What does CADA mean for a Member State's compliance team?

Summary As proposed, the Cloud and AI Development Act (CADA) would impose a strict, binding timeline on Member States to adopt comprehensive national cloud and AI strategies. Under Article 7, Member States must draft these strategies within one year of the Regulation's entry into force, covering eight mandatory elements ranging from infrastructure deployment to open-source adoption. Compliance teams must coordinate closely with national authorities to ensure these strategies are notified to the Commission within three months of adoption and are reviewed every three years, with the European Artificial Intelligence Board facilitating cross-border coordination.

Detail

The proposed Cloud and AI Development Act (CADA) introduces a binding framework for Member States to align their national policies with the EU's broader objectives for cloud sovereignty and AI leadership. For in-house counsel and compliance officers operating within Member State institutions or advising them, the most immediate legislative obligation stems from Article 7, which mandates the creation of "national cloud and AI strategies." This provision transforms what might have been voluntary policy planning into a statutory requirement with specific deadlines and content mandates.

Deadlines and Notification Article 7(1) sets a hard deadline: Member States must establish their national strategies by "[same day as entry into force plus one year]." This creates a fixed compliance window that begins the moment the Regulation enters into force. Once the strategy is adopted, Article 7(5) requires Member States to notify the Commission of these strategies within three months. Failure to meet these deadlines would constitute a breach of the Regulation, potentially triggering infringement procedures. The timeline is rigid; there is no provision for extension in the text of the proposal.

Mandatory Content of the Strategy The strategy is not merely a policy statement; it must contain specific, actionable measures. Article 7(2) lists eight mandatory elements that the national strategy must include. Compliance teams must verify that the draft strategy addresses each of these points explicitly:

1. Objectives and Governance: Key objectives and priorities for cloud and AI adoption, in line with the "AI first" principle, as well as a governance and monitoring framework to achieve those objectives and priorities.
2. Acceleration Measures: Measures to accelerate the development and adoption of cloud and AI at national, regional, and local levels, particularly among public sector bodies, SMEs, and small mid-caps (SMCs), including by supporting the Experience and Acceleration Centres for AI referred to in Article 5 as entry points to the European AI innovation ecosystem.
3. Strategic Sector Deployment: Measures to support the broad deployment and uptake of AI in strategic industrial and public sectors, including in healthcare, energy, and mobility.
4. Data Centre Capacity: Measures to support the deployment of data centre capacity, with a particular focus on high-value data centres delivering significant economic and societal benefits while adhering to high environmental and energy-efficiency standards.
5. High-Intensity Computing: Measures to invest in high-intensity computing infrastructure, including AI factories, AI gigafactories, and quantum computers as strategic national and cross-border assets supporting research, development, and industrial AI deployment across strategic sectors.
6. Procurement Support: Measures to support the development of cloud and AI capabilities and promote excellence and innovation, including through public procurement measures, and public procurement of innovation measures set out in Article 33.
7. Open Technology Stack: Measures to support the development of cloud computing stack technologies built upon open hardware and software to strengthen technological sovereignty and enhance the competitiveness of strategic European industries.
8. Data Accessibility: Measures to ensure the accessibility of high-quality data for AI development, notably by preventing data bottlenecks encountered by organisations.

Ongoing Compliance and Review Compliance does not end with adoption. Article 7(5) mandates that Member States assess their national strategies at least every three years on the basis of key performance indicators and, where necessary, update them. The Commission shall monitor the adoption and revision of the national strategies. This creates a recurring compliance cycle where the strategy must be treated as a living document rather than a static policy paper.

Coordination with the AI Board To ensure consistency and prevent fragmentation of the internal market, Article 7(6) assigns a central role to the European Artificial Intelligence Board (the "AI Board"), established under the AI Act. The AI Board is tasked to advise and assist the Member States as regards the coordination of national strategies and facilitate the exchange of best practices among Member States. This implies that national compliance teams must engage with the AI Board's processes to ensure their national strategies do not diverge from EU-wide priorities and that they leverage shared expertise.

What this means for you

For in-house counsel and compliance officers within public sector bodies or entities advising Member States, Article 7 shifts cloud and AI strategy from a voluntary policy exercise to a statutory obligation with enforceable deadlines.

1. Immediate Action on Strategy Drafting Your legal and policy teams must begin drafting or updating the national cloud and AI strategy immediately upon the publication of CADA. The one-year deadline is absolute. You must ensure the strategy addresses all eight elements listed in Article 7(2). Omitting any element, such as the specific focus on open-source stacks or data centre sustainability, could render the strategy non-compliant. The "AI first" principle mentioned in Article 7(2)(a) must be explicitly integrated into the strategic objectives.

2. Notification and Documentation Establish a clear internal process to notify the Commission within three months of the strategy's adoption. Maintain robust documentation of the adoption date and the notification submission to prove compliance during any Commission monitoring or audit. The notification requirement in Article 7(5) is a distinct procedural step that must not be conflated with the adoption itself.

3. Integration with Existing Frameworks Ensure the new strategy is consistent with the Digital Decade Policy Programme targets (Article 7(4)) and aligns with existing national digital strategies. If a Member State already has a strategy that covers these objectives, Article 7(1) allows for the use of the existing strategy, but it must be updated to fill any gaps identified by CADA. The proposal does not require a new document if the existing one is adequate, but it does require that the existing one be updated to meet the specific CADA criteria.

4. Engagement with the AI Board Compliance teams should monitor the activities of the AI Board. Since the Board facilitates coordination under Article 7(6), active participation in its exchanges can help your Member State avoid regulatory missteps and leverage best practices from other jurisdictions. The Board's role is advisory and coordinative, not legislative, but its guidance will be critical for interpreting the "AI first" principle and other broad mandates.

5. Three-Year Review Cycle Build a recurring calendar event for the triennial review of the strategy. This review must be based on key performance indicators. Compliance teams should define these KPIs early to ensure they are measurable and aligned with the Regulation's objectives. The requirement to update the strategy "where necessary" (Article 7(5)) implies that if the KPIs show a deviation from targets, an update is mandatory, not optional.

Common misconceptions

Misconception 1: The strategy is purely aspirational. Reality: Article 7 imposes binding obligations. The strategy must include concrete measures, not just goals. Failure to adopt or update the strategy is a breach of EU law, subject to the general enforcement mechanisms of the Regulation.

Misconception 2: Existing digital strategies are automatically compliant. Reality: While Article 7(1) allows Member States to rely on existing strategies if they adequately cover CADA's objectives, most existing strategies will lack specific provisions on AI factories, open-source cloud stacks, or the detailed data centre deployment measures required by Article 7(2). A gap analysis is essential to determine if an update is required.

Misconception 3: Compliance is a one-time task. Reality: The obligation is continuous. Strategies must be reviewed every three years (Article 7(5)) and updated as necessary. The Commission actively monitors these revisions, and the requirement to notify the Commission applies to the initial adoption and implies ongoing transparency regarding updates.

Misconception 4: The AI Board has enforcement powers over national strategies. Reality: The AI Board advises and facilitates coordination (Article 7(6)). It does not enforce. Enforcement lies with the Commission, which monitors compliance and can initiate infringement proceedings for non-adoption or non-notification. The Board's role is to ensure consistency, not to sanction non-compliance.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• What happens if a Member State does not adopt a national cloud and AI strategy on time?
• When must Member States adopt a national cloud and AI strategy under CADA?
• What does the Leadership Initiatives framework mean for EU competitiveness?
• What does CADA mean for European cloud service providers specifically?
• What does CADA mean for cloud providers overall?

This is general information about a draft EU regulation, not legal advice.