What must Romania include in its national cloud and AI strategy under CADA?

Summary Under the proposed Cloud and AI Development Act (CADA), Romania is required to adopt a national cloud and AI strategy within one year of the Regulation's entry into force. As proposed in Article 7, this strategy must include eight specific mandatory elements, ranging from governance frameworks to measures supporting SMEs and SMCs, and must incorporate the 'AI first' principle. Romania must notify the European Commission of the adopted strategy within three months of adoption and review it at least every three years based on key performance indicators.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a binding framework for Member States to strengthen the EU's cloud and AI ecosystem. A cornerstone of this framework is the obligation for each Member State, including Romania, to develop a cohesive national strategy. Article 7 of the proposal sets out the precise content, timeline, and governance requirements for these strategies, transforming what might have been voluntary policy planning into a legislative mandate.

The Deadline and Notification Requirement

As proposed in Article 7(1), Member States shall establish national cloud and AI strategies by the date of entry into force plus one year. This creates a strict legislative deadline for Romania to formalize its approach to cloud sovereignty and AI adoption. The strategy is not merely a policy paper but a statutory instrument required to align national efforts with Union objectives.

Once adopted, Article 7(5) mandates that Member States notify the European Commission of their national strategies within three months of their adoption. This notification allows the Commission to monitor consistency with the Regulation's objectives and ensure that national approaches do not fragment the internal market. Furthermore, Article 7(5) requires Romania to assess its national strategy at least every three years on the basis of key performance indicators and, where necessary, update them. The Commission shall monitor the adoption and revision of the national strategies to ensure ongoing alignment.

The Eight Mandatory Elements of the Strategy

Article 7(2) explicitly lists the minimum content requirements for the national strategy. Romania's strategy must include at least the following eight elements, which serve as the structural pillars of the national plan:

1. Objectives, Priorities, and Governance (Article 7(2)(a)): The strategy must define key objectives and priorities for cloud and AI adoption. Crucially, these must be in line with the 'AI first' principle, as defined in the Apply AI Strategy. The strategy must also establish a governance and monitoring framework to achieve these objectives and priorities, ensuring that the plan is actionable and measurable.
2. Acceleration Measures for Public Sector, SMEs, and SMCs (Article 7(2)(b)): The strategy must include measures to accelerate the development and adoption of cloud and AI at national, regional, and local levels. This specifically targets public sector bodies, small and medium-sized enterprises (SMEs), and small mid-cap enterprises (SMCs). The strategy must support the 'Centres for AI' (established under Article 5) as entry points to the European AI innovation ecosystem, ensuring that smaller entities have access to expertise and infrastructure.
3. Strategic Sector Deployment (Article 7(2)(c)): Measures must be included to support the broad deployment and uptake of AI in strategic industrial and public sectors. The proposal explicitly cites healthcare, energy, and mobility as examples of sectors requiring focused support, reflecting the critical nature of these domains for public order and economic resilience.
4. Data Centre Capacity Deployment (Article 7(2)(d)): The strategy must include measures to support the deployment of data centre capacity. This focus is particularly on high-value data centres delivering significant economic and societal benefits while adhering to high environmental and energy-efficiency standards. This element directly addresses the Union's capacity gap and the need for sustainable infrastructure.
5. High-Intensity Computing Infrastructure Investment (Article 7(2)(e)): Romania must include measures to invest in high-intensity computing infrastructure. The proposal specifically lists AI factories, AI gigafactories, and quantum computers as strategic national and cross-border assets. These assets are intended to support research, development, and industrial AI deployment across strategic sectors, ensuring Romania has access to the computational power required for frontier AI.
6. Cloud and AI Capability Development and Procurement (Article 7(2)(f)): The strategy must include measures to support the development of cloud and AI capabilities and promote excellence and innovation. This includes leveraging public procurement measures and public procurement of innovation measures as set out in Article 33 of the proposal. This element ensures that public spending is used to drive market growth and technological sovereignty.
7. Open Hardware and Software Technologies (Article 7(2)(g)): Measures must be included to support the development of cloud computing stack technologies built upon open hardware and software. The stated goal is to strengthen technological sovereignty and enhance the competitiveness of strategic European industries, reducing reliance on proprietary, non-EU stacks.
8. Data Accessibility for AI Development (Article 7(2)(h)): The strategy must include measures to ensure the accessibility of high-quality data for AI development. This specifically involves preventing data bottlenecks encountered by organizations, ensuring that data flows freely to fuel innovation while respecting data protection rules.

Consistency and Alignment Requirements

Beyond the eight specific elements, Article 7(3) requires that national strategies be consistent with the objectives of the CADA Regulation. This ensures that Romania's national plan does not diverge from the Union's broader goals of competitiveness, resilience, and strategic autonomy.

Article 7(4) further mandates that Romania's strategy must be consistent with, and contribute to, the associated digital targets established under Article 4 of Decision (EU) 2022/2481 (the Digital Decade Policy Programme 2030). This creates a direct link between CADA and the EU's existing digital targets, ensuring that national strategies contribute to the Union-wide goal of digital transformation.

