What must Cyprus include in its national cloud and AI strategy under CADA?

Summary Under the proposed Cloud and AI Development Act (CADA), Cyprus is legally required to establish a national cloud and AI strategy within one year of the Regulation's entry into force. As set out in Article 7, this is not a voluntary policy paper but a binding instrument that must contain eight specific mandatory elements. These range from the adoption of the 'AI first' principle to concrete measures for deploying data centre capacity, investing in high-intensity compute (including AI factories, AI gigafactories, and quantum computers), and supporting SMEs and small mid-caps (SMCs). Once adopted, Cyprus must notify the European Commission within three months and review the strategy at least every three years based on key performance indicators. Failure to align with these requirements could hinder access to sovereign cloud services and disrupt public procurement compliance.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, represents a significant shift in how the EU approaches cloud sovereignty and AI ecosystem development. For Member States like Cyprus, the Act introduces binding obligations to coordinate national efforts with Union-wide strategic goals. Central to this coordination is the requirement for each Member State to adopt a comprehensive national cloud and AI strategy. This strategy serves as the foundational document for implementing the Act's objectives, ensuring that national policies are consistent with the Union's drive for technological autonomy, competitiveness, and resilience.

The Legal Obligation: Article 7 of CADA

Article 7 of the proposed Regulation places a direct and non-discretionary obligation on Member States to establish these strategies. According to Article 7(1), Cyprus must establish its national cloud and AI strategy by the date that is one year after the Regulation enters into force. The text specifies this deadline as "[same day as entry into force plus one year]".

This strategy is not a mere statement of intent or a high-level vision document. It is a structured policy instrument that must align with the specific objectives of the Regulation and contribute to the digital targets set under the Digital Decade Policy Programme 2030 (Decision (EU) 2022/2481). The strategy acts as the bridge between EU-level ambitions and national implementation, ensuring that Cyprus's digital transformation is synchronized with the broader European ecosystem.

The Eight Mandatory Elements of the Strategy

Article 7(2) explicitly lists the minimum content requirements for the national strategy. Cyprus's strategy must include at least the following eight cumulative elements:

1. Key Objectives, Priorities, and Governance (Art. 7(2)(a)) The strategy must define clear key objectives and priorities for cloud and AI adoption. Crucially, these objectives must be in line with the 'AI first' principle. As defined in the Apply AI Strategy and referenced in CADA, this principle urges organisations to reflect on their business processes by considering the needs and opportunities offered by AI, while taking into account potential risks. The strategy must also include a robust governance and monitoring framework to achieve these objectives and priorities, ensuring accountability and progress tracking.

2. Measures for Acceleration at All Levels (Art. 7(2)(b)) The strategy must outline specific measures to accelerate the development and adoption of cloud and AI at national, regional, and local levels. This element explicitly targets public sector bodies, SMEs (small and medium-sized enterprises), and SMCs (small mid-cap enterprises). It requires supporting the 'Centres for AI' (established under Article 5 of CADA) as entry points to the European AI innovation ecosystem. These centres are designed to help organisations accelerate their digital transformation and access European providers of cloud and AI technologies.

3. Broad Deployment in Strategic Sectors (Art. 7(2)(c)) The strategy must include measures to support the broad deployment and uptake of AI in strategic industrial and public sectors. The proposal specifically highlights healthcare, energy, and mobility as key areas for focus. This ensures that AI adoption is not limited to generic applications but is directed toward sectors that are critical for the Union's economic security and public welfare.

4. Data Centre Capacity Deployment (Art. 7(2)(d)) Cyprus must include measures to support the deployment of data centre capacity. This requirement goes beyond simple quantity; the strategy must focus on high-value data centres that deliver significant economic and societal benefits. Crucially, these facilities must adhere to high environmental and energy-efficiency standards, aligning with the Union's green transition goals. This element addresses the current shortage of computing capacity in the EU and the need for geographically balanced deployment.

5. High-Intensity Computing Infrastructure (Art. 7(2)(e)) The strategy must address investments in high-intensity computing infrastructure. This includes AI factories, AI gigafactories, and quantum computers. These assets are viewed as strategic national and cross-border assets supporting research, development, and industrial AI deployment across strategic sectors. By prioritizing these investments, Cyprus would contribute to closing the Union's compute capacity gap and reducing dependencies on third-country infrastructure.

