Summary

The proposed Cloud and AI Development Act (CADA) establishes a high-level framework for cloud sovereignty but leaves critical technical and procedural details to the European Commission to define later. This flexibility is achieved through two specific legal instruments: delegated acts (under Article 45) and implementing acts (under Article 46). As proposed, the Commission would use these powers to update the criteria for Union assurance levels, refine audit methodologies, and set fee structures for the EuroCloud Federation and joint procurement. Until these secondary acts are adopted, the precise rules for "sovereign" cloud services and the costs of participation remain subject to future Commission decisions.

Detail

CADA is designed as a framework regulation. While Article 1 sets out the strategic objectives—strengthening the EU's cloud and AI ecosystem, ensuring data sovereignty, and reducing dependencies—it intentionally avoids locking in rapidly evolving technical standards. Instead, the proposal grants the Commission the authority to fill in the operational gaps through secondary legislation. This approach ensures the law remains adaptable to technological shifts without requiring a full legislative revision every time a new cloud architecture or cybersecurity threat emerges.

The legal toolkit for this flexibility is explicitly defined in Article 45 (Delegated Acts) and Article 46 (Implementing Acts) of the proposal. Understanding the distinction between these two powers is essential for public-sector bodies, cloud providers, and auditors, as they determine how the rules of the game will be written.

Article 45: Delegated Acts (The "Policy & Technical Update" Power)

Article 45 confers on the Commission the power to adopt delegated acts. These are legally binding measures that supplement or amend non-essential elements of the regulation. Delegated acts are typically used for broader policy choices or technical updates that require a higher level of political oversight. Under the proposal, the European Parliament and the Council retain the right to object to a delegated act within a specific period (two months, extendable by three months), effectively giving them a veto power.

As proposed, the Commission would use delegated acts to modify the following key areas:

  • Updating the "Grand Challenges" (Annex I): The Commission could amend Annex I to reflect market and technological developments regarding the Cloud and AI Leadership Initiatives. This ensures the strategic priorities for research and innovation remain relevant as the AI landscape evolves.
  • Refining Sovereignty Criteria (Annex II): Crucially, Article 16(2) empowers the Commission to amend Annex II, which sets out the criteria for the four Union assurance levels. As cybersecurity threats change or new cloud architectures emerge, the Commission could update the specific requirements for what constitutes a "Level 3" or "Level 4" sovereign service without passing a new law.
  • Updating Audit Evidence (Annex III): Similarly, the Commission could amend Annex III to update the list of audit evidence required to assess compliance with the assurance levels.
  • Defining Audit Methodologies: Under Article 20(9), the Commission could adopt delegated acts to supplement the regulation by laying down detailed rules for the performance of audits. This includes specifying procedural steps, rules for auditing organisations, their technical competences, auditing methodologies, and templates for audit reports.
  • Specifying Assurance Levels for Activities: Under Article 29(5), the Commission could specify the Union assurance level required for specific contracting authorities or public sector activities, ensuring a consistent approach to risk assessment across the EU.
  • Mandating Private Sector Impact Assessments: Under Article 31(3), the Commission could adopt delegated acts to specify when private sector entities in high-criticality sectors must conduct impact assessments and what risk mitigation measures they must take.

Article 46: Implementing Acts (The "Procedural & Administrative" Power)

Article 46 confers on the Commission the power to adopt implementing acts. These are used to ensure uniform conditions for implementing the regulation, particularly where detailed procedures, formats, or administrative rules are needed. Unlike delegated acts, implementing acts do not amend the law itself but provide the "how-to" for its execution. They are adopted in accordance with the "examination procedure" laid down in Regulation (EU) No 182/2011, meaning they are subject to a committee of Member State experts (comitology) rather than a direct veto by the Parliament and Council.

As proposed, the Commission would use implementing acts to define:

  • Risk Assessment Methodology: Under Article 29(3), the Commission would specify the methodology, templates, and elements to be taken into account by Member States and Union entities when conducting risk assessments. This ensures that the determination of which assurance level is appropriate for a given public sector activity is consistent across the Union.
  • EuroCloud Federation Procedures: Under Article 34(4), the Commission would specify the procedure for public sector bodies to participate in the EuroCloud Federation and the templates concerning the content and details of the request for participation.
  • Technical Measures for Sharing Services: Under Article 35(6), the Commission would specify the technical, operational, and organisational measures required for sharing data centre and cloud services within the federation.
  • Fee Structures: Under Article 36(4) and Article 40(5), the Commission would lay down detailed rules for determining the fees levied on participating entities. This includes calculating the estimated costs, setting individual fee amounts, and defining the manner and conditions under which fees are to be paid for both the EuroCloud Federation and the common procurement framework.
  • Recognition Procedures: Under Article 17(12), the Commission would adopt implementing acts concerning the practical arrangements for the procedures related to the recognition of cloud computing service providers.

