Summary
As proposed, the Cloud and AI Development Act (CADA) would enter into force 20 days after publication in the Official Journal but would only apply one year later, creating a mandatory 12-month preparation window. During this transition, cloud providers must actively monitor for critical secondary legislation (specifically delegated acts under Article 45 and implementing acts under Article 46), which will define the technical criteria for Union assurance levels, audit methodologies, and fee structures. While substantive compliance obligations (such as procurement mandates and certification) do not legally "bite" until the application date, providers should immediately map their infrastructure against the proposed Annex II criteria. Failure to prepare for the rigorous independent audits required for Levels 2–4 before the application date could result in immediate disqualification from public procurement once the Regulation becomes enforceable.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a distinct temporal architecture designed to balance legal certainty with market readiness. This structure creates a "preparatory gap" between the Regulation's entry into force and its date of application. For cloud computing service providers, this year is not a period of inactivity but a critical strategic window to align with a framework that relies heavily on secondary legislation for its technical execution.
The One-Year Transition Window: Article 48
The timeline is explicitly defined in Article 48 of the proposal. The Regulation "shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union." However, the substantive obligations are deferred: the Regulation "shall apply from [same day and month as date of entry into force plus 1 year]."
This creates a fixed 12-month window. During this period:
- Legal Existence: The text of the Regulation is law, but the specific obligations regarding sovereignty assurance, data centre acceleration, and procurement mandates are not yet enforceable against providers.
- No Immediate Sanctions: Providers cannot be penalized for non-compliance with the sovereignty framework or procurement rules before the application date.
- Preparation Imperative: The complexity of the sovereignty framework (particularly the requirement for independent third-party audits for Levels 2, 3, and 4) means that achieving compliance is a multi-month process. Waiting until the application date to initiate audits would likely leave a provider unable to serve public sector clients as soon as the Regulation starts to apply.
The Critical Role of Secondary Legislation
The most significant operational challenge during this transition year is that CADA is a framework regulation. It establishes the structure of the Union cloud computing sovereignty framework (Article 16) and the criteria in Annex II, but it explicitly delegates the technical details to the Commission. Without these secondary acts, providers cannot fully comply, even if they wished to.
Providers must closely monitor the adoption of acts under Article 45 (delegated acts) and Article 46 (implementing acts). These articles empower the Commission to adopt detailed rules that are essential for operational compliance:
1. Defining and Updating Assurance Levels (Article 45)
While Annex II sets out the initial criteria for the four Union assurance levels, Article 45 empowers the Commission to adopt delegated acts to:
- Amend Annex II to update the criteria for Union assurance levels in light of new legal or technical developments.
- Amend Annex III to specify the evidence needed to assess audit criteria.
- Specify a Union assurance level for a contracting authority.
Providers must watch for these updates, as the technical thresholds for "sovereign" status (e.g., specific cybersecurity certification levels, software supply chain controls) may be refined. The proposal notes that the Commission shall review Annexes II and III at least every 18 months, but the initial delegated acts will be crucial for the first wave of compliance.
2. Audit Procedures and Methodologies (Article 45)
For Union assurance levels 2, 3, and 4, providers must undergo independent third-party audits to obtain a "positive" audit opinion (Article 20). Article 45 explicitly delegates power to the Commission to supplement the Regulation by laying down detailed rules on:
- The procedural steps for performing audits.
- Rules for auditing organisations and their technical competences.
- Auditing methodologies.
- Templates for audit reports.
Without these delegated acts, providers cannot select the correct audit methodology, and auditing organisations cannot issue standardized reports. Providers should prepare internal controls based on the proposed criteria in Annex III (e.g., maintaining a complete Software Bill of Materials, mapping data flows) but must remain ready to adapt once the official templates are published.
3. Risk Assessment Methodologies (Article 46)
Member States and Union entities must conduct risk assessments to determine which assurance level is appropriate for specific public sector activities (Article 29). Article 46 empowers the Commission to adopt implementing acts specifying:
- The methodology to be applied.
- The templates to be used.
- The elements to be taken into account.
Providers need to understand these methodologies to align their service offerings with what public buyers will require. If a Member State determines that a specific activity requires Level 3, the provider must be able to demonstrate compliance with the specific criteria for that level.
4. Fee Structures for EuroCloud and Procurement (Article 46)
The proposal introduces fees for the administration of the EuroCloud Federation (Article 36) and the common procurement framework (Article 40). Article 46 empowers the Commission to adopt implementing acts laying down detailed rules for:
- Determining the estimated costs.
- The individual amount of the fees.
- The manner and conditions under which fees are to be paid.
