What are delegated acts under the Cloud and AI Development Act (CADA)?

Summary Under the proposed Cloud and AI Development Act (CADA), delegated acts would let the European Commission amend or supplement non-essential parts of the Regulation without reopening the full legislative procedure with the Parliament and Council. The power rests on Article 290 of the Treaty on the Functioning of the European Union (TFEU), and the conditions for using it are set out in Article 45 ("Exercise of the delegation"). As proposed, the Commission would hold this power for an indeterminate period and could use it to update technical criteria — the grand challenges in Annex I (Article 6(4)), the Union assurance levels in Annex II (Article 16(2)), audit rules and audit evidence (Articles 20(9) and 21(1)), and private-sector impact-assessment requirements (Article 31(3)). A delegated act would enter into force only if neither the Parliament nor the Council objected within two months.

Detail

What a delegated act is

A regulation like CADA is adopted by the European Parliament and the Council. But its text contains technical detail — annexes of criteria, audit rules — that can date quickly in a fast-moving sector. Rather than re-running the full legislative procedure each time, the co-legislators can delegate power to the Commission to adopt delegated acts that amend or supplement the Regulation. Crucially, delegated acts may only touch non-essential elements; the essential choices (core objectives, scope, fundamental obligations) stay reserved to the legislature.

The legal basis is Article 290 TFEU, which allows the legislature to empower the Commission to adopt "non-legislative acts of general application to supplement or amend certain non-essential elements" of a legislative act. CADA leans on this mechanism to keep its annexes current.

How the delegation works (Article 45)

Article 45, titled "Exercise of the delegation," sets the conditions. As proposed:

1. Indeterminate duration. The power to adopt delegated acts referred to in Articles 6(4), 16(2), 20(9), 21(1) and 31(3) would be conferred on the Commission "for an indeterminate period of time" from the date of entry into force (Article 45(2)) — rather than the fixed five-year term used in some EU acts.
2. Revocation. The European Parliament or the Council could revoke the delegation at any time; revocation ends the power but does not affect delegated acts already in force (Article 45(3)).
3. Consultation. Before adopting a delegated act, the Commission must consult experts designated by each Member State, in line with the 2016 Interinstitutional Agreement on Better Law-Making (Article 45(4)).
4. No-objection check. Once adopted, the Commission notifies the act to the Parliament and Council simultaneously (Article 45(5)). It enters into force only if neither institution objects within two months of notification; that period can be extended by three months at the initiative of either body (Article 45(6)).

The specific empowerments

CADA's delegated powers are narrowly targeted at technical areas:

• Grand challenges — Annex I (Article 6(4)). The Commission could amend Annex I, which lists the "grand challenges" for the Cloud and AI Leadership Initiatives, "to reflect technological and market developments," keeping the EU's research and industrial priorities current.
• Union assurance levels — Annex II (Article 16(2)). The Commission could amend the criteria for the four Union assurance levels in Annex II and the evidence in Annex III. This is the empowerment most likely to affect sovereignty compliance, because the technical bar for being recognised at a given level could move.
• Audit rules (Article 20(9)). The Commission could supplement the Regulation with rules on "the performance of audits" — procedural steps, requirements for auditing organisations and their technical competences, auditing methodologies and templates for audit reports.
• Audit evidence — Annex III (Article 21(1)). The Commission could amend Annex III "by laying down the necessary evidence needed to assess the audit criteria under Annex II."
• Private-sector impact assessments (Article 31(3)). Where duly justified and after consulting Member States, the Commission could require entities in sectors of high criticality that are not public-sector bodies to carry out impact assessments and adopt risk-mitigation measures.

Recital 85 of the proposal summarises this same list of delegated powers. Two recurring drafting cues tell you which Article 290 sub-type each empowerment is. Where a provision says the Commission may "amend" an annex (Articles 6(4), 16(2), 21(1)), it is changing existing text. Where it says the Commission may "supplement" the Regulation (Articles 20(9), 31(3)), it is adding new normative content the body of the act only sketched. Both are squarely within Article 290 TFEU, and both remain confined to non-essential elements.

