Summary

As proposed, the Cloud and AI Development Act (CADA) would enter into force 20 days after its publication in the Official Journal, with the bulk of obligations applying one year later. For public-sector bodies in the energy and utilities sectors, this creates a staged timeline: national strategies and data centre acceleration zones must be designated within six to twelve months of entry into force, while sovereignty risk assessments and mandatory procurement rules kick in after the one-year transition. These CADA obligations would run in parallel with existing cybersecurity duties under the NIS2 Directive, which already applies to the sector.

Detail

Understanding the precise timeline for CADA is critical for public-sector bodies in the energy and utilities sectors. The proposal (COM(2026) 502 final) introduces strict new requirements for data centre deployment, cloud sovereignty, and procurement, but it does not impose them all at once. Instead, it outlines a phased implementation to allow Member States and public authorities time to adapt their infrastructure and legal frameworks.

Entry into Force and General Application

The definitive timeline is set out in Article 48 of the proposal. The Regulation would enter into force on the twentieth day following its publication in the Official Journal of the European Union. Crucially, it would then apply from the date one year after its entry into force.

This one-year gap is not merely a waiting period; it is a structured transition phase designed for Member States to designate competent authorities, establish national strategies, and prepare their public procurement frameworks. For energy and utilities entities, this means that while the law becomes "active" 20 days after publication, the obligations to procure sovereign cloud services and conduct specific risk assessments would not bind them until the one-year mark.

Staged Deadlines for Member States

While the general application date is one year after entry into force, several specific obligations have earlier or distinct deadlines designed to accelerate infrastructure deployment and sovereignty readiness. These deadlines are binding on Member States, but they directly impact the operational environment for energy and utilities providers.

  1. Data Centre Acceleration Zones (Six Months): To address the EU's compute capacity gap, Article 10(1) requires Member States to designate at least one data centre acceleration zone within their territory by six months after entry into force. This is particularly crucial for the energy sector, as Article 10(1)(b) explicitly mandates that Member States consider the "available and future power grid capacity" and the possibility of on-site clean energy generation when designating these zones. Energy utilities must monitor these designations closely, as they will determine where new sovereign compute capacity is prioritized.
  2. National Cloud and AI Strategies (One Year): Under Article 7(1), Member States must establish national cloud and AI strategies within one year of the Regulation's entry into force. These strategies must align with CADA's objectives, including measures to support the deployment of data centre capacity and high-intensity computing infrastructure. These strategies will likely define the national priorities for energy-intensive data centre projects.
  3. Risk Assessments for Sovereignty (One Year): Under Article 29(1), Member States and Union entities must carry out risk assessments to determine which public sector activities contribute to the preservation of public order (including energy infrastructure) and which Union assurance level (2, 3, or 4) is appropriate. This must be completed within one year of entry into force. For energy utilities, this assessment is the trigger that determines whether they must procure higher assurance levels.
  4. Competent Authorities (One Year): Member States must designate one or more national competent authorities responsible for enforcing the cloud sovereignty framework by one year after entry into force, as per Article 25(1). These authorities will be the primary point of contact for recognition and enforcement.

Implications for Public Procurement

For procurement officers, the most significant impact arrives when the Regulation fully applies one year after entry into force. Article 30 mandates that public sector bodies whose activities have not been identified as contributing to public order must procure cloud computing services with at least Union assurance level 1.

However, for entities in critical sectors like energy and utilities, whose activities are likely identified as contributing to public order under the NIS2 Directive, Article 30(3) requires them to procure only cloud services recognised as offering Union assurance levels 2, 3, or 4. This means that once the one-year application period begins, public energy and utilities bodies cannot simply renew contracts with non-compliant third-country providers unless they fall under narrow derogations (e.g., no adequate alternative exists, as per Article 30(4)). They must use services from providers recognised in the central repository established under Article 22.

If a migration to a compliant provider is required, Article 29(6) provides a "reasonable transition period that shall not exceed 12 months," taking into account technical feasibility and continuity of service.

Parallel Application with NIS2

It is vital to note that CADA does not replace existing cybersecurity laws. The NIS2 Directive (Directive (EU) 2022/2555) already applies to the energy and utilities sectors, imposing strict cybersecurity risk management obligations. CADA complements this by adding a sovereignty layer. As stated in the Explanatory Memorandum, NIS2 focuses on technical cybersecurity, while CADA addresses broader sovereignty concerns, including operational autonomy and protection against extraterritorial data access. Therefore, energy sector public bodies must comply with both NIS2's technical requirements and CADA's sovereignty assurance levels simultaneously.

What this means for you

As a procurement officer or compliance lead in the energy or utilities public sector, you should take the following steps in preparation for CADA's application:

  • Monitor National Strategy Adoption: Keep track of your Member State's national cloud and AI strategy, which must be published within one year of CADA's entry into force. This strategy will outline specific national priorities for data centre deployment and cloud adoption, potentially influencing where your future infrastructure is located.
  • Conduct Early Risk Assessments: Begin internal risk assessments now to determine which of your cloud-based activities contribute to public order. If your energy infrastructure is classified as critical under NIS2, it will likely require Union assurance levels 2, 3, or 4 under CADA. Start mapping your current cloud providers against the proposed assurance criteria in Annex II of the proposal.
  • Review Current Contracts: Identify any cloud contracts with third-country providers that may not meet the future sovereignty requirements. Plan for migration to recognised EU providers or those with associated third-country status, ensuring you allow for the reasonable transition period (up to 12 months) mentioned in Article 29(6).
  • Engage with Grid and Infrastructure Planners: Since CADA mandates the designation of data centre acceleration zones within six months, coordinate with national and regional grid planners. Understanding where new sovereign compute capacity will be located will inform your future procurement and service delivery strategies.
  • Prepare for Open Source Requirements: CADA encourages the use of open-source solutions. Familiarise your team with the upcoming EU Open Source Solutions Catalogue (Article 43) and consider how open-source components can be integrated into your cloud stack to reduce vendor lock-in and enhance sovereignty.

Common misconceptions

  • "CADA replaces NIS2 for energy companies." Incorrect. CADA complements NIS2. NIS2 handles technical cybersecurity risk management, while CADA handles sovereignty, data localisation, and operational autonomy. Both sets of obligations apply concurrently.
  • "All public sector bodies must use the highest sovereignty level." Incorrect. CADA uses a risk-based approach. Only activities identified as contributing to public order (like critical energy infrastructure) require assurance levels 2, 3, or 4. Other public services only require level 1.
  • "The rules apply immediately upon publication." Incorrect. There is a one-year application period after entry into force (which is 20 days after publication). This transition period is intended for Member States to set up authorities and for public bodies to conduct risk assessments.
  • "Third-country providers are completely banned." Incorrect. Providers from third countries can be audited for Union assurance level 3 if the Commission adopts a decision recognising that country as providing sufficient safeguards under Article 18. This requires an adequacy decision and specific legal guarantees against extraterritorial data access. Note that the criteria in Annex II reference this mechanism, though the proposal text contains a drafting inconsistency referencing Article 19 in the Annex; the legal power resides in Article 18.

This is general information about a draft EU regulation, not legal advice.