Summary The proposed Cloud and AI Development Act (CADA) establishes a strict one-year transitional period between its entry into force and its date of application. Under Article 48, the Regulation enters into force on the twentieth day following its publication in the Official Journal of the European Union, but its substantive obligations only apply one year later. This window is not merely a waiting period; it is a critical operational phase for Member States to adopt national cloud and AI strategies (Article 7) and designate national competent authorities (Article 25). Cloud providers and data centre operators must use this time to map services to the Union assurance levels, prepare for independent audits, and align procurement practices, as the regulatory framework will be fully enforceable immediately upon application.

Detail

The legal timeline: Entry into force vs. Application

The legislative architecture of the proposed CADA (COM(2026) 502 final) deliberately separates the moment the law becomes binding from the moment it imposes obligations. Article 48 explicitly states: "This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union." However, the same article mandates: "It shall apply from [same day and month as date of entry into force plus 1 year]."

This creates a precise one-year gap. During this interval, the Regulation is part of the EU legal order, but the specific duties imposed on cloud computing service providers, data centre operators, and public sector bodies are not yet enforceable. This structure is designed to provide legal certainty and a predictable runway for the complex ecosystem changes required by the Act. It ensures that the administrative machinery of the Member States is operational before the private sector is held to account.

Parallel one-year deadlines for Member States

The transitional period is engineered to force Member States to build the necessary national infrastructure before the Regulation's application date. Two critical statutory deadlines converge exactly one year after the entry into force, creating a synchronized launch for the entire framework.

1. National Cloud and AI Strategies (Article 7)

Under Article 7(1), Member States are required to "establish national cloud and AI strategies" by a specific deadline: "[same day as entry into force plus one year]." These strategies are not optional policy statements; they are mandatory legal instruments that must include:

  • Key objectives and priorities for cloud and AI adoption, aligned with the 'AI first' principle.
  • Measures to accelerate development and adoption at national, regional, and local levels.
  • Specific plans to support the deployment of data centre capacity, with a focus on high-value, energy-efficient facilities.
  • Measures to invest in high-intensity computing infrastructure, including AI factories and quantum computers.
  • Plans to support the development of cloud computing stack technologies built on open hardware and software.

These strategies must be consistent with the objectives of CADA and contribute to the digital targets of the Digital Decade Policy Programme. Member States must notify the Commission of these strategies within three months of adoption and assess them at least every three years.

2. Designation of National Competent Authorities (Article 25)

Simultaneously, Article 25(1) imposes a strict deadline for the establishment of the enforcement architecture. Member States must "designate one or more national competent authorities responsible for enforcing this Chapter" by "[P.O. insert date of entry into force plus 1 year]."

These authorities are the linchpin of the sovereignty framework. They are granted significant investigative and enforcement powers under Article 26, including:

  • The power to require information from cloud providers and auditing organisations.
  • The power to carry out inspections of premises and seize information.
  • The power to order the cessation of infringements and impose fines.

Crucially, Article 25(4) establishes the principle of exclusive competence: the Member State where the cloud provider has its main establishment (head office or registered office) holds exclusive authority for enforcement. By the application date, these authorities must be fully operational, with the necessary technical, financial, and human resources to supervise providers and process recognition applications.

What providers and authorities should prepare in this window

The one-year gap is a preparation phase, not a grace period for inaction. The complexity of the sovereignty framework and the data centre acceleration measures means that readiness requires significant lead time.

For Cloud Computing Service Providers

Providers seeking to serve the public sector must align their operations with the Union assurance levels defined in Annex II well before the application date.

  • Sovereignty Framework Mapping: Providers must determine which assurance level (1, 2, 3, or 4) their services can realistically achieve.
    • Level 1: Requires a conformity self-assessment under Article 19. Providers must prepare an EU statement of conformity demonstrating compliance with criteria such as Union establishment, data localisation, and cybersecurity standards.
    • Levels 2, 3, and 4: Require independent third-party audits under Article 20. Providers must identify and contract accredited auditing organisations, gather the necessary audit evidence (e.g., software bills of materials, data flow diagrams, ownership structures), and remediate any gaps in their supply chain or personnel screening.
  • Subcontractor and Supply Chain Transparency: Annex II imposes strict requirements on subcontractors. Providers must ensure full transparency regarding their supply chain, implement due diligence on third parties, and verify that no third-country control compromises operational autonomy. For higher levels, they must demonstrate effective legal and technical separation from third-country subsidiaries.
  • Data Localisation and Personnel: Providers must verify that infrastructure, assets, and personnel are located in the Union. For Levels 3 and 4, they must prepare to demonstrate that personnel are Union citizens and, where necessary, hold national security clearances.
  • Cybersecurity Certification: Providers must secure a European cybersecurity certificate of at least 'substantial' assurance (Levels 2 and 3) or 'high' assurance (Level 4) under the relevant certification scheme, or demonstrate compliance with the highest cybersecurity standards if such a scheme is not yet established.

