Summary

Under the proposed Cloud and AI Development Act (CADA), Article 47 establishes a periodic legislative review that may trigger a full proposal to amend the Regulation through the ordinary legislative procedure, requiring approval by both the European Parliament and the Council. In contrast, Article 45 empowers the Commission to adopt delegated acts to directly amend non-essential technical elements—such as updating the criteria for Union assurance levels—without a new legislative vote, subject only to a limited right of objection by the Parliament and Council. The former is for fundamental policy shifts; the latter is for technical agility.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, recognises that the cloud and AI landscape evolves faster than traditional legislation can adapt. To balance legal certainty with regulatory agility, the proposal establishes two distinct mechanisms for change: the legislative review and the delegated act. Understanding the procedural and substantive differences between these mechanisms is critical for legal counsel, compliance officers, and public procurement authorities who must anticipate regulatory shifts.

The Legislative Review (Article 47)

Article 47 establishes the mechanism for a comprehensive, periodic evaluation of the Regulation. This is a high-level political and legal exercise designed to assess the overall functioning, effectiveness, and relevance of CADA in the context of the evolving digital ecosystem.

Timing and Frequency

As proposed, the Commission is required to evaluate the Regulation four years after its entry into force, and every five years thereafter. The Commission must submit a report on this evaluation to the European Parliament, the Council, and the European Economic and Social Committee.

Scope and Outcome

The review is broad in scope, examining the Regulation as a whole. Crucially, Article 47(2) states that "where appropriate, the report referred to in paragraph 1 shall be accompanied by a proposal for amendment of this Regulation."

If the Commission proposes amendments following a review, these changes are not automatic. A proposal for amendment initiates the ordinary legislative procedure. This means the European Parliament and the Council must negotiate, amend, and adopt the changes together. This process is subject to full democratic scrutiny, political negotiation, and can take considerable time (often 12–24 months). It is the appropriate vehicle for changing the fundamental objectives, scope, core rights, or the essential balance of the Regulation.

Delegated Acts (Article 45)

Article 45 confers power on the Commission to adopt delegated acts to supplement or amend certain non-essential elements of the Regulation. This mechanism is designed for technical, detailed, or rapidly evolving aspects of the law that do not alter the Regulation's essential framework or political balance.

Scope of Delegation

Article 45(2) specifies that the power to adopt delegated acts is conferred on the Commission for an indeterminate period of time from the date of entry into force. The delegation is strictly limited to specific provisions identified in the text:

  • Amending Annex I (Grand Challenges) to reflect relevant market and technological developments (referenced in Article 6(4)).
  • Amending Annex II (Union Assurance Levels) and Annex III (Audit Evidence) to update the criteria for cloud computing sovereignty (referenced in Article 16(2)).
  • Laying down detailed rules for the performance of audits, including procedural steps and templates (referenced in Article 20(9)).
  • Amending Annex III regarding the necessary evidence for audit criteria (referenced in Article 21(1)).
  • Specifying a Union assurance level for a contracting authority or requiring an impact assessment for private companies in high-criticality sectors (referenced in Article 31(3)).

Procedure and Democratic Control

Unlike a legislative amendment, a delegated act is adopted solely by the Commission. However, it is subject to a strict control mechanism to ensure democratic oversight. Under Article 45(6), a delegated act enters into force only if no objection has been expressed by either the European Parliament or the Council within a period of two months of notification. This period may be extended by three months at the initiative of either institution.

This "negative voting" procedure is significantly faster and less politically contentious than the ordinary legislative procedure. It allows the Commission to keep technical standards, such as the cybersecurity criteria for Union Assurance Levels or the list of frontier AI technologies, up to date with technological advancements without waiting for a full legislative cycle.

Revocation of Delegation

Article 45(3) provides that the delegation of power may be revoked at any time by the European Parliament or the Council. A decision to revoke ends the delegation of power specified in that decision but does not affect the validity of delegated acts already in force. This ensures that while the Commission has autonomy to update technical details, the co-legislators retain ultimate sovereignty over the regulatory framework.

