What must Malta include in its national cloud and AI strategy under CADA?

Summary Under the proposed Cloud and AI Development Act (CADA), Malta, like all Member States, is legally required to adopt a national cloud and AI strategy within one year of the Regulation's entry into force. As set out in Article 7, this is not optional guidance but a mandatory legal instrument. The strategy must explicitly include eight specific elements ranging from the integration of the "AI first" principle to concrete measures for data centre capacity, high-intensity compute infrastructure (including AI factories and quantum computers), and support for small and mid-cap enterprises (SMCs). Malta must notify the European Commission of its adopted strategy within three months and review it at least every three years based on key performance indicators. Failure to comply could trigger Commission monitoring and potential enforcement, as this strategy forms the baseline for Malta's broader obligations under CADA, including public procurement and sovereignty risk assessments.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a comprehensive framework to strengthen the European Union's cloud and AI ecosystem. A cornerstone of this framework is the requirement for Member States to align their national policies with Union-level objectives to ensure a coherent, single-market approach. For Malta, this obligation is codified in Article 7 of the proposed Regulation.

The Obligation and Deadline

According to Article 7(1), Malta must establish its national cloud and AI strategy (referred to in the text as the "national strategy") by the date of entry into force of the Regulation plus one year. This deadline creates a fixed timeline for Maltese policymakers and regulators to draft, approve, and formalize a strategy that meets the stringent criteria set out in the subsequent paragraphs of Article 7.

The national strategy must be consistent with the objectives of CADA and contribute to the digital targets established under the Digital Decade Policy Programme (Decision (EU) 2022/2481), as stated in Article 7(4). This includes targets such as the adoption of cloud computing services, big data, and AI by at least 75% of Union enterprises, and the deployment of at least 10,000 climate-neutral highly secure edge nodes.

The Eight Mandatory Elements

Article 7(2) explicitly lists the minimum content that Malta's national strategy must include. These are not suggestions but mandatory components (a) through (h) that must be present in the final document:

1. Key Objectives and Governance (Art. 7(2)(a)): The strategy must outline key objectives and priorities for cloud and AI adoption, aligned with the "AI first" principle. This principle, as defined in the explanatory memorandum and referenced in the Article, urges organisations to reflect on their business processes, considering the needs and opportunities offered by AI, while taking into account potential risks. The strategy must also include a governance and monitoring framework to achieve these objectives and priorities.

2. Acceleration Measures for SMEs and SMCs (Art. 7(2)(b)): Malta must include measures to accelerate the development and adoption of cloud and AI at national, regional, and local levels. This specifically targets public sector bodies, small and medium-sized enterprises (SMEs), and small mid-cap enterprises (SMCs). Crucially, the strategy must include measures to support the "Centres for AI" (established under Article 5 of CADA) as entry points to the European AI innovation ecosystem, ensuring these entities can access expertise and testing facilities.

3. Strategic Industrial and Public Sectors (Art. 7(2)(c)): The strategy must contain measures to support the broad deployment and uptake of AI in strategic industrial and public sectors. The text explicitly lists healthcare, energy, and mobility as priority areas where AI adoption must be accelerated to maintain global competitiveness and increase societal benefits.

4. Data Centre Capacity Deployment (Art. 7(2)(d)): Malta must outline measures to support the deployment of data centre capacity. This must focus on high-value data centres delivering significant economic and societal benefits while adhering to high environmental and energy-efficiency standards. This aligns with CADA's broader goal of tripling EU data centre capacity and ensuring balanced geographic deployment.

5. High-Intensity Computing Infrastructure (Art. 7(2)(e)): The strategy must include measures to invest in high-intensity computing infrastructure. The text specifically mandates the inclusion of AI factories, AI gigafactories, and quantum computers as strategic national and cross-border assets. These assets are intended to support research, development, and industrial AI deployment across strategic sectors, addressing the Union's capacity gap.

6. Cloud and AI Capabilities and Procurement (Art. 7(2)(f)): Malta must include measures to support the development of cloud and AI capabilities and promote excellence and innovation. This explicitly includes public procurement measures and public procurement of innovation measures set out in Article 33 of CADA. This ensures that public spending drives the development of European cloud and AI ecosystems.

7. Open Cloud Computing Stack Technologies (Art. 7(2)(g)): The strategy must support the development of cloud computing stack technologies built upon open hardware and software. The goal is to strengthen technological sovereignty and enhance the competitiveness of strategic European industries, reducing reliance on proprietary, non-EU stacks.

8. Accessibility of High-Quality Data (Art. 7(2)(h)): Finally, the strategy must include measures to ensure the accessibility of high-quality data for AI development. This specifically targets the prevention of data bottlenecks encountered by organisations, ensuring that data is available for training and deploying AI models in line with the Data Act and other Union data strategies.

The Role of the AI Board

Article 7(6) establishes that the European Artificial Intelligence Board (AI Board), established by the AI Act (Regulation (EU) 2024/1689), shall advise and assist Malta regarding the coordination of its national strategy. The AI Board will facilitate the exchange of best practices among Member States, ensuring that Malta's approach is harmonized with the broader EU ecosystem and that national strategies do not fragment the single market.