For Data Centre Operators

Operators must prepare for the data centre acceleration zones regime under Title III.

  • Zone Designation: Operators should engage with national authorities to identify potential sites for acceleration zones, ensuring they meet sustainability and energy efficiency criteria.
  • Permitting Preparation: Under Article 13, permit-granting procedures in acceleration zones must not exceed 12 months. Operators should prepare comprehensive applications, including environmental assessments and grid connection plans, to leverage the streamlined "aggregated baseline permit" system.
  • Sustainability Standards: Operators must align with the key performance indicators defined in Delegated Regulation (EU) 2024/1364, as referenced in Article 11, to ensure their projects qualify for strategic designation.

For Public Sector Bodies and Contracting Authorities

Public entities must prepare to execute their procurement obligations immediately upon application.

  • Risk Assessments: Under Article 29, Member States and Union entities must conduct risk assessments to identify activities that contribute to the preservation of public order. This assessment determines whether a service requires Union assurance Level 1, or Levels 2, 3, or 4. This process must be completed before the application date to avoid procurement delays.
  • Procurement Strategy: Contracting authorities must update their tendering procedures to include Union added value criteria under Article 32. They must be ready to apply these non-price criteria, which evaluate the tenderer's contribution to the European digital supply chain, without making them decisive for the award.
  • Open Source Adoption: Under Articles 41 and 42, public bodies must encourage the use of open source and prepare to share software developed by or for them via the EU Open Source Solutions Catalogue.

For National Competent Authorities (NCAs)

NCAs must be ready to receive and process recognition applications immediately.

  • Procedural Setup: NCAs must establish the administrative workflows for receiving applications under Article 17, including the 60-day review periods and the mechanisms for cross-border cooperation.
  • Audit Oversight: They must verify the independence and competence of auditing organisations and establish protocols for the central repository registration under Article 22.

What this means for you

The one-year transitional period under CADA is a strategic runway. For cloud providers, it is the time to transform your business model to meet the sovereignty criteria. Waiting until the application date to begin self-assessments or audit preparations is a high-risk strategy that could result in exclusion from public procurement markets. You must treat the sovereignty framework as a product requirement, not a compliance afterthought.

For data centre operators, the window is for securing land, engaging with grid operators, and preparing the environmental and technical dossiers required for acceleration zone designation. The streamlined permitting process is only available if you are ready to apply the moment the rules take effect.

For public sector bodies, the priority is the risk assessment. You cannot procure compliant services if you have not yet determined which assurance level your specific activities require. The risk assessment under Article 29 is the prerequisite for all subsequent procurement decisions.

For Member State authorities, the deadline is absolute. The designation of NCAs and the adoption of national strategies must be completed within the year. Failure to do so creates a legal vacuum where the sovereignty framework cannot be enforced, potentially jeopardising the Union's strategic autonomy objectives.

Common misconceptions

"The Regulation is not in force until the application date." This is incorrect. Under Article 48, the Regulation enters into force 20 days after publication. It becomes part of EU law immediately. The distinction is that the obligations are not yet applicable. The legal framework exists, and Member States are already bound to prepare their strategies and authorities.

"Providers can wait until the application date to start preparing." This is a dangerous assumption. The sovereignty framework requires complex evidence gathering, including independent audits, supply chain mapping, and personnel screening. These processes often take months to complete. Starting only when the Regulation applies would likely result in a failure to obtain recognition in time for public procurement tenders.

"Member States have flexibility on the one-year deadline." The deadlines in Article 7 (national strategies) and Article 25 (NCA designation) are fixed at "one year after entry into force." These are not guidelines but mandatory statutory deadlines. The application date of the Regulation is tied to these deadlines; if Member States fail to act, the enforcement mechanism for the entire Union is compromised.

"The transitional period is only for Member States." While Member States have specific legislative tasks, the transitional period is equally critical for private sector actors. The "preparation" phase for providers involves significant operational changes, including potential restructuring of data flows, personnel, and subcontractor relationships.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.