Key Areas of Commission Discretion

For stakeholders, the most impactful areas of discretion relate to the definition of sovereignty, the rigour of audits, and the cost of participation.

  1. Sovereignty Criteria (Annex II): The current text of Annex II outlines the criteria for Union assurance levels 1 through 4. However, Article 16(2) explicitly allows the Commission to amend these criteria via delegated acts. This means the definition of a "sovereign" cloud could become stricter, more nuanced, or adapted to new technologies over time. For instance, the specific cybersecurity certification levels required for Level 3 or 4 could be updated as the European cybersecurity certification scheme evolves.
  2. Audit Rules and Standards: For Assurance Levels 2, 3, and 4, providers must undergo independent third-party audits. Article 20(9) grants the Commission the power to define the specific rules for these audits. Until these delegated acts are adopted, the framework lacks the granular detail needed for auditors to operate uniformly. The Commission would determine what auditors must check, how they must report, and what qualifications they need.
  3. Fees and Costs: CADA introduces fees for the EuroCloud Federation and the common procurement platform to ensure financial sustainability. Article 36(4) and Article 40(5) allow the Commission to set the exact amount of these fees and the payment conditions via implementing acts. Public bodies will need to wait for these acts to know the precise cost of participating in the federation or joint procurement schemes.
  4. Risk Assessment Templates: Member States must conduct risk assessments to decide which cloud services their critical infrastructure can use. Article 29(3) allows the Commission to provide the mandatory methodology and templates for these assessments via implementing acts, ensuring consistency across the EU and preventing divergent national approaches.

What this means for you

As a public-sector procurement officer, a cloud provider, or a compliance officer, you cannot rely solely on the current text of the CADA proposal to plan your long-term strategies. The "rules of the road" for sovereignty, auditing, and costs are not yet fully paved.

  • Monitor the Official Journal: You must actively watch for the publication of delegated and implementing acts. The criteria for what constitutes a "Level 3" or "Level 4" sovereign cloud will be refined in amendments to Annex II via delegated acts.
  • Prepare for Standardised Risk Assessments: Once the Commission publishes the risk assessment methodology under Article 29(3), your organisation will likely be required to use these specific templates to justify your cloud procurement choices. Divergent national approaches may be harmonised by these acts.
  • Budget for Future Fees: The Commission will determine the fees for the EuroCloud Federation and joint procurement via Article 36(4) and Article 40(5). Include a variable cost line in your budgets for these future fees, as the exact amounts are not fixed in the proposal.
  • Engage with Auditing Standards: If you are procuring services at Assurance Levels 2–4, the specific audit requirements will be defined in delegated acts under Article 20(9). Ensure your suppliers are aware that these detailed audit rules are forthcoming and that their current compliance frameworks may need to adapt.
  • Track "Grand Challenge" Updates: For those involved in research and innovation, the scope of the Cloud and AI Leadership Initiatives could shift as the Commission updates Annex I via delegated acts to reflect new technological frontiers.

Common misconceptions

"The current text of CADA is final." No. CADA is a proposal, and even if adopted, it relies heavily on secondary legislation. The technical criteria in the Annexes are subject to change via delegated acts. The law is designed to be a living framework, not a static document.

"Delegated and implementing acts are the same." No. They serve different purposes and follow different procedures. Delegated acts (Article 45) amend or supplement the law and can be blocked by the European Parliament or the Council. Implementing acts (Article 46) provide uniform procedural rules and are adopted via a committee of Member State experts (comitology).

"The Commission can change anything it wants." No. The Commission's power is strictly limited to the specific areas listed in Article 45 and Article 46. It cannot change the fundamental rights protections, the core structure of the sovereignty framework, or the basic obligations of public bodies without a primary legislative amendment by the Parliament and Council.

"The rules will be ready immediately after CADA is adopted." No. The adoption of delegated and implementing acts takes time. The Commission must consult experts, draft the acts, and go through the relevant procedures (objection periods for delegated acts, committee votes for implementing acts). There will be a transition period where the high-level rules of CADA are in force, but the detailed operational rules are still being developed.

This is general information about a draft EU regulation, not legal advice.