When Each Mechanism Is Used

  • Use a Legislative Review (Art 47) when the change affects the fundamental balance of the Regulation. Examples include altering the core definition of a "cloud computing service," changing the legal basis, modifying the penalties regime (Title IV, Chapter I), or significantly expanding the scope of entities covered. These are political decisions requiring democratic legitimacy.
  • Use a Delegated Act (Art 45) when the change is technical, scientific, or market-driven. Examples include updating the list of technologies considered "frontier AI" in Annex I, adjusting the audit evidence required for Union Assurance Level 3 in Annex III, or refining the criteria for data centre strategic projects. These are operational updates requiring agility.

What this means for you

For in-house counsel, compliance officers, and public procurement authorities, the distinction between Article 47 and Article 45 has direct implications for compliance planning, risk management, and resource allocation.

1. Predictability and Long-Term Planning

The Article 47 review cycle provides a predictable horizon for major regulatory shifts. You can anticipate that around the four-year mark after CADA's entry into force, the Commission will publish a report. While this does not guarantee changes, it signals a period of potential legislative instability where core obligations might be renegotiated. Plan for strategic reviews of your cloud procurement and sovereignty strategies around these five-year intervals.

2. Agility and Technical Compliance

Article 45 delegated acts pose a more immediate and frequent compliance risk. Because the Commission can amend Annex II (Union Assurance Levels) and Annex III (Audit Evidence) at any time during the indeterminate period of delegation, the technical requirements for achieving sovereignty recognition can change with minimal notice beyond the two-month objection period.

  • Action: Monitor the Commission's consultations on delegated acts closely. If the Commission proposes to tighten the audit criteria for Union Assurance Level 3 (e.g., requiring stricter third-country control tests), you have only a short window to adapt your vendor assessments and internal controls before the act enters into force.
  • Audit Preparedness: Ensure your cloud providers are contractually obligated to update their compliance documentation promptly following any new delegated act. A change in delegated act requirements could invalidate a previous audit opinion if the provider fails to re-audit against the new criteria.

3. Democratic Scrutiny and Advocacy

  • For Legislative Reviews: Engage with industry associations and policymakers during the Article 47 review cycle. This is the time to advocate for changes to the Regulation's core structure, such as the definition of public order or the scope of the EuroCloud Federation.
  • For Delegated Acts: The two-month objection period is your primary leverage. If a proposed delegated act imposes disproportionate technical burdens or misinterprets market realities, coordinate with peers to raise objections with the European Parliament or Council during this window. While objections are rare, they are a powerful tool to delay or force revision of technical measures.

4. Penalties and Enforcement

Non-compliance with requirements set out in delegated acts carries the same weight as non-compliance with the Regulation itself. For example, if a delegated act under Article 45 updates the audit evidence requirements in Annex III, and your provider fails to meet these new criteria, they may lose their Union Assurance Level recognition. If your organization continues to procure from them in a context requiring that level (per Article 30), you may be in breach of CADA. Member States are required to lay down penalties for infringements (Article 24), which must be effective, proportionate and dissuasive.

Common misconceptions

Misconception 1: Delegated acts are less important than legislative amendments. Incorrect. A delegated act under Article 45 has the same legal force as the Regulation itself. If a delegated act amends the criteria for Union Assurance Level 4, compliance with those new criteria is mandatory. Failure to comply can lead to the revocation of recognition and potential penalties.

Misconception 2: The Commission can change any part of CADA via delegated acts. Incorrect. Article 45 strictly limits the scope of delegation to specific non-essential elements listed in the Regulation (e.g., Annexes I, II, III, and specific procedural details). The Commission cannot use delegated acts to change the core objectives, the definition of key terms, or the fundamental rights balance. These changes require a legislative amendment via Article 47.

Misconception 3: The two-month objection period for delegated acts is a veto. Incorrect. The Parliament and Council do not vote to approve delegated acts; they vote to object. If they do nothing, the act enters into force automatically. This "silent approval" mechanism means that industry stakeholders must be proactive in raising concerns during the consultation phase, as the objection period is short and political capital is required to trigger it.

Misconception 4: Reviews happen automatically every five years. Incorrect. Article 47 mandates that the Commission evaluate the Regulation every five years. However, the accompanying proposal for amendment is only made "where appropriate." The Commission may conclude that no changes are needed, meaning the Regulation remains unchanged despite the review cycle.

This is general information about a draft EU regulation, not legal advice.