Summary
The proposed Cloud and AI Development Act (CADA) would enter into force on the twentieth day following its publication in the Official Journal of the European Union, with its substantive provisions applying one year later, as explicitly set out in Article 48. Crucially, CADA does not regulate activities carried out for military, defence, or national security purposes; these remain the sole competence of Member States under Article 4(2) of the Treaty on European Union (TEU). While CADA establishes a Union cloud computing sovereignty framework with four assurance levels, these rules apply only to non-excluded public sector activities. Member States must establish national cloud and AI strategies and designate national competent authorities (NCAs) within one year of the Regulation's entry into force, but these deadlines do not impose CADA compliance on core defence operations.
Detail
Entry into force and general application dates
The timeline for the proposed Cloud and AI Development Act (CADA) is governed strictly by Article 48 of the proposal. As drafted, the Regulation would enter into force on the twentieth day following its publication in the Official Journal of the European Union. This is the standard mechanism for EU regulations to become legally binding.
However, the entry into force does not immediately trigger the application of the Regulation's obligations. Article 48 further stipulates that the Regulation "shall apply from [same day and month as date of entry into force plus 1 year]." This creates a mandatory one-year transition period. During this year, the legal framework exists, but the substantive obligations—such as the requirement to procure sovereign cloud services, the designation of national competent authorities, and the establishment of national strategies—are not yet legally enforceable.
This delay is designed to allow Member States and the Commission to prepare the necessary administrative structures, including the designation of authorities and the development of national strategies, before the mandatory procurement and sovereignty rules come into effect.
The scope exclusion for defence and national security
A fundamental aspect of CADA's operation is its limited scope regarding national security. The proposal explicitly excludes activities carried out for military, defence, or national security purposes from its regulatory reach. This exclusion is not merely a policy choice within the text of CADA but is grounded in the primary law of the European Union.
Specifically, Article 4(2) of the Treaty on European Union (TEU) affirms that "national security remains the sole responsibility of each Member State." Consequently, CADA does not regulate the procurement of cloud services for core military operations, classified intelligence activities, or national defence infrastructure. Member States retain full discretion over how they secure and procure these specific systems.
This means that while CADA establishes a robust framework for "sovereign cloud" services, these rules do not automatically apply to the defence sector. A Member State is not required under CADA to apply Union assurance levels (Levels 1–4) to a military command-and-control system or a classified defence communication network. The decision to apply such standards to defence-related activities remains a sovereign choice of the Member State, potentially driven by national law or voluntary alignment with EU standards, but not by CADA itself.
Member State strategy and National Competent Authority deadlines
Although core defence is excluded, CADA imposes strict, timeline-driven obligations on Member States that indirectly affect the broader public sector, including civil services that may support defence-adjacent functions. These deadlines are inextricably linked to the one-year application date defined in Article 48.
- National Cloud and AI Strategies: Under Article 7, Member States are required to establish national cloud and AI strategies within one year of the Regulation's entry into force. These strategies must outline key objectives for cloud and AI adoption, including measures to support the deployment of data centre capacity and the development of sovereign cloud computing stack technologies. While these strategies may reference defence-related digital transformation, they are primarily focused on the general public sector and the broader ecosystem.
- Designation of National Competent Authorities (NCAs): Under Article 25, Member States must designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework within one year of entry into force. These authorities will oversee the recognition of cloud services meeting Union assurance levels. The designation of these NCAs is a prerequisite for the recognition of any cloud service provider under the CADA framework.
- Risk Assessments: Under Article 29, Member States and Union entities must carry out risk assessments to determine which public sector activities require higher levels of Union assurance (Levels 2, 3, or 4). These assessments must be completed within one year of entry into force and repeated every two years thereafter. The risk assessment process is critical for determining which activities are deemed to "contribute to the preservation of public order," thereby triggering mandatory procurement of higher assurance levels.
Sovereign cloud standards and public procurement
While core defence is excluded, CADA introduces a Union cloud computing sovereignty framework with four assurance levels, detailed in Annex II. Public procurement officers may choose to apply these standards to defence-adjacent activities, such as civil-military dual-use infrastructure, non-classified defence logistics, or research and development platforms that support the defence sector but do not involve classified data.
Under Article 30, contracting authorities whose activities have been identified as contributing to the preservation of public order (which can include certain security-sensitive but non-classified functions) must procure cloud computing services recognised as having Union assurance level 1 as a minimum. For activities deemed critical to public order, procurement must be limited to services recognised at levels 2, 3, or 4. These requirements apply from the general application date (one year after entry into force).
It is important to note that the risk assessment under Article 29 is the mechanism that determines whether a specific activity falls into the "public order" category. If a Member State determines that a specific defence-adjacent activity (e.g., a civilian logistics platform supporting the military) contributes to public order, the mandatory procurement rules would apply. However, if the activity is classified as a core national security function, it remains outside the scope of CADA.
What this means for you
For public-sector and procurement officers working in or with the defence sector, the CADA timeline and scope imply the following:
- No immediate CADA compliance for core defence: You are not required to comply with CADA's sovereignty assurance levels for strictly military or national security operations. National laws and procurement directives continue to govern these areas. The one-year application period in Article 48 does not trigger CADA obligations for these excluded activities.
- Prepare for national strategy alignment: Within one year of CADA's application date, your Member State will have a national cloud and AI strategy. Even if your department is excluded from CADA, this strategy may influence broader digital procurement guidelines that your organisation must follow, particularly for non-classified, dual-use systems.
- Consider voluntary adoption for dual-use systems: For non-classified, civil-military shared services (e.g., HR systems, logistics platforms, or research infrastructure), you may voluntarily apply CADA's Union assurance levels to reduce dependency on third-country providers. This requires engaging with your national competent authority once it is designated.
- Monitor risk assessment deadlines: If your organisation handles data that intersects with public order (as defined in Annex I or II of the NIS2 Directive), you must participate in the biennial risk assessments mandated by Article 29. These assessments determine whether your services must meet higher sovereignty assurance levels. The first assessment must be completed within one year of the Regulation's entry into force.
Common misconceptions
- "CADA applies to all defence procurement." Incorrect. CADA explicitly excludes military, defence, and national security purposes. Member States retain sovereignty over these areas, and CADA's procurement rules do not apply to core defence operations.
- "The one-year deadline applies to core defence systems." Incorrect. The one-year application period in Article 48 triggers obligations for national strategies, NCA designations, and public procurement rules for non-excluded activities. It does not impose CADA-specific compliance on classified defence operations.
- "Union assurance levels are mandatory for all public sector cloud use." Incorrect. Only Union assurance level 1 is a minimum baseline for public sector procurement under Article 30. Higher levels (2, 3, 4) are required only if a risk assessment under Article 29 identifies the activity as critical to public order. Defence activities are generally excluded from this requirement unless voluntarily included by the Member State.
- "CADA overrides national security laws." Incorrect. CADA is consistent with Article 4(2) TEU and does not encroach on the sole competence of Member States regarding national security.
This is general information about a draft EU regulation, not legal advice.