Summary The proposed Cloud and AI Development Act (CADA) is a Regulation, meaning it is "directly applicable in all Member States" under Article 288 of the Treaty on the Functioning of the European Union (TFEU). Unlike a directive, CADA would become binding law across the EU immediately upon its application date, without requiring national parliaments to transpose it into domestic legislation. This ensures a uniform "Union cloud computing sovereignty framework" and prevents regulatory fragmentation. However, while the core obligations apply automatically, Member States retain specific administrative duties—such as designating national competent authorities (Article 25), adopting national cloud and AI strategies (Article 7), and designating data centre acceleration zones (Article 10)—to enable the regulation's enforcement and operationalisation.

Detail

To understand the legal architecture of the Cloud and AI Development Act (CADA), one must distinguish between the two primary legislative instruments available to the European Union: regulations and directives. CADA is proposed explicitly as a Regulation (COM(2026) 502 final). This choice of instrument is deliberate, driven by the need for immediate, uniform application across the single market to address critical dependencies and sovereignty gaps.

The Legal Basis: Article 288 TFEU

The legal force of CADA is grounded in Article 288 of the Treaty on the Functioning of the European Union (TFEU). This article defines the nature of EU legislative acts, stating that a regulation "shall have general application. It shall be binding in its entirety and directly applicable in all Member States."

The phrase "directly applicable" is the defining characteristic of a regulation. It means that the text of the regulation itself becomes part of the national legal order of every Member State simultaneously. There is no "transposition" phase where national legislators must draft, debate, and pass implementing laws to give the act effect. The regulation is the law.

This stands in stark contrast to a directive, which sets out a result to be achieved but leaves the "choice of form and methods" to national authorities. Directives often lead to fragmentation, as 27 different Member States may interpret and implement the same goals differently. For CADA, which aims to establish a harmonised "Union cloud computing sovereignty framework" and a single market for data centre deployment, such fragmentation would be counterproductive. A uniform set of rules is essential to ensure that cloud assurance levels, data localisation requirements, and procurement criteria are identical whether a provider operates in Berlin, Paris, or Athens.

The Final Paragraph of Article 48

The proposal explicitly codifies this status in its final provisions. Article 48 of the CADA proposal, titled "Entry into force and application," concludes with the definitive statement:

"This Regulation shall be binding in its entirety and directly applicable in all Member States."

This clause, combined with the timeline set out in the same article, creates a predictable legal framework. The regulation would enter into force on the twentieth day following its publication in the Official Journal of the European Union. However, it would apply from one year after that date. This one-year gap is not a grace period for national transposition (as there is none), but a transition period for market participants and public authorities to prepare for the new obligations. Once the application date arrives, the rules on cloud assurance levels, data centre acceleration zones, and open-source reuse become legally enforceable across the entire EU immediately.

Exceptions: Where Member States Must Still Act

While the regulation is directly applicable and does not require transposition, it does not render Member States passive. CADA operates on a hybrid model: the EU sets the substantive rules and criteria, but Member States must perform specific administrative and governance acts to enable the system to function. Compliance officers must monitor national administrative announcements, even though the substantive law is set in Brussels.

1. Designation of National Competent Authorities (Article 25) The sovereignty framework relies on enforcement by national bodies. Article 25 mandates that Member States "designate one or more national competent authorities responsible for enforcing this Chapter." While CADA defines the powers of these authorities (including investigative and enforcement powers under Article 26), the actual appointment of these bodies is a national responsibility.

  • Implication: You cannot assume a single authority exists. You must identify which specific national body has been designated in your jurisdiction to handle recognition applications, audits, and penalties.

2. National Cloud and AI Strategies (Article 7) Article 7 requires Member States to "establish national cloud and AI strategies" within one year of the regulation's entry into force. These strategies must align with CADA's objectives, including the "AI first" principle and measures to support data centre deployment.

  • Implication: While the regulation sets the framework, the specific national priorities, funding mechanisms, and support measures are determined domestically. These strategies will influence where public procurement incentives are strongest.

3. Designation of Data Centre Acceleration Zones (Article 10) Article 10 obliges Member States to "designate at least one data centre acceleration zone" within their territory. The criteria for these zones (e.g., energy grid capacity, sustainability standards, reuse of brownfield sites) are set by CADA, but the geographic designation is a national prerogative.

  • Implication: Operators must monitor national announcements to identify where these zones are located. Only projects within these designated zones benefit from the streamlined permitting processes (e.g., the 12-month permit-granting limit under Article 13).

4. Risk Assessments for Public Procurement (Article 29) Article 29 obliges Member States and Union entities to carry out risk assessments to determine which public sector activities contribute to the preservation of public order and therefore require higher Union assurance levels (2, 3, or 4).

  • Implication: While the Commission provides the methodology, the actual assessment and the mapping of national public sector activities to specific assurance levels are national responsibilities. This determines which cloud services public bodies in your country are legally required to procure.

What this means for you

For in-house counsel, compliance officers, and public procurement teams, the direct applicability of CADA simplifies legal monitoring but accelerates the compliance clock.

1. Immediate Legal Alignment (No Transposition Wait) You do not need to wait for national parliaments to pass implementing laws. As soon as CADA enters into force and the one-year application period begins, the text of the regulation is the law. Your legal team should begin mapping current cloud contracts, data centre leases, and AI procurement processes against the text of the regulation immediately. The "one-year" period is a countdown to full compliance, not a delay for national legislation.

2. Focus on National Administrative Acts While you do not need to track national laws, you must track national administrative acts. The substantive rules are uniform, but the operational details are national:

  • Identify your Competent Authority: Monitor national gazettes for the designation of the "national competent authority" under Article 25. This body will hold the power to impose fines (Article 24) and conduct audits.
  • Map National Strategies: Review your Member State's national cloud and AI strategy (Article 7) to understand local incentives for data centre deployment or open-source adoption.
  • Locate Acceleration Zones: Identify where your Member State has designated data centre acceleration zones (Article 10) to leverage the streamlined permitting processes (Article 13).

3. Contractual Review and Sovereignty Criteria Because CADA is directly applicable, its definitions and sovereignty criteria (Annex II) become binding contractual standards for public sector procurement. Review existing cloud service agreements for:

  • Subcontractor Transparency: Level 1 assurance requires full transparency around subcontractors (Annex II, 1.1(f)).
  • Data Localisation: Ensure customer data, including metadata, remains exclusively within the Union unless explicitly required otherwise (Annex II, 1.1(c)).
  • Third-Country Control: Verify that providers subject to third-country control have implemented the necessary legal and technical measures to prevent extraterritorial data access (Annex II, 1.1(g)).

Common misconceptions

Misconception 1: "Directly applicable means I don't need to check national law at all." False. While the substantive rules (e.g., assurance level criteria) are uniform, procedural aspects are determined nationally. The specific identity of the competent authority, the location of acceleration zones, and the content of national strategies are all national administrative acts. Ignoring these can lead to non-compliance with reporting or designation requirements.

Misconception 2: "CADA replaces national procurement laws entirely." False. CADA operates alongside existing public procurement directives. It introduces specific "Union added value" criteria (Article 32) and sovereignty assurance levels (Article 30) that must be integrated into national procurement procedures. It does not abolish the need for national tender documents but dictates their content regarding cloud sovereignty.

Misconception 3: "I can wait for national guidance before acting." False. Unlike directives, where companies often wait for national implementing measures, regulations apply from the date of application. While the Commission may issue guidance, the legal obligations are clear in the text. Delaying compliance until national guidance is published could result in penalties under Article 24, as the regulation is already in force.

Related

This is general information about a draft EU regulation, not legal advice.