Summary

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, contains exactly five specific empowerments for the European Commission to adopt delegated acts. These are explicitly enumerated in Article 45(2) and refer to Article 6(4), Article 16(2), Article 20(9), Article 21(1), and Article 31(3). As proposed, the power to adopt these acts is conferred for an indeterminate period from the date of entry into force. Crucially, all five empowerments are subject to identical scrutiny conditions: any adopted act enters into force only if neither the European Parliament nor the Council objects within two months (extendable by three months), and the delegation itself may be revoked at any time.

Detail

Under the proposed CADA framework, the distinction between the primary legislative text and the technical rules required for implementation is managed through delegated acts. These acts allow the Commission to amend or supplement non-essential elements of the Regulation, such as technical criteria, annexes, or procedural details, without requiring a full legislative revision by the co-legislators.

The scope of this power is strictly defined in Article 45 of the proposal. Article 45(2) states: "The power to adopt delegated acts referred to in Article 6(4), Article 16(2), Article 20(9), Article 21(1), and Article 31(3) shall be conferred on the Commission for an indeterminate period of time from [date of entry into force]."

This provision establishes a unified regime for all five empowerments. They share the same duration (indeterminate) and are subject to the same procedural safeguards outlined in Article 45(3) through Article 45(6).

The Five Specific Empowerments

The following breakdown details the subject matter of each empowerment listed in Article 45(2), grounded in the text of the referenced articles within the proposal.

1. Article 6(4): Updating the "Grand Challenges"

  • Subject: Amendment of Annex I.
  • Context: Article 6(2) establishes that the Cloud and AI Leadership Initiatives are implemented through large-scale, cross-sectoral initiatives addressing "grand challenges" listed in Annex I. These challenges cover areas such as environmental sustainability, cloud stacks, frontier AI, physical AI, and industrial AI.
  • Empowerment Scope: Article 6(4) empowers the Commission to adopt delegated acts "to amend Annex I in a manner consistent with the objectives of the Cloud and AI Leadership Initiatives set out in Article 4."
  • Purpose: This allows the Commission to update the list of strategic priorities to reflect technological and market developments, ensuring the initiatives remain relevant without needing a new legislative act.

2. Article 16(2): Amending Sovereignty Criteria and Evidence

  • Subject: Amendment of Annex II and Annex III.
  • Context: Article 16 establishes the Union cloud computing sovereignty framework, comprising four assurance levels. The specific criteria for these levels are set out in Annex II, and the evidence required for audits is in Annex III.
  • Empowerment Scope: Article 16(2) empowers the Commission to adopt delegated acts "to amend the Union assurance levels set out in Annex II and the evidence set out in Annex III."
  • Purpose: This is a critical mechanism for the evolution of the sovereignty framework. As noted in Article 16(3), the Commission is required to review these annexes at least every 18 months. This empowerment allows the Commission to update the technical and legal criteria for "Union assurance" (e.g., specific cybersecurity standards, data localisation rules, or supply chain transparency requirements) to keep pace with new legal or technical developments.

3. Article 20(9): Rules on Audit Performance

  • Subject: Detailed rules for independent third-party audits.
  • Context: Article 20 mandates independent third-party audits for cloud providers seeking recognition at Union assurance levels 2, 3, or 4. It outlines the requirements for auditing organisations and the content of audit reports.
  • Empowerment Scope: Article 20(9) empowers the Commission to adopt delegated acts "to supplement this Regulation by laying down rules on the performance of audits on the procedural steps, rules for auditing organisations and their technical competences, auditing methodologies and templates for the audit reports."
  • Purpose: This ensures a harmonised, high-quality auditing process across the Union. It allows the Commission to define the granular operational details of how audits are conducted, ensuring consistency in how sovereignty claims are verified.

4. Article 21(1): Specifying Audit Evidence

  • Subject: Amendment of Annex III.
  • Context: Article 21 requires that audit evidence be relevant, sufficient, and reliable. It references Annex III for the list of evidence required to assess compliance with the criteria in Annex II.
  • Empowerment Scope: Article 21(1) empowers the Commission to adopt delegated acts "to amend Annex III by laying down the necessary evidence needed to assess the audit criteria under Annex II."
  • Purpose: While Article 16(2) covers the criteria themselves, Article 21(1) specifically targets the proof required. This allows the Commission to update the evidentiary burden on providers (e.g., specific types of logs, contractual clauses, or architectural diagrams) to ensure audits remain effective and robust against evolving threats.

