Summary Under the proposed Cloud and AI Development Act (CADA), the Commission is empowered to adopt delegated acts to update technical criteria, such as the Union assurance levels for cloud sovereignty and audit procedures. This power is governed strictly by Article 45. The procedure requires the Commission to consult Member State experts before adoption, notify the European Parliament and Council simultaneously, and wait for a mandatory objection period. A delegated act enters into force only if neither legislative body objects within two months of notification, a period that may be extended by three months at the initiative of either body. The delegation of power is granted for an indeterminate period but can be revoked at any time by the Parliament or Council.

Detail

Article 45 of the CADA proposal (COM(2026) 502 final) establishes the precise legal framework for the delegation of power to the European Commission. This mechanism is critical for the regulation's adaptability, allowing the Commission to amend non-essential elements—specifically technical annexes and criteria—without requiring a full legislative amendment by the Parliament and Council. The procedure is designed to balance the need for technical agility in the rapidly evolving cloud and AI sectors with robust democratic oversight.

1. Empowerment and Scope of Delegation

The power to adopt delegated acts is conferred on the Commission for specific, enumerated provisions within the proposal. As set out in Article 45(2), this power covers:

  • Article 6(4): Amending Annex I to reflect market and technological developments regarding the Cloud and AI Leadership Initiatives (e.g., updating the "Grand Challenges").
  • Article 16(2): Amending Annex II to update the criteria for Union assurance levels (the core sovereignty framework) and Annex III regarding the evidence required for audits.
  • Article 20(9): Laying down detailed rules on the performance of audits, including procedural steps and templates for audit reports.
  • Article 21(1): Amending Annex III to specify the necessary evidence needed to assess audit criteria.
  • Article 31(3): Requiring impact assessments and risk mitigation measures for private companies operating in sectors of high criticality.

This delegation is granted for an indeterminate period starting from the date of the regulation's entry into force. However, this power is not absolute. Article 45(3) explicitly states that the delegation may be revoked at any time by the European Parliament or the Council. A decision to revoke ends the delegation of the specified powers immediately. Crucially, such a revocation "shall not affect the validity of any delegated acts already in force," ensuring legal stability for measures already adopted.

2. Mandatory Expert Consultation

Before a delegated act is adopted, the Commission must engage in a rigorous consultation process. Article 45(4) mandates that "before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making."

This requirement ensures that national technical expertise informs the Commission's decisions, particularly when updating complex technical criteria such as cybersecurity standards, audit methodologies, or the definition of "frontier AI." The consultation is not merely a formality; it is a procedural prerequisite designed to ensure that the technical content of the act is grounded in practical reality and that Member States are aligned with the proposed changes before they are finalized.

3. Simultaneous Notification and Equal Participation

A critical procedural safeguard in Article 45(5) is the requirement for simultaneous notification. As soon as the Commission adopts a delegated act, it must notify it simultaneously to both the European Parliament and the Council.

Furthermore, Article 45(5) explicitly mandates that to ensure equal participation in the preparation of these acts, "the European Parliament and the Council shall receive all documents at the same time as Member States' experts." Their experts must also have access to meetings of Commission expert groups dealing with the preparation of delegated acts. This transparency requirement prevents any legislative body from being disadvantaged in its ability to review the technical and legal merits of the proposed act. It ensures that the Parliament and Council have the same information and access to the preparatory work as the national experts who advised the Commission, maintaining a level playing field in the legislative oversight process.

4. The Objection Window and Entry into Force

The core of the control mechanism lies in the objection period defined in Article 45(6). A delegated act adopted pursuant to the relevant articles "shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of two months of notification of that act to the European Parliament and to the Council."

This two-month period is not static. Article 45(6) provides that the period "shall be extended by three months at the initiative of the European Parliament or of the Council." This extension mechanism is vital for complex technical acts, such as those amending the detailed criteria for Union assurance levels or audit evidence, which may require extensive legal and technical scrutiny.

  • If no objection is expressed: The act enters into force automatically after the applicable period (two months, or five months if extended).
  • If an objection is expressed: The act does not enter into force. The objection effectively vetoes the measure, preventing it from becoming binding law.

The Commission cannot unilaterally override an objection; the act simply fails to become law. This "negative procedure" places the onus on the legislators to act if they wish to block a measure, but it provides a powerful veto if they do.

