Summary
The proposed Cloud and AI Development Act (CADA) establishes a rigid, chronological compliance timeline that begins immediately upon publication. As proposed in COM(2026) 502 final, the Regulation would enter into force 20 days after publication in the Official Journal, but would only become generally applicable one year later. Critical intermediate deadlines include the designation of data centre acceleration zones within six months of entry into force, and the designation of National Competent Authorities (NCAs) plus the completion of the first sovereignty risk assessments within one year. In-house counsel must map these milestones to ensure Member States and public bodies are ready to enforce and procure sovereign cloud services before the general application date.
Detail
The Cloud and AI Development Act (CADA) is a legislative proposal designed to strengthen the EU's cloud and AI ecosystem through a harmonised sovereignty framework. While the text remains subject to the ordinary legislative procedure, the draft Regulation sets out precise temporal obligations for Member States, cloud service providers, and public sector bodies. Understanding the sequence of these deadlines is critical for compliance planning, as the timeline is anchored by Article 48 and cascades into specific operational requirements under Articles 10, 25, and 29.
The timeline is not a single "go-live" date but a phased rollout. The distinction between "entry into force" (when the law becomes binding) and "application" (when obligations must be met) is the defining feature of the CADA schedule.
The Anchor: Entry into Force and Application (Article 48)
The entire timeline is calculated from the date of publication in the Official Journal of the European Union. Under Article 48, the Regulation would enter into force on the twentieth day following that publication. However, the Regulation would apply from a date one year after entry into force.
This one-year gap is a deliberate transition period intended to allow Member States to designate authorities, establish acceleration zones, and conduct initial risk assessments before the substantive procurement and assurance obligations become mandatory for all contracting authorities.
Phase 1: Structural Foundation (0–6 Months Post-Entry into Force)
The first wave of obligations falls on Member States to establish the physical and regulatory infrastructure required for the Act. These deadlines are tied strictly to the entry into force date, meaning they occur approximately six months before the general rules apply to public procurement.
Designation of Data Centre Acceleration Zones
Under Article 10(1), Member States are required to designate at least one data centre acceleration zone within their territory. The deadline for this action is six months after the date of entry into force.
Acceleration zones are specific areas where the development, expansion, and modernisation of data centres are facilitated through streamlined permitting and infrastructure support. When designating these zones, Member States must consider site location, power grid capacity, network connectivity, and environmental sustainability. This early deadline is intended to kickstart the physical infrastructure build-out required to support the EU's AI ambitions and reduce the capacity gap. Failure to designate these zones within six months would delay the permitting benefits for data centre operators in that Member State.
Phase 2: Institutional Setup and Initial Risk Mapping (6–12 Months Post-Entry into Force)
As the one-year application date approaches, the focus shifts to institutional designation and the initial mapping of public sector risks. These obligations are also tied to the entry into force date, creating a tight window for Member States to prepare before the Regulation becomes fully applicable.
Designation of National Competent Authorities (NCAs)
Under Article 25(1), Member States must designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework. The deadline for this designation is one year after the date of entry into force.
These NCAs are the gatekeepers of the sovereignty framework. They are responsible for:
- Receiving and assessing applications from cloud computing service providers seeking recognition at Union assurance levels 1 through 4.
- Supervising recognised providers and auditing organisations.
- Maintaining the national register of recognised services.
Member States may designate existing authorities for this role but must notify the Commission of the names, tasks, and powers of these authorities. The Commission will then maintain a public register of these authorities. Without a designated NCA, the recognition mechanism for cloud providers cannot function, potentially stalling the entire sovereignty framework in that Member State.
First Sovereignty Risk Assessments
Simultaneously, public sector bodies and Union entities must begin assessing their cloud usage. Article 29(1) requires Member States and Union entities to carry out risk assessments within one year of the date of entry into force.
These assessments are the foundation of the procurement rules. They must:
- Identify public sector activities that use or will use cloud computing services and contribute to the preservation of public order.
- Determine which Union assurance level (2, 3, or 4) is appropriate for these identified activities.
The risk assessment must consider the sensitivity, criticality, and magnitude of personal and non-personal data processed, the risk of unlawful access by third countries, and the risk of service disruption. Crucially, Article 29(6) stipulates that if a risk assessment requires migration to another cloud computing service, the Member State or Union entity must migrate within a reasonable transition period that shall not exceed 12 months. This creates a potential overlap: if the risk assessment is completed at the 12-month mark (the application date), the migration clock starts immediately, and the entity must be fully migrated within the following year.
Phase 3: General Application and Ongoing Compliance (1 Year+ Post-Entry into Force)
One year after entry into force, the Regulation becomes fully applicable. At this point, all substantive obligations come into effect, and the groundwork laid in the previous phases must be operational.