5. Article 31(3): Impact Assessments for Private Sector Entities

  • Subject: Mandatory impact assessments and risk mitigation for private entities.
  • Context: Article 31 currently allows private sector entities operating in sectors listed in Annex I of the NIS2 Directive to carry out impact assessments similar to those required of the public sector. Article 31(3) provides a conditional mechanism for the Commission to intervene.
  • Empowerment Scope: Article 31(3) empowers the Commission to adopt delegated acts "to supplement this Regulation... specifying the need for such impact assessment and the risk mitigation measures that those entities who are not public sector bodies shall take."
  • Purpose: This allows the Commission to move from a voluntary or optional framework to a mandatory one for private entities in high-criticality sectors, if specific circumstances warrant it. It enables the Commission to define the scope of these assessments and the specific mitigation measures required.

Scrutiny, Objection, and Revocation

All five empowerments listed above are subject to the same rigorous scrutiny regime defined in Article 45(3) through Article 45(6):

  • Revocation: Under Article 45(3), the delegation of power for these specific articles "may be revoked at any time by the European Parliament or by the Council." A revocation decision ends the delegation but "shall not affect the validity of any delegated acts already in force."
  • Consultation: Before adopting any delegated act, the Commission must consult experts designated by each Member State in accordance with the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (Article 45(4)).
  • Notification and Access: The European Parliament and the Council must receive all documents at the same time as Member States' experts, and their experts must have access to meetings of Commission expert groups (Article 45(5)).
  • Entry into Force: Under Article 45(6), a delegated act enters into force only if no objection is expressed by either the European Parliament or the Council within two months of notification. This period may be extended by three months at the initiative of either institution. If an objection is raised, the act does not enter into force.

What this means for you

For legal counsel, compliance officers, and strategic planners, the existence of these five empowerments signals that the CADA framework is designed to be dynamic rather than static.

  • Dynamic Compliance Requirements: The technical criteria for "Union assurance" (Levels 1–4) are not frozen in the primary text. Under Article 16(2) and Article 21(1), the Commission can update the criteria and the required evidence via delegated acts. Cloud providers must monitor the Official Journal for these updates, as non-compliance with the amended annexes could jeopardise their recognition status.
  • Audit Standardisation: The detailed rules for audits under Article 20(9) will define the operational reality for auditing organisations and providers. Providers should anticipate that the "templates for audit reports" and "methodologies" will be standardised at the EU level, reducing the risk of divergent national interpretations.
  • Private Sector Risk: Entities in high-criticality sectors (NIS2 Annex I) should be aware that Article 31(3) provides a pathway for the Commission to mandate impact assessments and specific risk mitigation measures. While currently optional or conditional, this power could be activated if the Commission deems private sector risks to public order to be significant.
  • Strategic Alignment: For companies seeking to align with the Cloud and AI Leadership Initiatives, the ability to amend Annex I under Article 6(4) means that "Grand Challenges" can shift. R&D strategies should be flexible enough to adapt to changes in the prioritised technological domains.

Common misconceptions

"Delegated acts can be adopted indefinitely without oversight." Incorrect. While the power to adopt acts is conferred for an indeterminate period, every specific delegated act is subject to a strict scrutiny process. It enters into force only if neither the European Parliament nor the Council objects within two months of notification, a period that may be extended by three months. Furthermore, the delegation itself can be revoked at any time.

"All Commission rule-making under CADA is via delegated acts." False. CADA also contains numerous empowerments for implementing acts (adopted under the examination procedure in Article 46). Implementing acts are used for different purposes, such as specifying the methodology for risk assessments (Article 29), setting fees for the EuroCloud Federation (Article 36), or defining procedures for the common procurement framework (Article 38). Implementing acts are not subject to the same objection procedure as delegated acts.

"The sovereignty criteria are fixed in the primary law." Misleading. While the four assurance levels and their general structure are defined in the primary text, the specific criteria (Annex II) and the evidence required (Annex III) are subject to amendment via delegated acts under Article 16(2) and Article 21(1). The primary law sets the framework, but the secondary legislation defines the operational reality.

This is general information about a draft EU regulation, not legal advice.