It also matters that the list is closed. Article 45(2) names exactly five provisions; nothing else in CADA can be altered by delegated act. That is a feature, not a gap — it lets regulated entities see, in advance, precisely which parts of the framework are liable to administrative change.

How delegated acts differ from implementing acts

Both are adopted by the Commission, but they do different jobs:

• Delegated acts (Article 290 TFEU; Article 45 of CADA) amend or supplement the law — they change its substance, e.g. updating a criterion in an annex — and are policed by the Parliament and Council, who can object or revoke.
• Implementing acts (Article 291 TFEU; Article 46 of CADA) set uniform conditions for applying the law without changing it, and are scrutinised by a committee of Member State representatives under the examination procedure.

In short: delegated acts can change the rules you must follow; implementing acts standardise how you follow them.

The consultation and scrutiny backstop

Two of CADA's procedural safeguards deserve emphasis because they shape when and how you can influence a delegated act. First, Article 45(4) requires the Commission, before adopting any delegated act, to consult experts designated by each Member State, "in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making." Recital 86 reinforces this, stressing that the Parliament and Council "should receive all documents at the same time as Member States' experts" and that their experts "should always have access to meetings of Commission expert groups dealing with the preparation of delegated acts." Second, the no-objection mechanism in Article 45(6) is the hard check: even a technically sound act fails to enter into force if either co-legislator objects in time. Together these mean a delegated act is consulted on before adoption and vetoable after it.

What this means for you

For in-house counsel and compliance officers, the delegated-act regime makes CADA a moving target. The published text is not the whole rulebook — you have to track what the Commission does next.

1. Watch Annex II and Annex III most closely. The sharpest impact on cloud procurement and sovereignty compliance would come from delegated acts under Articles 16(2) and 21(1) amending Annex II (assurance levels) and Annex III (audit evidence). If the criteria for a level tighten, a provider that qualifies today may need new controls or new evidence tomorrow. Note that Article 16(3) separately requires the Commission to review Annexes II and III at least every 18 months, so changes are foreseeable.

2. Expect audit detail to arrive later. Under Article 20(9), the detailed audit methodology, procedural steps and report templates for levels 2–4 would come through a delegated act. Until then the Annex II criteria apply at a high level, but the practical execution detail is still to be filled in.

3. Critical-sector firms: watch Article 31(3). If you operate in a sector of high criticality, the Commission could — where justified — extend impact-assessment and risk-mitigation duties to private entities. This is a contingent power, not an automatic obligation.

4. Engage during consultation. Article 45(4) requires the Commission to consult Member State experts before adopting a delegated act. Industry input typically flows through national authorities and associations during that phase.

5. Build for fast adaptation. Because a delegated act can take effect roughly two months after notification (unless extended or blocked), your compliance function should monitor the Official Journal and be able to absorb annex changes quickly.

Common misconceptions

"Delegated acts are less important than the Regulation." They have the same binding force. Once in force, a delegated act amending Annex II is as much law as the main text.

"The Commission can change anything by delegated act." No. The power is confined to non-essential elements. Core objectives, the definition of a cloud computing service and fundamental obligations can be changed only by the Parliament and Council through a new legislative act.

"Delegated acts are adopted in secret." The process is structured and transparent: expert consultation beforehand, simultaneous notification to the Parliament and Council, a two-month (extendable to five-month) objection window, and publication in the Official Journal.

"Delegated acts and implementing acts are interchangeable." They are not. Delegated acts change the law's substance (Article 45); implementing acts ensure uniform application (Article 46). CADA uses both.

Related

• CADA Review vs Delegated Acts: How the EU Cloud and AI Development Act Changes
• Who does the Commission consult before adopting a CADA delegated act?
• Which parts of CADA can the Commission change through delegated acts?
• When will the Cloud and AI Development Act (CADA) be reviewed?
• When does the Cloud and AI Development Act (CADA) start to apply?

This is general information about a draft EU regulation, not legal advice.