Summary

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a high-level framework for EU cloud sovereignty but deliberately leaves critical operational details to be defined in secondary legislation. The legal vehicles for this delegation are Article 45 (delegated acts, used to amend non-essential elements such as technical criteria) and Article 46 (implementing acts, used to ensure uniform application of methodologies and procedures). Key areas awaiting definition include the precise technical criteria for Union assurance levels (Annex II), detailed audit methodologies and evidence templates (Annex III), risk assessment methodologies for public bodies, fee structures for the EuroCloud Federation and common procurement, and the list of eligible third countries for Level 3 recognition. Compliance officers must monitor these forthcoming acts, as the binding specifics of cloud sovereignty obligations will depend entirely on their adoption.

Detail

The Cloud and AI Development Act (CADA) is structured as a framework regulation. While the proposal establishes the overarching legal architecture for EU cloud sovereignty, data centre deployment, and AI development, it intentionally delegates significant technical and procedural details to secondary legislation. This legislative design is intended to keep the framework technologically neutral and adaptable to rapid market evolution without requiring frequent amendments to the primary Regulation.

The legal mechanisms for this delegation are clearly defined in Title V of the proposal:

  • Article 45 empowers the Commission to adopt delegated acts to supplement or amend non-essential elements of the Regulation, such as updating technical criteria in the Annexes.
  • Article 46 empowers the Commission to adopt implementing acts to ensure uniform conditions for the implementation of the Regulation, such as specifying methodologies, templates, and fee calculation rules.

For legal counsel and compliance teams, identifying these "open points" is essential. The following map details the specific areas where the base Regulation defers to secondary acts, grounded strictly in the text of COM(2026) 502 final.

1. Union Assurance Levels and Sovereignty Criteria

The core of CADA's sovereignty framework is the four-tier system of Union assurance levels (Levels 1–4), the criteria for which are set out in Annex II. However, the specific technical and organizational requirements for these levels are not static.

  • Delegated Acts (Article 45): Under Article 16(2), the Commission is explicitly empowered to adopt delegated acts to amend the Union assurance levels set out in Annex II and the evidence set out in Annex III.
  • Why it matters: The base Regulation provides the structure of the levels but acknowledges that "new legal or technical developments" may require updates. Consequently, the specific requirements for data localisation, personnel citizenship, and supply chain transparency can be tightened or otherwise modified via delegated acts without a full legislative revision. Compliance teams cannot yet rely on a fixed, immutable checklist for Level 3 or 4 assurance; they must await the finalised Annex II criteria and any subsequent delegated amendments to determine the exact mandatory controls.

2. Audit Procedures, Methodologies, and Evidence

For Union assurance levels 2, 3, and 4, cloud computing service providers must undergo independent third-party audits to obtain a "positive" audit opinion. While Article 20 mandates these audits, the procedural mechanics are left to secondary law.

  • Delegated Acts (Article 45): Article 20(9) empowers the Commission to adopt delegated acts to supplement the Regulation by laying down detailed rules for the performance of audits. This includes procedural steps, rules for auditing organisations, their technical competences, auditing methodologies, and templates for audit reports.
  • Delegated Acts (Article 45): Article 21(1) empowers the Commission to amend Annex III by laying down the necessary evidence needed to assess the audit criteria under Annex II.
  • Why it matters: Auditors and providers require standardized templates and methodological guidelines to conduct valid audits. Until these delegated acts are published, there is no standardized format for the "positive" audit opinion required for recognition under Article 17, nor is there a definitive list of evidence auditors must request.

3. Risk Assessment Methodologies for Public Sector

Member States and Union entities are required to conduct risk assessments to determine which public sector activities contribute to the preservation of public order and, consequently, which Union assurance level (2, 3, or 4) is appropriate.

  • Implementing Acts (Article 46): Article 29(3) mandates that the Commission specify the methodology to be applied, the templates to be used, and the elements to be taken into account by Member States and Union entities for these risk assessments via implementing acts. The text explicitly notes that these acts will specify how Member States use the highest level of assurance for the most critical public sector activities, including defence.
  • Why it matters: Public sector bodies and their private cloud providers need these standardized templates to perform compliant risk assessments. Without the implementing acts, there is no uniform way to justify why a specific workload requires Level 4 assurance over Level 3, potentially leading to fragmented national approaches that undermine the single market.

4. Recognition of Third Countries (Derogation Mechanism)

CADA generally prohibits third-country control for higher assurance levels but provides a derogation mechanism. Article 18 allows the Commission to identify third countries where cloud services subject to their control may be audited for Union assurance level 3, provided specific safeguards are met.

  • Implementing Acts (Article 46): Article 18(1) states that the Commission may adopt decisions, by means of implementing acts, identifying third countries that fulfil the cumulative criteria (e.g., adequacy decisions, absence of extraterritorial access laws).
  • Why it matters: Providers relying on global infrastructure need to know which jurisdictions are eligible for the Level 3 derogation. This list is dynamic; if a country's legal landscape changes (e.g., new data access laws), the Commission can repeal, amend, or suspend the decision via implementing acts under Article 18(2).

