What will the Commission look at when it reviews CADA?

Summary As proposed in COM(2026) 502 final, the European Commission is legally mandated to evaluate the Cloud and AI Development Act (CADA) four years after its entry into force, and subsequently every five years. Article 47(1) establishes this recurring review cycle to assess the regulation's effectiveness. Crucially, Article 47(3) imposes a specific statutory obligation on the Commission: it must "pay specific attention to small and medium-sized enterprises and the position of new competitors" while also taking into account the positions and findings of the European Parliament, the Council, and other relevant bodies. This ensures that the review does not merely assess technical compliance but actively scrutinizes whether the Act is fostering a competitive market or inadvertently cementing the dominance of large incumbents.

Detail

The Cloud and AI Development Act (CADA) is designed as a dynamic instrument to address the rapidly evolving challenges of cloud sovereignty, data centre capacity, and AI ecosystem resilience. Recognizing that the technological landscape shifts faster than the legislative process, the proposal includes a robust review mechanism in Title V, Chapter I, specifically Article 47. This clause ensures that the regulation remains fit for purpose and that its economic impacts are continuously monitored.

The Mandatory Timeline of the Review

The review process is not discretionary; it is a binding obligation triggered by the regulation's entry into force. Article 47(1) states:

"By [date of entry into force plus 4 years], and every 5 years thereafter, the Commission shall evaluate this Regulation, and report to the European Parliament, the Council and the European Economic and Social Committee."

This timeline must be understood in the context of the regulation's application dates. Article 48 specifies that the Regulation shall enter into force on the twentieth day following its publication in the Official Journal of the European Union, but it shall apply from one year after that date. Consequently, the first substantive review will occur four years after entry into force, meaning the Commission will have approximately five years of practical application data to analyze before submitting its first report. This delay is intentional, allowing sufficient time for Member States to designate competent authorities, for cloud providers to seek recognition under the sovereignty framework, and for data centre acceleration zones to be established.

The Scope of the Evaluation

While Article 47(1) mandates the evaluation, the specific criteria for "effectiveness" are derived from the regulation's general and specific objectives outlined in Article 1 and the Explanatory Memorandum. The Commission's report will likely assess whether the proposed measures have achieved their intended outcomes:

1. Capacity and Infrastructure: Whether the measures in Title III (Data Centre Capacities) have successfully accelerated deployment, reduced the capacity gap, and facilitated the designation of acceleration zones and strategic projects.
2. Sovereignty and Autonomy: Whether the Union cloud computing sovereignty framework in Title IV has effectively reduced dependencies on third-country providers and safeguarded public order as required by Article 29.
3. Innovation and Competitiveness: Whether the Cloud and AI Leadership Initiatives under Title II have bridged the gap between research and market deployment, particularly in frontier AI and physical AI.
4. Market Functioning: Whether the harmonised rules have improved the functioning of the single market by reducing fragmentation and facilitating cross-border provision of cloud services.

The Statutory Focus on SMEs and New Competitors

The most distinctive and legally significant aspect of the CADA review is the explicit requirement to focus on market structure and competition. Article 47(3) states:

"In carrying out the evaluation referred to in paragraph 1, to Commission shall take into account the positions and findings of the European Parliament, of the Council, and of other relevant bodies or sources, and shall pay specific attention to small and medium-sized enterprises and the position of new competitors."

This provision is not merely a suggestion; it is a mandatory directive that shapes the entire evaluation methodology. The legislator recognized that the cloud and AI markets are characterized by high barriers to entry and significant concentration among a few non-EU hyperscalers. The review clause serves as a safeguard against regulatory capture or unintended consequences that could stifle competition.

Why the SME and Competition Focus Matters

The requirement to "pay specific attention" to SMEs and new competitors addresses several critical policy risks:

• Barriers to Entry and Compliance Costs: The CADA proposal introduces complex compliance obligations, particularly for the Union assurance levels (Levels 2–4) which require independent third-party audits under Article 20. For small and medium-sized enterprises, the cost of these audits, the administrative burden of maintaining a software bill of materials (SBOM), and the requirements for data localisation could be disproportionately high compared to large incumbents. The review must determine if these costs are creating a "regulatory moat" that protects established players rather than fostering a level playing field.
• Proportionality of Obligations: The review will assess whether the obligations imposed by the sovereignty framework are proportionate to the size and risk profile of the provider. If the evaluation finds that SMEs are unable to meet the criteria for Union assurance levels due to resource constraints, the Commission may be compelled to propose amendments to introduce lighter-touch regimes or specific support mechanisms for smaller providers.
• Innovation Ecosystem Health: New competitors are often the primary drivers of disruptive innovation in the digital sector. If the regulatory framework inadvertently favors large, established providers, the EU risks losing its ability to develop homegrown alternatives to foreign hyperscalers. The review must examine whether the Act is successfully enabling new entrants to challenge incumbents, particularly in niche areas such as sovereign cloud offerings, specialized AI models, or open-source solutions.
• Market Concentration Risks: The Explanatory Memorandum notes that the EU market share for cloud providers has stagnated at 15% since 2022, with three non-EU hyperscalers controlling over 70% of the market. The review under Article 47(3) is a critical tool to monitor whether CADA is reversing this trend or if the new rules are consolidating the market further.

