Summary As proposed, the Cloud and AI Development Act (CADA) rests on a cumulative dual legal basis: Article 114 TFEU (internal-market harmonisation) and Article 173(3) TFEU (industrial competitiveness). The preamble cites both. The combination lets the EU remove single-market barriers for cloud services while also actively supporting the Union's industrial cloud and AI capacity. Because CADA is proposed as a Regulation, if adopted it would be binding in its entirety and directly applicable across all Member States, with no national transposition. CADA is still a proposal.
Detail
CADA's legal architecture is distinctive because it relies on two Treaty provisions working together. The preamble of the proposal records that it is adopted "Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 and Article 173(3) thereof." Recital 7 states that the framework pursues separate objectives relying on two distinct legal bases, and recitals 8 and 9 explain each.
Article 173(3) TFEU: industrial competitiveness
Recital 8 invokes Article 173(3) TFEU as the basis for strengthening the competitiveness, capacity and resilience of the Union's cloud and AI technological and industrial base. Importantly, the recital states that such measures "should not entail the harmonisation of national laws or regulations." This is the basis for the supply-side, industrial-support side of CADA — notably the Cloud and AI Leadership Initiatives, which foster cutting-edge cloud and AI technologies and their deployment.
Article 114 TFEU: internal-market harmonisation
Recital 9 invokes Article 114 TFEU on the basis that available compute capacity and the resilience of the cloud and AI ecosystem are best addressed through Union harmonisation measures. A single coherent regulatory framework harmonising certain conditions for providers and deployers of cloud computing services is, the recital says, necessary to ensure the functioning of the internal market. This is the basis for the harmonising elements — the sovereignty framework, the assurance levels and the harmonised conditions for deployment and procurement.
Why a cumulative basis
The two bases do different work. Article 114 supports harmonisation but is not the natural home for active industrial-capacity building; Article 173(3) supports industrial measures but, by its terms here, is not used to harmonise national laws. Combining them lets CADA both dismantle barriers (via harmonisation under Article 114) and build capability (via industrial support under Article 173(3)) within one instrument addressing what the proposal treats as interlinked challenges.
Directly applicable as a Regulation
Because CADA is proposed as a Regulation rather than a Directive, it would, if adopted, be binding in its entirety and directly applicable in all Member States (a point the final clause of the proposal restates expressly). In practice that means:
- No transposition. Member States would not pass national laws to bring CADA into effect; the rules apply directly. Member States would still have roles — designating national competent authorities and acceleration zones, for example — but the substantive rules are set at Union level.
- Uniformity. The sovereignty framework, assurance levels and data-centre rules would apply uniformly, reducing divergent national interpretations.
- Timeline. Under Article 48 the Regulation would enter into force on the twentieth day after publication in the Official Journal and apply one year after entry into force.
What this means for you
For in-house counsel and compliance officers, the dual basis and the Regulation format have concrete consequences.
- Prepare for direct compliance. There is no national transposition to wait for. The obligations apply as written in the EU text once the application date arrives.
- Risk assessments and assurance levels. Member States and Union entities would conduct risk assessments to set the required assurance level (Article 29); providers selling to the public sector must be ready to demonstrate compliance with the relevant level (criteria in Annex II).
- Procurement. As proposed, contracting authorities would procure at least Union assurance level 1, and only levels 2 to 4 where a risk assessment shows public-order relevance (Article 30). Private-sector entities within scope of NIS2 may conduct similar impact assessments (Article 31).
- Data centres. Member States would designate acceleration zones (Article 10) with streamlined permitting (Article 13), applied consistently across the EU.
- Penalties. Member States would lay down penalties for infringements that are effective, proportionate and dissuasive (Article 24); monitor national penalty regimes even though the substantive rules are EU-wide.
Common misconceptions
"CADA is just a market-access rule." No. Article 114 supports harmonisation, but Article 173(3) adds an industrial-policy dimension. CADA actively supports building European capacity, not only removing barriers.
"Member States can transpose CADA differently." No. As a Regulation, CADA is directly applicable. Member States have implementation roles, but the core rules are harmonised at EU level.
"The legal basis lets the EU mandate specific technologies." Not so. CADA sets sovereignty and security criteria and promotes open source (Article 41); it does not mandate particular proprietary products, leaving providers to choose how to meet the criteria.
Related
- What is Article 173(3) TFEU and how does CADA use it as a legal basis?
- Why does CADA have two legal bases (Articles 114 and 173(3) TFEU)?
- What does CADA mean for compliance and legal teams?
- Does CADA require companies to use EU-only cloud providers?
- Why was the Cloud and AI Development Act (CADA) proposed?
This is general information about a draft EU regulation, not legal advice.