What is comitology and how does CADA use it?

Summary Comitology is the European Union's governance system that ensures Member States supervise the European Commission when it adopts detailed technical rules to implement legislation. Under the proposed Cloud and AI Development Act (CADA), Article 46 establishes a committee of Member State representatives to assist the Commission. This committee reviews "implementing acts"—non-legislative measures that specify how CADA's broad rules should be applied in practice—ensuring that national interests and technical expertise are integrated into the final standards. As proposed, this mechanism prevents the Commission from acting unilaterally on complex technical matters, requiring a qualified majority of Member States to approve or block specific technical specifications.

Detail

To understand how the proposed Cloud and AI Development Act (CADA) functions in the real world, it is essential to distinguish between the primary legislation (the Regulation itself) and the secondary technical rules required to enforce it. The CADA proposal (COM(2026) 502 final) sets out high-level objectives, such as establishing a framework for four Union assurance levels for cloud sovereignty, defining criteria for data centre acceleration zones, or mandating risk assessments for public sector activities. However, these high-level goals require granular technical specifications to be actionable. For instance, the law might state that cloud providers must undergo independent audits, but it cannot possibly list every single piece of evidence an auditor must check, nor can it prescribe the exact template for a risk assessment in the main text without making the law unwieldy and quickly obsolete. Those specific details are filled in by "implementing acts."

Comitology is the governance mechanism that controls how these implementing acts are created. It prevents the Commission from acting unilaterally on complex technical matters and ensures that Member States have a decisive say in the operational details of EU law.

The Legal Basis: Article 46 and Regulation (EU) No 182/2011

Article 46 of the CADA proposal explicitly anchors this process. It states:

"The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011."

Regulation (EU) No 182/2011 is the foundational EU law that standardizes comitology across all policy areas. It defines the rules and general principles concerning mechanisms for control by Member States of the Commission's exercise of implementing powers. While this Regulation provides for several procedures (such as the advisory procedure), CADA primarily relies on the examination procedure. This is the most common and rigorous form of comitology, reserved for measures of general scope or those with significant implications for Member States.

Here is how the process unfolds under the proposed CADA framework:

1. Drafting: The Commission drafts an implementing act. For example, this could be a specific template for the risk assessments public authorities must conduct under Article 29, or the technical specifications for the EuroCloud Federation platform under Article 34.
2. Submission to Committee: This draft is submitted to the CADA Committee, which is composed of representatives from all 27 Member States. These representatives are typically national experts from ministries responsible for digital affairs, economy, or security.
3. Voting: The committee votes on the draft.
   • Positive Vote: If a qualified majority of Member States votes in favour, the Commission adopts the act.
   • Negative Vote: If a qualified majority votes against the draft, the Commission cannot adopt it.
   • No Opinion: If no qualified majority is reached (neither for nor against), the Commission may generally adopt the act, though this is less common in sensitive sovereignty matters.
4. Appeal: In cases of disagreement where the committee votes against the draft, the Commission may refer the matter to the "Appeal Committee." This is a higher-level body comprising representatives from the Member States (often at a more senior political level) to reach a final decision. If the Appeal Committee also fails to reach a qualified majority, the Commission may still adopt the act, but this is a rare and politically significant step.

Why the EU Uses Committees

You might wonder why the EU doesn't just put all these technical details directly into the main CADA law. There are two primary strategic reasons for this separation:

1. Technical Agility and Future-Proofing Cloud computing and AI technologies evolve at a pace that legislative processes cannot match. A law passed in 2026 might be technically obsolete by 2030 regarding specific cybersecurity protocols, audit methodologies, or data centre energy efficiency metrics. By using implementing acts controlled by comitology, the Commission can update these technical details without going through the full, slow legislative process of the European Parliament and the Council (which can take years). This allows the rules to stay current with technological advancements, ensuring that the "sovereign cloud" framework remains relevant as new threats and technologies emerge.

2. Member State Oversight and Sovereignty Cloud sovereignty is a sensitive political issue deeply tied to national security and administrative capacity. Member States have different national security concerns, legal traditions, and administrative structures. Comitology ensures that when the Commission proposes a new technical rule—such as the specific criteria for recognizing a cloud service as "sovereign" or the methodology for assessing public order risks—national experts review it. This prevents the Commission from imposing technical burdens that are impractical or inconsistent with national security strategies. It acts as a critical check and balance, ensuring that the execution of EU law respects the diversity and expertise of the Member States. In the context of CADA, where the goal is to reduce dependence on third-country providers, this oversight is vital to ensure that the resulting standards are robust and politically acceptable across the Union.