Consultation with Relevant Bodies

Article 47(3) also mandates that the Commission "take into account the positions and findings of the European Parliament, of the Council, and of other relevant bodies or sources." This ensures that the review is a democratic and multi-stakeholder process, not an isolated administrative exercise.

• European Parliament and Council: As the co-legislators, their positions will reflect the political priorities and any concerns raised during the implementation phase. Their input is essential for aligning the review with the evolving political consensus on digital sovereignty.
• Other Relevant Bodies: This category likely includes the European Artificial Intelligence Board (established under the AI Act, which interacts with CADA), national competent authorities designated under Article 25, and potentially the European Data Protection Supervisor (EDPS) given the overlap with data protection concerns. The review must synthesize these diverse perspectives to form a holistic view of the regulation's impact.

Potential for Legislative Amendment

The review is not an end in itself; it is a mechanism for continuous legislative improvement. Article 47(2) states:

"Where appropriate, the report referred to in paragraph 1 shall be accompanied by a proposal for amendment of this Regulation."

This provision empowers the Commission to propose substantive changes based on the evaluation's findings. If the review reveals that certain provisions are ineffective, overly burdensome for SMEs, or failing to meet their objectives, the Commission can initiate a legislative amendment process. This could involve updating the criteria for Union assurance levels in Annex II, adjusting the timelines for data centre acceleration zones, or refining the procurement rules in Article 30 to better support new competitors.

Connection to Other EU Policies

The review will also need to consider CADA's interaction with the broader EU digital policy framework. The Explanatory Memorandum highlights CADA's consistency with the AI Act, the Data Act, the Digital Markets Act (DMA), and the Cybersecurity Act. The review may assess whether CADA's sovereignty framework complements or conflicts with the DMA's gatekeeper obligations, or whether the CADA's data centre rules align with evolving environmental standards under the Energy Efficiency Directive. The "other relevant bodies" mentioned in Article 47(3) will play a key role in providing this cross-policy context.

What this means for you

For in-house counsel, compliance officers, and strategic planners, understanding the review clause is essential for long-term risk management and advocacy.

1. Monitor the Four-Year Mark

Mark your calendars for four years after the Regulation's entry into force. This is when the Commission will begin its formal evaluation. Your organization should be prepared to provide input during any public consultations that may precede the Commission's report. Stakeholder feedback is a key "source" the Commission must consider under Article 47(3).

2. Leverage the SME and New Competitor Focus

If your organization qualifies as an SME or is a new market entrant, you have a specific statutory interest in this review. Article 47(3) mandates the Commission to pay specific attention to your position.

• Document Burdens: Keep detailed records of the compliance costs and administrative burdens associated with CADA, particularly regarding the sovereignty framework audits (Article 20) and data centre permitting (Title III).
• Advocate for Proportionality: If you find that certain requirements are disproportionately difficult for smaller entities to meet compared to large incumbents, raise these issues with industry associations and national competent authorities. This evidence will feed directly into the Commission's review and could trigger amendments under Article 47(2).

3. Prepare for Potential Amendments

The possibility of amendment under Article 47(2) means that your compliance roadmap should remain flexible. If the review finds that the sovereignty criteria (Annex II) need updating to reflect new technologies, or that the data centre acceleration zones require recalibration, the regulatory landscape could shift. Stay engaged with the European Artificial Intelligence Board and other relevant bodies mentioned in Article 47(3) to anticipate these changes.

4. Engage with National Competent Authorities

The review will rely on data and findings from national competent authorities (Article 25). Engage constructively with these authorities during the implementation phase. Provide accurate information on your compliance efforts and any challenges faced. This direct feedback loop will inform the national contributions to the EU-wide review.

Common misconceptions

"The review is optional." No. The review is mandatory. Article 47(1) uses the imperative "shall evaluate," creating a binding obligation for the Commission to report to the European Parliament and the Council.

"The review will only look at large hyperscalers." Incorrect. Article 47(3) explicitly requires the Commission to "pay specific attention to small and medium-sized enterprises and the position of new competitors." This ensures that the interests of smaller market participants are not overlooked and that the Act does not inadvertently entrench the dominance of incumbents.

"The review will happen immediately after entry into force." No. The first review occurs four years after entry into force (Article 47(1)), providing a substantial period for the rules to take effect and for data to be gathered.

"The review is purely technical." No. The review is political and strategic. Article 47(3) requires the Commission to consider the positions of the European Parliament and the Council, ensuring that political priorities and stakeholder concerns are integrated into the assessment.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• Cybersecurity Act (Regulation (EU) 2019/881)
• Data Act (Regulation (EU) 2023/2854)

Related

• Will existing cloud contracts be affected when CADA starts to apply?
• When will the Cloud and AI Development Act (CADA) be reviewed?
• How will the Commission set the procedure for the CADA central repository?
• Who does the Commission consult before adopting a CADA delegated act?
• Which parts of CADA can the Commission change through delegated acts?

This is general information about a draft EU regulation, not legal advice.