Summary Under the proposed Cloud and AI Development Act (CADA), the legal basis for adopting implementing acts is Article 46 of the Regulation, which confers implementing powers on the Commission to ensure uniform conditions for implementation across the EU. These powers are exercised in accordance with Regulation (EU) No 182/2011, specifically the examination procedure, as grounded in Article 291 TFEU and Recital 87. This mechanism allows the Commission to adopt technical rules—such as audit methodologies, risk assessment templates, and fee structures—without altering the essential elements of the law, ensuring consistent enforcement of sovereignty and data centre deployment rules.

Detail

The Constitutional Foundation: Article 291 TFEU and Recital 87

To understand the legal architecture of CADA's governance, one must first look to the Treaty on the Functioning of the European Union (TFEU). Article 291(2) TFEU establishes the fundamental principle that where uniform conditions for implementing legally binding Union acts are needed, those acts shall confer implementing powers on the Commission. This is a distinct legal category from delegated acts (governed by Article 290 TFEU), which are used to supplement or non-essentially amend the legislative act. Implementing acts are strictly for execution, ensuring that the law is applied identically in every Member State.

CADA explicitly anchors its implementing powers in this treaty provision. Recital 87 of the CADA proposal (COM(2026) 502 final) provides the legislative intent and procedural mandate:

"In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council."

This recital serves as the bridge between the Treaty and the specific regulatory text, ensuring that the Commission's exercise of power is not discretionary but strictly bound by the comitology framework. This guarantees legal certainty and uniform application across all Member States, a critical requirement for a regulation aiming to harmonise cloud sovereignty standards.

Article 46: The Specific Provision

The operative legal basis is found in Article 46 of the CADA proposal, titled "Committee procedure." This article is concise but legally potent, establishing the committee structure that oversees the Commission's implementing powers.

Article 46(1) states:

"The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011."

Article 46(2) specifies the procedure:

"Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply."

By referencing Article 5 of Regulation (EU) No 182/2011, CADA invokes the examination procedure. This is the most rigorous form of comitology, typically reserved for measures with significant implications. Under this procedure, the Commission's draft implementing act is submitted to a committee composed of representatives of Member States.

  • If the committee delivers a positive opinion, the Commission adopts the act.
  • If it delivers a negative opinion, the Commission cannot adopt the act (unless it refers the matter to the Appeal Committee, which may overturn the negative opinion).
  • If the committee delivers no opinion, the Commission may still adopt the act, provided it has not been explicitly blocked.

This high threshold ensures that Member States retain significant oversight over the technical rules that will govern the EU's cloud infrastructure and procurement markets.

Scope of Implementing Acts in CADA

Implementing acts under CADA are not used to create new policy but to define the technical details necessary for the regulation's uniform application. Based on the text of the proposal, implementing acts are required in several critical areas where standardisation is essential for the single market:

  1. Risk Assessment Methodologies (Article 29(3)): Member States and Union entities must conduct risk assessments to determine the appropriate Union assurance level for cloud services. The Commission is empowered to adopt implementing acts specifying the methodology, templates, and elements to be taken into account. This ensures that a risk assessment in Germany is comparable to one in France, preventing fragmentation in public procurement standards.
  2. Centres for AI (Article 5(4)): Implementing acts will detail the procedure for establishing Experience and Acceleration Centres for AI, including participant profiles, selection criteria, and implementation details.
  3. EuroCloud Federation (Article 34(4) and Article 35(6)): The Commission will adopt implementing acts to specify the procedure for participating in the EuroCloud Federation and the technical, operational, and organisational measures required for sharing data centre services.
  4. Common Procurement Framework (Article 40(5)): Detailed rules for determining fees for the common procurement platform will be set via implementing acts, ensuring transparency in cost recovery for participating entities.
  5. Recognition Procedures (Article 17(12)): The Commission may adopt implementing acts concerning the practical arrangements for the recognition procedures of cloud computing service providers.

