What must Italy include in its national cloud and AI strategy under CADA?

Under the proposed Cloud and AI Development Act (CADA), Italy is legally required to adopt a national cloud and AI strategy within one year of the Regulati

Summary Under the proposed Cloud and AI Development Act (CADA), Italy is legally required to adopt a national cloud and AI strategy within one year of the Regulation's entry into force. Article 7(2) mandates that this strategy must contain eight specific elements, ranging from the "AI first" principle to concrete measures for SMEs and SMCs, deployment of data centre capacity, and investment in high-intensity computing infrastructure such as AI factories, AI gigafactories, and quantum computers. Once adopted, Italy must notify the European Commission within three months and review the strategy at least every three years based on key performance indicators, as stipulated in Article 7(5).

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, represents a significant shift in how Member States must coordinate their digital sovereignty and industrial policy. For Italy, as for all Member States, the cornerstone of national implementation is the obligation to develop and maintain a coherent national cloud and AI strategy. This is not a voluntary policy paper; it is a binding legislative requirement designed to ensure that national policies contribute directly to the Union's broader goals of technological sovereignty, competitiveness, and resilience.

The Legal Basis and Binding Deadline

Article 7 of the CADA proposal establishes the specific obligations for Member States regarding national cloud and AI strategies. The timeline is strict and synchronized across the Union. According to Article 7(1), Italy must establish its national strategy by [date of entry into force plus one year]. This deadline ensures that all Member States move in lockstep to create a harmonised environment for cloud and AI adoption, preventing regulatory fragmentation that could hinder the single market.

The strategy is not an isolated document. Article 7(3) requires that national strategies be consistent with the objectives of the CADA Regulation. Furthermore, Article 7(4) mandates that these strategies must be consistent with, and contribute to, the associated digital targets established under Article 4 of Decision (EU) 2022/2481 (the Digital Decade Policy Programme 2030). These targets include specific metrics such as the adoption of cloud computing services, big data, and AI by at least 75% of Union enterprises for their business operations, and the deployment of at least 10,000 climate-neutral highly secure edge nodes in the Union. Italy's strategy must demonstrate how national measures will help achieve these Union-wide benchmarks.

The Eight Mandatory Elements of the Strategy

Article 7(2) explicitly lists the minimum content that Italy's national strategy must include. These eight elements are exhaustive in their scope for the strategy's core content, designed to address both supply-side capacity (infrastructure) and demand-side adoption (usage). Failure to include any of these elements would render the strategy non-compliant with the proposal.

Objectives, Priorities, and Governance (Article 7(2)(a)) The strategy must define key objectives and priorities for cloud and AI adoption. Crucially, these must be in line with the "AI first" principle, as defined in the Apply AI Strategy. This principle urges organisations to reflect on their business processes, considering the needs and opportunities offered by AI, while taking into account potential risks. The strategy must also include a governance and monitoring framework to achieve these objectives and priorities, ensuring there is a clear mechanism for accountability and progress tracking.
Acceleration Measures for All Levels and Entities (Article 7(2)(b)) Italy must include measures to accelerate the development and adoption of cloud and AI at national, regional, and local levels. The proposal specifically targets public sector bodies, small and medium-sized enterprises (SMEs), and small mid-cap enterprises (SMCs). The strategy must support the Centres for AI (Experience and Acceleration Centres for AI) referred to in Article 5, which act as entry points to the European AI innovation ecosystem. This ensures that support reaches not just large corporations but also the smaller entities that drive local innovation.
Strategic Sector Deployment (Article 7(2)(c)) The strategy must outline measures to support the broad deployment and uptake of AI in strategic industrial and public sectors. While the proposal highlights healthcare, energy, and mobility as key areas, the scope extends to other sectors prioritised under the Apply AI Strategy. This element ensures that AI adoption is not generic but targeted at sectors where it can deliver maximum economic and societal value.
Data Centre Capacity Deployment (Article 7(2)(d)) Italy must include measures to support the deployment of data centre capacity. The focus is explicitly on high-value data centres that deliver significant economic and societal benefits while adhering to high environmental and energy-efficiency standards. This aligns with CADA's broader goal to triple EU data centre capacity and address the current capacity gap, ensuring that Italy's infrastructure growth is sustainable and economically viable.
High-Intensity Computing Infrastructure (Article 7(2)(e)) The strategy must include measures to invest in high-intensity computing infrastructure. This explicitly includes AI factories, AI gigafactories, and quantum computers. These are to be treated as strategic national and cross-border assets that support research, development, and industrial AI deployment across strategic sectors. This element is critical for Italy to secure access to the computational power required for frontier AI and industrial innovation.
Capabilities, Innovation, and Public Procurement (Article 7(2)(f)) Italy must support the development of cloud and AI capabilities and promote excellence and innovation. This includes measures related to public procurement, specifically the procurement of innovation measures set out in Article 33 of CADA. This links national strategy directly to the public sector's purchasing power, using it to drive market demand for innovative European solutions.
Open Source and Technological Sovereignty (Article 7(2)(g)) The strategy must support the development of cloud computing stack technologies built upon open hardware and software. This is aimed at strengthening technological sovereignty and enhancing the competitiveness of strategic European industries. By prioritising open standards and open-source components, Italy can reduce dependencies on non-EU providers and foster a more resilient domestic tech stack.
Data Accessibility and Quality (Article 7(2)(h)) Finally, the strategy must ensure the accessibility of high-quality data for AI development. This involves measures to prevent data bottlenecks encountered by organisations, thereby facilitating the training and deployment of AI models. Without high-quality, accessible data, the other elements of the strategy (such as AI factories and sectoral deployment) cannot function effectively.