The Role of the AI Board

Article 7(6) assigns a specific role to the European Artificial Intelligence Board (the 'AI Board') established by the AI Act. The AI Board shall advise and assist Member States as regards the coordination of national strategies. The AI Board shall facilitate exchange of best practices among Member States. This suggests that Romania may engage with the AI Board to align its strategy with broader EU coordination efforts, ensuring that national priorities are harmonized with Union-wide initiatives.

What this means for you

For in-house counsel, compliance officers, and strategic planners operating in Romania, the CADA proposal introduces a new layer of strategic compliance that extends beyond operational data governance. The national strategy is not just a government document; it is the blueprint for future public procurement, infrastructure investment, and regulatory support.

1. Strategic Alignment is Mandatory Compliance is no longer just about adhering to GDPR or the AI Act's risk classifications. Your organization's digital transformation roadmap must align with Romania's national strategy. As the strategy must include measures for SMEs and SMCs (Article 7(2)(b)), companies in these categories should monitor the national strategy for specific support mechanisms, such as access to 'Centres for AI' or simplified procurement routes. The 'AI first' principle will likely influence how public bodies prioritize AI solutions, creating a market advantage for compliant providers.

2. Procurement and Innovation Opportunities The national strategy must include measures for public procurement of innovation (Article 7(2)(f) and Article 33). This signals that public tenders for cloud and AI services will increasingly favor innovative solutions, particularly those from European SMEs and start-ups. Compliance officers should prepare for procurement processes that evaluate 'European added value' and innovation criteria, as mandated elsewhere in the proposal. The strategy will likely define the specific criteria for these tenders, offering a preview of future market opportunities.

3. Infrastructure and Data Access The requirement to invest in high-intensity computing (Article 7(2)(e)) and ensure data accessibility (Article 7(2)(h)) indicates that the Romanian government will likely develop or partner on AI factories and gigafactories. Organizations should anticipate new opportunities for accessing high-performance computing resources and high-quality datasets, which may be facilitated through the national strategy's implementation measures. This could be particularly relevant for research institutions and large-scale industrial AI projects.

4. Monitoring the Timeline With the strategy due within one year of entry into force and notification to the Commission within three months of adoption, there will be a period of intense policy development. Legal teams should track the draft strategy and any public consultations to anticipate regulatory shifts in cloud sovereignty, data localization, and AI adoption requirements. The three-year review cycle means that the strategy is a living document, and organizations must remain agile to adapt to updates.

5. The 'AI First' Principle in Practice The inclusion of the 'AI first' principle in the national strategy means that Romanian public bodies will be expected to consider AI solutions as the default option for new digital projects. This could lead to a surge in demand for AI systems and cloud services that meet the CADA's sovereignty criteria. Organizations should ensure their offerings are positioned to meet these emerging national priorities.

Common misconceptions

Misconception 1: The 'AI first' principle is a voluntary best practice. Under CADA, the 'AI first' principle is not merely a suggestion; it is a mandatory component of the national strategy's objectives and priorities (Article 7(2)(a)). While the principle itself is defined in the Apply AI Strategy, its inclusion in the national strategy is a binding requirement of the CADA proposal. Member States cannot opt out of this principle when drafting their strategies.

Misconception 2: The national strategy is a one-time document. Article 7(5) requires Romania to assess its national strategy at least every three years and update it where necessary. This creates a recurring compliance and monitoring obligation for both the state and entities relying on the strategy's stability. The strategy is a dynamic instrument that must evolve with technological and market developments.

Misconception 3: Only large corporations are affected by the strategy's SME/SMC provisions. Article 7(2)(b) explicitly requires measures to accelerate adoption among SMEs and SMCs. Therefore, smaller entities are not peripheral to the strategy; they are a primary target for acceleration measures, including support through the network of Centres for AI. The strategy is designed to ensure that the benefits of the cloud and AI ecosystem are accessible to businesses of all sizes.

Misconception 4: The strategy is independent of the Digital Decade targets. Article 7(4) mandates that the national strategy must be consistent with and contribute to the digital targets set under the Digital Decade Policy Programme 2030. The strategy cannot exist in isolation from these broader EU digital benchmarks. Romania's strategy must actively contribute to the Union's digital targets, ensuring a cohesive approach to digital transformation.

Misconception 5: The strategy only covers public sector adoption. While the strategy includes measures for public sector bodies, it also explicitly covers the private sector, including SMEs and SMCs (Article 7(2)(b)), and strategic industrial sectors (Article 7(2)(c)). The strategy is a comprehensive framework for the entire national ecosystem, not just government IT.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• GDPR (Regulation (EU) 2016/679)
• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• What must Sweden include in its national cloud and AI strategy under CADA?
• What must Spain include in its national cloud and AI strategy under CADA?
• What must Slovenia include in its national cloud and AI strategy under CADA?
• What must Slovakia include in its national cloud and AI strategy under CADA?
• What must Portugal include in its national cloud and AI strategy under CADA?

This is general information about a draft EU regulation, not legal advice.