5. Fee Structures for EuroCloud and Common Procurement

CADA introduces two major financial mechanisms: the EuroCloud Federation (for sharing public sector cloud capacity) and a common procurement framework for the Commission. Both are funded by fees levied on participating entities to ensure cost recovery.

  • Implementing Acts (Article 46): Article 36(4) empowers the Commission to adopt implementing acts laying down detailed rules for determining estimated costs, individual fee amounts, and payment conditions for the EuroCloud Federation.
  • Implementing Acts (Article 46): Article 40(5) similarly empowers the Commission to adopt implementing acts for the common procurement framework, specifying estimated costs, individual fee amounts, and payment conditions.
  • Why it matters: Budget planning for public sector bodies and participating entities depends entirely on these fee structures. The implementing acts will define the cost-recovery models, ensuring fees are "proportionate to the estimated costs" and sufficient to cover direct and indirect expenses.

6. Repository and Participation Procedures

The proposal establishes a central repository of recognised sovereign cloud services (Article 22) and a platform for the EuroCloud Federation (Article 34). The practical arrangements for these digital tools are delegated.

  • Implementing Acts (Article 46): Article 34(4) empowers the Commission to adopt implementing acts to specify the procedure to participate in the EuroCloud Federation and the template concerning the content of participation requests.
  • Implementing Acts (Article 46): Article 17(12) allows the Commission to adopt implementing acts concerning the practical arrangements for the recognition procedures, including the registration of services in the central repository.
  • Why it matters: Providers seeking recognition need to know the exact application process, data submission requirements, and technical interfaces for the central repository. These practical arrangements are not detailed in the base Regulation.

7. Impact Assessments for Private Sector Entities

While mandatory risk assessments target the public sector, the proposal allows for the extension of similar obligations to private entities in critical sectors.

  • Delegated Acts (Article 45): Article 31(3) empowers the Commission to adopt delegated acts to supplement the Regulation by specifying the need for impact assessments and the risk mitigation measures for private entities operating in sectors of high criticality (as defined in Annex I of the NIS2 Directive), if deemed necessary after consultation with Member States.
  • Why it matters: Private companies in energy, transport, or health sectors need clarity on whether they will be legally required to conduct these assessments. The base Regulation only creates the possibility; the obligation itself is triggered only if the Commission adopts a delegated act under Article 31(3).

What this means for you

For in-house counsel, compliance officers, and procurement teams, the existence of these secondary legislation gaps creates a period of regulatory uncertainty. The base Regulation sets the "what," but the secondary acts will define the "how." Here is how to navigate this interim phase:

  1. Monitor the Commission's Work Programme: The Commission is required to consult experts designated by Member States before adopting delegated acts under Article 45. Legal teams should track the work of relevant expert groups and the publication of draft delegated acts related to cloud sovereignty, particularly those amending Annex II and Annex III.
  2. Prepare for Modular Compliance: Your compliance framework for cloud sovereignty should be designed to be modular. Since the criteria for assurance levels (Annex II) can be amended via delegated acts, internal controls should be adaptable to stricter technical requirements (e.g., evolving SBOM standards or personnel screening protocols) without requiring a complete system overhaul.
  3. Engage Early with Auditing Organisations: As the delegated acts under Article 20(9) are developed, engage early with potential auditing organisations. Understanding the emerging methodologies and templates for audit reports will allow providers to align their internal documentation with the final standards before the first audits are conducted.
  4. Budget for Fee-Based Participation: For public sector entities, begin budgeting for the fees outlined in Articles 36 and 40. Although the exact amounts are in implementing acts, the cost-recovery principle is explicit. Entities should anticipate fees for EuroCloud Federation membership and participation in common procurement activities.
  5. Draft Internal Risk Methodologies: Public sector bodies should start drafting internal risk assessment methodologies now, even before the implementing acts under Article 29(3) are published. This proactive approach will allow for a smoother transition once the Commission releases the official templates and methodologies.

Common misconceptions

  • "The assurance level criteria are fixed in the regulation." Incorrect. While the four levels are defined in the Regulation, the specific criteria in Annex II are subject to amendment via delegated acts under Article 16(2). The Commission can update these criteria to reflect technological advancements or new security threats without a new legislative proposal.

  • "Private sector entities are not affected by secondary legislation." Incorrect. While the mandatory risk assessments target the public sector, Article 31(3) allows the Commission to mandate impact assessments for private entities in critical sectors via delegated acts. Furthermore, the audit rules under Article 20(9) apply to all providers seeking recognition for levels 2–4, regardless of whether their customer is public or private.

  • "Implementing acts are just guidance or best practices." Incorrect. Implementing acts adopted under Article 46 are legally binding EU law. They specify mandatory methodologies, templates, and fee structures that Member States and entities must follow to ensure uniform application across the Union.

  • "Third-country recognition is automatic for adequacy decisions." Incorrect. Recognition of third countries for Union assurance level 3 is not automatic. It requires a specific decision by the Commission via implementing acts under Article 18, based on strict cumulative criteria including adequacy decisions, the absence of extraterritorial data access laws, and guarantees against service disruption.

This is general information about a draft EU regulation, not legal advice.