Summary Under the proposed Cloud and AI Development Act (CADA), the two instruments do different jobs. Delegated acts (Article 45 of CADA; Article 290 TFEU) would let the Commission amend or supplement non-essential elements of the Regulation — for example, updating the assurance-level criteria in Annex II — and are policed directly by the European Parliament and the Council, who can object or revoke. Implementing acts (Article 46 of CADA; Article 291 TFEU, Regulation (EU) No 182/2011) would set uniform conditions for applying the Regulation — for example, risk-assessment templates or audit procedural rules — and are scrutinised by a committee of Member State representatives under the examination procedure. In short: delegated acts change the law's substance; implementing acts standardise how it is executed.

Detail

CADA leans on secondary legislation to stay current in a fast-moving sector. The proposal draws a clear line between the two tools the Commission can use, and the distinction matters because it determines who controls a change, how it is made, and what political oversight applies.

The split is not a CADA invention; it is a constitutional division built into the Treaties. Article 290 TFEU lets the legislature hand the Commission a quasi-legislative power to change the rulebook itself (within limits), and keeps the Parliament and Council in the loop because they are, in effect, lending out part of their own legislative authority. Article 291 TFEU addresses a different problem: where Union acts "need uniform conditions for implementation," implementing powers are conferred on the Commission, and it is the Member States — not the co-legislators — who supervise, because implementation is ordinarily their responsibility. CADA mirrors this division precisely: Article 45 channels the Article 290 power, Article 46 the Article 291 power.

Delegated acts: amending and supplementing the law

Delegated acts rest on Article 290 TFEU, which lets the legislature empower the Commission to adopt acts of general application that supplement or amend non-essential elements of a legislative act. In CADA the power is conferred and conditioned by Article 45 ("Exercise of the delegation").

Scope. As proposed, and as summarised in Recital 85, the Commission could use delegated acts to:

  • amend Annex I to reflect market and technological developments in the Cloud and AI Leadership Initiatives (Article 6(4));
  • amend Annex II to update the criteria for the Union assurance levels (Article 16(2));
  • supplement the Regulation with detailed rules on the performance of audits (Article 20(9));
  • amend Annex III on audit evidence (Article 21(1)); and
  • require impact assessments and risk-mitigation measures for certain private entities in sectors of high criticality (Article 31(3)).

Scrutiny. The co-legislators keep a direct check. The Commission notifies each adopted act to the Parliament and Council simultaneously (Article 45(5)). It enters into force only if neither objects within two months — extendable by three months — of notification (Article 45(6)). Either institution can also revoke the delegation entirely at any time (Article 45(3)).

Implementing acts: ensuring uniform application

Implementing acts rest on Article 291 TFEU and are governed by Regulation (EU) No 182/2011. In CADA the power runs through Article 46. They do not amend the law; they supply the procedural and technical detail needed to apply it consistently across Member States.

Scope. Specific uses in CADA include:

  • the methodology, templates and elements for Member States and Union entities to carry out risk assessments (Article 29(3)), and specifying the assurance level for a public-sector activity where a Member State's risk assessment is found inadequate (Article 29(5));
  • the procedure for establishing the Experience and Acceleration Centres for AI (Article 5(4));
  • recognition procedures for cloud computing service providers (Article 17(12));
  • third-country recognition decisions (Article 18(1));
  • the procedure to join the EuroCloud Federation and the request template (Article 34(4)); and
  • fee rules for the EuroCloud Federation (Article 36(4)) and common procurement activities (Article 40(5)).

Control. Implementing acts are not subject to direct Parliament/Council scrutiny. Instead, Article 46(1) provides that the Commission "shall be assisted by a committee... within the meaning of Regulation (EU) No 182/2011," and Article 46(2) triggers Article 5 of that Regulation — the examination procedure. The Commission submits a draft to a committee of Member State representatives, which votes by qualified majority. A favourable opinion obliges the Commission to adopt the act. A negative opinion blocks adoption, though the Commission may refer the matter to the appeal committee for a further opinion. Where the committee delivers no opinion, the Commission may generally still adopt the act, subject to the specific limits in Regulation (EU) No 182/2011. The Parliament and Council retain only a limited "right of scrutiny" — they may indicate that a draft exceeds the implementing powers conferred — rather than the outright veto they hold over delegated acts.

