Summary Under the proposed Cloud and AI Development Act (CADA), Estonia is legally required to adopt a national cloud and AI strategy within one year of the Regulation's entry into force, as mandated by Article 7. This strategy is not a voluntary policy paper but a binding document that must include eight specific mandatory elements, ranging from the adoption of an "AI first" principle to concrete measures for SMEs and SMCs, and investments in high-intensity compute infrastructure like AI factories, gigafactories, and quantum computers. Estonia must notify the European Commission of the adopted strategy within three months and is obligated to review and update it at least every three years to ensure alignment with EU digital targets and sovereignty objectives.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a binding obligation for all Member States, including Estonia, to establish a coordinated national approach to cloud and AI development. Article 7 of the proposal sets out the specific requirements for these "national cloud and AI strategies" (hereinafter "national strategies"). For in-house counsel, compliance officers, and public administrators in Estonia, understanding these requirements is critical. The national strategy will serve as the foundational document guiding public procurement, data centre deployment, sovereign cloud adoption, and the allocation of strategic compute resources within the country.

The Eight Mandatory Elements of the National Strategy

Article 7(2) explicitly lists the minimum content that Estonia's national strategy must include. These are not optional guidelines but mandatory components that the Commission will monitor. The strategy must contain the following eight elements:

  1. Key Objectives, Priorities, and Governance (Art. 7(2)(a)): The strategy must define key objectives and priorities for cloud and AI adoption. Crucially, these must be aligned with the "AI first" principle. As defined in the proposal, this principle urges organizations to reflect on their business processes, considering the needs and opportunities offered by AI, while taking into account potential risks. The strategy must also include a governance and monitoring framework to achieve these objectives and priorities.

  2. Acceleration Measures for All Levels (Art. 7(2)(b)): Estonia must outline measures to accelerate the development and adoption of cloud and AI at national, regional, and local levels. The text specifically highlights the need to support public sector bodies, small and medium-sized enterprises (SMEs), and small mid-caps (SMCs). The strategy must support the "Centres for AI" (established under Article 5) as entry points to the European AI innovation ecosystem.

  3. Strategic Sector Deployment (Art. 7(2)(c)): The strategy must include measures to support the broad deployment and uptake of AI in strategic industrial and public sectors. The proposal specifically names healthcare, energy, and mobility as examples of sectors requiring targeted support.

  4. Data Centre Capacity (Art. 7(2)(d)): Estonia must include measures to support the deployment of data centre capacity. The strategy must focus on "high-value data centres" that deliver significant economic and societal benefits while adhering to high environmental and energy-efficiency standards. This aligns with CADA's broader goal of tripling EU data centre capacity and ensuring sustainable deployment.

  5. High-Intensity Computing Infrastructure (Art. 7(2)(e)): The strategy must include measures to invest in high-intensity computing infrastructure. This explicitly includes AI factories, AI gigafactories, and quantum computers. These are to be treated as strategic national and cross-border assets supporting research, development, and industrial AI deployment across strategic sectors.

  6. Cloud and AI Capabilities via Procurement (Art. 7(2)(f)): The strategy must include measures to support the development of cloud and AI capabilities and promote excellence and innovation. This includes leveraging public procurement measures and the specific "public procurement of innovation" measures set out in Article 33 of CADA.

  7. Open Cloud Stack Technologies (Art. 7(2)(g)): To strengthen technological sovereignty, the strategy must include measures to support the development of cloud computing stack technologies built upon open hardware and software. This aims to enhance the competitiveness of strategic European industries and reduce dependencies on non-EU providers.

  8. Data Accessibility (Art. 7(2)(h)): Finally, the strategy must include measures to ensure the accessibility of high-quality data for AI development. A key focus here is preventing data bottlenecks encountered by organizations, ensuring that data is available for training and deploying AI models.

The "AI First" Principle

The "AI first" principle, referenced in Article 7(2)(a), is a core conceptual pillar of the national strategy. Derived from the EU's Apply AI Strategy, it requires organizations to proactively consider how AI can optimize their processes. However, it is not a blind mandate for adoption; it requires a balanced approach that weighs opportunities against potential risks. For Estonian public bodies and regulated private entities, this means their internal policies and the national strategy must reflect a structured methodology for integrating AI while managing associated legal and operational risks. The principle is not about replacing human decision-making but about ensuring AI is considered as a primary tool for process optimization where appropriate.

