What must a national cloud and AI strategy contain under CADA?

Summary Under the proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, every EU Member State is legally required to adopt a national cloud and AI strategy within one year of the Regulation's entry into force. As mandated by Article 7, these are not voluntary policy papers but binding instruments that must contain eight specific elements. These include governance frameworks aligned with the 'AI first' principle, measures to accelerate adoption among SMEs and public bodies, plans for high-intensity computing infrastructure (including AI factories and AI gigafactories), and strategies for open hardware/software stacks. While CADA does not impose direct financial penalties on private entities for a Member State's failure to draft a strategy, the content of these strategies will directly dictate public procurement rules, sovereignty assurance levels, and the availability of sovereign cloud services, fundamentally shaping the compliance landscape for cloud providers and AI developers.

Detail

The Cloud and AI Development Act (CADA) represents a significant shift in EU digital policy, moving from fragmented national approaches to a harmonised framework for cloud sovereignty and AI capacity. Central to this harmonisation is the obligation placed on Member States to coordinate their efforts through a unified national strategy. This requirement is codified in Article 7 of the CADA proposal. For legal professionals, compliance officers, and strategic planners, understanding the precise statutory contents of these strategies is critical. These national documents will define the local regulatory environment, establish the criteria for public procurement, and determine the availability of sovereign cloud services that private entities may be required to use or compete against.

The Deadline and Legal Framework

According to Article 7(1), Member States must establish their national cloud and AI strategies by a deadline of one year after CADA enters into force. The Regulation specifies that these strategies must be consistent with the objectives of the Regulation and contribute to the digital targets established under the Digital Decade Policy Programme (Decision (EU) 2022/2481).

The lifecycle of these strategies is strictly regulated. Article 7(5) requires Member States to notify the Commission of their strategies within three months of adoption. Furthermore, Member States must assess their national strategies at least every three years based on key performance indicators and update them where necessary. The Commission is tasked with monitoring the adoption and revision of these strategies to ensure consistency across the Union.

The Eight Mandatory Elements

The core of the obligation lies in Article 7(2), which explicitly enumerates eight specific components that every national strategy must include. A strategy omitting any of these elements would be non-compliant with the proposed Regulation. The eight required elements are:

1. Key Objectives, Priorities, and Governance (Article 7(2)(a)) The strategy must outline key objectives and priorities for cloud and AI adoption. Crucially, these objectives must be in line with the 'AI first' principle. As defined in the CADA context, this principle urges organisations to reflect on their business processes, considering the needs and opportunities offered by AI, while taking into consideration potential risks. The strategy must also include a governance and monitoring framework to achieve these objectives and priorities.

2. Measures for Adoption Among SMEs, SMCs, and Public Bodies (Article 7(2)(b)) The strategy must detail measures to accelerate the development and adoption of cloud and AI at national, regional, and local levels. This element specifically targets public sector bodies, Small and Medium-sized Enterprises (SMEs), and Small Mid-Cap companies (SMCs). It must also include measures to support the broad deployment of AI in strategic sectors. A key mechanism for this is the support of the Centres for AI (Experience and Acceleration Centres for AI), which serve as entry points to the European AI innovation ecosystem.

3. Strategic Sector Deployment (Article 7(2)(c)) Measures must be included to support the broad deployment and uptake of AI in strategic industrial and public sectors. The text explicitly names healthcare, energy, and mobility as priority areas where AI adoption must be accelerated. This ensures that the strategy addresses sectors critical to the Union's economic security and public interest.

4. Data Centre Capacity Deployment (Article 7(2)(d)) The strategy must include measures to support the deployment of data centre capacity. This is not merely a quantitative target; it requires a focus on high-value data centres that deliver significant economic and societal benefits. Crucially, these measures must ensure adherence to high environmental and energy-efficiency standards, aligning with the broader sustainability goals of the Union.

5. High-Intensity Computing Infrastructure (Article 7(2)(e)) This is a critical element for infrastructure planning and technological sovereignty. The strategy must include measures to invest in high-intensity computing infrastructure. The text explicitly mandates the inclusion of AI factories, AI gigafactories, and quantum computers. These are to be treated as strategic national and cross-border assets supporting research, development, and industrial AI deployment across strategic sectors.

6. Cloud and AI Capabilities via Procurement (Article 7(2)(f)) The strategy must outline measures to support the development of cloud and AI capabilities and promote excellence and innovation. This includes specific measures related to public procurement and the public procurement of innovation as set out in Article 33 of CADA. This element links national strategy directly to the Union's ability to leverage public spending to drive market innovation and reduce dependencies.

7. Open Hardware and Software Stacks (Article 7(2)(g)) To strengthen technological sovereignty, the strategy must include measures to support the development of cloud computing stack technologies built upon open hardware and software. This aims to enhance the competitiveness of strategic European industries and reduce reliance on proprietary, non-EU technologies. This aligns with the broader EU Open Source Strategy and the goal of fostering a resilient digital ecosystem.

8. Data Accessibility (Article 7(2)(h)) Finally, the strategy must include measures to ensure the accessibility of high-quality data for AI development. This specifically targets preventing data bottlenecks encountered by organisations. By ensuring data is available for training and development, the strategy aims to unlock the full potential of AI technologies within the Union.

