What is the legal basis for delegated powers in CADA?

Summary The legal basis for delegated acts in the proposed Cloud and AI Development Act (CADA) is Article 290 of the Treaty on the Functioning of the European Union (TFEU), implemented through Article 45 of the proposal. As proposed, this mechanism allows the European Commission to amend or supplement non-essential elements of the regulation, such as updating the criteria for Union assurance levels in Annex II or refining audit rules in Annex III. These acts enter into force only if neither the European Parliament nor the Council objects within a period of two months (extendable by three months), ensuring that the Commission's regulatory adjustments remain subject to strict democratic oversight.

Detail

The proposed Cloud and AI Development Act (CADA) is designed to operate in a rapidly evolving technological landscape where static legislative text may quickly become obsolete. To address this, the proposal relies heavily on delegated acts to maintain regulatory relevance without requiring a full legislative revision for every technical update. Unlike implementing acts, which merely provide uniform conditions for applying the regulation, delegated acts allow the Commission to amend or supplement the legislative text itself. This distinction is critical for legal counsel, as delegated acts carry the same legal weight as the primary regulation and can alter substantive compliance obligations.

The Constitutional Foundation: Article 290 TFEU

The foundational authority for the Commission to adopt delegated acts under CADA is Article 290 of the Treaty on the Functioning of the European Union (TFEU). This treaty provision establishes the framework for the European Parliament and the Council to delegate to the Commission the power to adopt non-legislative acts of general application to supplement or amend certain non-essential elements of legislative acts.

CADA's preamble explicitly anchors this mechanism in the treaty. Recital 85 of the CADA proposal states: "In order to take account of technological development and maintain an efficient framework of measures for strengthening the cloud and AI ecosystem at Union level, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission."

Recital 85 further delineates the precise scope of this delegation, ensuring it remains confined to technical and adaptive measures rather than core policy choices. The specific areas where the Commission may exercise this power include:

1. Amending Annex I to reflect relevant market and technological developments regarding the Cloud and AI Leadership Initiatives.
2. Amending Annex II to update the criteria for Union assurance levels (the sovereignty tiers).
3. Supplementing the Regulation by laying down detailed rules for the performance of audits.
4. Amending Annex III regarding the audit evidence required for the audit procedure.
5. Specifying a Union assurance level for a specific contracting authority.
6. Requiring an impact assessment and risk mitigation measures for private companies operating in sectors of high criticality.

Operationalizing the Power: Article 45 of CADA

While Article 290 TFEU provides the constitutional authority, Article 45 of CADA (titled "Exercise of the delegation") operationalizes this power within the specific context of the proposal. The text of Article 45 explicitly lists the articles of the regulation that trigger the delegation of power. These include:

• Article 6(4): Amending Annex I regarding the Cloud and AI Leadership Initiatives.
• Article 16(2): Amending the Union assurance levels in Annex II and the evidence in Annex III.
• Article 20(9): Supplementing rules on the performance of audits.
• Article 21(1): Amending Annex III regarding audit evidence.
• Article 31(3): Requiring impact assessments for private companies in high-criticality sectors.

Article 45(2) confers these powers on the Commission for an indeterminate period of time from the date of entry into force of the regulation. This ensures that the Commission can respond to technological shifts indefinitely, provided the delegation is not revoked.

Conditions and Safeguards in Article 45

Article 45 imposes strict procedural conditions to ensure the delegation is exercised transparently and democratically:

• Expert Consultation: Before adopting a delegated act, the Commission must consult experts designated by each Member State. This consultation must be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making. This ensures that Member States have a voice in the technical adjustments before they are finalized.
• Simultaneous Notification: As soon as the Commission adopts a delegated act, it must notify it simultaneously to the European Parliament and the Council.
• The Objection Mechanism: A delegated act enters into force only if no objection has been expressed either by the European Parliament or by the Council within a period of two months of notification. This period may be extended by three months at the initiative of either the Parliament or the Council. If an objection is raised, the act does not enter into force.
• Revocation: Article 45(3) provides a "nuclear option" for the co-legislators. The European Parliament or the Council may revoke the delegation of power at any time. A decision to revoke puts an end to the delegation specified in that decision, taking effect the day following its publication in the Official Journal. Crucially, revocation does not affect the validity of any delegated acts already in force, ensuring legal certainty for measures already adopted.

