Summary As proposed, the Cloud and AI Development Act (CADA) would enter into force 20 days after publication in the Official Journal and apply one year later (Article 48). Within that first year several deadlines fall: Member States must designate at least one data centre acceleration zone six months after entry into force (Article 10), and must adopt national cloud and AI strategies, designate national competent authorities and carry out first risk assessments by the one-year application date (Articles 7, 25 and 29). The Commission would first evaluate the Regulation four years after entry into force, and every five years thereafter (Article 47). All dates are relative placeholders in the draft and will only be fixed at adoption.
Detail
CADA sets out a structured, relative timeline rather than fixed calendar dates. Because it is a proposal (COM(2026) 502 final, of 3 June 2026), every deadline below is expressed in the text as a placeholder pegged to entry into force, and the absolute dates will depend on when the Regulation is finally adopted and published.
Entry into force and application
Under Article 48, the Regulation would enter into force on the twentieth day following its publication in the Official Journal, and would apply from the same day and month one year later. That twelve-month interval is the central implementation window: the law is binding but most substantive obligations are not yet enforceable, giving Member States, providers and public buyers time to get ready.
Six months: acceleration zones
The first hard deadline runs ahead of general application. Under Article 10(1), where data centre capacity is being deployed in a Member State, that State must designate at least one data centre acceleration zone "by [date of entry into force plus 6 months]." Operators therefore get early sight of where the streamlined permitting regime — including the aggregated baseline permit and the 12-month permit-granting limit (Article 13) — will apply.
One year: the application date and the bulk of Member State duties
At the one-year mark, the Regulation starts to apply and a cluster of Member State obligations fall due:
- National cloud and AI strategies. Under Article 7(1), Member States must establish national strategies by entry into force plus one year. These must cover, among other things, objectives for cloud and AI adoption, measures for SMEs and SMCs, data-centre capacity and open cloud-stack technologies, and must be consistent with the Regulation's objectives. Member States must notify the Commission within three months of adoption and review the strategies at least every three years (Article 7(5)). The European Artificial Intelligence Board established under the AI Act would advise on coordination.
- National competent authorities. Under Article 25(1), Member States must designate one or more national competent authorities to enforce the sovereignty chapter by entry into force plus one year; they may designate an existing authority.
- Public-sector risk assessments. Under Article 29(1), Member States and Union entities must carry out their first risk assessments — to determine the required Union assurance level for different public-sector activities — by entry into force plus one year, and thereafter every two years.
Four years, then every five: review
To keep the framework current, Article 47(1) requires the Commission to evaluate the Regulation and report to the European Parliament, the Council and the European Economic and Social Committee "by [date of entry into force plus 4 years], and every 5 years thereafter." The evaluation must pay specific attention to SMEs and to the position of new competitors (Article 47(3)), and the report may be accompanied by a proposal to amend the Regulation (Article 47(2)). (The explanatory memorandum refers more loosely to a review "five years after entry into force"; the operative date in Article 47 is four years, then five-yearly.)
What this means for you
For in-house counsel and compliance officers, the timeline is best read as a countdown that begins at publication, not a grace period.
Public-sector procurement teams. Plan to have your risk assessments done by the one-year application date (Article 29). Where an activity is found to have public-order relevance, you would be limited to procuring services recognised at Union assurance levels 2, 3 or 4; otherwise level 1 is the baseline (Article 30). Start mapping current cloud contracts against the Annex II criteria early to find the gaps.
Cloud service providers. Recognition takes lead time. Level 1 rests on an EU statement of conformity (Article 19); levels 2 to 4 require an independent third-party audit and audit evidence (Articles 20 to 21), then evaluation by a national competent authority (Article 17). Begin during the implementation window so you are recognised when buyers start requiring it.
Data centre operators. Watch the six-month acceleration-zone deadline (Article 10). Siting projects in a designated zone unlocks the aggregated baseline permit and the 12-month permitting limit (Article 13). Engage local authorities early to learn which sites are likely to be designated.
All operators. The placeholder dates only resolve at adoption. Set internal alerts on the Official Journal publication so your compliance clocks start automatically.
Common misconceptions
"CADA applies immediately on publication." No. Entry into force is 20 days after publication; application is one year after entry into force (Article 48).
"The one-year deadline means every service must be fully compliant by then." Not quite. The one-year point is when the rules start to apply and when most Member State set-up duties fall due. Provider recognition is a process that may continue beyond that date; the key risk is being unrecognised when public buyers begin requiring it.
"National strategies are a one-off." No. Article 7(5) requires Member States to assess and, where necessary, update their strategies at least every three years, so national requirements may shift over time.
"The review clause means the law changes every five years." No. Article 47 mandates an evaluation (first at four years, then every five), not an automatic amendment. Any change would have to go through the full legislative procedure.
Official sources
Related
- Why was the Cloud and AI Development Act (CADA) proposed?
- Why is the EU dependent on non-EU cloud providers?
- Why does CADA have two legal bases (Articles 114 and 173(3) TFEU)?
- Why does CADA focus so heavily on the public sector?
- Why can't existing EU laws already solve cloud sovereignty? (CADA)
This is general information about a draft EU regulation, not legal advice.