Summary Under the proposed Cloud and AI Development Act (CADA), there is a one-year gap between the Regulation's entry into force and its date of application (Article 48). As proposed, CADA enters into force on the twentieth day after publication in the Official Journal — the law then legally exists — but its substantive obligations apply only one year later. The gap is a deliberate compliance window: Member States designate authorities and run initial risk assessments, and businesses align their systems, before the binding sovereignty requirements and any penalties take effect.

Detail

The distinction between "entry into force" and "date of application" is standard in EU drafting, but it carries real operational weight in CADA. Understanding which obligations attach to which date is what lets you plan the transition.

The legal basis: Article 48

Article 48 of the proposal sets the two milestones:

  1. Entry into force: the Regulation "shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union."
  2. Date of application: the Regulation "shall apply from [same day and month as date of entry into force plus 1 year]."

So the law becomes legally valid 20 days after publication, but becomes legally operative for regulated entities one year after that.

Why EU regulations separate the two dates

The split balances legal certainty against practical feasibility:

  • Entry into force fixes the text and brings the instrument into the legal order. It does not yet impose substantive duties on market participants; it mainly activates preparatory obligations for public authorities.
  • Date of application is when the substantive obligations, prohibitions and rights become enforceable. Before it, a company is not in breach of CADA for not yet meeting the assurance-level or data-centre requirements.

The gap creates the transition window in which Member States designate national competent authorities (Article 25), set up single information points for data centres (Article 12) and establish national cloud and AI strategies (Article 7) — work that could not realistically be completed on day one.

There is also a rule-of-law dimension. An obligation should not bite before those it binds have had a fair chance to comply, and before the institutions that enforce it exist. By keying the substantive duties to a later application date, CADA ensures that when a provider is first required to hold recognition at a Union assurance level, both the recognising authorities (Article 25) and the central repository through which recognised services are listed (Article 22) are already in place. Switching on duties without that machinery would make compliance practically impossible — and unenforceable — on day one.

Which provisions hinge on each date

Obligations keyed to entry into force. Several preparatory deadlines run from entry into force, and in CADA they cluster at the entry-into-force-plus-one-year mark — the same point as the application date:

  • National strategies: Member States must establish national cloud and AI strategies by entry into force plus one year (Article 7(1)).
  • Designation of authorities: Member States must designate national competent authorities "by [date of entry into force plus 1 year]" (Article 25(1)).
  • Initial risk assessments: Member States and Union entities must carry out their first risk assessments "by [date of entry into force plus 1 year]" (Article 29(1)).

Obligations keyed to the date of application. On the application date, the substantive regime becomes enforceable, including:

  • Sovereignty recognition: providers must hold recognition at the relevant Union assurance level to serve the public sector (Article 17).
  • Public procurement: contracting authorities must procure services recognised at the appropriate assurance level (Article 30).
  • Data-centre framework: the acceleration-zone and single-information-point mechanisms (Articles 10 and 12) are in place, so operators can rely on the accelerated permitting.
  • Penalties: Member States must lay down penalty rules (Article 24); the obligation to comply with the substantive rules that those penalties back applies from the application date.

Implications for compliance officers

The one-year gap is a runway, not a pause:

  • Audit lead time. Conformity self-assessment (level 1) or third-party audit (levels 2–4) must begin well before the application date; the audit process takes time, and recognition cannot be granted overnight.
  • Procurement strategy. Public buyers should review existing contracts. Where a risk assessment requires migration to another cloud service, Article 29(6) provides that migration must occur "within a reasonable transition period that shall not exceed 12 months" — a further period that can extend the practical compliance horizon for affected services.
  • Legislative finalisation. As a proposal, CADA's exact dates may change, but the Article 48 structure is standard; assume the one-year gap and plan accordingly.

How the secondary-legislation clock interacts

A subtlety worth flagging: the application date sets when the substantive obligations bite, but much of CADA's operational detail arrives through delegated and implementing acts that may be adopted on their own timetables. The risk-assessment methodology (an implementing act under Article 29(3)), the audit rules (a delegated act under Article 20(9)) and the recognition procedure (an implementing act under Article 17(12)) are all examples. In principle these can be prepared during the one-year transition so they are ready by the application date; in practice, where they lag, regulated entities may face a window in which the primary obligation applies but the detailed rules for satisfying it are still pending. The pragmatic response is a "compliance-ready" posture — controls robust enough to map onto whatever final form the secondary legislation takes — rather than waiting for every act to be published before acting.

What this means for you

For in-house counsel and compliance officers, Article 48 implies a two-phase roadmap.

Phase 1 — entry into force (roughly months 0–12).

  • Monitor the designation of national competent authorities in your relevant Member States.
  • Run internal gap analyses against the Union assurance levels (Annex II).
  • Engage auditing organisations early; level 2–4 audits are resource-intensive.
  • Risk: no penalties yet for substantive breaches, but failing to prepare can lock you out of public contracts when the application date arrives.

Phase 2 — date of application (month 12 onward).

  • Ensure cloud services used by, or offered to, public-sector entities hold valid recognition.
  • Complete any required migration where current providers do not meet the necessary level (mindful of the up-to-12-month transition period in Article 29(6)).
  • Risk: penalties and compensation claims (Article 24) become live, and non-compliant procurement can be challenged.

Common misconceptions

"The law doesn't apply until the application date, so I can wait." You can't be penalised for substantive breaches before the application date, but waiting is risky: recognition (Article 17) takes months, so starting late can leave you unrecognised — and shut out of the public-sector market — when the rules apply.

"Entry into force means I must change my contracts immediately." No. Entry into force mainly triggers preparatory deadlines for Member States. Your contractual obligations with providers do not change until the application date, absent specific clauses tied to publication.

"The one-year period is fixed for everything." Article 48 sets a one-year application gap, but specific provisions can run on their own clocks. Migration under Article 29(6), for instance, allows a reasonable transition period of up to 12 months after a risk assessment identifies the need — effectively extending the deadline for those specific cases.

Related

This is general information about a draft EU regulation, not legal advice.