6. Cloud and AI Capabilities via Procurement (Art. 7(2)(f)) The strategy must include measures to support the development of cloud and AI capabilities and promote excellence and innovation. This explicitly references public procurement measures and the public procurement of innovation measures set out in Article 33 of CADA. This element ensures that public spending is leveraged to drive market innovation and support European providers, rather than simply purchasing off-the-shelf solutions.

7. Open Hardware and Software Stacks (Art. 7(2)(g)) To strengthen technological sovereignty, the strategy must support the development of cloud computing stack technologies built upon open hardware and software. This aims to enhance the competitiveness of strategic European industries and reduce lock-in to proprietary third-country solutions. By fostering open standards and open-source components, the strategy would help build a resilient and transparent digital ecosystem.

8. Accessibility of High-Quality Data (Art. 7(2)(h)) The strategy must include measures to ensure the accessibility of high-quality data for AI development. This involves preventing data bottlenecks encountered by organisations, which is critical for training effective AI models. Without access to diverse and high-quality datasets, the development of frontier AI and industrial AI models would be severely hampered.

The 'AI First' Principle in Practice

The 'AI first' principle is a recurring and mandatory theme in CADA. It is not just a slogan but a required component of the national strategy's objectives. It requires a fundamental shift in how public and private entities design their processes—considering AI integration from the outset rather than as an afterthought. For in-house counsel and policy makers in Cyprus, this means reviewing existing digital transformation plans to ensure they are not just compliant with legacy IT standards but are actively designed to leverage AI opportunities while managing associated risks. The principle mandates a proactive approach where AI is considered a primary tool for solving business and public service challenges.

Deadlines, Notification, and Review Cycles

Once adopted, the strategy is not set in stone. Article 7(5) imposes strict timelines for notification and review to ensure the strategy remains relevant and effective:

• Notification: Member States must notify the Commission of their national strategies within three months of their adoption. This ensures the Commission can monitor alignment with Union objectives and provide guidance if necessary.
• Review: Member States must assess their national strategies at least every three years on the basis of key performance indicators. If gaps are identified or if the strategy no longer aligns with Union objectives, it must be updated accordingly.
• Monitoring: The Commission shall monitor the adoption and revision of the national strategies, ensuring a consistent approach across the Union.

Role of the European Artificial Intelligence Board

Article 7(6) assigns a specific role to the European Artificial Intelligence Board (the 'AI Board') established under the AI Act. The AI Board shall advise and assist Member States as regards the coordination of national strategies. It will facilitate the exchange of best practices among Member States. This suggests that Cyprus will not be acting in isolation; it will be part of a coordinated EU-wide effort, with the AI Board serving as a central platform for cooperation and standardisation.

Consistency and Alignment with EU Targets

Article 7(3) states that national strategies must be consistent with the objectives of this Regulation. Furthermore, Article 7(4) requires that these strategies contribute to the associated digital targets established under Article 4 of Decision (EU) 2022/2481. These targets include the adoption of cloud computing services, big data, and AI by at least 75% of Union enterprises for their business operations, and the deployment of at least 10,000 climate-neutral highly secure edge nodes in the Union. Cyprus's strategy must therefore be calibrated to help meet these broader EU metrics, ensuring that national efforts contribute to the collective digital transformation of the Union.

What this means for you

For in-house counsel, compliance officers, and strategic planners in Cyprus, the adoption of the national cloud and AI strategy is a critical compliance milestone. While the strategy itself is a government document, its requirements cascade down to public sector bodies and private entities operating in critical sectors.

1. Monitor the Strategy's Publication and Content You must track the publication of Cyprus's national strategy. Once published, it will serve as the benchmark for compliance in public procurement and public sector AI deployment. Ensure your organisation's digital and AI roadmaps are aligned with the strategy's stated priorities, particularly regarding the 'AI first' principle and data accessibility. If your organisation is a public body, your procurement plans must reflect the strategy's focus on sovereign cloud and open-source stacks.

