Summary Under the proposed Cloud and AI Development Act (CADA), Member States face strict, non-negotiable implementation deadlines tied directly to the regulation's entry into force. As proposed in Article 48, the regulation enters into force 20 days after publication but applies one year later. Crucially, Member States must adopt national cloud and AI strategies and designate national competent authorities within exactly one year of that entry-into-force date. Additionally, Member States must designate data centre acceleration zones within six months. These national actions are prerequisites for the sovereignty framework to function, meaning cloud providers and public bodies must align their compliance roadmaps with these national milestones rather than waiting for the regulation's general application date.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a dual-track timeline: the "entry into force" which triggers national obligations, and the "date of application" when substantive rules for providers and public bodies become binding. For legal counsel and compliance officers, the distinction is critical. The regulation does not wait for the one-year application period to begin requiring national action; the clock starts ticking immediately upon entry into force.

The Entry-Into-Force Baseline

All implementation deadlines in CADA are calculated from the date the regulation enters into force. Article 48 explicitly states: "This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union."

However, the regulation's substantive application is deferred. Article 48 continues: "It shall apply from [same day and month as date of entry into force plus 1 year]."

This creates a specific "transitional window" of exactly one year. During this period, Member States must build the national infrastructure required to enforce the regulation. If a Member State fails to meet these deadlines, the sovereignty framework (Title IV) cannot function effectively, as there would be no national authority to recognize providers or enforce penalties, and no national strategy to guide procurement.

Deadline 1: National Cloud and AI Strategies (Article 7)

The first major obligation for Member States is the formulation of a cohesive national strategy. Article 7(1) imposes a strict deadline: "By [same day as entry into force plus one year], Member States shall establish national cloud and AI strategies (the 'national strategies')."

This is not a suggestion; the use of "shall" creates a mandatory obligation. The strategies must be comprehensive, as detailed in Article 7(2), and must include at least the following elements:

  • Objectives and Priorities: Key goals for cloud and AI adoption, explicitly aligned with the "AI first" principle.
  • Acceleration Measures: Actions to accelerate development and adoption at national, regional, and local levels, with specific focus on public sector bodies, SMEs, and small mid-caps (SMCs).
  • Strategic Sectors: Measures to support AI deployment in critical sectors such as healthcare, energy, and mobility.
  • Infrastructure Deployment: Specific measures to support the deployment of data centre capacity, prioritizing high-value data centres that adhere to high environmental and energy-efficiency standards.
  • High-Intensity Computing: Investments in AI factories, AI gigafactories, and quantum computers as strategic national assets.
  • Sovereign Stacks: Measures to develop cloud computing stack technologies built upon open hardware and software to strengthen technological sovereignty.
  • Data Accessibility: Measures to ensure the availability of high-quality data for AI development, preventing data bottlenecks.

Article 7(5) introduces a secondary administrative deadline: "Member States shall notify the Commission of their national strategies within three months of their adoption." This means that once a Member State finalizes its strategy (by the one-year mark), it has a further three-month window to formally notify the Commission. The strategies must also be consistent with the Digital Decade Policy Programme targets.

Deadline 2: Designation of National Competent Authorities (Article 25)

While the prompt references Article 24 regarding penalties, the specific obligation to designate the authorities responsible for enforcing the sovereignty framework is found in Article 25. Article 25(1) mandates: "By [P.O. insert date of entry into force plus 1 year], Member States shall designate one or more national competent authorities responsible for enforcing this Chapter."

This deadline runs parallel to the national strategy deadline. The "Chapter" referred to is Chapter I of Title IV, which establishes the Union cloud computing sovereignty framework. These authorities are the linchpin of the entire regime. Their responsibilities, as outlined in Article 25(3) and Article 26, include:

  • Recognition: Assessing applications from cloud providers to be recognized as offering Union assurance levels 1 through 4 (Article 17).
  • Supervision: Monitoring recognized providers for compliance and handling material changes in circumstances (Article 23).
  • Enforcement: Imposing penalties for infringements and ordering the cessation of non-compliant activities (Article 26).

Article 25(2) requires Member States to "notify the Commission of the names of the competent authorities and of their tasks and powers." The Commission will then maintain a public register of these authorities. Without this designation, the recognition mechanism cannot operate, and public sector bodies cannot legally procure services at the required assurance levels.

Deadline 3: Data Centre Acceleration Zones (Article 10)

A distinct and earlier deadline applies to infrastructure deployment. Article 10(1) states: "Where data centre capacity is being deployed within the territory of a Member State, that Member State shall designate at least one data centre acceleration zone ('acceleration zone') within its territory by [P.O. insert the date of entry into force of this Regulation plus 6 months]."