Specific Applications in CADA

Article 46 is referenced throughout the CADA text whenever the Commission is granted the power to adopt implementing acts. This delegation of power is not arbitrary; it is tied to specific operational needs:

• Article 5(4): The Commission may adopt implementing acts detailing the procedure for establishing "Experience and Acceleration Centres for AI." This ensures that the operational rules for these hubs are consistent across Member States.
• Article 12(1): While not explicitly citing Article 46 in the same sentence, the designation of single information points and their functions often require harmonized technical guidance that would be adopted via implementing acts.
• Article 29(3): The Commission specifies the methodology to be applied, the templates to be used, and the elements to be taken into account by Member States for the risk assessments. This is a critical area where comitology ensures that the definition of "public order" risks is applied consistently.
• Article 34(4): The Commission specifies the procedure to participate in the EuroCloud Federation.
• Article 36(4) and Article 40(5): The Commission adopts implementing acts laying down detailed rules for determining fees for the EuroCloud Federation and common procurement activities.
• Article 40(2): The Commission adopts implementing acts laying down the practical and operational arrangements for reimbursement by participating entities in the common procurement framework.

In each of these cases, the detailed rules will not be written by the Commission alone. They will be vetted by the committee established under Article 46, ensuring that the final technical guidance reflects a consensus among Member States.

What this means for you

For public-sector bodies, procurement officers, and cloud service providers, understanding comitology is crucial for planning and compliance.

1. Expect a Phased Rollout of Technical Details When CADA enters into force (as proposed, one year after publication), the main framework will be law, but many of the specific tools you need—such as the exact templates for risk assessments, the technical standards for the EuroCloud Federation, or the fee calculation methodologies—will not be immediately available. These will be developed through the comitology process. You should monitor the publication of these implementing acts closely, as they will dictate your day-to-day compliance obligations. The law sets the "what," but the implementing acts set the "how."

2. Opportunity for Influence If your organization is part of a Member State delegation, a national industry association, or a stakeholder group that advises your national representative, you have a channel to influence these technical rules. The committee process is where the granular details of compliance are negotiated. Feedback on the practicality of proposed templates, the feasibility of audit evidence requirements, or the fairness of fee structures can be integrated at this stage before the act is voted on.

3. Uniformity Across the EU Because these implementing acts are adopted at the EU level through a committee of Member States, they create a uniform standard across all 27 countries. This means that a risk assessment template approved in Brussels will be the same template used in Berlin, Paris, and Dublin. This harmonization reduces the burden on public authorities who operate across borders and ensures that sovereignty assessments are mutually recognized, facilitating a true single market for sovereign cloud services.

Common misconceptions

Misconception: Comitology allows the Commission to make new laws. Reality: No. The Commission can only fill in the details that the main CADA law has already delegated to it. It cannot change the fundamental rules, such as the existence of the four assurance levels, the requirement for Member States to conduct risk assessments, or the scope of the EuroCloud Federation. Those are set by the legislators (the European Parliament and the Council). Comitology is strictly for implementation and technical specification.

Misconception: Member States have a veto over all technical rules. Reality: Not exactly. Under the examination procedure, a qualified majority of Member States is required to block a Commission proposal. A single Member State cannot unilaterally veto a technical rule, although a group of Member States representing a significant portion of the EU population (at least 35% of the population and 55% of Member States) can. This prevents small minorities from blocking EU-wide technical progress while still ensuring broad consensus.

Misconception: Comitology is only for technical experts. Reality: While the committee members are often technical experts, the implications of their decisions are political and operational. For procurement officers, the outcome of these committee votes directly determines what specifications can be included in tender documents and what evidence is required to prove a cloud provider's sovereignty status. The decisions made in this committee shape the market reality for the next decade.

Related

• Who sits on the CADA comitology committee?
• CADA Governance: The Steering Committee vs. Comitology and the EuroCloud Federation
• What does the CADA committee procedure (comitology) involve?
• CADA Governance: Comitology Committee vs EuroCloud Steering Committee
• Will existing cloud contracts be affected when CADA starts to apply?

This is general information about a draft EU regulation, not legal advice.