How often must national cloud and AI strategies be reviewed under CADA?

Summary Under the proposed Cloud and AI Development Act (CADA), Member States are required to assess their national cloud and AI strategies at least every three years. This assessment must be based on key performance indicators (KPIs), and strategies must be updated where necessary to ensure consistency with the Regulation's objectives. Member States must notify the European Commission of their strategies (both initial and revised) within three months of adoption. The Commission is tasked with monitoring the adoption and revision of these strategies to ensure EU-wide coherence.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework to strengthen Europe's cloud and AI ecosystem. A critical component of this framework is the requirement for Member States to develop and maintain national cloud and AI strategies. While the initial adoption of these strategies is a one-time event triggered by the Regulation's entry into force, the proposal explicitly mandates a continuous cycle of review and adaptation to keep pace with technological evolution and market dynamics.

The Mandatory Three-Year Review Cycle

The core obligation regarding the frequency of review is found in Article 7(5) of the proposal. This provision ensures that national strategies remain living documents rather than static policy statements.

As proposed, Article 7(5) states:

"Member States shall assess their national strategies at least every three years on the basis of key performance indicators and, where necessary, update them."

This clause imposes three distinct duties on Member States:

1. Periodic Assessment: The review is not optional. It must occur at least once every three years. This creates a predictable rhythm for national authorities to evaluate the effectiveness of their cloud and AI policies.
2. KPI-Based Evaluation: The assessment cannot be arbitrary. It must be grounded in key performance indicators (KPIs). While Article 7 does not enumerate the specific KPIs itself, the Regulation's broader context (including the Digital Decade targets and the specific objectives of the Cloud and AI Leadership Initiatives) implies that these metrics will track progress on critical areas such as cloud adoption rates, data centre deployment capacity, AI integration in strategic sectors, and the reduction of dependencies on third-country providers.
3. Update Obligation: The review is not merely a reporting exercise. If the assessment reveals that the current strategy is no longer effective, or if market and technological conditions have shifted such that the strategy no longer aligns with the Regulation's objectives, the Member State must update the strategy. The phrase "where necessary" implies a duty to act if the KPIs indicate a deviation from the required trajectory.

Notification and Commission Monitoring

The review cycle is tightly coupled with transparency and oversight mechanisms. Article 7(5) further establishes the notification timeline and the Commission's supervisory role:

"The Member States shall notify the Commission of their national strategies within three months of their adoption... The Commission shall monitor the adoption and revision of the national strategies."

This creates a clear procedural workflow:

• Initial Notification: When a Member State adopts its first national strategy (which must be done within one year of the Regulation's entry into force under Article 7(1)), it must notify the Commission within three months of that adoption.
• Revised Notification: The same three-month notification window applies to any subsequent updates. If a strategy is revised following the mandatory three-year assessment (or at any other time if a change is deemed necessary), the revised version must be communicated to the Commission within three months of its adoption.
• Active Monitoring: The Commission is not a passive recipient of these documents. It has an explicit mandate to monitor the adoption and revision of the national strategies. This monitoring function allows the Commission to verify that national strategies remain consistent with the Regulation's objectives (Article 7(3)) and contribute to the associated digital targets (Article 7(4)).

Coordination via the AI Board

While the review frequency is a national obligation, the proposal provides a mechanism for EU-level coordination to ensure consistency. Article 7(6) stipulates that the European Artificial Intelligence Board (AI Board), established under the AI Act (Regulation (EU) 2024/1689), shall "advise and assist the Member States as regards the coordination of national strategies."

The AI Board is tasked with facilitating the exchange of best practices among Member States. Although the AI Board does not have the power to enforce the three-year deadline or approve the strategies, its role is pivotal in ensuring that the KPIs used for assessment and the resulting updates are aligned with Union-wide standards. This prevents a "race to the bottom" or fragmented approaches that could undermine the internal market.

What this means for you

For in-house counsel, compliance officers, and strategic planners in the public sector or in industries heavily reliant on public procurement (such as healthcare, energy, transport, and defence), understanding this review cycle is essential for long-term risk management and operational planning.

1. Procurement Roadmap Volatility

National cloud and AI strategies are not just policy documents; they are the foundation for public procurement decisions. Under CADA, contracting authorities must procure cloud services that meet specific Union assurance levels (sovereignty levels) based on risk assessments (Article 30). These risk assessments and the resulting procurement preferences are often embedded within the national strategy.

