Summary
The Cloud and AI Development Act (CADA) is proposed as a Regulation, not a Directive. As stated in the final clause of Article 48, the text would be "binding in its entirety and directly applicable in all Member States." This means that, unlike a Directive, CADA would not require national parliaments to pass implementing laws (transposition) to become effective. For businesses and public authorities, this ensures a single, uniform legal framework for cloud sovereignty, data-centre deployment, and procurement across the entire EU immediately upon the application date.
Detail
The legislative instrument proposed by the European Commission on 3 June 2026 is explicitly titled a "Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL." This classification is not merely semantic; it is the foundational mechanism that determines how the law operates within the European Union's legal order.
The definitive proof of this status is found in Article 48, titled "Entry into force and application." The article concludes with the mandatory legal formula for Regulations:
"This Regulation shall be binding in its entirety and directly applicable in all Member States."
This final clause is the defining characteristic of an EU Regulation. It distinguishes CADA fundamentally from a Directive, which would typically state that the act is "binding, as to the result to be achieved, upon each Member State to which it is addressed, but shall leave to the national authorities the choice of form and methods."
Regulation vs. Directive: What is the difference?
To understand the strategic choice behind CADA's form, it is essential to contrast the legal mechanics of a Regulation with those of a Directive.
1. Direct Applicability vs. Transposition
- Regulation (CADA): A Regulation is "directly applicable." This means that once it enters into force (20 days after publication) and its application date arrives (one year later), it automatically becomes part of the national legal system of every EU Member State. National parliaments do not need to pass new laws to implement it. The rules in CADA are immediately enforceable by national authorities and courts.
- Directive: A Directive sets out a goal that all EU countries must achieve, but it is up to the national governments to devise their own laws on how to reach those goals. This process is called "transposition." Because each country transposes directives differently, the resulting national laws can vary, leading to fragmentation and legal uncertainty.
2. Uniformity vs. Harmonization
- Regulation (CADA): Because it is directly applicable, a Regulation ensures strict legal uniformity. The definition of "cloud computing service" in Article 2, the criteria for "Union assurance levels" in Annex II, and the procurement obligations in Article 30 would be identical in France, Germany, Spain, and Poland. This removes the risk of a cloud provider facing 27 different interpretations of "sovereignty."
- Directive: Directives aim for "harmonization" of laws, but they often result in a patchwork of slightly different national rules. For a cloud provider, this means complying with 27 different sets of national implementation laws, which increases compliance costs and creates barriers to the single market.
3. Rights and Obligations
- Regulation (CADA): Regulations can create rights and obligations for individuals and businesses that can be invoked directly in national courts. For example, a public procurement officer could cite CADA directly to justify a procurement decision, and a cloud provider could cite CADA to claim recognition of their sovereignty status without waiting for national legislation.
- Directive: Directives generally only create rights for individuals if they have been properly transposed into national law. If a Member State fails to transpose a directive, or transposes it incorrectly, individuals may face difficulties enforcing their rights until the national law is corrected.
Why CADA is a Regulation
The Commission explicitly chose a Regulation for CADA to address the specific structural failures of the current cloud market. The explanatory memorandum notes that the current landscape is characterized by "fragmentation in data centre deployment driven by divergent national approaches" and "inconsistent sovereignty criteria."
A Regulation is the optimal instrument to:
- Remove Single Market Barriers: By providing a uniform legal framework, it prevents Member States from creating divergent national sovereignty standards that could hinder the internal market. As the proposal states, a Regulation is "essential to remove single market barriers, particularly in areas such as sovereignty and sustainability standards, where divergent national rules could otherwise undermine the EU's technological sovereignty."
- Ensure Rapid Implementation: Given the "geopolitical urgency" and the need to reduce strategic dependencies, a Regulation ensures a "rapid, coordinated, and EU-wide response," preventing delays that could arise from Member States acting independently or at different speeds.
- Level the Playing Field: It ensures that all cloud computing service providers, whether European or third-country, compete under the same sovereignty and sustainability standards across the entire Union, rather than navigating a fragmented regulatory landscape.
What this means for you
For public-sector procurement officers, legal teams, and cloud service providers, the fact that CADA is a Regulation has several critical practical implications:
1. No Waiting for National Transposition: You do not need to wait for your national parliament to pass an implementing law. Once CADA is adopted and its application date arrives (set as one year after entry into force in Article 48), the rules are immediately active. You can begin aligning your procurement procedures with the CADA requirements, such as the mandatory use of Union assurance level 1 for cloud services (Article 30), as soon as the Regulation applies. There is no "transposition period" where national law might lag behind or deviate.
2. Uniform Procurement Criteria: The sovereignty framework, including the four Union assurance levels (Article 16), will be identical across the EU. This means that a cloud service recognized as offering "Union assurance level 3" in one Member State is recognized as such in all others. This simplifies cross-border procurement and allows for joint procurement initiatives (Article 37) without worrying about conflicting national definitions of sovereignty. A provider recognized in Ireland is automatically recognized in Greece.
3. Direct Legal Basis for Decisions: When drafting tender documents, you can cite CADA directly as the legal basis for your award criteria, such as the "Union added value" criteria (Article 32). You do not need to reference a national transposition law, which may not exist or may be ambiguous. This provides greater legal certainty and defensibility for your procurement decisions, as the source of the obligation is the EU Regulation itself.
4. Compliance for Suppliers: Cloud providers will not be able to claim ignorance of differing national laws. They must comply with the CADA requirements uniformly. This reduces the risk of suppliers arguing that they complied with local national rules that deviate from the EU standard. It also facilitates the central repository of recognized services (Article 22), as the criteria for recognition are uniform and the repository is maintained by the Commission.
Common misconceptions
Misconception 1: "A Regulation means the EU is taking over national sovereignty."
- Reality: A Regulation harmonizes rules to ensure the single market functions correctly. Member States still retain significant discretion in areas such as conducting risk assessments to determine which public sector activities require higher assurance levels (Article 29). The Regulation sets the framework and criteria, but national authorities apply them to their specific contexts. The "sovereignty" CADA protects is the Union's strategic autonomy, not the removal of national administrative powers.
Misconception 2: "We can ignore CADA until our national government passes a law."
- Reality: Because CADA is a Regulation, it is directly applicable. There is no "transposition period" for national parliaments. Once the application date in Article 48 arrives, the Regulation is law. Public authorities must comply with it directly. Failure to do so would constitute a breach of EU law, regardless of whether national legislation has been updated.
Misconception 3: "Directives are always better for flexibility."
- Reality: While directives allow for national flexibility, this flexibility can be a disadvantage in areas requiring strict interoperability and trust, such as cloud sovereignty. For CADA, uniformity is essential to ensure that data sovereignty and security standards are not undermined by divergent national interpretations. A Regulation ensures that "sovereign cloud" means the same thing in Brussels as it does in Berlin, which is critical for the proposed EuroCloud Federation (Article 34).
This is general information about a draft EU regulation, not legal advice.