Summary Under the proposed Cloud and AI Development Act (CADA), the European Commission is required to conduct a comprehensive evaluation of the regulation and report its findings to the European Parliament, the Council, and the European Economic and Social Committee. The first evaluation must occur four years after the regulation enters into force. Following this initial review, the Commission must repeat this process every five years thereafter. This creates a recurring, quinquennial evaluation cycle designed to ensure the framework remains effective, adaptable to rapid technological shifts, and responsive to market dynamics.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is a legislative instrument designed to strengthen Europe's cloud and AI ecosystem. Given the rapid evolution of cloud computing, artificial intelligence, and the geopolitical landscape surrounding digital sovereignty, the proposal includes robust mechanisms for ongoing monitoring and legislative review. The primary provision governing this long-term oversight is Article 47, titled "Review."
The First Review: Four Years After Entry into Force
According to Article 47(1) of the proposal, the Commission is legally obligated to evaluate the functioning of the Regulation and submit a report to the European Parliament, the Council, and the European Economic and Social Committee. The deadline for this first report is explicitly defined: it must be submitted by the date that is four years after the entry into force of the Regulation.
It is critical to distinguish between "entry into force" and "application," as this distinction determines the timeline for the first review. Article 48 stipulates that the Regulation enters into force on the twentieth day following its publication in the Official Journal of the European Union. However, the Regulation applies from one year after that entry into force. Consequently, while the rules become legally binding on providers and public bodies one year post-publication, the clock for the first major evaluation report starts ticking from the entry-into-force date. This means the first comprehensive assessment will be due roughly five years after the rules actually begin to apply in practice, ensuring that the Commission has sufficient operational data to assess the framework's real-world impact.
The Ongoing Cycle: Every Five Years Thereafter
Article 47(1) further mandates that this evaluation and reporting process shall occur "every 5 years thereafter." This establishes a predictable, quinquennial review cycle that continues indefinitely, unless the Regulation is repealed or significantly amended.
The purpose of these periodic reviews extends beyond administrative compliance. Article 47(3) specifies that when carrying out these evaluations, the Commission must pay specific attention to:
- The positions and findings of the European Parliament, the Council, and other relevant bodies.
- The position of small and medium-sized enterprises (SMEs).
- The position of new competitors in the market.
This focus ensures that the review process remains attuned to the health of the single market, specifically checking whether the framework is inadvertently creating barriers for smaller players or stifling competition from new entrants.
Potential for Legislative Amendment
The review process is designed to be actionable, not merely observational. Article 47(2) states that where appropriate, the report accompanying the evaluation "shall be accompanied by a proposal for amendment of this Regulation." This creates a direct feedback loop: if the five-year review identifies gaps, outdated criteria, emerging market failures, or new technological challenges, the Commission is empoweredβand expectedβto propose legal changes to address them. This mechanism ensures that CADA can evolve alongside the technologies it regulates.
Broader Monitoring Context
While Article 47 governs the high-level legislative review, the CADA proposal includes other monitoring mechanisms that feed data into this cycle. For instance:
- Article 15 requires the Commission to monitor the Union's progress in increasing compute capacity and identifying capacity gaps.
- Article 33 requires Member States to report annually on their procurement of innovation in cloud and AI, specifically tracking SME participation.
These ongoing data points provide the evidence base for the comprehensive five-year reviews mandated by Article 47, ensuring that the legislative evaluation is grounded in empirical market data rather than theoretical projections.
What this means for you
For public-sector procurement officers, legal teams, cloud service providers, and industry stakeholders, the five-year review cycle under Article 47 has several practical implications for long-term planning and compliance strategies.
1. Expect Evolution in Sovereignty Criteria
The CADA proposal introduces a "Union cloud computing sovereignty framework" with four assurance levels (Article 16). The criteria for these levels are set out in Annex II. While Article 16(2) empowers the Commission to adopt delegated acts to amend these criteria, and Article 16(3) requires a technical review of Annex II and Annex III at least every 18 months, the five-year cycle under Article 47 is where broader policy shifts will likely be codified. Procurement officers should anticipate that the definition of "sovereign" or "trusted" cloud services may become more stringent or nuanced over time. Contracts signed today for multi-year periods should include clauses that allow for adaptation to future regulatory updates triggered by these reviews.
2. SME and New Competitor Focus
Because Article 47(3) explicitly directs the Commission to consider the position of SMEs and new competitors during each five-year review, procurement authorities should be aware that future amendments may further incentivize the use of smaller, European providers. This aligns with Article 33, which already urges Member States to aim for at least 25% of cloud and AI procurement innovation contracts to be awarded to SMEs. As the five-year reviews progress, we may see stronger enforcement mechanisms or new targets regarding SME inclusion, driven by the Commission's findings on market concentration.
3. Stability for Multi-Year Procurement
The five-year cycle provides a degree of regulatory stability. Unlike industries with annual rule changes, CADA's major legislative reassessment is spaced out. This allows public authorities to plan major cloud migration projects or data center investments with the knowledge that the core legal framework will not be subject to radical legislative overhaul more frequently than every five years. However, stakeholders must remain vigilant regarding the 18-month technical reviews of assurance criteria (Article 16), which mean that operational compliance requirements may shift more frequently than the legislative framework itself.
4. Engagement Opportunities
The requirement for the Commission to consider the findings of the European Parliament, the Council, and other bodies (Article 47(3)) suggests that stakeholder feedback will be integral to each review cycle. Public-sector bodies should document their experiences with the CADA frameworkβparticularly any barriers to procurement, issues with the EuroCloud Federation (Article 34), or challenges in meeting assurance levelsβto ensure these practical challenges are reflected in the Commission's evaluations.
Common misconceptions
Misconception 1: The regulation is reviewed annually. While Member States must report annually on certain metrics (such as SME procurement participation under Article 33), the comprehensive legislative evaluation of the entire Regulation is not annual. Article 47(1) clearly sets the legislative review at four years after entry into force, and then every five years thereafter.
Misconception 2: The review only looks at technical updates. The five-year review under Article 47 is a broad evaluation of the Regulation's functioning. It is not limited to technical criteria (which are reviewed every 18 months under Article 16). It assesses the overall effectiveness of the law, its impact on SMEs, new competitors, and the broader market structure.
Misconception 3: "Entry into force" is the same as the date the rules apply. No. Article 48 states the Regulation enters into force 20 days after publication, but applies one year later. The four-year review clock starts from the entry into force date, not the application date. This distinction is crucial for calculating the exact timeline of the first report.
Misconception 4: The review is purely informational. The review is not just a report for the sake of reporting. Article 47(2) mandates that the report be accompanied by a proposal for amendment "where appropriate." This means the five-year cycle is a built-in mechanism for legislative correction and improvement, not just observation.
Related
- When will the Cloud and AI Development Act (CADA) be reviewed?
- What is the review clause in the Cloud and AI Development Act (CADA)?
- CADA Review vs Delegated Acts: How the EU Cloud and AI Development Act Changes
- When does the Cloud and AI Development Act (CADA) start to apply?
- When does the Cloud and AI Development Act (CADA) enter into force?
This is general information about a draft EU regulation, not legal advice.