What is Regulation (EU) No 182/2011 and why does CADA rely on it?

Summary Regulation (EU) No 182/2011 is the EU's foundational framework for "comitology," governing how the European Commission adopts implementing acts under the supervision of Member State committees. As proposed, the Cloud and AI Development Act (CADA) relies on this regulation to ensure that critical technical specifications—ranging from audit methodologies to procurement fees—are adopted through the rigorous "examination procedure." Under Article 46(2) of the CADA proposal, the Commission is explicitly bound to Article 5 of Regulation (EU) No 182/2011. This mechanism grants Member States the power to block Commission proposals that conflict with national interests or the CADA text, ensuring that the sovereignty framework remains under strict political control rather than unilateral executive action.

Detail

The Comitology Framework: Regulation (EU) No 182/2011

Regulation (EU) No 182/2011 establishes the general rules and principles for the mechanisms by which Member States control the Commission's exercise of implementing powers. In EU legislative drafting, this system is known as "comitology." When the European Parliament and the Council adopt a legislative act like CADA, they often delegate specific technical, administrative, or updating details to the Commission. These details are codified in "implementing acts."

Comitology ensures that the Commission does not act unilaterally on these delegated powers but is supervised by a committee composed of representatives from the Member States. The regulation defines two primary procedures, distinguished by the weight of the committee's opinion:

1. The Advisory Procedure: The Commission seeks an opinion from the committee. While the Commission must "take the utmost account" of the opinion, it is not strictly bound by it. If the committee delivers a negative opinion, the Commission may still adopt the act, provided it explains its reasoning. This procedure is typically reserved for non-controversial or purely technical matters.
2. The Examination Procedure: This is the stricter, default procedure for acts with significant implications, such as those affecting the internal market, public security, or the rights of third parties. Under this procedure, if the committee delivers a negative opinion, the Commission cannot adopt the implementing act. The proposal may then be referred to an "Appeal Committee" for a final vote. If the Appeal Committee also fails to deliver a positive opinion, the act cannot be adopted.

CADA's Explicit Reliance on the Examination Procedure

CADA explicitly anchors its committee procedures in this framework to ensure high-level oversight for its most sensitive provisions. Article 46(1) of the CADA proposal states:

"The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011."

Crucially, Article 46(2) specifies the exact procedural path:

"Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply."

By referencing Article 5 of Regulation (EU) No 182/2011, CADA mandates the examination procedure for all implementing acts listed in the proposal. This is a deliberate legislative choice. It signals that the technical details of the Cloud and AI Development Act are not merely administrative but are of such strategic importance that Member States must retain a veto power over their adoption.

Why CADA Points to Article 5 (Examination)

The examination procedure is reserved for acts where uniform application across the Union is essential, and where Member States have a vested interest in the technical or operational details. CADA invokes this procedure for a wide array of critical implementing acts, ensuring that the Commission cannot unilaterally alter the rules of the sovereign cloud framework.

Key areas where CADA mandates the examination procedure include:

• Cloud Sovereignty Recognition and Audits:

  • Article 17(12) requires the examination procedure for implementing acts concerning the practical arrangements for the recognition of cloud computing service providers.
  • Article 20(9) mandates the examination procedure for rules on the performance of audits, including the procedural steps, technical competences of auditing organisations, and audit report templates.
  • Article 21(1) requires the examination procedure for amending Annex III to lay down necessary audit evidence.
  • Impact: These acts define the exact criteria for Union Assurance Levels 2, 3, and 4. A negative vote by Member States could block a Commission proposal that sets audit standards deemed too burdensome or technically unfeasible.

• Risk Assessment and Public Order:

  • Article 29(3) mandates the examination procedure for specifying the methodology, templates, and elements Member States must use when conducting risk assessments to determine the appropriate Union assurance level for public sector activities.
  • Impact: This ensures that the definition of "public order" risks and the methodology for assessing them are agreed upon by Member States, preventing the Commission from imposing a one-size-fits-all approach that might not align with national security contexts.

• EuroCloud Federation and Procurement:

  • Article 34(4) and Article 35(6) require the examination procedure for rules on participating in the EuroCloud Federation and the technical/operational measures for sharing services.
  • Article 36(4) and Article 40(5) mandate the examination procedure for determining the fees levied for the administration of the EuroCloud Federation and for common procurement activities.
  • Impact: These acts determine the financial and operational rules for public-sector cloud sharing. The examination procedure ensures that Member States agree on the cost-recovery mechanisms and technical standards before they become binding.