5. The Role of Member State Experts

Member State experts play a dual and distinct role in this procedure, as outlined in Article 45(4) and Article 45(5):

  1. Advisory Role in Preparation: They are consulted before adoption. Their input is intended to shape the technical content of the act, ensuring it is feasible and aligned with national implementation realities.
  2. Transparency and Access: Their access to preparatory meetings is guaranteed to ensure they can contribute effectively. However, it is important to note that while they are consulted, they do not have a voting right on the final adoption of the delegated act. The decision to adopt lies with the Commission, subject to the potential revocation of power or objection by the Parliament and Council.

This involvement is crucial for provisions that require deep technical knowledge, such as updating the criteria for Union assurance levels in Annex II or defining the specific audit evidence required in Annex III. The experts ensure that the Commission's technical updates are grounded in the operational realities of the Member States.

What this means for you

For in-house counsel, compliance officers, and cloud service providers, understanding the delegated act procedure is vital for anticipating changes to CADA's technical requirements. The substantive obligations your organization must meet—such as the specific cybersecurity certifications required for Union assurance levels or the detailed audit evidence needed for recognition—are often defined or updated through these delegated acts.

Monitoring Obligations: You must monitor the Official Journal of the European Union for the publication of delegated acts under CADA. Because the objection period can be extended, there is a window of uncertainty after initial notification where the act may still be blocked. However, once published and entered into force, the requirements become binding.

Impact on Compliance Workflows:

  • Audit Readiness: If the Commission adopts a delegated act under Article 20(9) or Article 21(1) to update audit procedures or evidence requirements, your internal audit protocols and third-party auditor contracts may need immediate review. The delegated act will specify new procedural steps or technical competences for auditing organizations.
  • Sovereignty Criteria Updates: Under Article 16(2), the Commission can amend the criteria for Union assurance levels. If these criteria become more stringent (e.g., higher cybersecurity certification thresholds or stricter personnel requirements), you must assess whether your current cloud services remain compliant. Failure to adapt to these updated standards could result in the loss of recognition for a specific assurance level, impacting your ability to bid for public sector contracts.
  • Grand Challenges: Amendments to Annex I under Article 6(4) may shift the focus of EU funding and support. If you are involved in projects related to frontier AI or physical AI, tracking these updates ensures your projects align with the evolving strategic priorities of the Cloud and AI Leadership Initiatives.

Deadlines and Penalties: While the delegated act procedure itself does not impose direct penalties on companies, the acts it produces define the compliance landscape. Non-compliance with the requirements set out in these delegated acts constitutes an infringement of CADA. Under Article 24, Member States must lay down rules on penalties for such infringements, which must be "effective, proportionate and dissuasive." Therefore, staying ahead of the publication of delegated acts is a critical risk mitigation strategy.

Common misconceptions

Misconception 1: Delegated acts are less important than the regulation itself. This is incorrect. While the regulation sets the framework, the delegated acts contain the precise technical specifications that organizations must comply with. For example, the exact criteria for Union assurance level 3 (such as the specific cybersecurity certification level required) are in Annex II, which can be amended by delegated act. Ignoring these updates can lead to non-compliance.

Misconception 2: The Commission can adopt delegated acts unilaterally without legislative oversight. While the Commission drafts and adopts the acts, the European Parliament and Council retain a veto power through the objection mechanism. The two-month (or five-month) objection window is a robust check. If either institution objects, the act does not enter into force. This is distinct from implementing acts, which are adopted under the comitology procedure where the Commission's draft can be rejected but not amended by the committee.

Misconception 3: Member State experts have voting rights in the adoption of delegated acts. Member State experts are consulted and have access to preparatory meetings, but they do not vote on the final adoption. The decision to adopt lies with the Commission, subject to the potential revocation of power or objection by the Parliament and Council. Their role is advisory and technical, ensuring the act is grounded in practical expertise.

Misconception 4: The objection period is always two months. The base period is two months, but it can be extended by three months at the initiative of either the European Parliament or the Council. This extension is common for complex technical acts, providing legislators with up to five months to review. Compliance teams should monitor the status of notified acts to determine if an extension has been requested.

Misconception 5: Delegated acts can be adopted indefinitely. The delegation is granted for an indeterminate period, but Article 45(3) allows the European Parliament or the Council to revoke this power at any time. If revoked, the Commission loses the authority to adopt further delegated acts under the specified provisions.

Related

This is general information about a draft EU regulation, not legal advice.