Summary Under the proposed Cloud and AI Development Act (CADA), France is legally required to adopt a comprehensive national cloud and AI strategy within one year of the Regulation's entry into force. As set out in Article 7, this strategy must explicitly include eight mandatory elements: objectives aligned with the "AI first" principle, measures for SMEs and SMCs, deployment plans for data centre capacity, and investments in high-intensity computing (AI factories, gigafactories, and quantum computers). France must notify the European Commission of the adopted strategy within three months and review it at least every three years. While CADA does not prescribe direct fines for Member States for failing to adopt the strategy, non-compliance would constitute a breach of EU law, potentially triggering infringement proceedings.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, marks a fundamental shift in EU digital policy from passive market regulation to active industrial capacity building. For France, as for all Member States, the cornerstone of this national implementation is the obligation to establish a coherent, binding national strategy. This obligation is codified in Article 7 of the proposal.

The requirement is not merely advisory; it is a legislative mandate. France must establish its national cloud and AI strategy by the date one year after CADA's entry into force. This strategy must be consistent with the objectives of the Regulation and contribute to the digital targets established under the Digital Decade Policy Programme 2030, as required by Article 7(4).

The Eight Mandatory Elements of the National Strategy

Article 7(2) explicitly enumerates eight mandatory components that France's national strategy must include. These elements are designed to ensure a holistic approach covering adoption, infrastructure, innovation, and supply chain resilience. A strategy omitting any of these elements would fail to comply with the proposed Regulation.

  1. Key Objectives, Priorities, and Governance (Article 7(2)(a)): The strategy must define key objectives and priorities for cloud and AI adoption. Crucially, these must be in line with the "AI first" principle. As defined in the Apply AI Strategy and referenced in CADA, this principle urges organisations to reflect on their business processes by considering the needs and opportunities offered by AI, while taking into consideration potential risks. The strategy must also outline a governance and monitoring framework to achieve these objectives.

  2. Acceleration Measures for Public Sector, SMEs, and SMCs (Article 7(2)(b)): France must include measures to accelerate cloud and AI development and adoption at national, regional, and local levels. The text specifically highlights three target groups:

    • Public sector bodies.
    • Small and medium-sized enterprises (SMEs).
    • Small mid-cap enterprises (SMCs).

    The strategy should support the "Centres for AI" (established under Article 5 of CADA) as entry points to the European AI innovation ecosystem, facilitating digital transformation for these entities.

  3. Strategic Industrial and Public Sector Deployment (Article 7(2)(c)): The strategy must detail measures to support the broad deployment and uptake of AI in strategic industrial and public sectors. The proposal specifically names healthcare, energy, and mobility as priority areas. This aligns with the broader EU goal of ensuring that critical sectors are not reliant on third-country technologies for their core operations.

  4. Data Centre Capacity and Sustainability (Article 7(2)(d)): Given the EU's current compute capacity deficit, the strategy must include measures to support the deployment of data centre capacity. This is not just about quantity; the proposal mandates a focus on "high-value data centres" that deliver significant economic and societal benefits while adhering to high environmental and energy-efficiency standards. This links directly to the sustainability requirements for data centre acceleration zones outlined in Title III of CADA.

  5. High-Intensity Computing Infrastructure (Article 7(2)(e)): This is a critical element for technological sovereignty. France's strategy must include measures to invest in high-intensity computing infrastructure. The proposal explicitly lists:

    • AI factories.
    • AI gigafactories.
    • Quantum computers.

    These are to be treated as strategic national and cross-border assets supporting research, development, and industrial AI deployment across strategic sectors. This reflects the EU's ambition to triple its data centre capacity and reduce dependence on non-European hyperscalers.

  6. Public Procurement and Innovation (Article 7(2)(f)): The strategy must include measures to support the development of cloud and AI capabilities through public procurement. This includes leveraging the "public procurement of innovation" measures set out in Article 33 of CADA. By using its purchasing power, France can drive demand for sovereign and innovative European cloud solutions.

  7. Open Hardware and Software Stacks (Article 7(2)(g)): To strengthen technological sovereignty, the strategy must support the development of cloud computing stack technologies built upon open hardware and software. This is intended to enhance the competitiveness of strategic European industries and reduce vendor lock-in associated with proprietary third-country stacks.

  8. Data Accessibility and Bottleneck Prevention (Article 7(2)(h)): AI development is data-hungry. The strategy must include measures to ensure the accessibility of high-quality data for AI development. Specifically, it must address preventing data bottlenecks encountered by organisations, ensuring that data availability does not become a limiting factor for French AI innovation.

