The proposed Cloud and AI Development Act (CADA) is structured into five Titles. Title I sets out general provisions, including subject matter and definitions. Title II establishes the Cloud and AI Leadership Initiatives for research, innovation and large-scale capacity, plus supporting measures. Title III addresses data-centre capacity through acceleration zones and strategic-project designations. Title IV — the most extensive — contains the cloud sovereignty framework, demand-side and procurement rules, the EuroCloud Federation, the common procurement framework and open-source provisions. Title V contains final provisions, including delegated powers, the review clause and entry into force.

Detail

As proposed, CADA moves from foundational definitions to operational mechanisms and finally to final provisions. Understanding the structure helps in-house counsel locate their obligations.

Title I: General provisions Article 1 sets out the subject matter: a framework for strengthening the cloud and AI ecosystem through, among other things, the Cloud and AI Leadership Initiatives, accelerated data-centre deployment, a sovereign cloud and AI offer, reduced dependencies on critical technologies, and fostering cloud adoption across the public sector. It also states two general objectives — competitiveness/innovation (Article 1(2)) and improving the functioning of the single market via a uniform legal framework for resilience and strategic autonomy (Article 1(3)). Article 2 provides definitions for terms such as "cloud computing service," "AI system," "frontier AI," "public sector body" and "data centre operator," largely by cross-reference to other EU instruments. Verifying whether a service or system falls within these definitions is the first step in assessing exposure.

Title II: Research, development and deployment activities This Title focuses on supply-side measures. Article 3 sets the general objective of the Cloud and AI Leadership Initiatives (promoting research and innovation and achieving large-scale capacity). Article 4 details eight operational objectives, from energy-efficient data-centre technologies to frontier, physical and industrial AI and AI agents. Article 5 requires each Member State to establish Experience and Acceleration Centres for AI ("Centres for AI"), building on the European Digital Innovation Hubs. Article 6 sets implementation mechanisms, including delivery through the "grand challenges" in Annex I. Article 7 requires Member States to adopt national cloud and AI strategies within one year of entry into force. Articles 8 and 9 address frontier AI priority projects and the allocation of computing resources.

Title III: Data centre capacities Article 10 requires Member States to designate data centre acceleration zones. Article 11 sets the conditions within those zones, including sustainability requirements. Article 12 requires single information points to assist operators with permits. Article 13 facilitates administrative and permit-granting processes, providing that the permit-granting procedure should not exceed 12 months from a comprehensive application. Article 14 lets the Commission designate data centre strategic projects. Article 15 establishes a Commission mechanism to monitor compute capacity, demand and the capacity gap.

Title IV: Autonomy and adoption Title IV is the largest part, focusing on sovereignty and demand-side measures, divided into chapters and sections:

  • Chapter I — Cloud computing sovereignty framework: Article 16 sets out four Union assurance levels and the Annex II requirements. Article 17 establishes the recognition mechanism. Article 18 allows recognition of associated third countries for Union assurance level 3 under cumulative conditions. Articles 19 and 20 set conformity self-assessment for level 1 and third-party audits for levels 2–4. Article 21 covers audit evidence. Article 22 creates the central repository. Article 23 imposes transparency obligations to report material changes. Article 24 covers penalties and compensation. Articles 25 and 26 designate national competent authorities and define their powers. Articles 27 and 28 establish mutual assistance and cross-border cooperation.
  • Chapter II — Demand-side measures: Article 29 requires risk assessments to determine the necessary assurance level. Article 30 requires public procurement to meet at least Union assurance level 1, with levels 2–4 for public-order activities. Article 31 allows private-sector entities (within the meaning of the NIS2 Directive) to conduct impact assessments. Article 32 introduces Union added value award criteria. Article 33 requires monitoring of innovation procurement, including the objective that at least 25% go to innovative SMEs.
  • Chapter III — European public sector cloud federation: Article 34 establishes the EuroCloud Federation. Article 35 sets conditions for sharing services (the fee not constituting a pecuniary interest). Article 36 covers cost recovery.
  • Chapter IV — Common procurement: Articles 37–40 enable the Commission to carry out procurement for Union entities and Member State contracting authorities, with governance, applicable rules and fee mechanisms.
  • Chapter V — Open source: Article 41 requires Union entities and public sector bodies to encourage and facilitate open-source solutions. Article 42 governs sharing and reuse of software developed by or for them. Article 43 establishes the EU Open Source Solutions Catalogue. Article 44 creates a network of Open Source Programme Offices.

Title V: Final provisions Article 45 grants the Commission power to adopt delegated acts. Article 46 sets the committee procedure for implementing acts. Article 47 is the review clause: the Commission would evaluate the Regulation by four years after entry into force and every five years thereafter, reporting to the Parliament, the Council and the EESC. Article 48 specifies entry into force (twentieth day after publication) and application (one year after entry into force).

What this means for you

For in-house counsel, the structure suggests a phased compliance approach.

  1. Scope assessment (Title I): Review the Article 2 definitions to determine whether your services are "cloud computing services" or your products are "AI systems," which drives exposure to Title IV.
  2. Sovereignty recognition (Title IV, Chapter I): If you serve the public sector, prepare for recognition under Article 17 — self-assessment for level 1 (Article 19) or an auditing organisation for levels 2–4 (Article 20) — against the Annex II criteria referenced in Article 16.
  3. Procurement obligations (Title IV, Chapter II): Public bodies must conduct risk assessments under Article 29 and meet minimum assurance levels under Article 30, integrating Article 32 Union added value criteria.
  4. Open-source compliance (Title IV, Chapter V): Software developed by or for the public sector falls within the sharing/reuse rules in Article 42; manage IP rights accordingly.
  5. Data-centre operations (Title III): Operators should monitor designation of acceleration zones (Article 10) to use streamlined permitting (Article 13).

Common misconceptions

  • Misconception: CADA applies only to AI companies.
    • Reality: Title IV's sovereignty framework applies to cloud computing services broadly (defined in Article 2 by reference to the NIS2 Directive). Even without AI models, hosting data or providing compute to public bodies brings the assurance levels into play.
  • Misconception: The sovereignty levels are optional.
    • Reality: For public procurement, Article 30 sets minimum assurance levels; a public body cannot procure a non-recognised service for activities with public-order relevance. For providers, recognition is a prerequisite for this market.
  • Misconception: Open-source sharing is unconditional.
    • Reality: Article 41 requires encouraging and facilitating open-source use; Article 42 governs how and where software is shared and reused. It is not a blanket mandate to open-source all public-sector code.

Related

This is general information about a draft EU regulation, not legal advice.