Notification, Review, and Coordination Obligations

Once the strategy is adopted, Italy cannot keep it internal. Article 7(5) imposes a strict notification deadline: Member States must notify the Commission of their national strategies within three months of their adoption. This allows the Commission to monitor the adoption and revision of these strategies across the Union, ensuring consistency and identifying any gaps early.

Furthermore, the strategy is not a static document. Article 7(5) requires that Member States assess their national strategies at least every three years on the basis of key performance indicators. If necessary, Italy must update the strategy to reflect new technological developments, market conditions, or shifts in EU policy priorities. The Commission will actively monitor this process to ensure consistency across the Union.

Article 7(6) establishes a coordination mechanism involving the European Artificial Intelligence Board (AI Board), established by the AI Act. The AI Board shall advise and assist Member States regarding the coordination of national strategies and facilitate the exchange of best practices among Member States. This ensures that Italy's approach is aligned with peers and contributes to a cohesive European AI landscape, preventing divergent national interpretations of the "AI first" principle or sovereignty requirements.

What this means for you

For in-house counsel, compliance officers, and strategic planners operating in Italy, the development of the national cloud and AI strategy under Article 7 is not just a government exercise; it sets the regulatory and operational context for your organisation for the next decade.

1. Strategic Alignment with the "AI First" Principle The mandatory inclusion of the "AI first" principle in Italy's strategy signals a definitive shift in how businesses should approach digital transformation. Compliance officers should begin assessing whether their organisation's business processes are structured to leverage AI opportunities while managing associated risks. This may involve internal audits of current workflows to identify areas where AI integration is feasible and compliant with both CADA and the AI Act. The strategy will likely provide the national interpretation of this principle, which will guide future procurement and investment decisions.

2. SME and SMC Support Mechanisms If your organisation qualifies as an SME or SMC, the national strategy will likely outline specific support measures, such as access to Centres for AI or funding opportunities. Legal teams should monitor the final text of Italy's strategy to identify these entry points for innovation support. These measures may include assistance with regulatory compliance under CADA and the AI Act, as well as access to testing facilities and skills training.

3. Procurement and Innovation Criteria Article 7(2)(f) links national strategies directly to public procurement of innovation. For companies bidding on public sector contracts, understanding how Italy plans to implement Article 33 is crucial. The strategy will likely define how "European added value" and "open source" criteria will be weighted in tenders. Compliance teams should prepare documentation that demonstrates alignment with these emerging criteria, particularly regarding the use of EU-designed hardware and software.

4. Data Centre and Compute Infrastructure Planning For organisations involved in or dependent on data centre infrastructure, the strategy's focus on AI factories, gigafactories, and quantum computers (Article 7(2)(e)) indicates a national push for high-intensity compute. Legal and operational teams should anticipate new regulations or incentives related to energy efficiency, sustainability, and grid integration, as these are tied to the deployment measures in the strategy. Early engagement with national authorities on these infrastructure projects could be advantageous.

5. Data Governance and Accessibility The requirement to ensure high-quality data accessibility (Article 7(2)(h)) underscores the importance of robust data governance. Compliance officers should review internal data management practices to ensure they prevent bottlenecks and facilitate the high-quality data needed for AI development. This must be done while keeping in mind both CADA and existing data protection laws like the GDPR, ensuring that data sharing mechanisms are legally sound.

Common misconceptions

Misconception 1: The national strategy is optional or advisory. Some may assume that Article 7 is a soft-law recommendation. However, the use of "shall" in Article 7(1) and 7(2) creates a binding legal obligation. Italy must establish the strategy within the specified timeframe, and failure to do so could result in infringement proceedings by the European Commission. The strategy is a prerequisite for accessing certain EU funds and for the harmonised application of CADA's sovereignty framework.

Misconception 2: The strategy only affects the public sector. While the strategy involves public sector adoption, its elements—such as supporting SMEs/SMCs, deploying data centre capacity, and investing in high-intensity compute—have significant implications for the private sector. Private companies will benefit from the infrastructure and support measures outlined, but they must also adapt to the evolving regulatory landscape shaped by these national priorities, particularly in procurement and data accessibility.

Misconception 3: The "AI first" principle means AI must be used in all processes. The "AI first" principle does not mandate the use of AI in every business process. Rather, it urges organisations to reflect on their processes and consider the opportunities and risks AI presents. It is a directive for strategic consideration, not a blanket requirement for implementation. Compliance teams should focus on risk-aware evaluation rather than forced adoption.

Misconception 4: Once adopted, the strategy is set in stone. Article 7(5) explicitly requires a review at least every three years. The strategy is a living document that must adapt to technological advancements and market changes. Organisations should not treat the initial strategy as the final word; continuous monitoring of updates is essential for long-term compliance. The Commission's monitoring role ensures that these updates are not merely formalities but substantive revisions.

Official sources

This is general information about a draft EU regulation, not legal advice.