Summary
As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) would enter into force 20 days after its publication in the Official Journal of the European Union. It would become fully applicable one year after that entry into force. Crucially, key Member State obligations (specifically the adoption of national cloud and AI strategies and the designation of national competent authorities) would be due by that same one-year mark. The Commission would conduct its first comprehensive evaluation of the Regulation four years after entry into force.
Detail
Understanding the rollout of the Cloud and AI Development Act (CADA) requires distinguishing between three distinct phases: the legal entry into force, the general date of application, and the specific operational deadlines imposed on Member States and market participants. As a legislative proposal, these dates are conditional on the final adoption of the text by the European Parliament and the Council. If adopted in its current form, the timeline is governed primarily by Article 48 of the proposal, which sets the overarching schedule, while Article 7 and Article 25 define when specific governance structures must be operational.
The Core Legal Timeline: Entry into Force and Application
Article 48 of the CADA proposal establishes the two critical dates that anchor the entire regulatory framework. These dates are calculated relative to the publication of the Regulation in the Official Journal of the European Union (OJ).
- Entry into Force: The Regulation would enter into force on the "twentieth day following that of its publication in the Official Journal of the European Union." This is the moment the law becomes legally binding in its entirety. While the substantive obligations for cloud providers and public bodies are not yet active, the legal instrument exists, and the clock begins ticking for all subsequent deadlines.
- Date of Application: The Regulation would apply "from [same day and month as date of entry into force plus 1 year]." This is the date when the substantive rules, rights, and obligations for market participants and public authorities generally come into effect.
This structure provides a one-year transition period between the law becoming binding and it becoming fully operational. This window is designed to allow stakeholders to prepare their compliance frameworks, update procurement policies, and adjust technical architectures, and to allow Member States to establish the necessary national enforcement bodies.
Member State Deadlines: Strategies and Competent Authorities
While the general application date is one year after entry into force, the proposal imposes specific deadlines on Member States to establish the necessary governance structures. These deadlines are tied to the entry into force date, meaning Member States must act immediately upon the Regulation becoming binding to meet the application deadline.
National Cloud and AI Strategies (Article 7)
Article 7(1) requires Member States to establish national cloud and AI strategies by "[same day as entry into force plus one year]." This deadline coincides exactly with the general date of application. This means that by the time the Regulation's substantive rules start applying, every Member State must already have a national strategy in place.
These strategies must include key objectives and priorities for cloud and AI adoption, aligned with the 'AI first' principle, and must contribute to the digital targets established under the Digital Decade Policy Programme. Crucially, Article 7(5) mandates that Member States notify the Commission of their national strategies within three months of their adoption. This ensures the Commission can monitor alignment across the Union well before the application date.
Designation of National Competent Authorities (Article 25)
Article 25(1) requires Member States to designate one or more national competent authorities responsible for enforcing the sovereignty framework (specifically Title IV, Chapter I) by "[P.O. insert date of entry into force plus 1 year]." Like the national strategies, this deadline is set for one year after entry into force.
These authorities are the linchpin of the CADA enforcement mechanism. They are tasked with receiving applications for recognition of Union assurance levels, assessing evidence, and supervising cloud computing service providers. Article 25(2) requires Member States to notify the Commission of the names, tasks, and powers of these authorities. Without these designated bodies, the recognition process for cloud providers cannot legally commence, making this deadline critical for market readiness.
The Sovereignty Framework and Penalties
The sovereignty framework, which establishes the Union assurance levels, becomes operational on the general application date. However, the preparatory work for this framework relies on the timely designation of authorities and the completion of risk assessments.
Recognition of Cloud Services (Article 17)
Cloud computing service providers seeking recognition for Union assurance levels must submit applications to the national competent authority of their establishment. While Article 17 details the procedural timelines for recognition (e.g., a 60-day assessment period by the authority), the ability to submit these applications and the validity of the resulting recognitions depend on the Regulation being in force and the authorities being designated. The general application date marks when these recognitions become legally valid and enforceable across the Union.
