Summary

As proposed, the Cloud and AI Development Act (CADA) carries a mandatory review clause in Article 47. It would require the European Commission to evaluate the Regulation and report four years after entry into force, and every five years thereafter, to the European Parliament, the Council and the European Economic and Social Committee. Where appropriate, the report would be accompanied by a proposal to amend CADA (Article 47(2)), and the evaluation must pay specific attention to SMEs and new competitors (Article 47(3)). The clause keeps the framework under periodic, structured scrutiny without itself rewriting the law.

Detail

A review clause is a standard but important feature of EU legislative drafting: it forces a periodic check that a complex framework still fits its purpose. In CADA the clause sits in Article 47, reflecting the recognition that rules for AI, cloud infrastructure and the surrounding geopolitics can date quickly.

The timing of the review

Under Article 47(1), the Commission must evaluate the Regulation and report "by [date of entry into force plus 4 years], and every 5 years thereafter."

  • First review: by four years after entry into force.
  • Subsequent reviews: every five years thereafter.

The staggered design allows an initial assessment once there is enough operating data, followed by regular check-ins on longer-term trends. (Note that under Article 48 the Regulation applies one year after entry into force, so the first review falls roughly three years after the rules begin to apply.)

The proposal's own explanatory framing speaks of reviewing "the functioning of this proposed Regulation" and reporting to the Parliament and Council. The operative deadline, however, is the one in the enacting Article 47(1): four years after entry into force, then every five years. Where the explanatory text refers to a five-year mark, it reflects the broader monitoring intent rather than the binding first-review date — so for planning purposes the four-year figure controls.

The reporting obligation

The evaluation is outward-facing. Article 47(1) requires the Commission to report to the European Parliament, the Council and the European Economic and Social Committee — making the findings on CADA's application and effectiveness available to those institutions and, through them, to stakeholders.

Potential for legislative amendment

A review can be a trigger for change. Article 47(2) provides that, "where appropriate," the report "shall be accompanied by a proposal for amendment of this Regulation." If the evaluation reveals gaps, unintended effects or new challenges the current text does not address, the Commission can table a proposal that might, for example:

  • adjust the criteria for the Union assurance levels (the sovereignty tiers);
  • refine the data-centre acceleration-zone measures;
  • update definitions as the technology evolves; or
  • recalibrate governance structures such as the EuroCloud Federation or the oversight by national competent authorities.

The "where appropriate" wording makes amendment discretionary — the Commission acts only where the evidence justifies it. It is also worth distinguishing this from CADA's two faster adjustment routes. The five-yearly review feeds the legislative track: any amendment it proposes must run the full ordinary legislative procedure with the Parliament and Council. By contrast, delegated acts (Article 45) and implementing acts (Article 46) let the Commission fine-tune annexes, audit detail and procedures between reviews without a legislative amendment. The review clause is therefore the mechanism for structural change, while the secondary-legislation powers handle technical upkeep — and a review may well recommend that some matters be moved between those tracks.

Scope of the evaluation

Article 47 is concise, but Article 47(3) gives it direction: the Commission must take into account the positions and findings of the Parliament, the Council and other relevant bodies, and must "pay specific attention to small and medium-sized enterprises and the position of new competitors." Read with the proposal's objectives, the evaluation will plausibly examine:

  1. Effectiveness of the sovereignty framework — whether the Union assurance levels (1–4) mitigate third-country dependency risks and protect public order.
  2. Data-centre deployment — whether acceleration zones and single information points have increased EU compute capacity and cut permitting times.
  3. Market impact — competition and the relative position of EU-based providers versus non-EU hyperscalers.
  4. Innovation — progress of the Cloud and AI Leadership Initiatives.
  5. Administrative burden — compliance costs, especially for SMEs and small mid-caps, and the efficiency of national competent authorities.

Relationship with adjacent reviews

CADA complements, rather than replaces, other EU digital laws, and each has its own review machinery on its own timetable. The AI Act (Regulation (EU) 2024/1689), the Data Act and the NIS2 Directive each contain their own evaluation and reporting provisions, scheduled independently of CADA. The CADA review will need to consider synergies and overlaps — for instance, how its sovereignty requirements interact with NIS2 resilience obligations, or how it works alongside the AI Act's governance framework — but it does not trigger reviews of those instruments.

What this means for you

For in-house counsel and compliance officers, Article 47 signals that CADA is a "living" instrument: your compliance strategy should be adaptable rather than static.

1. Mark the first-review window. The first evaluation falls four years after entry into force. Stakeholder input around that period can influence whether the Commission proposes amendments, so engaging through industry associations or Commission consultations can shape later iterations.

2. Prepare for possible amendments. If the review finds parts of CADA ineffective or burdensome, an Article 47(2) proposal could change the assurance-level criteria, reporting obligations, or — over time — the penalty framework (Article 24 currently leaves penalties to Member States). Run a regular audit cycle that also tracks any delegated or implementing acts.

3. Document your compliance. During the review period the Commission gathers evidence on how the Regulation works in practice. Keep robust records of risk assessments (Article 29), procurement decisions (Articles 30 and 31) and the steps taken to meet the assurance-level criteria, including audit reports and conformity self-assessments. This both demonstrates compliance and feeds the evaluation evidence base.

4. Engage national competent authorities. The authorities designated under Article 25 enforce the framework and are a natural conduit into the review. Open communication helps you anticipate enforcement trends and concerns likely to surface in the Commission's report.

5. Treat the SME/new-competitor focus as a feedback channel. Article 47(3)'s explicit instruction to weigh the position of SMEs and new entrants is more than rhetoric — it tells you the evidence the Commission is obliged to seek. If you are a smaller, EU-based provider, structured evidence of barriers you face (recognition cost, audit burden, procurement access) is directly relevant to what the review must consider, and is best surfaced through associations and national authorities ahead of the four-year mark.

Why a review clause matters here in particular

Review clauses are routine in EU legislation, but CADA's carries more weight than most because the subject matter moves so fast. The framework rests on premises — the size of the compute-capacity gap, the market share of non-EU providers, the technical bar for sovereignty — that may look different within a few years. A built-in evaluation forces the Commission to test whether the assurance levels, acceleration zones and federation mechanisms are actually delivering, and to say so publicly to the Parliament, Council and Economic and Social Committee. It is the formal mechanism by which a framework designed for a fast-changing market is kept honest about whether it still fits that market.

Common misconceptions

"The review means the law will automatically change." No. The clause mandates an evaluation and a report; an amendment proposal follows only "where appropriate" (Article 47(2)). Many EU reviews produce no legislative change.

"The first review is five years after entry into force." No. It is four years after entry into force (Article 47(1)); the five-year cadence applies to subsequent reviews.

"The review concerns only the Commission." The Commission runs the evaluation, but it must weigh input from the Parliament, the Council and other bodies, and its findings can shape how national authorities enforce the rules.

"The review covers all EU digital law." It is specific to CADA. It does not automatically trigger reviews of the AI Act, GDPR or other instruments, each of which has its own timetable — though the Commission may consider synergies.

This is general information about a draft EU regulation, not legal advice.