Notification and Review Requirements

The obligation does not end with the adoption of the strategy. Article 7(5) imposes strict reporting and review duties on Malta:

• Notification: Malta must notify the Commission of its national strategy within three months of its adoption.
• Review: Malta must assess its national strategy at least every three years based on key performance indicators.
• Updates: If gaps are identified during the assessment, Malta must update the strategy accordingly.

The Commission will monitor the adoption and revision of these national strategies to ensure consistent implementation across the Union.

What this means for you

For in-house counsel, compliance officers, and strategic planners in Malta, the national cloud and AI strategy is not just a government document; it is the foundational reference point for your organization's compliance with CADA, particularly if your company is a public sector body, an SME, an SMC, or an entity in a critical sector.

1. Strategic Alignment and "AI First" You must monitor the publication of Malta's national strategy. Once published, it will define the local interpretation of the "AI first" principle. Compliance officers should ensure that internal AI governance frameworks align with these national priorities. If your organization is an SME or SMC, you should look for specific support measures outlined in the strategy, such as access to the national "Centres for AI" for upskilling and technical support. The strategy will likely dictate where government funding and incentives are directed.

2. Data Centre and Infrastructure Planning If your organization is involved in infrastructure development or relies heavily on local compute capacity, pay close attention to the measures regarding AI factories, gigafactories, and quantum computers (Article 7(2)(e)). The strategy will likely identify specific zones or initiatives where investment is encouraged. Compliance with environmental and energy-efficiency standards (Article 7(2)(d)) will be a prerequisite for any new data centre projects in Malta, especially those located in designated acceleration zones under Title III of CADA.

3. Public Procurement and Sovereignty For public sector bodies and their suppliers, the national strategy will link directly to the procurement obligations in Article 33 and Article 30. The strategy will outline how Malta intends to use public procurement to drive innovation and reduce dependencies on non-European providers. Compliance officers should prepare for increased scrutiny on the origin of cloud services and AI systems, particularly regarding the "Union assurance levels" for sovereignty. The strategy will likely set the context for how Malta applies the Union added-value criteria in public tenders.

4. Monitoring and Reporting While the primary burden of notification lies with the Maltese government, private entities in critical sectors (as defined in Annex I of the NIS2 Directive) may be required to conduct impact assessments under Article 31. The national strategy will provide context for these assessments. Ensure your internal audit processes are ready to evaluate your organization's contribution to the strategic goals outlined in the national strategy, as this may become a factor in future regulatory reviews or eligibility for state aid and EU funding.

5. Deadlines and Accountability Mark the calendar for the one-year deadline for the strategy's adoption. Once adopted, the three-month notification window is tight. If your organization is involved in public-private partnerships or is a key stakeholder in the AI ecosystem, you may be consulted during the drafting phase. Engaging early can help shape the local implementation of CADA in a way that is favorable to your business model. The three-year review cycle means that the strategy is dynamic; organizations must stay agile to adapt to updates.

Common misconceptions

Misconception 1: The national strategy is optional guidance. Reality: Under Article 7(1), the establishment of the national strategy is mandatory. It is a legal obligation for Malta, and failure to adopt it could lead to infringement proceedings by the European Commission. For businesses, ignoring the strategy means operating out of step with the primary regulatory framework governing cloud and AI in the country.

Misconception 2: The strategy only applies to the public sector. Reality: While the strategy is adopted by the state, its measures explicitly target SMEs, SMCs, and strategic industrial sectors (Article 7(2)(b) and (c)). Private companies must align with the strategy to access support, comply with procurement rules, and ensure their AI deployments meet the expected standards of sovereignty and security. The strategy is designed to drive the entire ecosystem, not just government IT.

Misconception 3: The "AI first" principle means AI must be used everywhere. Reality: The "AI first" principle, referenced in Article 7(2)(a), is about strategic consideration, not mandatory deployment. It urges organizations to reflect on their business processes and consider the opportunities offered by AI, while also taking into account potential risks. It is a framework for decision-making, not a blanket requirement to automate all processes.

Misconception 4: Malta can adopt any strategy it likes. Reality: Article 7(3) states that national strategies must be consistent with the objectives of CADA. Article 7(4) requires consistency with the Digital Decade Policy Programme targets. Malta cannot adopt a strategy that contradicts EU-wide goals for technological sovereignty, sustainability, or data protection. The AI Board also provides advice to ensure coordination (Article 7(6)).

Misconception 5: Once adopted, the strategy is static. Reality: Article 7(5) requires Malta to assess its strategy at least every three years and update it if necessary. Compliance officers must therefore treat the strategy as a living document and monitor for updates that may change regulatory expectations or support mechanisms. The Commission's monitoring role ensures that these updates are not merely formalities.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• Data Act (Regulation (EU) 2023/2854)
• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• What must Sweden include in its national cloud and AI strategy under CADA?
• What must Spain include in its national cloud and AI strategy under CADA?
• What must Slovenia include in its national cloud and AI strategy under CADA?
• What must Slovakia include in its national cloud and AI strategy under CADA?
• What must Romania include in its national cloud and AI strategy under CADA?

This is general information about a draft EU regulation, not legal advice.