Summary Under the proposed Cloud and AI Development Act (CADA), implementing acts are measures the European Commission would adopt to ensure the Regulation is applied uniformly across the EU. They do not change the law's substance; they fill in operational detail — recognition procedures for cloud services, third-country recognition decisions, risk-assessment methodologies and templates, EuroCloud Federation participation rules, and fee structures. As proposed, the Commission would adopt them with the help of a committee of Member State representatives under the "examination procedure" of Regulation (EU) No 182/2011, which Article 46 of CADA brings into play.
Detail
Implementing acts are the counterpart to delegated acts. Where delegated acts amend or supplement non-essential parts of the Regulation, implementing acts lay down uniform conditions for applying it — so that a provider or public body faces the same procedural rules in Germany, France or any other Member State. They rest on Article 291 TFEU.
The legal basis: Article 46 and the examination procedure
The power to adopt implementing acts is anchored in Article 46 of the proposal, which provides:
"1. The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011. 2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply."
Regulation (EU) No 182/2011 sets the EU's general rules for controlling how the Commission exercises implementing powers. By pointing to Article 5 of that Regulation, CADA mandates the examination procedure — the more rigorous of the two main comitology procedures, reserved for measures of general scope and sensitive areas. In outline:
- The Commission submits a draft implementing act to the committee, composed of representatives of every Member State and chaired by the Commission.
- The committee votes by qualified majority.
- A favourable opinion obliges the Commission to adopt the act.
- A negative opinion blocks adoption; the Commission may then refer the draft to the appeal committee for a further opinion.
- Where the committee gives no opinion (no qualified majority either way), the Commission may generally adopt the act, subject to the limits in Regulation (EU) No 182/2011.
This gives Member States a structured, formal say in how the Regulation is applied in practice — but only over the how, never the substance of CADA itself. Recital 87 of the proposal records the choice of this route, noting that "[i]n order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission" and exercised in accordance with Regulation (EU) No 182/2011.
Where CADA uses implementing acts
The proposal expressly empowers the Commission to act by implementing acts in several operational areas. These are not abstract; they set the day-to-day rules for providers and public buyers.
1. Recognition procedures for cloud services (Article 17(12)).
"The Commission may adopt implementing acts concerning the practical arrangements for the procedures referred to in this Article."
This would standardise the steps, evidence formats and workflow that national competent authorities use to recognise a cloud service at Union assurance levels 1–4, preventing fragmentation across Member States.
2. Third-country recognition (Article 18(1)).
"The Commission may adopt decisions, by means of implementing acts, identifying third countries for which cloud computing service providers subject to the control of that third country... may be audited against the criteria for Union assurance level 3..."
These decisions would formally list which third countries meet CADA's cumulative criteria — a list the Commission can repeal, amend or suspend as legal and geopolitical conditions change.
3. Risk-assessment methodology (Article 29(3)).
"The Commission shall, by means of implementing acts in accordance with Article 46(2), specify the methodology to be applied, the templates to be used and the elements to be taken into account by the Member States and Union entities for the purpose of carrying out the risk assessments referred to in paragraph 1."
Operationally this may be the most significant: it would define how public-sector risk assessments — which set the required assurance level under Article 29 — must be conducted.
4. EuroCloud Federation participation (Article 34(4)). The Commission could specify the procedure to join the EuroCloud Federation and a template for the participation request.
5. Technical measures for service sharing (Article 35(6)). The Commission could specify the technical, operational and organisational measures a sharing entity must put in place before sharing services in the Federation.
6. Fees (Articles 36(4) and 40(5)). The Commission would lay down the detailed rules for the fees that finance the EuroCloud Federation's administration (Article 36(4)) and the Commission's common procurement activities (Article 40(5)). For Article 40(5), the implementing act would specify, among other things, the estimated costs, the individual fee amounts, and the manner and conditions of payment.
Each of these implementing acts is to be adopted under the examination procedure referred to in Article 46(2).
Two features of this list are worth drawing out. First, it spans the whole architecture of the Regulation — recognition, third-country treatment, public-sector risk assessment, the EuroCloud Federation and procurement financing — which signals that much of CADA's operational substance will arrive only once these acts are adopted. Second, implementing acts come in two textual flavours here: some are framed as the Commission "shall" adopt (e.g. the risk-assessment methodology in Article 29(3), and the fee rules in Articles 36(4) and 40(5)), making them effectively mandatory build-out of the framework; others are "may" adopt (e.g. Article 17(12) on recognition arrangements, Article 18(1) third-country decisions), leaving the Commission discretion over timing and whether to act at all.
What this means for you
For in-house counsel and compliance officers, the lesson is that today's CADA text is the framework, not the finished operating manual. The "how-to" detail will arrive in implementing acts.
1. Track the pipeline. Because these acts go through the examination procedure, drafts are typically circulated to the committee and the results published. Early awareness of risk-assessment templates (Article 29) or fee rules (Articles 36 and 40) lets you plan budgets and processes.
2. Prepare for standardised risk assessments. Once the Article 29(3) implementing act lands, your internal cloud risk-assessment process for public-sector activity will likely need to align with the prescribed methodology and templates, which feed the procurement obligations under Article 30.
3. Understand the fee mechanics. If you participate in the EuroCloud Federation or rely on the Commission's common procurement, the Articles 36(4) and 40(5) implementing acts will define how cost-recovery fees are calculated and paid — relevant for procurement and finance teams.
4. Watch third-country listings. If you use providers controlled from a third country, an Article 18 implementing act removing that country from the recognised list could cost the service its level-3 eligibility, prompting a migration or risk re-assessment.
Common misconceptions
"Implementing acts can change CADA's core rules." No. They cannot amend the substantive assurance-level criteria or the legal obligations themselves; they only set the detail for applying them uniformly. Substantive changes to the criteria come through delegated acts under Article 45.
"Member States can ignore implementing acts." No. Once adopted, an implementing act is binding and applies across the EU like the Regulation itself; it is law, not guidance.
"The Commission adopts them unilaterally." The examination procedure (Article 5 of Regulation (EU) No 182/2011) gives the committee of Member States a formal role: a negative opinion blocks adoption, subject to the appeal-committee mechanism.
Related
- CADA Exam Procedure: How Implementing Acts Are Adopted
- CADA Implementing Acts: Which Rules Will Be Set by Secondary Legislation?
- CADA Delegated Acts: The Article 45 Procedure Explained
- Delegated vs implementing acts in CADA: what's the difference?
- CADA Secondary Legislation: What Remains to be Defined by Delegated and Implementing Acts?
This is general information about a draft EU regulation, not legal advice.