Procurement Obligations
Under Article 30, contracting authorities must procure cloud computing services that have been recognised as having at least Union assurance level 1. For activities identified as contributing to the preservation of public order in high-risk sectors (such as national security, defence, and law enforcement), authorities must only procure services recognised as having Union assurance levels 2, 3, or 4.
Ongoing Risk Assessments
Article 29(1) also mandates that risk assessments be repeated every two years, or whenever necessary. This ensures that the assurance levels remain appropriate as technologies and threat landscapes evolve. The first assessment must be completed by the application date; subsequent assessments follow the biennial cycle.
Penalties and Enforcement
Member States must lay down rules on penalties applicable to infringements of the sovereignty framework by cloud computing service providers. Under Article 24, these penalties must be effective, proportionate and dissuasive. Member States must notify the Commission of these rules as soon as possible. Recipients of cloud services have the right to seek compensation from providers for any damage or loss suffered due to infringements of their obligations under this chapter.
What this means for you
For in-house counsel and compliance officers, the CADA timeline requires immediate proactive planning, even though the regulation is not yet in force. The distinction between "entry into force" and "application" is crucial for scheduling resources, as the most critical preparatory steps occur before the general application date.
1. Monitor the Publication Date
Since CADA is a proposal, the exact dates will depend on when the European Parliament and Council adopt the text and when it is published in the Official Journal. Set up alerts for the publication date, as this triggers the 20-day entry into force clock and the subsequent 6-month and 1-year deadlines.
2. Prepare for the "One-Year" Sprint (Article 29)
Your organisation must be ready to conduct a comprehensive risk assessment of its cloud computing services within one year of entry into force. This is not a one-time exercise but a biennial requirement.
- Identify Public Order Activities: Determine which of your public sector activities fall under the scope of public order preservation (e.g., law enforcement, defence, critical infrastructure).
- Map Data Sensitivity: Assess the sensitivity, criticality, and magnitude of data processed in your cloud environments.
- Determine Assurance Levels: Based on the assessment, identify the required Union assurance level (1, 2, 3, or 4) for each service.
- Plan Migrations: If current services do not meet the required assurance level, begin planning migration strategies immediately. Remember that Article 29(6) caps the transition period at 12 months. If the assessment is done at month 12, you have only until month 24 to migrate.
3. Engage with National Competent Authorities (Article 25)
Ensure you know which authority in your Member State is designated as the NCA for cloud sovereignty. This authority will be your primary contact for recognition applications and compliance queries. Monitor the public register maintained by the Commission to identify these authorities once designated (deadline: 1 year post-entry into force).
4. Review Procurement Strategies (Article 30)
Align your procurement processes with the new assurance level requirements.
- Baseline Requirement: Ensure all new cloud procurements meet at least Union assurance level 1.
- High-Risk Sectors: For activities in national security, defence, and law enforcement, ensure contracts specify Union assurance levels 2, 3, or 4.
- Vendor Due Diligence: Work with your cloud providers to ensure they have the necessary evidence (self-assessment statements or audit reports) to demonstrate compliance with the required assurance levels.
5. Stay Informed on Data Centre Acceleration Zones (Article 10)
If your organisation plans to deploy or expand data centre capacity, monitor the designation of acceleration zones in your Member State. These zones offer facilitated administrative and permit-granting processes, which can significantly reduce deployment time. The deadline for designation is six months post-entry into force.
Common misconceptions
Misconception 1: The rules apply immediately upon publication.
CADA has a staggered timeline. Entry into force occurs 20 days after publication, but general application is one year later. The intermediate deadlines are counted from entry into force rather than from publication: the designation of acceleration zones falls 6 months after entry into force, and the first risk assessments 1 year after. Do not assume obligations are active on day one of publication.
Misconception 2: Risk assessments are a one-time event.
Article 29 requires risk assessments to be conducted every two years, or whenever necessary. This is an ongoing compliance obligation, not a one-off project. Organisations must establish a process for regular review and update of their risk assessments.
Misconception 3: Only the public sector is affected by assurance levels.
While the mandatory procurement rules in Article 30 apply to public sector bodies, the sovereignty framework and assurance levels create a market signal that affects private sector providers. Private entities in critical sectors (under NIS2) may also be required to conduct impact assessments, and market trends will likely drive private sector adoption of higher assurance levels.
Misconception 4: Migration can take as long as needed.
If a risk assessment mandates migration to a different cloud service to meet a higher assurance level, the transition period is capped at 12 months. Organisations must plan migrations well in advance to ensure they meet this deadline without disrupting services.
This is general information about a draft EU regulation, not legal advice.