It is worth stressing what this means in practice: under the examination procedure the content of CADA is never up for grabs. The committee cannot rewrite an assurance-level criterion or a substantive obligation; it can only shape, accept or reject the detail of how an already-decided rule is applied. Substantive change is reserved to delegated acts (for non-essential elements) or to the legislature itself.

Key differences at a glance

Feature Delegated acts (Article 45) Implementing acts (Article 46)
Legal basis Article 290 TFEU Article 291 TFEU + Reg (EU) No 182/2011
Function Amend or supplement non-essential elements Set uniform conditions for applying the law
Who controls Parliament and Council (object / revoke) Member States (examination-procedure committee)
Mechanism Adopt after notification; no-objection in 2 months Adopt after committee opinion under Article 5 of Reg 182/2011
CADA examples Update Annex II (assurance levels); amend Annex I Risk-assessment templates; audit procedural rules; fee rules
Reach Can change substantive criteria Limited to procedural / technical detail

What this means for you

For in-house counsel and compliance officers, the distinction shapes how you monitor change and where you direct engagement.

Monitor both, for different reasons. Delegated acts under Article 45 can shift your substantive obligations — a change to the Annex II criteria for a Union assurance level could force changes to infrastructure, data-localisation arrangements or audit evidence, and is binding once it survives the objection window. Implementing acts under Article 46 supply the operational detail; the Article 29(3) risk-assessment methodology, for instance, will dictate the exact templates and inputs you must provide to authorities. Both are binding.

Direct engagement to the right forum. For delegated acts, industry feedback flows to the Parliament and Council during the objection period and, earlier, to Member State experts in the consultation under Article 45(4). For implementing acts, the leverage is with your national authority and its representative on the examination-procedure committee.

Link to enforcement. CADA's penalties (Article 24) attach to infringements of the substantive Chapter obligations. The detailed compliance path — what counts as a compliant audit or risk assessment — will often be fixed in secondary legislation, so deviating from a prescribed audit-evidence format (Annex III) or risk-assessment template can carry real consequences.

A worked example: the assurance levels

The two instruments are easiest to tell apart by tracing a single subject — the Union assurance levels — through both. The criteria that define what each level requires live in Annex II; changing them is substantive, so it is done by delegated act under Article 16(2), with the Parliament and Council able to object. The evidence an auditor must gather to test those criteria lives in Annex III; updating it is likewise substantive and uses the delegated route under Article 21(1). But the procedure a national authority follows to recognise a provider against those criteria — the steps, the forms, the timelines — is about uniform application, so it is set by implementing act under Article 17(12). And the audit rules sit in a third position: the high-level audit duty is in the body of the Regulation, while the detailed methodology and templates are supplemented by delegated act under Article 20(9), because they add new normative content rather than merely standardising a procedure. One policy area, three different secondary-legislation routes — chosen according to whether the change is substantive or merely about uniform application.

Common misconceptions

"Delegated acts are just administrative detail." They can amend the Regulation's substantive criteria — for example, the technical requirements for a Union assurance level. That is a substantive change, not housekeeping.

"Implementing acts are merely procedural, so they don't matter." The procedure is the compliance path. If the Commission prescribes a risk-assessment template under Article 29(3), departing from it can amount to non-compliance regardless of the quality of your own analysis.

"The Commission acts without oversight." Both routes have checks: delegated acts face Parliament/Council objection and revocation; implementing acts face the Member State examination-procedure committee.

"The two have the same legal nature." Both are binding, but delegated acts modify the legislative text (supplementing or amending it), while implementing acts operate alongside it to secure uniform application.

Related

This is general information about a draft EU regulation, not legal advice.