Summary As proposed, the Cloud and AI Development Act (CADA) is a Regulation, not a Directive. If adopted as proposed, it would be directly applicable in all Member States without national transposition. Article 48 of the proposal states that the instrument "shall be binding in its entirety and directly applicable in all Member States." CADA remains a proposal (COM(2026) 502 final), so it is not yet in force.
Detail
The legal form is set in the proposal itself: it is drafted as a Regulation of the European Parliament and of the Council. The distinction matters for legal and compliance teams because Regulations and Directives operate differently in the EU legal order.
Direct applicability vs transposition A Directive sets goals that Member States must achieve through their own national laws, requiring a transposition process. A Regulation, by contrast, becomes law in every Member State without national implementing legislation, ensuring uniform application and avoiding the fragmentation that can arise where Member States transpose a Directive differently.
Article 1 — subject matter and scope Article 1 of the proposal sets out the subject matter: a framework for strengthening the cloud and AI ecosystem at Union level, through measures including the Cloud and AI Leadership Initiatives, a framework for accelerated data centre deployment, a sovereign cloud and AI offer, reducing dependencies on critical technologies, and fostering public-sector adoption. Because the instrument is a Regulation, these provisions are intended to apply uniformly across the Union.
Article 48 — entry into force and application The final provision, Article 48, confirms the legal status. As proposed, it states:
"This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. It shall apply from [same day and month as date of entry into force plus 1 year]. This Regulation shall be binding in its entirety and directly applicable in all Member States."
So entry into force would be 20 days after publication, while general application would begin one year after entry into force. "Binding in its entirety" means Member States cannot pick and choose among the rules; "directly applicable" means the rights and obligations apply without national laws mirroring them.
Why a Regulation? The explanatory memorandum frames CADA's dual legal basis (Articles 114 and 173(3) TFEU) as a "unified regulatory response" to market fragmentation and strategic capacity-building. A Regulation provides the legal certainty needed to harmonise conditions for cloud providers — particularly on sovereignty and sustainability — and to deliver an EU-wide response to strategic dependencies on third-country providers.
What this means for you
For in-house counsel and compliance officers, CADA being a Regulation simplifies the landscape but compresses the readiness timeline.
No waiting for national transposition You would not need to track national transposing laws. Once the proposed application date arrives (one year after entry into force, per Article 48), the obligations apply directly. Align your compliance programme to the EU text, not a delayed national version.
Uniform obligations Core obligations — data centre acceleration zones, sovereignty risk assessments, public-procurement criteria — would be the same in Germany, France and Ireland, allowing a centralised compliance strategy rather than country-by-country adaptation.
Deadlines and penalties Because a Regulation is directly applicable, the text's deadlines bind directly. For example, Member States must designate data centre acceleration zones within six months of entry into force (Article 10(1)), and carry out initial risk assessments within one year (Article 29(1)). While CADA primarily targets Member States and providers, public bodies and critical-sector entities face direct duties around risk assessment and procurement. Penalties for provider infringements, laid down by Member States under Article 24, must be "effective, proportionate and dissuasive."
Action item Start mapping your cloud and AI infrastructure against the proposed Union assurance levels (1-4) and data centre sustainability requirements now — there is no transposition buffer once the application date is reached.
Common misconceptions
"I can wait for my country to pass its own law." Incorrect for a Regulation. If CADA is adopted as proposed, there is no separate national law to wait for — the EU text is the law.
"Directives are harder to comply with because they vary." Directives can produce fragmentation, but Regulations can be stricter precisely because they leave no room for national deviation. They do offer greater legal certainty for cross-border operators.
"CADA is already in force." No. CADA is a proposal (COM(2026) 502 final). It must still be adopted by the European Parliament and the Council, and the text may change in negotiation. The dates and obligations above reflect the current proposal.
Related
- Why was the Cloud and AI Development Act (CADA) proposed?
- Why is the EU dependent on non-EU cloud providers?
- Why does CADA have two legal bases (Articles 114 and 173(3) TFEU)?
- Why does CADA focus so heavily on the public sector?
- Why can't existing EU laws already solve cloud sovereignty? (CADA)
This is general information about a draft EU regulation, not legal advice.