Penalties and Compensation (Article 24)
Article 24 outlines the penalties for infringements of the sovereignty framework. Article 24(1) requires Member States to lay down the rules on penalties applicable to infringements by cloud computing service providers within their competence. While the text does not specify a separate deadline for adopting these penalty rules, they must be in place to enforce the obligations that begin on the application date. Article 24(1) further requires Member States to notify the Commission of these rules "as soon as possible."
Review and Evaluation
The proposal includes a mechanism for periodic review to ensure the Regulation remains effective and responsive to rapid technological changes in the cloud and AI sectors.
Review Clause (Article 47)
Article 47(1) states that by "[date of entry into force plus 4 years], and every 5 years thereafter, the Commission shall evaluate this Regulation, and report to the European Parliament, the Council and the European Economic and Social Committee."
This means the first comprehensive review of CADA's functioning will occur four years after the Regulation enters into force. Since the Regulation applies one year after entry into force, this first review will take place three years after the rules become fully applicable. This review will assess the effective application and enforcement of the Regulation, paying specific attention to small and medium-sized enterprises and new competitors. The report may be accompanied by a proposal for amendment if necessary.
Summary Timeline
The following table summarizes the key milestones from publication to the first review:
| Event | Timing Relative to OJ Publication | Legal Basis |
|---|---|---|
| Publication in OJ | Day 0 | — |
| Entry into Force | Day +20 | Article 48 |
| Member State Deadlines (National Strategies per Art. 7; NCA Designation per Art. 25) | Entry into Force + 1 Year | Article 7(1), Article 25(1) |
| General Application Date (Full applicability of CADA obligations) | Entry into Force + 1 Year | Article 48 |
| First Commission Review | Entry into Force + 4 Years | Article 47(1) |
What this means for you
For public-sector procurement officers, cloud service providers, and legal counsel, this timeline dictates a precise preparation schedule. The one-year gap between entry into force and application is a critical window for operational readiness.
- Immediate Monitoring: As soon as CADA is published in the Official Journal, the clock starts. You should monitor the designation of national competent authorities in your Member State, as these bodies will be the primary point of contact for recognizing sovereign cloud services. Their designation is a prerequisite for any provider to seek recognition.
- Procurement Policy Updates: By the application date (one year after entry into force), you must be ready to procure only cloud services that meet the required Union assurance levels. For activities identified as contributing to the preservation of public order, you must procure services recognized at Union assurance levels 2, 3, or 4 (Article 30(3)). For other public sector activities, the minimum requirement is Union assurance level 1 (Article 30(2)).
- Risk Assessments: Member States must carry out risk assessments to determine which public sector activities require higher assurance levels (Article 29). These assessments must be completed by the application date. Procurement officers must align their tender documents with the outcomes of these national risk assessments, which will define the specific assurance level required for their specific use cases.
- Vendor Engagement: Engage with your current and potential cloud providers early. Providers will need to undergo conformity self-assessments (for Level 1) or independent third-party audits (for Levels 2-4) to gain recognition. This process takes time, and delays in provider recognition could impact your ability to procure compliant services by the application deadline.
Common misconceptions
"The Regulation applies immediately upon publication." No. There is a 20-day period for entry into force, followed by a one-year transition period before the substantive rules apply. However, Member States must meet key governance deadlines (strategies, NCAs) by the end of that first year, meaning the preparation phase starts immediately upon publication.
"All cloud services will be banned if they are not recognized by the application date." Not exactly. The Regulation sets minimum assurance levels for public procurement. Existing contracts may have transition periods, and the Regulation includes derogations for exceptional circumstances where no recognized service is available (Article 30(4)). However, new procurements must comply from the application date.
"The review happens five years after the Regulation starts applying." No. The first review is four years after entry into force, which is three years after the application date. This earlier review allows for quicker adjustments if the initial implementation reveals significant issues.
"Member States have five years to set up their strategies." Incorrect. Article 7 requires Member States to establish national strategies within one year of entry into force, aligning with the general application date.
Official sources
- EU AI Act (Regulation (EU) 2024/1689)
- Data Act (Regulation (EU) 2023/2854)
- Digital Decade Policy Programme (Decision (EU) 2022/2481)
This is general information about a draft EU regulation, not legal advice.