What must Germany include in its national cloud and AI strategy under CADA?

Summary Under the proposed Cloud and AI Development Act (CADA), Germany, like all Member States, is legally required to adopt a national cloud and AI strategy within one year of the regulation's entry into force. Article 7(2) mandates that this strategy must contain eight specific elements, ranging from adherence to the "AI first" principle to concrete measures for SMEs and small mid-caps (SMCs), and plans for high-intensity computing infrastructure such as AI factories, AI gigafactories, and quantum computers. Once adopted, Germany must notify the European Commission within three months and conduct a formal review of the strategy at least every three years based on key performance indicators.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, represents a structural shift in EU digital policy, moving from voluntary coordination to a harmonised framework for national strategic planning. For Germany, as a major industrial and technological hub within the Union, the immediate operational impact lies in Title II of the proposal, which establishes the framework for research, development, and deployment activities. Central to this framework is Article 7, which imposes a binding obligation on Member States to establish national cloud and AI strategies.

The Obligation and Timeline

As proposed, Article 7(1) of CADA requires Member States to establish national cloud and AI strategies (referred to as "national strategies") by a specific deadline: one year after the date of entry into force of the Regulation. While CADA is currently a proposal and the exact calendar date depends on the final legislative procedure and publication in the Official Journal, the relative timeline is fixed. Germany would have a 12-month window from the moment the Regulation becomes law to draft, adopt, and formalise this strategy.

This strategy is not merely a symbolic policy document; it is a binding legal requirement designed to ensure that national policies align with the Union's broader objectives of technological sovereignty, competitiveness, and resilience. Article 7(3) explicitly states that these national strategies "shall be consistent with the objectives of this Regulation." Furthermore, Article 7(4) requires that they contribute to the associated digital targets established under the Digital Decade Policy Programme 2030 (Decision (EU) 2022/2481), specifically regarding the adoption of cloud computing services and the deployment of edge nodes.

The Eight Mandatory Elements

Article 7(2) provides a detailed, exhaustive list of the components that must be included in the national strategy. For Germany, this means the strategy cannot be a generic digital roadmap; it must explicitly address the following eight areas:

1. Key Objectives, Priorities, and Governance (Art. 7(2)(a)): The strategy must define clear key objectives and priorities for cloud and AI adoption. Crucially, these must align with the "AI first" principle. As referenced in Recital 32 of the proposal, this principle urges organisations to reflect on their business processes, considering the needs and opportunities offered by AI, while taking into account potential risks. The strategy must also include a robust governance and monitoring framework to ensure these objectives are achieved.

2. Acceleration at All Levels (Art. 7(2)(b)): The strategy must include measures to accelerate the development and adoption of cloud and AI at national, regional, and local levels. This specifically targets public sector bodies, SMEs, and small mid-caps (SMCs). It must also support the "Centres for AI" (formerly European Digital Innovation Hubs) as entry points to the European AI innovation ecosystem, ensuring that smaller entities have access to the necessary expertise and infrastructure.

3. Strategic Sector Deployment (Art. 7(2)(c)): Measures must be included to support the broad deployment and uptake of AI in strategic industrial and public sectors. The regulation explicitly highlights healthcare, energy, and mobility as priority areas where AI adoption is critical for maintaining competitiveness and societal benefit.

4. Data Centre Capacity (Art. 7(2)(d)): The strategy must support the deployment of data centre capacity. This is not merely about increasing volume; it must focus on "high-value data centres delivering significant economic and societal benefits while adhering to high environmental and energy-efficiency standards." This aligns with the broader CADA objective of tripling EU data centre capacity while ensuring sustainability.

5. High-Intensity Computing Infrastructure (Art. 7(2)(e)): Germany must include measures to invest in high-intensity computing infrastructure. The regulation explicitly names AI factories, AI gigafactories, and quantum computers as strategic national and cross-border assets. These investments are intended to support research, development, and industrial AI deployment across strategic sectors, addressing the current capacity gap in the Union.

6. Capabilities via Public Procurement (Art. 7(2)(f)): The strategy must support the development of cloud and AI capabilities and promote excellence and innovation. This includes measures related to public procurement, specifically referencing the "public procurement of innovation measures" set out in Article 33 of CADA. This links national strategy directly to the Union's demand-side measures to drive market growth.

7. Open Hardware and Software Stacks (Art. 7(2)(g)): To strengthen technological sovereignty, the strategy must support the development of cloud computing stack technologies built upon open hardware and software. This aims to enhance the competitiveness of strategic European industries by reducing dependency on proprietary, non-European stacks and fostering a resilient, transparent technology ecosystem.

8. Data Accessibility (Art. 7(2)(h)): The strategy must ensure the accessibility of high-quality data for AI development. A specific focus is placed on preventing data bottlenecks encountered by organisations. This ensures that data availability does not hinder AI innovation, addressing a critical barrier to the development of frontier and industrial AI models.

