed rules for fees, cost determination, and payment conditions for the common procurement framework (Article 40).
  • Third-Country Derogations: Identifying third countries that provide sufficient assurances for Union assurance level 3 (Article 18).

Unlike delegated acts, implementing acts do not require the Parliament and Council to refrain from objecting; instead, they are adopted based on the opinion of the Member State committee.

The Review Clause (Article 47)

To ensure the regulation remains fit for purpose, Article 47 mandates a comprehensive evaluation. The Commission must evaluate the application of the regulation and report to the European Parliament, the Council, and the European Economic and Social Committee.

The timeline for this review is strict:

  • First Review: By the date specified as "[date of entry into force plus 4 years]" in the text.
  • Subsequent Reviews: Every five years thereafter.

The evaluation must take into account the positions and findings of the Parliament, the Council, and other relevant bodies. It must pay specific attention to small and medium-sized enterprises (SMEs) and the position of new competitors. If the evaluation identifies shortcomings or if the market has shifted significantly, the Commission may accompany the report with a proposal for amendment. This ensures that the sovereignty framework does not become a barrier to innovation or competition over time.

Entry into Force and Application (Article 48)

Article 48 sets the critical timeline for when the law becomes active. It distinguishes between when the law exists and when it applies.

  • Entry into Force: The regulation enters into force on the twentieth day following its publication in the Official Journal of the European Union. This is the date the law becomes part of the EU legal order.
  • Application: The regulation applies from one year after the date of entry into force.

This one-year application period is a deliberate "grace period." It allows Member States to:

  1. Designate their national competent authorities (required by Article 25).
  2. Adopt their national cloud and AI strategies (required by Article 7).
  3. Set up the necessary administrative and technical infrastructure for the recognition of cloud services and the EuroCloud Federation.
  4. Let public sector bodies conduct their initial risk assessments (Article 29) and align procurement processes.

National Enforcement and Cross-Border Cooperation

While the Commission manages the EU-wide framework and updates the rules, enforcement is primarily a national responsibility.

  • National Competent Authorities: Under Article 25, Member States must designate one or more national competent authorities responsible for enforcing the cloud sovereignty framework. These authorities have investigative powers (e.g., requesting information, inspecting premises) and enforcement powers (e.g., ordering cessation of infringements, imposing fines).
  • Mutual Assistance: Article 27 establishes principles for mutual assistance, requiring competent authorities to cooperate and exchange information to apply the regulation consistently.
  • Cross-Border Cooperation: Article 28 allows a competent authority in one Member State to request an investigation or enforcement action from the authority of another Member State if a provider is suspected of non-compliance.

The Role of the AI Board

Although not part of Title V, the governance structure interacts with existing AI governance. Article 7 explicitly states that the European Artificial Intelligence Board (AI Board), established under the AI Act, shall advise and assist Member States regarding the coordination of national cloud and AI strategies. This ensures that the governance of cloud infrastructure aligns with broader EU AI policy goals.

What this means for you

For public-sector bodies, cloud providers, and legal teams, understanding this governance structure is essential for long-term compliance and strategy.

  1. Expect Evolving Criteria: The technical definition of a "sovereign" cloud service is not static. The criteria in Annex II can be updated via delegated acts. If you are a cloud provider, you must monitor these updates to ensure your service remains compliant with the highest assurance levels. If you are a public buyer, your procurement requirements may change as the Commission refines the technical standards.
  2. Prepare for the One-Year Transition: The one-year gap between entry into force and application is not a delay; it is a preparation window. Use this time to:
    • Identify your national competent authority.
    • Draft your national cloud and AI strategy.
    • Begin the risk assessment process for your public sector activities as required by Article 29.
    • Review existing contracts to determine if they will meet the future Union assurance level requirements.
  3. Engage in the Review Process: The mandatory review every five years (starting four years after entry into force) is a critical opportunity for feedback. If the current criteria are too burdensome for SMEs or fail to address emerging technologies, your input during the evaluation phase could shape future amendments.
  4. Coordinate with National Authorities: Since enforcement is national, maintain open lines of communication with your designated competent authority. They are the first point of contact for recognition procedures, audit questions, and compliance disputes.

Common misconceptions

"The sovereignty criteria are permanent."

  • Correction: The criteria for Union assurance levels are set in Annex II but can be amended by the Commission through delegated acts (Article 45). This means the definition of a "sovereign" cloud service can evolve to address new threats or technologies without passing new legislation.

"The Commission enforces the law directly in Member States."

  • Correction: The Commission sets the framework and can intervene in specific cross-border disputes or disputes between Member States. However, day-to-day enforcement, including audits, investigations, and fines, is the responsibility of national competent authorities designated by each Member State (Article 25).

"The regulation applies immediately upon publication."

  • Correction: There is a one-year application period (Article 48). The law enters into force 20 days after publication, but it only applies one year later. This grace period is intended to allow public sector bodies to adapt their procurement strategies and national authorities to set up their enforcement mechanisms.

"Delegated acts can change the core law."

  • Correction: Delegated acts are limited to non-essential elements (like technical criteria in Annex II). They cannot change the fundamental objectives, scope, or legal basis of the regulation. Any change to the core law would require a full legislative amendment by the Parliament and Council.

This is general information about a draft EU regulation, not legal advice.