Scope: Non-Essential Elements Only

The delegation of power under CADA is strictly limited to non-essential elements. This is a core principle of Article 290 TFEU. The "essential elements" of the regulation—such as the fundamental decision to establish four Union assurance levels, the creation of the EuroCloud Federation, or the core penalty regimes—remain the exclusive domain of the legislator (the European Parliament and the Council).

The Commission's role is therefore technical and adaptive. For instance, while the legislator decides that a "Union assurance level 3" exists, the Commission may use delegated acts under Article 16(2) to update the specific technical criteria within Annex II that a provider must meet to achieve that level (e.g., updating cybersecurity certification requirements as new standards emerge). Similarly, under Article 20(9), the Commission can refine the procedural steps for audits without altering the fundamental requirement that audits must be independent.

What this means for you

For in-house counsel, compliance officers, and legal teams, understanding the legal basis and mechanics of delegated acts is a practical necessity for long-term regulatory strategy.

1. Monitor the Official Journal, Not Just the Statute

The substantive obligations in CADA—particularly those related to sovereignty assurance levels, audit methodologies, and the criteria for frontier AI priority projects—are subject to change via delegated acts. Because these acts amend the regulation itself, they do not require national transposition. They become directly applicable law upon entry into force. You must monitor the Official Journal of the European Union for published delegated acts. A change in Annex II (sovereignty criteria) via a delegated act under Article 16(2) could immediately alter the compliance requirements for your cloud service providers, potentially rendering a previously compliant service non-compliant overnight.

2. The Critical Two-Month Objection Window

The two-month period for the European Parliament and the Council to object to a delegated act (Article 45(6)) is a critical timeline for stakeholder engagement. While private entities cannot formally object, this window often coincides with intense political scrutiny and lobbying. If a proposed delegated act threatens your business model—for example, by tightening the audit evidence requirements under Article 21(1) or introducing new risk mitigation measures for private companies under Article 31(3)—this is the period to engage with industry associations to influence the political response. If no objection is raised within the two-month (or extended three-month) window, the act becomes binding law.

3. Impact on Sovereignty Assessments and Procurement

Compliance officers conducting risk assessments under Article 29 must stay alert to delegated acts that specify Union assurance levels for contracting authorities. The Commission may use its power to specify which assurance level applies to specific public sector activities. If your organization supplies cloud services to the public sector, a delegated act could suddenly elevate the required assurance level from Level 1 to Level 3, triggering significant contractual and technical re-engineering costs. The ability to update these specifications without a new legislative process means the "sovereignty bar" can be raised dynamically.

4. Audit Methodologies and Evidence

For cloud computing service providers seeking recognition under Article 17, the detailed rules for audits will be defined by delegated acts under Article 20(9) and Article 21(1). Until these acts are adopted, the regulatory landscape for audits remains partially undefined. Compliance teams should prepare for rigorous, standardized audit procedures that may exceed current industry norms, as the Commission will have the power to mandate specific auditing methodologies, templates, and evidence requirements that are binding across the Union.

Common misconceptions

Misconception 1: Delegated acts are merely technical guidelines. Delegated acts are legally binding legislative instruments. They amend or supplement the regulation itself. Unlike guidelines, which interpret the law, delegated acts change the law. Failure to comply with a requirement introduced by a delegated act (e.g., a new criterion in Annex II) is an infringement of CADA itself, subject to the penalties laid down in the regulation.

Misconception 2: The Commission can use delegated acts to change core policy. Article 290 TFEU and Article 45 of CADA restrict delegated powers to "non-essential elements." The Commission cannot use delegated acts to create new sovereignty levels, change the fundamental structure of the EuroCloud Federation, alter the penalty regimes, or redefine the scope of the regulation. Those changes require a new legislative act via the ordinary legislative procedure.

Misconception 3: Delegated acts and implementing acts are the same. They are distinct legal instruments. Implementing acts (governed by Article 291 TFEU and CADA Article 46) provide uniform conditions for applying the regulation but do not amend its text. Delegated acts (Article 290 TFEU and CADA Article 45) amend or supplement the text. For compliance purposes, delegated acts often carry greater weight because they modify the substantive obligations directly, whereas implementing acts merely clarify how to execute existing obligations.

Related

• What is the legal basis for implementing powers in CADA?
• Can the European Parliament or Council revoke the Commission's delegated powers under CADA?
• Who does the Commission consult before adopting a CADA delegated act?
• Which parts of CADA can the Commission change through delegated acts?
• CADA Delegated Acts: The Article 45 Procedure Explained

This is general information about a draft EU regulation, not legal advice.