2. Prepare for Public Procurement Changes Article 7(2)(f) links the national strategy to public procurement of innovation. As a compliance officer, you should anticipate that future public tenders for cloud and AI services will explicitly reference the national strategy. Bids that do not demonstrate alignment with the strategy's goals—such as using open-source stacks, contributing to EU technological sovereignty, or supporting SME participation—may be disadvantaged or rejected.

3. Leverage SME and SMC Opportunities If your organisation is an SME or SMC, pay close attention to Article 7(2)(b). The strategy must include measures to accelerate AI adoption among these entities through the 'Centres for AI'. Identify these centres early, as they will likely offer subsidies, technical support, and access to computing resources that can lower your barriers to AI adoption. The strategy is designed to ensure that smaller players are not left behind in the AI transition.

4. Data Centre and Compute Infrastructure Planning If your organisation is involved in infrastructure, real estate, or energy, note the emphasis on AI factories, gigafactories, and quantum computing (Article 7(2)(e)). The national strategy will likely include incentives or regulatory frameworks for these investments. Compliance officers in the energy and real estate sectors should prepare for new sustainability and efficiency standards linked to data centre deployment (Article 7(2)(d)), as the strategy must focus on high-value, energy-efficient facilities.

5. Open Source and Sovereignty Compliance The requirement to support open hardware and software stacks (Article 7(2)(g)) signals a shift away from proprietary, non-EU solutions in the public sector. Legal teams should review vendor contracts for potential lock-in risks and begin evaluating open-source alternatives that meet the sovereignty criteria outlined in CADA's Annex II. This is not just a technical preference but a strategic requirement for future public contracts.

6. Data Governance and Quality Article 7(2)(h) highlights the need for high-quality, accessible data. Compliance officers must ensure that data governance frameworks are robust enough to support AI training while adhering to GDPR and the Data Act. This includes implementing measures to prevent data bottlenecks and ensuring data quality for AI development. The strategy will likely mandate specific data-sharing mechanisms or repositories to facilitate this.

Common misconceptions

Misconception 1: The national strategy is just a guideline. Reality: Under Article 7, the strategy is a binding obligation for the Member State. While it is a policy document, it forms the basis for subsequent legal obligations, including public procurement rules and risk assessments under Article 29. Non-alignment can lead to compliance failures in public sector contracts and hinder access to Union funding.

Misconception 2: SMEs are exempt from the strategy's influence. Reality: Article 7(2)(b) explicitly requires measures to accelerate AI adoption among SMEs and SMCs. While SMEs may not draft the strategy, they are the primary target of its support mechanisms. Ignoring the strategy means missing out on state-supported resources and potentially failing to meet future regulatory expectations for AI readiness.

Misconception 3: The 'AI first' principle means AI must be used in every process. Reality: The 'AI first' principle requires organisations to consider AI opportunities and risks in their process design, not to force AI into every workflow. It is a strategic assessment tool, not a mandate for ubiquitous AI deployment. The strategy must balance opportunity with risk management, ensuring that AI is used where it adds value and is safe.

Misconception 4: Cyprus can adopt an existing digital strategy without changes. Reality: Article 7(3) requires consistency with CADA's objectives. If an existing strategy lacks specific elements like AI factories, open-source stacks, or the 'AI first' principle, it must be updated. Article 7(1) implies a new or significantly updated document is required, not just a reference to old plans. The strategy must be comprehensive and address all eight mandatory elements.

Misconception 5: The strategy is set in stone after adoption. Reality: Article 7(5) mandates a review at least every three years. The dynamic nature of AI technology and the EU's evolving geopolitical stance on sovereignty mean the strategy will require regular updates. Compliance officers must treat the strategy as a living document that evolves with technological and market developments.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• GDPR (Regulation (EU) 2016/679)
• Data Act (Regulation (EU) 2023/2854)
• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• What must Sweden include in its national cloud and AI strategy under CADA?
• What must Spain include in its national cloud and AI strategy under CADA?
• What must Slovenia include in its national cloud and AI strategy under CADA?
• What must Slovakia include in its national cloud and AI strategy under CADA?
• What must Romania include in its national cloud and AI strategy under CADA?

This is general information about a draft EU regulation, not legal advice.