Summary
The proposed Cloud and AI Development Act (CADA) would apply one year after its entry into force, as explicitly set out in Article 48. However, this "one-year runway" is not a period of inaction. Member States face critical interim deadlines: designating data centre acceleration zones within six months of entry into force (Article 10) and establishing national competent authorities within one year (Article 25). Organisations must use this window to map cloud dependencies, conduct preliminary sovereignty risk assessments, and align procurement strategies with the upcoming Union assurance levels. Failure to prepare now risks missing the migration transition periods mandated for public sector bodies.
This is general information about a draft EU regulation, not legal advice.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, represents a fundamental shift in the EU's approach to cloud infrastructure, moving from voluntary guidelines to a mandatory sovereignty framework. While the Regulation is designed to be directly applicable across all Member States without national transposition, its operational timeline is staggered. Understanding the distinction between the entry into force (when the law exists) and the application date (when obligations become binding) is critical for legal and compliance teams.
The Application Timeline: Article 48
The definitive timeline for CADA is anchored in Article 48. The text states that the Regulation "shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union." Crucially, it further stipulates that the Regulation "shall apply from [same day and month as date of entry into force plus 1 year]."
This creates a precise twelve-month transition period. During this year, the substantive obligations regarding Union assurance levels, public procurement mandates, and data centre acceleration zones are not yet legally enforceable against providers or buyers. However, the legislative text does not grant a "grace period" for administrative preparation. Instead, it imposes immediate, binding deadlines on Member States to construct the regulatory architecture required for CADA to function. For organisations, this means the regulatory landscape will be defined and operationalised well before the general application date.
Critical Interim Deadlines for Member States
While private entities and public buyers have a full year before the core rules bite, Member States must act immediately upon entry into force. These state-level actions directly impact the readiness of the market.
- Designation of Data Centre Acceleration Zones (Article 10): Article 10 imposes a tight deadline on Member States. They must designate at least one data centre acceleration zone within their territory "by [P.O. insert the date of entry into force of this Regulation plus 6 months]."
  - Impact: These zones are the primary mechanism for accelerating data centre deployment through streamlined permitting and specific sustainability requirements. For cloud providers and data centre operators, the identification of these zones within six months is a strategic imperative. Site selection, grid connection applications, and investment planning must align with these designated areas to benefit from the accelerated permitting regime. Waiting until the application date to identify suitable locations could result in missing the window for streamlined approvals.
- Designation of National Competent Authorities (Article 25): Under Article 25, Member States must designate one or more national competent authorities (NCAs) responsible for enforcing the cloud computing sovereignty framework. The deadline is "by [P.O. insert date of entry into force plus 1 year]."
  - Impact: This deadline coincides with the general application date. However, the process of identifying, resourcing, and empowering these authorities begins immediately. The NCAs will be the bodies responsible for recognising cloud providers at Union assurance levels (1–4). Organisations must monitor the designation of these authorities to know where to submit applications for recognition and which body will conduct audits or handle objections.
- National Cloud and AI Strategies (Article 7): Member States are required to establish national cloud and AI strategies "by [same day as entry into force plus one year]." These strategies must outline measures for data centre deployment, AI adoption, and sovereign cloud stack development.
  - Impact: Public sector bodies and private entities operating in strategic sectors must align their long-term IT roadmaps with these national strategies. The strategies will likely define the specific risk assessment methodologies and priority sectors for higher assurance levels.
Preparatory Steps for Cloud Computing Service Providers
For providers, the one-year application period is a critical window to assess eligibility for the Union assurance levels established in Article 16. The criteria for these levels are detailed in Annex II, and the evidence required is specified in Annex III.
- Conduct a Gap Analysis Against Annex II: Providers must immediately map their current infrastructure, data flows, and subcontractor chains against the cumulative criteria for each assurance level.
  - Level 1: Requires a self-assessment and an EU statement of conformity. Providers must verify that they are established in the Union and that infrastructure/assets are located there (unless explicitly required otherwise).
  - Levels 2–4: Require independent third-party audits. Providers must assess their readiness for the "substantial" (Levels 2 & 3) or "high" (Level 4) cybersecurity certification requirements. Crucially, they must evaluate personnel requirements: Level 2 allows for conditional Union-citizen personnel (only if the public body requires it), whereas Levels 3 and 4 mandate Union citizens for all personnel involved in the service.
- Prepare for Independent Audits: Article 20 mandates that providers seeking Levels 2–4 undergo independent third-party audits. Auditing organisations must be independent, free of conflicts of interest, and possess specific technical competence. Providers should begin engaging with potential auditing organisations early. The audit process is evidence-intensive, requiring Software Bills of Materials (SBOMs), detailed data flow diagrams, and proof of legal/technical separation from third-country entities.