The "AI First" Principle

The "AI first" principle is a recurring theme in CADA, referenced in Article 7(2)(a) and reinforced in Article 5(2)(b) regarding the Centres for AI. It is not a mandate to use AI in every situation, but rather a strategic directive for organisations to proactively consider how AI can optimise their processes. For French companies and public bodies, this means integrating AI considerations into business planning and risk assessment from the outset, rather than treating it as an afterthought. The principle requires organisations to reflect on their business processes, considering the needs and opportunities offered by AI, while taking into consideration the potential risks.

Notification, Monitoring, and Review

Adopting the strategy is only the first step. Article 7(5) imposes strict procedural obligations on France:

  • Notification: France must notify the European Commission of its national strategy within three months of its adoption.
  • Review Cycle: France must assess its national strategy at least every three years based on key performance indicators. If gaps are identified, the strategy must be updated accordingly.
  • Monitoring: The Commission will monitor the adoption and revision of these national strategies. The European Artificial Intelligence Board (AI Board), established under the AI Act, will advise and assist Member States in coordinating these strategies (Article 7(6)).

Legal Consequences and Penalties

It is important to distinguish between obligations on providers and obligations on Member States.

  • For Cloud Providers: CADA establishes a robust enforcement regime for cloud computing service providers seeking Union assurance levels. Under Article 24, Member States must lay down rules on penalties for infringements by providers. These penalties must be effective, proportionate, and dissuasive. Recipients of services also have the right to seek compensation for damages caused by provider infringements.
  • For France (Member State): CADA does not specify direct financial fines for France if it fails to adopt its national strategy. However, as a Regulation, CADA is binding in its entirety and directly applicable. Failure to transpose or implement the obligations of Article 7 would constitute a breach of EU law. The European Commission could initiate infringement proceedings against France under Articles 258-260 TFEU, potentially leading to significant financial penalties imposed by the Court of Justice of the European Union.

What this means for you

For in-house counsel and compliance officers in France, the national cloud and AI strategy is not just a government document; it is the roadmap for your organisation's compliance and investment landscape.

  1. Align Internal Strategies with "AI First": Review your company's digital transformation plans. Ensure that AI opportunities and risks are assessed proactively. If your organisation is an SME or SMC, leverage the support mechanisms promised in the national strategy, such as access to Centres for AI.
  2. Procurement Implications: As France aligns its public procurement with CADA's "Union added value" criteria (Article 32), private sector entities supplying to the public sector will face increased scrutiny regarding the sovereignty and origin of their cloud and AI stacks. Ensure your supply chain documentation can demonstrate compliance with open-source and European technology preferences.
  3. Data Centre Investments: If your organisation is investing in data centre capacity, ensure your projects align with the sustainability and energy-efficiency standards highlighted in Article 7(2)(d). France's strategy will likely prioritise permits and support for data centres that meet these high environmental standards.
  4. Monitor the Strategy's Publication: Keep a close watch on the French government's publication of its national strategy within the one-year deadline. The specific measures for SMEs, SMCs, and strategic sectors (healthcare, energy, mobility) will dictate where funding and support will flow. Compliance officers should map their organisation's activities to these priority sectors to maximise access to state aid and innovation grants.
  5. Prepare for Sovereignty Audits: While the national strategy sets the tone, the operational reality will be the Union Assurance Levels. Ensure your cloud providers are pursuing or have obtained the necessary Union assurance recognitions. As France conducts its risk assessments (Article 29), public sector bodies will be required to procure only from services meeting the appropriate assurance level. Private entities in critical sectors should anticipate similar pressures.

Common misconceptions

Misconception 1: The "AI First" principle means AI must be used in all decisions. Correction: No. The "AI first" principle is a strategic approach to consider the opportunities and risks of AI in business processes. It does not mandate the use of AI where it is inappropriate or disproportionate. It encourages proactive integration where beneficial, with due regard for risks.

Misconception 2: France can adopt any strategy it wants as long as it mentions AI. Correction: No. Article 7(2) provides a closed list of mandatory elements. The strategy must specifically address SMEs/SMCs, data centre sustainability, high-intensity compute (AI factories/gigafactories), open stacks, and data accessibility. A generic digital strategy would not comply with CADA.

Misconception 3: There are immediate financial fines for France if it fails to adopt the strategy. Correction: CADA does not impose direct administrative fines on Member States for failing to adopt national strategies. However, failure to comply is a breach of EU law, exposing France to infringement proceedings and potential Court of Justice penalties. The direct financial penalties in CADA (Article 24) apply to cloud service providers, not Member States.

Misconception 4: The national strategy is a one-time requirement. Correction: Article 7(5) requires France to assess and update its strategy at least every three years. It is a living document that must adapt to technological developments and key performance indicators.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.