Distinction from Delegated Acts

It is crucial for legal teams to distinguish between implementing acts (Article 46) and delegated acts (Article 45), as they serve different constitutional functions and follow different procedures.

  • Delegated Acts (Article 45): Used to supplement or amend non-essential elements of the regulation (e.g., updating Annex I grand challenges, amending Annex II assurance level criteria, or specifying audit rules under Article 20(9)). These are based on Article 290 TFEU and are subject to a right of objection by the European Parliament and the Council, but not a committee vote.
  • Implementing Acts (Article 46): Used to ensure uniform implementation (e.g., setting the template for a risk assessment or the fee structure for procurement). These are based on Article 291 TFEU and are subject to the committee scrutiny of Member States under Regulation 182/2011.

The legal basis for each is explicitly cited in the respective articles. For example, Article 29(3) explicitly states: "The Commission shall, by means of implementing acts in accordance with Article 46(2), specify the methodology..." whereas Article 20(9) states: "The Commission is empowered to adopt delegated acts in accordance with Article 45..."

What this means for you

For in-house counsel, compliance officers, and public procurement teams, understanding the legal basis for implementing acts is not merely an academic exercise; it has direct operational implications for compliance timelines and procedural certainty.

  1. Watch for the Templates: The most immediate impact will come from the implementing acts under Article 29(3). These acts will provide the standardized templates and methodologies for the mandatory risk assessments that public sector bodies and critical entities must conduct. Until these acts are adopted, the precise format of your risk assessment is undefined. Monitor the Official Journal for these publications, as they will dictate the evidence you must gather to justify your chosen Union Assurance Level.
  2. Fee Structures for Procurement: If your organization participates in the common procurement framework or the EuroCloud Federation, the financial obligations will be defined by implementing acts under Article 40(5) and Article 36(4). These acts will specify how fees are calculated and paid. Budget planning for cloud procurement must account for these future costs, which will be detailed in secondary legislation.
  3. Legal Certainty in Audits: For cloud providers seeking recognition under Union Assurance Levels 2, 3, or 4, the audit procedures are partly defined by delegated acts (Article 20(9)) and partly by implementing acts (e.g., procedural arrangements under Article 17(12)). Ensure your compliance framework is flexible enough to adapt to the specific procedural rules laid down in these future acts, particularly regarding the interaction with national competent authorities.
  4. Comitology Transparency: Because implementing acts follow the examination procedure (Regulation 182/2011), they are subject to public scrutiny and Member State voting. You can track the progress of these acts through the EU's comitology register. This provides early visibility into upcoming regulatory burdens, allowing for proactive compliance adjustments rather than reactive scrambling.

Common misconceptions

Misconception 1: Implementing acts can change the substance of the law. Correction: No. Implementing acts under Article 46 and Article 291 TFEU are strictly procedural and technical. They cannot alter the essential elements of CADA. Changes to the core criteria for Union Assurance Levels, for example, are handled via delegated acts under Article 45, not implementing acts. Confusing these two leads to errors in tracking which regulatory changes require a full legislative review versus which are administrative updates.

Misconception 2: The Commission can adopt implementing acts unilaterally without Member State input. Correction: While the Commission drafts the acts, the examination procedure under Regulation 182/2011 requires the opinion of the committee composed of Member State representatives. A negative vote can block the act. This ensures that national perspectives are integrated into the uniform implementation rules, particularly important for sovereignty-related measures where national security interests vary.

Misconception 3: Implementing acts are optional guidance. Correction: Implementing acts are legally binding. Once adopted, they form an integral part of the regulatory framework. Failure to comply with the methodology set out in an implementing act under Article 29(3), for instance, could render a risk assessment invalid, potentially exposing the organization to penalties under Article 24 or non-compliance with public procurement rules under Article 30.

Related

This is general information about a draft EU regulation, not legal advice.