• Action: Monitor your Member State's strategy review cycle closely. If a strategy is updated to prioritize higher sovereignty levels (e.g., mandating a shift from Assurance Level 1 to Level 2 or 3 for specific sectors), your organization's procurement roadmap may require immediate adjustment. Failure to align with the updated strategy could render current cloud contracts non-compliant with future public procurement mandates, leading to forced migration or contract termination.

2. Vendor Due Diligence Triggers

The three-year review cycle serves as a natural trigger for re-evaluating cloud providers. As strategies are updated to reflect new KPIs, the criteria for what constitutes a "trusted" or "sovereign" provider may tighten, particularly regarding data localisation, third-country control, and cybersecurity certifications (as detailed in Annex II of CADA).

• Action: Use the publication of a revised national strategy as a signal to re-audit your cloud providers. Ensure that your vendors can meet the evolving KPIs and assurance levels highlighted in the new strategy. If a provider fails to meet the new sovereignty criteria outlined in the updated strategy, you may face significant migration costs and operational disruption.

3. Regulatory Reporting and Internal Deadlines

For public sector bodies, the obligation to notify the Commission within three months of strategy adoption means that national governments will likely impose internal deadlines well before the EU deadline to allow for legal review, translation, and administrative processing.

• Action: If you are part of a public entity involved in drafting or implementing the national strategy, build a project timeline that accounts for the three-year assessment window. Allocate resources for data collection on KPIs (e.g., cloud adoption rates, energy efficiency of data centres, AI deployment metrics) well in advance of the review date to ensure the assessment is robust and the subsequent update is timely.

4. Private Sector Impact Assessments

Private entities, particularly those in sectors listed in Annex I of the NIS2 Directive, may be subject to impact assessments similar to those conducted by the public sector (Article 31). These private-sector assessments are often guided by the national strategy's definition of critical infrastructure and high-criticality sectors.

• Action: When a Member State updates its strategy, it may redefine which sectors or use cases are considered "high criticality." This redefinition could trigger new compliance obligations for private companies, such as mandatory impact assessments or requirements to use specific assurance levels. Stay alert to these shifts during the three-year review windows to avoid non-compliance.

Common misconceptions

Misconception 1: The strategy is a "one-off" submission. Many assume that adopting a national strategy is a single compliance event that concludes the obligation. CADA explicitly rejects this. Article 7(5) creates a continuous obligation to assess and update. A strategy that is not reviewed every three years is technically non-compliant with the Regulation's framework for monitoring and coordination.

Misconception 2: The Commission approves the strategy. The text states that Member States must "notify" the Commission and that the Commission "monitors" adoption and revision. It does not state that the Commission must "approve" or "authorize" the strategy before it takes effect. However, the Commission's monitoring role implies that significant deviations from the Regulation's objectives could lead to political pressure or, in extreme cases, infringement proceedings if the strategy undermines the internal market or sovereignty goals.

Misconception 3: Only the government is affected. While the obligation to draft and review the strategy lies with Member States, the content of the strategy dictates the rules of the game for all market participants. The strategy defines the measures to support the broad deployment of AI in strategic sectors (Article 7(2)(c)). Private companies in these sectors must align their operations with the strategic priorities set out in the document, or risk being left out of public procurement opportunities and innovation funding.

Misconception 4: The AI Board enforces the review. The AI Board (Article 7(6)) has an advisory and coordination role. It does not have the power to sanction a Member State for missing the three-year review deadline. Enforcement of the Regulation's provisions, including penalties for non-compliance by cloud providers, falls under the competence of national competent authorities (Article 25) and the Commission's broader enforcement powers. However, failure to maintain an up-to-date strategy may hinder a Member State's access to certain EU funding streams tied to the Cloud and AI Leadership Initiatives.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• Must national strategies support open hardware and software under CADA?
• Must national strategies include AI factories and gigafactories?
• Must national strategies follow the 'AI first' principle under CADA?
• Must national cloud and AI strategies align with EU Digital Decade targets?
• Who coordinates national cloud and AI strategies across the EU under CADA?

This is general information about a draft EU regulation, not legal advice.