CADA Member State obligations

Summary Before the proposed Cloud and AI Development Act (CADA) becomes applicable, Member States must execute a series of critical preparatory actions within a strict, staggered timeline. As proposed in COM(2026) 502 final, these obligations include: (1) designating at least one data centre acceleration zone within six months of entry into force (Article 10); (2) adopting a comprehensive national cloud and AI strategy within one year (Article 7); (3) designating national competent authorities (NCAs) to enforce the sovereignty framework within one year (Article 25); and (4) laying down penalty rules that are effective, proportionate, and dissuasive (Article 24). While the Regulation generally applies one year after entry into force, the acceleration zone deadline creates an earlier imperative for infrastructure planning. These steps are foundational to the Union's cloud sovereignty and capacity-building objectives.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026, establishes a dual framework: one to boost computing capacity and another to ensure strategic autonomy through a sovereignty framework. While the Regulation is directly applicable as a Regulation, its operational success depends entirely on Member States completing specific legislative and administrative tasks during the transition period.

The proposal stipulates in Article 48 that the Regulation shall enter into force on the twentieth day following its publication in the Official Journal of the European Union. Crucially, it shall apply from one year after that date. However, this "one-year application" rule is punctuated by earlier, mandatory deadlines for specific infrastructure and governance measures.

1. Designating Data Centre Acceleration Zones (Article 10)

The most time-sensitive obligation for Member States concerns the physical deployment of computing infrastructure. To address the EU's compute capacity deficit and reduce reliance on third-country infrastructure, Article 10(1) imposes a strict deadline: Member States must designate at least one data centre acceleration zone within their territory by six months after the date of entry into force.

This deadline precedes the general application date of the Regulation, signaling that infrastructure planning must begin immediately upon entry into force. When designating these zones, Member States cannot act arbitrarily; Article 10(1) mandates a comprehensive assessment of several factors:

• Site characteristics: The location, dimension, and minimum/maximum size of facilities.
• Energy and Grid: Available and future power grid capacity, and the possibility of on-site clean energy generation.
• Connectivity: Available and future network connectivity capacity.
• Sustainability: The ability to function sustainably, including the reuse of waste heat and the preference for brownfield sites over greenfield sites to minimize environmental impact.
• Legacy Networks: The capacity to support the phasing out of legacy copper networks.

Furthermore, Article 10(2) requires Member States to conduct a comprehensive analysis of the energy needs and greenhouse gas emission impacts of these zones. This analysis must be reviewed at least every three years. Crucially, Member States must ensure that network development plans prepared by transmission and distribution system operators take due account of this analysis to facilitate "anticipatory grid investments." This ensures that the grid is ready to support the massive energy demands of new data centres before they are built.

2. Adopting National Cloud and AI Strategies (Article 7)

Parallel to infrastructure designation, Member States must establish a strategic roadmap. Under Article 7(1), Member States must establish national cloud and AI strategies by one year after the date of entry into force.

These strategies are not merely high-level declarations. Article 7(2) explicitly lists the mandatory content, requiring Member States to include:

• Objectives and Priorities: Key goals for cloud and AI adoption, aligned with the 'AI first' principle, including a governance and monitoring framework.
• Adoption Measures: Specific actions to accelerate adoption at national, regional, and local levels, particularly for public sector bodies, SMEs, and small mid-caps (SMCs).
• Data Centre Deployment: Measures to support the deployment of data centre capacity, with a focus on high-value, environmentally sustainable facilities.
• High-Intensity Infrastructure: Plans to invest in AI factories, AI gigafactories, and quantum computers as strategic national assets.
• Sovereign Stacks: Measures to support the development of cloud computing stack technologies built upon open hardware and software to strengthen technological sovereignty.
• Data Accessibility: Measures to ensure the accessibility of high-quality data for AI development, preventing data bottlenecks.

Article 7(3) requires these strategies to be consistent with the Regulation's objectives, while Article 7(4) mandates alignment with the digital targets of the Digital Decade Policy Programme. Member States must notify the Commission of their strategies within three months of adoption (Article 7(5)) and assess them at least every three years. The European Artificial Intelligence Board (AI Board), established under the AI Act, will advise and assist Member States in coordinating these strategies (Article 7(6)).

3. Designating National Competent Authorities (Article 25)

The enforcement of CADA's cloud computing sovereignty framework (Title IV, Chapter I) relies on robust national oversight. Article 25(1) requires Member States to designate one or more national competent authorities (NCAs) responsible for enforcing this chapter by one year after the date of entry into force.

Member States may designate existing authorities, but they must ensure these bodies have the necessary resources, expertise, and technical means to perform their tasks impartially, transparently, and timely (Article 25(3)). The Regulation establishes a clear rule of competence: the Member State where the cloud computing service provider has its main establishment (head office or registered office where principal financial functions and operational control are exercised) holds exclusive competence for enforcing the sovereignty chapter (Article 25(4)).

