Summary

Under the proposed Cloud and AI Development Act (CADA), the European Commission's power to adopt delegated acts is conferred for an indeterminate period starting from the Regulation's entry into force, as explicitly stated in Article 45(2). This means the Commission can continuously update technical criteria, audit rules, and assurance levels without needing periodic legislative renewal, a departure from the fixed-term delegations common in other EU digital laws. However, this power is not absolute: the European Parliament and the Council retain the right to revoke the delegation at any time, and any adopted delegated acts remain subject to a two-month objection period before entering into force.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a dynamic regulatory framework designed to keep pace with the rapid evolution of cloud infrastructure and artificial intelligence. A cornerstone of this adaptability is the mechanism for delegated acts, which allow the Commission to supplement or amend non-essential elements of the Regulation. A critical feature of this mechanism in CADA is the duration of the delegation itself.

The Indeterminate Period Delegation

Article 45(2) of the CADA proposal sets a distinct precedent for the duration of the Commission's authority. The text states:

"The power to adopt delegated acts referred to in Article 6(4), Article 16(2), Article 20(9), Article 21(1), and Article 31(3) shall be conferred on the Commission for an indeterminate period of time from [date of entry into force]."

This phrasing carries significant legal weight. An "indeterminate period" means that the delegation of power does not have a pre-set expiration date. Unlike legislative instruments that grant authority for a fixed term (e.g., five years) subject to tacit or explicit renewal, the CADA delegation begins on the day the Regulation enters into force and continues indefinitely unless the legislator actively intervenes to stop it.

This approach contrasts sharply with the model used in the EU AI Act (Regulation (EU) 2024/1689). Under the AI Act, delegated powers are typically conferred for a period of five years from the date of entry into force, with provisions for tacit extension unless the European Parliament or the Council objects to the renewal. The CADA proposal, by choosing an indeterminate period, signals a legislative intent to avoid the administrative friction and potential legislative gridlock associated with periodic renewals. This is particularly relevant for cloud and AI infrastructure, where technological shifts can render static technical criteria obsolete within months rather than years.

Scope of the Indeterminate Powers

The power conferred for this indeterminate period covers five specific, high-impact areas where technical agility is essential:

  1. Cloud and AI Leadership Initiatives (Article 6(4)): The Commission may amend Annex I, which lists the "grand challenges" (e.g., frontier AI, physical AI, industrial AI). This allows the EU to pivot its strategic research and innovation focus as new technological bottlenecks or opportunities emerge without requiring a full legislative revision.
  2. Union Assurance Levels (Article 16(2)): The Commission may amend Annex II, which sets the detailed criteria for the four levels of cloud sovereignty assurance. As cybersecurity threats evolve or new data sovereignty risks are identified, the technical requirements for what constitutes a "sovereign" cloud service can be updated to maintain robust protection.
  3. Audit Procedures (Article 20(9)): The Commission may supplement the Regulation by laying down detailed rules on the performance of audits. This includes procedural steps, rules for auditing organisations, technical competences, methodologies, and templates for audit reports, ensuring the audit framework remains rigorous and efficient.
  4. Audit Evidence (Article 21(1)): The Commission may amend Annex III, which lists the specific evidence providers must present to auditors. This ensures that the proof of compliance remains robust against new evasion techniques, emerging software supply chain risks, or changes in data processing technologies.
  5. Private Sector Impact Assessments (Article 31(3)): The Commission may specify the need for impact assessments and risk mitigation measures for private sector entities operating in sectors of high criticality (as defined in the NIS2 Directive), allowing the scope of private sector obligations to expand as risks materialize.

Revocation of Power

While the duration is indeterminate, the power is not unchecked. Article 45(3) provides a crucial safeguard: the delegation of power "may be revoked at any time by the European Parliament or by the Council."

A decision to revoke takes effect the day following its publication in the Official Journal of the European Union, or at a later date specified in the decision. Crucially, revocation does not affect the validity of any delegated acts already in force. This provision ensures legal certainty for cloud service providers, public sector bodies, and auditors who have already adapted their operations to comply with updated standards. Revocation simply prevents the Commission from adopting new delegated acts on those matters going forward.

Procedural Safeguards

To prevent executive overreach during this indeterminate period, the proposal embeds strict procedural controls:

  • Expert Consultation: Under Article 45(4), the Commission must consult experts designated by each Member State before adopting any delegated act, ensuring technical and national perspectives are considered.
  • Notification and Objection: Under Article 45(5) and (6), the Commission must notify the European Parliament and the Council simultaneously upon adoption. The delegated act enters into force only if no objection is expressed by either body within a period of two months of notification. This period may be extended by three months at the initiative of either the Parliament or the Council.

This "negative voting" procedure ensures that democratic oversight remains intact despite the open-ended duration of the delegation.

What this means for you

For in-house counsel, compliance officers, and cloud service providers, the indeterminate nature of CADA's delegated powers creates a landscape of permanent regulatory agility. You cannot assume that the technical criteria for cloud sovereignty or audit evidence will remain static once the Regulation is adopted.

  • Continuous Monitoring is Mandatory: Unlike regulations with fixed renewal cycles where stakeholders anticipate legislative debate before a deadline, CADA's delegated acts can be adopted at any time. Compliance teams must establish a continuous monitoring mechanism for the Official Journal to detect new delegated acts amending Annexes I, II, and III immediately upon publication.
  • Audit Readiness Must Be Flexible: Since Article 20(9) allows the Commission to refine audit methodologies indefinitely, cloud service providers must ensure their internal controls are adaptable. A standard that satisfies audit evidence requirements today may be superseded by a more stringent delegated act tomorrow. Providers should avoid "hard-coding" compliance processes that might conflict with future technical updates.
  • Strategic Infrastructure Planning: For providers aiming for Union Assurance Levels 2, 3, or 4, the criteria in Annex II (amendable under Article 16(2)) are not set in stone. Long-term infrastructure investments regarding data localization, personnel citizenship, or software supply chain transparency should account for the possibility that requirements may tighten via delegated act.
  • Private Sector Obligations: Entities in sectors listed in Annex I of the NIS2 Directive must watch for delegated acts under Article 31(3). These acts could transform what is currently a voluntary or guided process into a hard compliance obligation, imposing mandatory impact assessments and specific risk mitigation measures.

Common misconceptions

Misconception 1: "Indeterminate" means "unlimited" or "unchecked." While the duration has no expiry date, the power is subject to strict procedural safeguards. The Commission must consult Member State experts, and the Parliament and Council can revoke the delegation at any time. Furthermore, every delegated act is subject to a two-month objection period before it can enter into force.

Misconception 2: The Commission can change the core legal obligations via delegated acts. Delegated acts can only supplement or amend non-essential elements of the Regulation, such as technical criteria, audit templates, and lists of grand challenges. They cannot alter the fundamental structure of the sovereignty framework, the definition of cloud computing services, or the core rights of public sector bodies. These core elements can only be changed through the ordinary legislative procedure.

Misconception 3: This is similar to the AI Act's delegation model. The EU AI Act generally uses five-year delegations with tacit renewal. CADA's use of an indeterminate period is a distinct legislative choice, reflecting the need for more frequent and less administratively burdensome updates in the cloud infrastructure sector. Compliance teams familiar with the AI Act's renewal cycles must adjust their monitoring strategies for CADA.

Misconception 4: Revocation stops existing rules. If the Parliament or Council revokes the delegation under Article 45(3), any delegated acts already adopted and in force remain valid. Revocation only prevents the Commission from adopting new delegated acts on those matters.

This is general information about a draft EU regulation, not legal advice.