• Data Centre Acceleration and Strategic Projects:

  • Article 5(4) requires the examination procedure for implementing acts detailing the procedure for establishing Experience and Acceleration Centres for AI.
  • Impact: This ensures that the operational rules for these innovation hubs are vetted by Member States, aligning with national strategies for AI deployment.

The rationale for using the examination procedure (Article 5) rather than the advisory procedure is that these acts often define the operational reality of the CADA framework. For example, the audit rules for Union Assurance Levels 2–4 directly impact market access for cloud providers. If the Commission were to adopt audit rules that were overly burdensome, technically flawed, or inconsistent with national security priorities, the examination procedure allows a qualified majority of Member States to block the act. This forces the Commission to revise the proposal or refer it to the Appeal Committee, preventing regulatory capture or technical errors from becoming binding EU law.

The Role of the Committee

The committee assisting the Commission under Article 46 is not a new body created by CADA but a standing committee of Member State experts, typically aligned with existing committees related to digital infrastructure, cybersecurity, or the internal market. The committee's role is to review draft implementing acts before they are published.

Under the examination procedure (Article 5 of Regulation (EU) No 182/2011):

1. Positive Opinion: If the committee delivers a positive opinion (or no opinion), the Commission may adopt the act.
2. Negative Opinion: If the committee delivers a negative opinion, the Commission cannot adopt the act.
3. Appeal Committee: In the event of a negative opinion, the Commission may submit the draft to an Appeal Committee. If the Appeal Committee also delivers a negative opinion, the act cannot be adopted. If the Appeal Committee delivers no opinion, the Commission may adopt the act only if it justifies doing so; otherwise, it must revise the draft.

This structure ensures that the Commission acts as a facilitator of Member State consensus rather than a unilateral rule-maker for the cloud sovereignty framework.

What this means for you

For in-house counsel, compliance officers, and policy advisors, the reliance on Regulation (EU) No 182/2011 via Article 46 has three critical practical implications:

1. Regulatory Stability and Predictability: The examination procedure acts as a robust quality control mechanism. Implementing acts adopted under this process have undergone scrutiny by Member State experts, reducing the likelihood of sudden, unvetted technical changes to audit criteria or procurement rules. However, it also introduces a potential for delay. If Member States disagree on a technical detail (e.g., the specific evidence required for a Level 3 audit), the process can stall, delaying the finalization of critical technical standards. Stakeholders must anticipate longer timelines for the adoption of these secondary rules.

2. Monitoring Specific Implementing Acts: You must actively monitor the adoption of implementing acts under the examination procedure, particularly those related to Article 20 (Audits) and Article 29 (Risk Assessments). These acts will define the exact evidence, templates, and methodologies required for compliance. Since these are adopted via the examination procedure, they carry significant legal weight and are less likely to be overturned later than advisory-based acts. Failure to comply with these specific implementing acts would constitute a direct infringement of CADA.

3. Strategic Stakeholder Engagement: Because Member States hold veto power (via qualified majority) in the examination procedure, national governments are the primary gatekeepers for the technical design of these rules. Compliance teams and industry representatives should monitor national positions on key issues, such as the definition of "independence" for auditing organisations (Article 20) or the specific metrics for data centre sustainability (Article 11). Engaging with national competent authorities before the draft implementing act reaches the committee is essential, as the committee vote is often the final political hurdle.

Common misconceptions

"Comitology allows the Commission to legislate freely." Reality: Regulation (EU) No 182/2011 is a control mechanism, not a blank check. Under the examination procedure (Article 5), the Commission cannot adopt an act if the committee votes against it. This ensures Member States retain significant influence over the technical implementation of CADA, preventing the Commission from unilaterally altering the sovereignty framework.

"All CADA technical details are set in the main text." Reality: Much of the operational detail—such as the specific templates for risk assessments (Article 29), the exact fee structures for the EuroCloud Federation (Article 36), or the detailed audit evidence requirements (Annex III)—is left to implementing acts. These acts are legally binding and adopted via the comitology process. Ignoring these secondary texts means missing critical compliance obligations.

"The committee is a judicial body." Reality: The committee is an administrative body composed of Member State representatives. It does not adjudicate disputes or interpret the law in a judicial sense. Its role is to provide a political and technical check on the Commission's drafting of implementing acts, ensuring they align with the interests of the Member States and the text of the CADA proposal.

Related

• Is the Cloud and AI Development Act a Regulation or a Directive?
• Will existing cloud contracts be affected when CADA starts to apply?
• Why does the CADA review pay special attention to SMEs and new competitors?
• Who sits on the CADA comitology committee?
• Who receives the CADA review report? Parliament, Council & EESC

This is general information about a draft EU regulation, not legal advice.