Notification, Review, and the Role of the AI Board

The obligation does not end with the adoption of the strategy. Article 7(5) imposes strict procedural requirements on Germany:

• Notification: Member States shall notify the Commission of their national strategies within three months of their adoption. This ensures the Commission can monitor alignment with Union objectives.
• Review: Member States shall assess their national strategies at least every three years on the basis of key performance indicators. If gaps are identified or if the strategy is no longer consistent with the Regulation's objectives, it must be updated accordingly.
• Monitoring: The Commission shall monitor the adoption and revision of these national strategies to ensure consistency across the Union.

Furthermore, Article 7(6) introduces the European Artificial Intelligence Board (AI Board), established under the AI Act (Regulation (EU) 2024/1689), as a key advisory body. The AI Board shall advise and assist Member States, including Germany, regarding the coordination of national strategies. It is tasked with facilitating the exchange of best practices among Member States to ensure a cohesive EU-wide approach, preventing fragmentation in the internal market.

What this means for you

For in-house counsel, compliance officers, and strategic planners in Germany, the national cloud and AI strategy is a critical benchmark for regulatory alignment and future-proofing business operations.

1. Monitor the Strategy's Publication: Keep a close watch on the German Federal Ministry for Digital and Transport (or the designated competent authority) for the publication of the national strategy. Once published, you have a three-month window to ensure your internal policies align with its directives, particularly regarding data access and open-source adoption. The strategy will likely dictate where public funding and procurement priorities lie.
2. Align with the "AI First" Principle: Review your organization's digital transformation roadmap. Does it proactively consider AI opportunities while managing risks? The "AI first" principle is not just a suggestion; it is a mandated component of national policy. Demonstrating alignment with this principle may be beneficial in public procurement tenders, as Article 32 encourages the use of Union-added-value criteria, which often reward alignment with national strategic goals.
3. SME and SMC Engagement: If your organization is an SME or SMC, look for specific support measures outlined in the strategy. Article 7(2)(b) and (h) indicate that the strategy will include measures to accelerate adoption among these entities and prevent data bottlenecks. Compliance officers should identify and leverage these national support mechanisms, such as grants, technical assistance, or access to "Centres for AI," which are designed to bridge the gap between research and market application.
4. Public Procurement Implications: Article 7(2)(f) links the national strategy to public procurement of innovation. If you are bidding for public contracts in cloud or AI services, ensure your tender documentation explicitly references how your solution supports the national strategy's goals, such as using open hardware/software stacks (Art. 7(2)(g)) or contributing to the development of European cloud ecosystems (Art. 32). This alignment could be a decisive factor in award decisions.
5. Data Governance and Bottlenecks: The requirement to prevent data bottlenecks (Art. 7(2)(h)) suggests that Germany will implement measures to improve data sharing and accessibility. Compliance teams should prepare for potential new data-sharing frameworks or mandates that may emerge from this strategic pillar, ensuring that existing data governance structures are flexible enough to accommodate these changes. This may involve revising data classification policies to facilitate safe sharing for AI training.
6. Infrastructure Planning: For data centre operators and cloud providers, the explicit mention of AI factories, gigafactories, and quantum computers in Article 7(2)(e) signals where national investment and permitting acceleration will be focused. Strategic planning for new infrastructure should align with these high-intensity computing priorities to maximise eligibility for support measures and acceleration zones.

Common misconceptions

• Misconception 1: The national strategy is optional or advisory.
  • Reality: Article 7(1) uses the mandatory language "Member States shall establish." It is a binding legal obligation under CADA. Failure to adopt a strategy, or adopting one that is inconsistent with the regulation's objectives (Art. 7(3)), could lead to infringement procedures by the European Commission.
• Misconception 2: The "AI first" principle means AI must be used in all processes.
  • Reality: The "AI first" principle, as referenced in Recital 32 and Article 7(2)(a), is about considering the opportunities and needs offered by AI, while also taking into account potential risks. It is a strategic lens for decision-making, not a blanket mandate to automate every process regardless of suitability or risk.
• Misconception 3: The strategy only applies to the public sector.
  • Reality: While the strategy is adopted by the state, its scope is broad. Article 7(2)(b) explicitly mentions supporting SMEs and SMCs, and Article 7(2)(c) targets strategic industrial sectors. The strategy aims to shape the entire national ecosystem, including private sector adoption and infrastructure deployment.
• Misconception 4: Once adopted, the strategy is static.
  • Reality: Article 7(5) mandates a review "at least every three years." The strategy is a living document that must be updated based on key performance indicators and changing technological landscapes. Compliance officers should not treat the initial publication as the final word; ongoing monitoring is required.
• Misconception 5: The strategy is purely about data centres.
  • Reality: While data centre capacity is a key element (Art. 7(2)(d)), the strategy is holistic. It covers open-source stacks, procurement, data accessibility, and specific industrial applications. Ignoring the non-infrastructure elements could lead to missed opportunities in public procurement and innovation funding.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• What must Sweden include in its national cloud and AI strategy under CADA?
• What must Spain include in its national cloud and AI strategy under CADA?
• What must Slovenia include in its national cloud and AI strategy under CADA?
• What must Slovakia include in its national cloud and AI strategy under CADA?
• What must Romania include in its national cloud and AI strategy under CADA?

This is general information about a draft EU regulation, not legal advice.