What is the role of the European Commission under CADA?

Summary Under the proposed Cloud and AI Development Act (CADA), the European Commission acts as the central coordinator for EU cloud sovereignty, infrastructure deployment and public procurement. Its core roles would include designating data centre strategic projects (Article 14), monitoring the Union's compute capacity gap (Article 15), establishing and maintaining the central repository of recognised cloud services (Article 22), and carrying out common procurement activities for Union entities and contracting authorities (Article 37). The Commission would also hold delegated and implementing powers to update technical criteria and procedures. Day-to-day enforcement against providers, however, sits with national competent authorities.

Detail

As proposed, CADA establishes a framework to strengthen Europe's cloud and AI ecosystem. National competent authorities would handle local recognition and enforcement, while the Commission retains executive, coordinative and supervisory powers. For in-house counsel, understanding these roles matters for strategic-project designations, procurement opportunities and evolving obligations.

Designating strategic data centre projects

Under Article 14, the Commission may, by decision, designate as strategic projects data centre projects selected through open calls for expressions of interest that fulfil at least two of several criteria, including:

• directly supporting and enhancing essential public-sector functions (research and education, healthcare, public safety and security);
• including highly sustainable or innovative features, such as technologies developed under Title II;
• contributing to the security, safety and stability of the electricity grid, in particular through colocation of large clean-energy generation and storage;
• integrating chips, processors, accelerators, servers or quantum computers designed and/or manufactured in the Union, strengthening Union supply chains; or
• addressing a major compute-capacity shortage in an area identified under Article 15 while significantly supporting the local economy.

The duration of a designation is based on the project's predicted lifetime (Article 14(3)). Under Article 14(4), the Commission may withdraw a designation where a project no longer fulfils the criteria, or where designation was based on an application containing incorrect information — in which case the project loses all rights connected to that status.

Monitoring the capacity gap

Article 15 requires the Commission, for the purpose of monitoring progress toward the Digital Decade objectives (Decision (EU) 2022/2481), to identify and monitor:

1. the compute capacity available in the Union, including edge computing;
2. the volume of demand for data centre capacity; and
3. the size of the capacity gap and underserved areas, which the Commission — in cooperation with the Member States — could identify and which could then be used as acceleration zones for data centre deployment.

Maintaining the central repository

Article 22 requires the Commission to establish and maintain a dedicated central repository of cloud computing services recognised under Article 17 as offering the Union assurance levels (1–4). National competent authorities of establishment register recognised services in it (Article 22(2)). The repository must be publicly available and regularly updated by the Commission and those authorities on a dedicated, easily accessible website (Article 22(4)). Where an auditing organisation revokes an audit report and opinion, or a competent authority revokes a recognition, that revocation must be published in the repository and remain available for five years (Article 22(3)). For compliance officers, this is the reference point for verifying a provider's recognised assurance level.

Managing common procurement activities

Under Article 37, the Commission may carry out procurement activities for Union entities and contracting authorities of the Member States — for example procuring data centre services, cloud computing services, software and AI systems on their behalf, acting as a wholesaler that acquires and resells services, and providing ancillary support such as technical infrastructure and procurement advice. These activities are managed through agreements with participating entities and overseen by a Steering Committee (Article 38), with costs recovered through fees (Article 40). This lets smaller public authorities access solutions they might not procure independently.

Adopting delegated and implementing acts

To keep CADA current, the Commission would hold powers to adopt secondary legislation.

• Delegated acts (Article 45): Among other things, the Commission may amend Annex I (grand challenges) under Article 6, and amend the Union assurance levels in Annex II and the evidence in Annex III under Article 16. It may also act under Articles 20(9), 21(1) and 31(3).
• Implementing acts (Article 46): The Commission sets uniform conditions of implementation — for example the methodology, templates and elements for risk assessments (Article 29(3)), procedures for the Centres for AI (Article 5), and arrangements for the EuroCloud Federation and common procurement.

These acts let the Commission update technical and procedural rules without amending the primary legislation.

What this means for you

For in-house counsel and compliance officers, the Commission's role translates into concrete implications:

1. Strategic-project eligibility: If you are developing a large data centre, assess whether it meets at least two Article 14 criteria. Designation can facilitate deployment, but ensure your application data is accurate — the Commission can withdraw designation for incorrect information.
2. Sovereignty verification: When procuring cloud services for public-sector activities, rely on the central repository (Article 22). Verify the service is listed at the required Union assurance level, and watch for revocations, which remain visible for five years.
3. Procurement opportunities: Public-sector entities can engage with the Commission's common procurement framework (Article 37), which may offer better pricing and recognised services; be prepared for cost-recovery fees (Article 40).
4. Regulatory agility: Track delegated and implementing acts under Articles 45 and 46, which will refine the assurance-level criteria and audit and risk-assessment procedures. Keep compliance programmes flexible enough to absorb them.

Common misconceptions

• "The Commission enforces CADA directly against cloud providers." Largely incorrect. Recognition and supervision of providers run through national competent authorities; the Commission coordinates between authorities and maintains the central repository, but does not itself recognise individual services or impose national penalties (penalties are set and applied by Member States under Article 24).
• "The Commission approves every cloud service." Incorrect. National competent authorities evaluate applications and recognise services under Article 17. The Commission's role is to maintain the central repository of already recognised services (Article 22) and to set the technical criteria via Annexes II and III.
• "Strategic-project designation is automatic." Incorrect. The Commission designates projects selectively, by decision, from open calls, where at least two Article 14 criteria are met — and may withdraw designation if the criteria cease to be met.

Official sources

• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• What policy options did the Commission consider for CADA?
• What is the role of public order in CADA?
• Why was the Cloud and AI Development Act (CADA) proposed?
• Why is the EU dependent on non-EU cloud providers?
• Why does CADA have two legal bases (Articles 114 and 173(3) TFEU)?

This is general information about a draft EU regulation, not legal advice.