Once designated, Member States must notify the Commission of the names, tasks, and powers of these authorities. The Commission will maintain a public register of these authorities (Article 25(2)). These NCAs will be responsible for recognizing cloud computing service providers, supervising audits, and enforcing penalties, acting as the primary interface between national enforcement and the Union-wide sovereignty framework.

4. Laying Down Penalty Rules (Article 24)

To ensure the sovereignty framework has teeth, Member States must establish a robust penalty regime. Article 24(1) mandates that Member States lay down rules on penalties applicable to infringements of the sovereignty chapter by cloud computing service providers. These penalties must be effective, proportionate and dissuasive.

While the general application of CADA is one year after entry into force, the preparatory work to define these penalties must be completed beforehand to ensure immediate enforceability upon application. Member States must notify the Commission of these rules and any subsequent amendments as soon as possible (Article 24(1)).

When determining the specific penalties, Article 24(2) provides a non-exhaustive list of criteria Member States must consider:

• The nature, gravity, scale, and duration of the infringement.
• Any action taken by the infringing party to mitigate or remedy the damage.
• Any previous infringements by the infringing party.
• The financial benefits gained or losses avoided due to the infringement.
• The infringing party's annual turnover in the Union.

Additionally, Article 24(3) establishes a right for recipients of cloud computing services to seek compensation from providers for any damage or loss suffered due to an infringement of the provider's obligations under the sovereignty chapter. This creates a private right of action alongside public enforcement.

Staggered Interim Deadlines: A Timeline for Action

The proposal employs a staggered approach to deadlines, ensuring that infrastructure planning begins before the full regulatory framework is active. The timeline is as follows:

1. Entry into Force: 20 days after publication in the Official Journal (Article 48).
2. Acceleration Zones Deadline: Six months after entry into force. Member States must designate at least one data centre acceleration zone by this date (Article 10(1)). This is the earliest and most urgent deadline.
3. Strategies, NCAs, and Penalties Deadline: One year after entry into force. By this date, Member States must:
   • Adopt their national cloud and AI strategies (Article 7(1)).
   • Designate their national competent authorities (Article 25(1)).
   • Lay down and notify penalty rules (Article 24(1)).
4. General Application: The Regulation applies from one year after entry into force (Article 48). From this date, the full sovereignty framework, procurement obligations, and enforcement powers become operational.

This structure ensures that the physical and administrative foundations (zones, strategies, authorities, penalties) are in place before the sovereignty rules begin to bind cloud providers and public procurers.

What this means for you

For public-sector bodies, procurement officers, and infrastructure stakeholders, the period before CADA applies is a critical preparation phase, not a waiting period.

• Monitor National Strategy Development: Engage with your national government to ensure the Article 7 strategy is being developed with input from public sector stakeholders. This strategy will dictate the roadmap for your organization's cloud and AI adoption, including procurement targets for innovation and SME participation.
• Prepare for Sovereignty Assessments: The designation of NCAs (Article 25) signals the start of the sovereignty framework. Procurement officers should begin internal risk assessments (as required by Article 29) to determine which public sector activities contribute to public order and thus require higher Union assurance levels (2, 3, or 4).
• Engage with Acceleration Zones: If your region is designated as an acceleration zone (Article 10), understand the new permitting processes. Article 13 facilitates permit-granting processes, capping them at 12 months for comprehensive applications. Procurement officers involved in infrastructure projects should familiarize themselves with these streamlined procedures.
• Review Contractual Clauses: With the new penalty regime (Article 24) and sovereignty requirements coming into force, review existing cloud contracts. Ensure they align with the forthcoming Union assurance levels and include clauses for data sovereignty and operational continuity, as these will be audited criteria for levels 2-4.

Common misconceptions

• "CADA applies immediately upon publication." Incorrect. CADA enters into force 20 days after publication but applies one year later. However, specific deadlines, such as the designation of acceleration zones (6 months after entry into force), require action well before the full application date.

• "Member States can ignore national strategies if they have existing digital plans." Partially incorrect. While Article 7(3) states that if a Member State has already adopted a national strategy that adequately covers CADA's objectives, it is not required to adopt another, it must update existing strategies if gaps are identified. The strategy must explicitly include cloud and AI-specific measures, such as data centre deployment and open-source adoption.

• "Penalties are only for private cloud providers." Incorrect. While Article 24 focuses on penalties for cloud computing service providers, the broader enforcement framework involves public sector compliance. Public bodies that fail to procure services meeting the required Union assurance levels (as determined by risk assessments) may face administrative consequences under national law, and the lack of penalty frameworks undermines the entire sovereignty model.

• "Acceleration zones are optional." Incorrect. Article 10(1) uses mandatory language ("shall designate"), requiring each Member State deploying data centre capacity to designate at least one acceleration zone. This is a binding obligation to streamline infrastructure deployment.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• How does a Member State set CADA penalties for cloud providers?
• What happens if another Member State objects to my CADA recognition?
• How does a Member State include cloud and AI procurement in its CADA national strategy?
• How does a Member State designate a national competent authority under CADA?
• How does a Member State designate a data centre acceleration zone under CADA?

This is general information about a draft EU regulation, not legal advice.