- Review Subcontractor Contracts: CADA places significant liability on providers for their subcontractors. Annex II requires that subcontractors meet the same assurance criteria. Providers must review existing contracts to ensure they include enhanced transparency clauses, data localisation guarantees, and rights for the provider to audit the subcontractor's compliance.
- Assess Third-Country Control: Providers subject to control by a third country must evaluate if they can meet the criteria for Level 3 (which allows a derogation if the Commission has adopted an implementing act under Article 18). They must demonstrate that no third-country laws compel them to report vulnerabilities or disrupt service.
Preparatory Steps for Public Buyers and Contracting Authorities
Public sector bodies are the primary drivers of demand under CADA. Article 30 mandates that contracting authorities procure cloud services meeting specific Union assurance levels based on risk assessments.
- Initiate Preliminary Risk Assessments: Article 29 requires Member States and Union entities to carry out risk assessments to identify public sector activities that contribute to the preservation of public order. These assessments determine whether a service requires the baseline Level 1 or the higher Levels 2–4. Public buyers should begin mapping their IT services to these risk categories immediately. Activities in national security, defence, justice, law enforcement, and critical infrastructure will almost certainly require higher assurance levels.
- Update Procurement Guidelines: Article 32 introduces "Union added value" as a non-price award criterion. Buyers must update their procurement documents to evaluate tenderers on their contribution to the European cloud ecosystem, use of Union-designed hardware/software, and security of supply.
- Plan for Migration: If current cloud providers do not meet the required assurance levels, public bodies must plan migration strategies. Article 29(6) states that if a risk assessment requires migration, it must occur within a reasonable transition period not exceeding 12 months. This transition period runs from the completion of the risk assessment, not necessarily from the application date. Early identification of non-compliant services is essential to avoid last-minute disruptions or service interruptions.
Preparatory Steps for Private Sector Entities
While CADA primarily targets public procurement, Article 31 extends the framework to the private sector for entities in sectors listed in Annex I to the NIS2 Directive (critical infrastructure).
- Voluntary Impact Assessments: Private entities may carry out impact assessments similar to those required for public bodies. While not immediately mandatory, the Commission may issue guidance or require these assessments via delegated acts. Proactive assessment of cloud dependencies and third-country risks is advisable.
- Supply Chain Due Diligence: Private buyers should update vendor due diligence processes to include questions about data localisation, third-country control, and auditability. The market will increasingly favour providers with Union assurance certifications, creating a competitive advantage for compliant suppliers.
What this means for you
For in-house counsel and compliance officers, the period before CADA's application date is a strategic preparation phase, not a waiting room.
- Inventory Your Cloud Services: Create a comprehensive inventory of all cloud computing services and AI systems. For each, identify the provider, data storage locations, and any third-country involvement.
- Assess Sovereignty Gaps: Compare your inventory against the CADA assurance level criteria in Annex II. Identify which services would fail to meet Level 1 or higher levels. Prioritise high-risk services for immediate remediation.
- Monitor Member State Actions: Track the designation of national competent authorities (Article 25) and data centre acceleration zones (Article 10). These will provide country-specific guidance and opportunities.
- Update Procurement Clauses: Review standard procurement contracts to include clauses related to data localisation, audit rights, and compliance with Union assurance levels. Ensure vendors warrant their ability to meet these requirements.
- Plan for Audit Readiness: If you are a provider, begin assembling the documentation required for audits (SBOMs, data flow diagrams, personnel records). If you are a buyer, verify that your providers can produce this evidence upon request.
Common misconceptions
- "CADA only applies to public sector bodies." While public procurement rules are central, CADA establishes a sovereignty framework that affects all cloud providers seeking to serve the public sector. Furthermore, private entities in critical sectors may be required to conduct impact assessments, and market dynamics will push private buyers towards sovereign providers.
- "We have one full year to do nothing." The one-year application period in Article 48 is for the enforcement of obligations. However, the preparatory work—risk assessments, audit preparations, and strategic planning—must begin immediately. Migration to compliant services can take significant time, and the 12-month transition period for migration (Article 29(6)) runs from the risk assessment, not necessarily from the application date.
- "Assurance Level 1 is just a self-declaration with no consequences." While Level 1 relies on self-assessment, providers must issue an EU statement of conformity and assume responsibility for compliance. Infringements can lead to penalties under Article 24, and the statement must be publicly available. Misrepresentations can result in revocation of recognition and legal liability.
- "Data localisation means data cannot leave the EU for any reason." CADA allows for data to remain exclusively within the Union unless the public sector body explicitly requires otherwise. This provides flexibility for specific cross-border use cases, but the default is strict localisation for assured services.