The Role of the European Artificial Intelligence Board

The implementation of these strategies is not left entirely to Member States in isolation. Article 7(6) assigns a central role to the European Artificial Intelligence Board (AI Board), established under the AI Act (Regulation (EU) 2024/1689). The AI Board is tasked with advising and assisting Member States regarding the coordination of national strategies and facilitating the exchange of best practices. This creates a feedback loop where national strategies are monitored and harmonised at the EU level, ensuring that a strategy in one Member State does not fragment the internal market or create regulatory arbitrage.

Consistency with Digital Decade Targets

Beyond the eight specific elements, Article 7(4) mandates that national strategies must be consistent with and contribute to the associated digital targets established under Article 4 of Decision (EU) 2022/2481. This links CADA directly to the broader Digital Decade Policy Programme 2030, ensuring that cloud and AI strategies are not siloed but are part of a wider digital transformation agenda. The Digital Decade targets include specific metrics for cloud adoption and the deployment of edge nodes, which the national strategies must help achieve.

What this means for you

For in-house counsel, compliance officers, and strategic planners, the national cloud and AI strategy is a foundational document that will influence your organization's operational and legal landscape in four key ways:

1. Public Procurement Eligibility and Sovereignty Requirements CADA introduces strict sovereignty requirements for public sector cloud procurement under Article 30. The national strategy will define which public sector activities are deemed to contribute to the preservation of public order and thus require higher Union Assurance Levels (UAL 2, 3, or 4). If your organization provides cloud or AI services to the public sector, you must monitor the national strategy to understand which assurance levels are required for specific sectors (e.g., healthcare, energy). Failure to align with the sovereignty criteria outlined in the strategy's procurement measures (Article 7(2)(f)) could disqualify you from public tenders or limit your market access.

2. Infrastructure and Investment Opportunities The requirement for Member States to plan for AI factories and AI gigafactories (Article 7(2)(e)) signals significant state-backed investment in high-intensity computing. Compliance officers and business development teams should track these national plans to identify opportunities for partnerships, colocation, or access to compute resources. The strategy will also highlight measures to prevent data bottlenecks (Article 7(2)(h)), which may involve new data-sharing frameworks or public data spaces that your organization could leverage for AI training and model development.

3. Support for SMEs and SMCs If your organization is an SME or SMC, the national strategy is a roadmap for available support. Article 7(2)(b) mandates measures to accelerate adoption among these entities, including support through the Centres for AI. Legal teams should engage with these national initiatives to access upskilling, testing environments, and potential funding, as the strategy is legally required to facilitate this access. Ignoring these national mechanisms could mean missing out on critical resources for digital transformation.

4. No Direct Penalties, but Indirect Compliance Risks CADA does not impose direct fines on private companies for a Member State's failure to draft a compliant strategy. However, the strategy's lack of alignment with CADA could lead to inconsistent enforcement of sovereignty rules across the EU, creating legal uncertainty. Furthermore, if the national strategy fails to properly implement the 'AI first' principle or open-source requirements (Article 7(2)(a) and (g)), your organization may face fragmented expectations from different public buyers. Monitoring the strategy's notification to the Commission (Article 7(5)) is a low-cost way to gauge regulatory readiness in your jurisdiction.

Common misconceptions

Misconception 1: The national strategy is a voluntary best-practice document. Reality: Under Article 7(1) and (2), the national strategy is a mandatory legal obligation for Member States. It must contain the eight specific elements listed in Article 7(2). Failure to adopt it or to include these elements constitutes a breach of EU law by the Member State, potentially leading to infringement proceedings by the Commission.

Misconception 2: The 'AI first' principle is just a slogan. Reality: Article 7(2)(a) explicitly requires the strategy to include objectives and priorities in line with the 'AI first' principle. This is a defined concept in the CADA context, urging organisations to systematically evaluate business processes for AI integration. It is a substantive requirement for the strategy's governance framework, not merely rhetorical.

Misconception 3: AI factories and gigafactories are optional components. Reality: Article 7(2)(e) explicitly requires measures to invest in high-intensity computing infrastructure, including AI factories, AI gigafactories, and quantum computers. These are not suggestions; they are mandatory elements of the national strategy's infrastructure planning. Member States cannot opt out of planning for these assets if they wish to be compliant with CADA.

Misconception 4: Private companies are directly penalized if the national strategy is non-compliant. Reality: CADA imposes obligations on Member States to create strategies, not on private companies to draft them. However, private companies are indirectly affected because the strategy drives public procurement rules (Article 30) and sovereignty assessments (Article 29). A non-compliant strategy may lead to unclear procurement criteria, increasing legal risk for bidders and creating market fragmentation.

Misconception 5: The strategy only covers cloud computing. Reality: As the name "national cloud and AI strategy" suggests, and as detailed in Article 7(2), the strategy must cover both cloud infrastructure (data centres, open stacks) and AI adoption (industrial AI, frontier AI, data accessibility). It is an integrated ecosystem approach, not a siloed IT policy. The inclusion of AI factories and the 'AI first' principle underscores this dual focus.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• When must Member States adopt a national cloud and AI strategy under CADA?
• What is a national cloud and AI strategy under CADA?
• What happens if a Member State does not adopt a national cloud and AI strategy on time?
• What does a national cloud and AI strategy mean for public-sector buyers?
• What does a national cloud and AI strategy mean for cloud providers?

This is general information about a draft EU regulation, not legal advice.