Providers participating in these schemes need clarity on cost recovery mechanisms. While the proposal suggests fees will be cost-recovery based, the specific calculation methods and payment schedules will be defined in these implementing acts.
Mapping Obligations to the Application Date
While the substantive duties activate on the application date, the preparatory work is immediate. The "bite" of the Regulation occurs when a contracting authority issues a tender. Under Article 30, contracting authorities whose activities contribute to public order must procure only services recognised at Union assurance levels 2, 3, or 4. If a provider is not recognised by the application date, they are effectively locked out of these markets.
Providers should use this year to:
- Conduct a Gap Analysis: Compare current service architectures against the cumulative criteria in Annex II. Identify where infrastructure, assets, personnel, or data flows may not meet the requirements for Union assurance levels 1 through 4. For example, Annex II 3.1(d) requires personnel to be Union citizens for Level 3, a significant operational shift for many global providers.
- Prepare for Audits: For providers targeting levels 2–4, begin internal reviews of software supply chains, data localization practices, and subcontractor agreements. Since the specific audit templates are pending under Article 45, providers should adopt best-practice internal controls that align with the proposed criteria in Annex III (e.g., maintaining a complete SBOM, documenting data flow diagrams, ensuring no remote access from outside the Union).
- Review Contractual Terms: Update standard service agreements to include clauses related to sovereignty, data residency, and the right to audit. Ensure that subcontractor contracts reflect the new transparency and control requirements, particularly the requirement under Article 20 that audited providers must cooperate with auditing organisations and provide access to all relevant data and premises.
- Engage with Competent Authorities: National competent authorities will be designated under Article 25. Providers should identify these bodies and prepare to engage with them regarding the recognition process. The recognition procedure under Article 17 involves a 60-day review period by other Member States, which must be factored into the timeline.
What this means for you
For cloud service providers and data centre operators, the year between entry into force and application is a strategic preparation period. You are not yet legally liable for non-compliance, but you are racing against a clock to ensure you can meet the application date.
Immediate Actions:
- Monitor Official Journals: Subscribe to updates on delegated acts under Article 45 and implementing acts under Article 46. The specific technical criteria for audits, assurance levels, and fee structures will be published here. These acts are the "missing links" that make the Regulation operational.
- Internal Readiness Assessment: Map your current services against the four Union assurance levels in Annex II. Determine which level your current offerings meet and what changes are needed to reach higher levels. Pay special attention to Annex II 3.1(d) (Union citizenship for personnel) and Annex II 3.1(g) (absence of third-country control), which are often the most difficult criteria to meet.
- Supply Chain Review: Audit your subcontractors and third-country dependencies. The CADA proposal imposes strict criteria on subcontractors (e.g., location of assets, personnel citizenship for higher levels). Ensure your supply chain contracts allow for the necessary transparency and control, as Article 20 requires audited providers to cooperate with auditing organisations and provide access to all relevant data.
- Financial Planning: Prepare for the new fee structures related to the EuroCloud Federation and common procurement. While the exact amounts are pending under Article 46, build budgetary flexibility for these administrative costs. The proposal indicates fees will be set to cover costs, but the specific calculation method will be defined in implementing acts.
Long-Term Strategy:
Use this year to position your services as "CADA-ready." Public sector procurement will shift dramatically towards Union assurance levels 1–4 once the application date hits. Providers who have already undergone internal audits and aligned their infrastructure will have a significant competitive advantage in these tenders. The recognition process under Article 17 is not instantaneous; it involves a 60-day review period and potential objections from other Member States. Starting early is essential to secure recognition before the first major tenders are issued.
Common misconceptions
Misconception 1: "No compliance is needed until the application date." While you cannot be fined before the application date, the complexity of achieving sovereignty certification means that waiting until the last month is a business risk. The audit process for levels 2–4 is rigorous and time-consuming. Starting early ensures you can capture the first wave of public procurement opportunities. The recognition process under Article 17 alone can take months due to the cross-border review mechanism.
Misconception 2: "The current proposal text is final and unchangeable." CADA is a proposal. The technical criteria in Annex II and Annex III can be amended via delegated acts under Article 45. Providers must remain flexible and adapt to the final versions of these secondary laws, not just the initial proposal text. The Commission is empowered to update these criteria to reflect technological developments.
Misconception 3: "Sovereignty is only about data location." The CADA framework is multi-layered. Beyond data residency (which is a baseline for Level 1), higher assurance levels require criteria related to personnel citizenship (Annex II 3.1(d)), cybersecurity certification (Annex II 3.1(e)), absence of third-country control (Annex II 3.1(g)), and software supply chain transparency (Annex II 3.1(i)). Focusing solely on data location will not be sufficient for levels 2–4.
This is general information about a draft EU regulation, not legal advice.