This six-month deadline is significantly shorter than the one-year deadlines for strategies and authorities. It reflects the urgency of addressing the EU's compute capacity gap. Member States must identify sites that meet specific criteria, including:

  • Available and future power grid capacity.
  • Network connectivity capacity.
  • Potential for waste heat reuse.
  • Sustainability measures to minimize environmental impact.

This rapid timeline means that data centre operators must monitor national designations closely, as projects within these zones will benefit from streamlined permitting processes under Article 13.

The Role of Penalties and Enforcement (Article 24)

Once the national structures are in place, the enforcement mechanisms become active. Article 24 outlines the penalties for infringements of the sovereignty framework. Article 24(1) requires Member States to "lay down the rules on penalties applicable to infringements of this Chapter by cloud computing service providers within their competence and shall take all measures necessary to ensure that they are implemented."

While Article 24 does not specify a separate calendar date for laying down these rules (unlike the explicit "by [date]" in Articles 7 and 25), the requirement to "take all measures necessary to ensure that they are implemented" implies that the legal framework for penalties must be ready to support the competent authorities from the moment they begin their supervisory tasks. Article 24(2) provides non-exhaustive criteria for imposing penalties, including the nature, gravity, and duration of the infringement, as well as the financial benefits gained. Article 24(3) also grants recipients of cloud computing services the right to seek compensation for damage caused by provider infringements.

For in-house counsel, this means that once the one-year mark passes, the national competent authorities will have the power to impose fines and order remedial actions. Providers must ensure their compliance mechanisms are robust before this date to avoid exposure to these penalties.

What this means for you

For in-house counsel, compliance officers, and public procurement teams, these deadlines signal a clear, compressed timeline for action. You cannot wait for the regulation to be fully "applicable" to start preparing; the national implementation phase begins immediately upon entry into force.

  1. Monitor National Transposition: Keep a close watch on your home Member State's progress in adopting its national cloud and AI strategy (Article 7) and designating competent authorities (Article 25). The specific details of how your country interprets "AI first" or defines strategic sectors will directly impact your internal AI adoption roadmap and procurement eligibility.
  2. Engage with Competent Authorities: Once designated, these authorities will be your primary point of contact for recognizing your services under the Union assurance levels. If you are a cloud provider, prepare your evidence for conformity self-assessment (Level 1) or third-party audits (Levels 2-4) well in advance of the one-year mark. SMEs should note that Level 1 recognition may be automatic for them under Article 17(3), but the authority must still be designated to manage the process.
  3. Assess Public Sector Procurement: Public sector bodies must conduct risk assessments (Article 29) to determine which assurance levels they need. As a provider, understanding these risk assessments is crucial. If you aim to serve the public sector, you must be recognized at the appropriate level before procurement processes begin.
  4. Review Data Centre Plans: If you are involved in data centre deployment, check if your projects fall within a designated acceleration zone (Article 10). The six-month deadline for designation means these zones will be identified quickly, and compliance with their specific sustainability and permitting rules will be mandatory.
  5. Prepare for Penalties: Ensure your internal controls can demonstrate compliance with the sovereignty criteria. The penalties under Article 24 are not just theoretical; they are designed to be "effective, proportionate and dissuasive." Having a clear audit trail and transparency regarding subcontractors and data flows will be your best defense.

Common misconceptions

  • Misconception: The deadlines start when the regulation becomes "applicable."
    • Reality: The deadlines for national strategies and competent authorities are tied to the "entry into force" date (20 days after publication). The regulation becomes "applicable" one year later. Therefore, Member States have exactly one year from entry into force to meet these obligations, meaning they must be ready by the time the substantive rules start applying.
  • Misconception: National strategies are optional or purely advisory.
    • Reality: Article 7 uses mandatory language ("shall establish"). These strategies are binding national instruments that must align with EU objectives and be notified to the Commission. They will directly influence national procurement and funding priorities.
  • Misconception: Only large hyperscalers need to worry about competent authorities.
    • Reality: Any cloud computing service provider seeking to serve Union entities or public sector bodies must engage with the competent authorities of their establishment to get recognized. This includes SMEs, which may benefit from streamlined recognition for Level 1 assurance under Article 17(3).
  • Misconception: The penalty framework is fully defined in CADA.
    • Reality: CADA sets out the criteria for penalties (Article 24) but leaves the specific rules and fine amounts to Member States. This means there will be some variation in penalty regimes across the EU, requiring localized legal advice.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.