SMEs and SMCs: A Specific Focus

CADA places significant emphasis on smaller entities to ensure the benefits of the digital transition are widely distributed. Article 7(2)(b) explicitly requires measures to support SMEs and SMCs (Small Mid-Caps). The proposal defines SMCs in Article 2(9) as enterprises defined in Commission Recommendation (EU) 2025/1099. Compliance officers in Estonia should note that the national strategy cannot solely focus on large incumbents; it must provide pathways for smaller players to access cloud and AI technologies, potentially through the network of "Centres for AI" mentioned in the same provision. This ensures that the "AI first" principle is accessible to the broader economy, not just major corporations.

Deadlines, Notification, and Review Cycles

Article 7(1) sets a strict deadline: Estonia must establish its national cloud and AI strategy by the date of entry into force of the Regulation plus one year. If CADA follows the standard legislative timeline and enters into force shortly after publication, Estonia has a limited window to draft, adopt, and publish this strategy.

Furthermore, Article 7(5) imposes rigorous notification and review obligations:

  • Notification: Estonia must notify the European Commission of its national strategy within three months of its adoption.
  • Review: Estonia must assess its national strategy at least every three years based on key performance indicators.
  • Updates: If gaps are identified during these assessments, the strategy must be updated accordingly. The Commission will monitor the adoption and revision of these national strategies to ensure consistency across the Union.

Consistency and Coordination with EU Frameworks

The national strategy cannot exist in a vacuum. Article 7(3) requires that the strategy be consistent with the objectives of CADA. Article 7(4) further requires consistency with the digital targets established under the Digital Decade Policy Programme (Decision (EU) 2022/2481). This includes targets such as the adoption of cloud computing services by at least 75% of EU enterprises and the deployment of 10,000 climate-neutral, highly secure edge nodes.

Additionally, Article 7(6) establishes the role of the European Artificial Intelligence Board (AI Board), established under the AI Act. The AI Board will advise and assist Member States, including Estonia, in coordinating their national strategies and facilitating the exchange of best practices. This ensures that Estonia's national approach aligns with the broader EU AI governance framework.

What this means for you

For in-house counsel, compliance officers, and strategic planners in Estonia, the national cloud and AI strategy is not just a policy document; it is a compliance roadmap that will dictate future regulatory and procurement environments.

  1. Monitor the Drafting Process: Given the one-year deadline for adoption, engage with relevant Estonian authorities (such as the Ministry of Economic Affairs and Communications) to understand how the eight mandatory elements of Article 7 are being translated into national law or policy. Early engagement allows stakeholders to provide input on the specific measures for SMEs and data centre capacity.
  2. Align Internal Policies: If your organization is a public body or a regulated entity, your internal cloud and AI procurement policies must align with the national strategy. Specifically, ensure your procurement processes incorporate the "AI first" principle and consider the sovereignty levels mandated by CADA's risk assessments (Article 29).
  3. SME/SMC Opportunities: If you are an SME or SMC, look for specific measures in the national strategy that support your access to AI factories, gigafactories, or open-source cloud stacks. The strategy is required to include these support mechanisms, which could translate into grants, technical assistance, or preferential access to compute resources.
  4. Data Centre and Compute Investments: If your company is involved in data centre development or high-intensity computing, the national strategy's focus on AI factories and quantum computers (Article 7(2)(e)) may signal future state aid opportunities or streamlined permitting processes under CADA's data centre acceleration zones (Title III).
  5. Procurement Innovation: Pay attention to how the national strategy implements Article 33 (procurement of innovation). Public bodies will be required to monitor and report on innovation procurement, with a target of awarding at least 25% of such contracts to innovative SMEs. This creates a specific market opportunity for Estonian tech firms.

Common misconceptions

  • Misconception: The national strategy is optional guidance.
    • Reality: Article 7 uses mandatory language ("shall establish," "shall include"). Failure to adopt a compliant strategy could lead to infringement proceedings by the Commission. It is a binding legal obligation, not a voluntary best practice.
  • Misconception: Only large tech companies are affected.
    • Reality: Article 7(2)(b) explicitly requires measures for SMEs and SMCs. The strategy must address their specific needs for digital transformation, ensuring they are not left behind in the AI transition.
  • Misconception: The strategy is a one-time submission.
    • Reality: Article 7(5) requires a review at least every three years. The strategy is a living document that must be updated based on key performance indicators and changing technological landscapes.
  • Misconception: "AI first" means adopting AI everywhere.
    • Reality: The "AI first" principle requires a balanced assessment of opportunities and risks. It is not a mandate to use AI inappropriately, but rather to consider it as a primary tool for process optimization where legally and ethically sound.
  • Misconception: Estonia can ignore the Digital Decade targets.
    • Reality: Article 7(4) explicitly requires consistency with the Digital Decade Policy Programme. The national strategy must contribute to EU-wide targets, such as the 75% cloud adoption rate and the deployment of 10,000 edge nodes.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.