When do CADA obligations start for the healthcare sector?

Summary As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) would enter into force 20 days after publication in the Official Journal, but its substantive obligations would only apply one year later. For the healthcare sector, this creates a critical preparation window: Member States must adopt national cloud and AI strategies and designate competent authorities within that first year. Crucially, the European Health Data Space (EHDS) operates on a completely separate legislative timeline; CADA does not alter EHDS entry dates but would govern the sovereign cloud infrastructure used to host health data once CADA applies.

Detail

Determining when CADA obligations commence for the healthcare sector requires distinguishing between the regulation's formal entry into force, its general application date, and the specific, staggered deadlines imposed on Member States. As CADA is currently a proposal, the dates below reflect the text as drafted in Article 48 and related provisions.

Entry into Force vs. Application Date

The foundational timeline is set by Article 48 of the proposal. This article establishes that the Regulation "shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union." However, entry into force is a procedural milestone, not a compliance trigger. Article 48 further stipulates that the Regulation "shall apply from [same day and month as date of entry into force plus 1 year]."

This creates a mandatory one-year transition period. During this year, the law exists formally, but the substantive duties—such as the requirement for public bodies to procure cloud services at specific Union assurance levels or the obligation for providers to undergo independent audits—would not yet be enforceable. For healthcare providers, public hospitals, and national health ministries, the "clock" for actual compliance begins only on this one-year anniversary.

Staged Deadlines for Member States

While the general application date is uniform across the Union, the proposal imposes specific, staged deadlines on Member States that fall within or immediately after this transition year. These deadlines are critical for the healthcare sector because they determine when the necessary national frameworks and risk assessments will be in place.

• National Cloud and AI Strategies: Under Article 7(1), Member States are required to establish national cloud and AI strategies "by [same day as entry into force plus one year]." These strategies are not merely administrative; Article 7(2)(c) explicitly mandates that they include "measures to support the broad deployment of AI in strategic industrial and public sectors, including in healthcare." Healthcare providers must align their digital transformation plans with these national strategies once they are adopted.
• Designation of Competent Authorities: The enforcement of the sovereignty framework relies on national bodies. Article 25(1) requires Member States to designate one or more national competent authorities responsible for enforcing the cloud sovereignty framework "by [P.O. insert date of entry into force plus 1 year]." These authorities will be responsible for recognizing cloud services as meeting Union assurance levels. Until these authorities are designated and operational, the formal recognition process for providers cannot be completed.
• Risk Assessments for Public Order: Perhaps the most significant deadline for healthcare is the risk assessment requirement. Article 29(1) mandates that Member States and Union entities carry out risk assessments "by [date of entry into force plus 1 year], and thereafter every two years." These assessments determine which public sector activities "contribute to the preservation of public order." For healthcare, this is pivotal: if a national risk assessment identifies specific health activities (e.g., critical infrastructure, law enforcement-related health data, or crisis management) as contributing to public order, the procurement rules change immediately upon application.

Healthcare-Specific Implications and Procurement Triggers

The healthcare sector is explicitly recognized as a strategic priority within the proposal. Article 4(7)(c) states that the Cloud and AI Leadership Initiatives should "facilitate secure, privacy-enhancing health data reuse for AI models and tools in healthcare." Furthermore, Article 7(2)(c) reinforces that national strategies must address AI deployment in healthcare.

However, CADA does not create a bespoke entry date for healthcare. The sector follows the general one-year application timeline. The distinction lies in the level of assurance required, which is determined by the risk assessment under Article 29.

• Baseline Requirement: Under Article 30(2), public sector bodies whose activities are not identified as contributing to public order must use cloud services recognized at Union assurance level 1.
• Public Order Requirement: Under Article 30(3), contracting authorities whose activities are identified as contributing to public order (which may include critical health infrastructure depending on the Member State's assessment) must procure services recognized at Union assurance levels 2, 3, or 4.

Once the one-year application date arrives, healthcare providers must ensure their cloud contracts meet these levels. If a risk assessment under Article 29 triggers a requirement for higher assurance levels, Article 29(6) provides a migration mechanism: the Member State or entity must migrate within a "reasonable transition period that shall not exceed 12 months," taking into account technical feasibility and continuity of service.

The EHDS Rollout Timeline

It is vital to distinguish CADA from the European Health Data Space (EHDS). The EHDS is a separate legislative initiative with its own entry-into-force and application dates. CADA does not dictate the EHDS timeline, nor does it replace EHDS obligations regarding data sharing, access, or reuse.

Instead, CADA and EHDS are complementary. The EHDS governs the data (how health data is shared and accessed), while CADA governs the infrastructure (the sovereign cloud environment where that data is hosted and processed). A healthcare provider may need to comply with EHDS data-sharing rules immediately upon the EHDS becoming applicable, while simultaneously preparing for CADA's infrastructure sovereignty rules one year after CADA's publication. Procurement officers must track both timelines independently, as CADA's cloud assurance levels would apply to the infrastructure hosting EHDS-compliant data once CADA enters into application.

What this means for you

For public-sector procurement officers, IT directors, and compliance teams in the healthcare sector, the proposed timeline dictates a structured preparation phase:

1. Track Publication: Monitor the Official Journal for the publication of CADA. The 20-day entry-into-force period will immediately start the one-year countdown to application.
2. Prepare for Risk Assessments: Within the one-year window, your organization must engage with national authorities to participate in the risk assessments required by Article 29. Determine if your specific healthcare activities (e.g., emergency response, critical infrastructure support) will be classified as contributing to "public order." This classification will dictate whether you need Union assurance level 1 (baseline) or levels 2–4 (high sovereignty).
3. Align with National Strategy: Ensure your digital strategy aligns with the national cloud and AI strategy, which Member States must adopt within one year of entry into force (Article 7). These strategies will likely prioritize specific AI use cases in healthcare that require sovereign infrastructure.
4. Audit and Plan Migration: Before the one-year application date, audit current cloud providers against the proposed Union assurance criteria in Annex II. If your current provider does not meet the required level (especially if you are classified under public order), begin migration planning immediately. Article 29(6) allows for a maximum 12-month transition period for migration, but this period begins after the risk assessment is complete and the requirement is triggered.

Common misconceptions

"CADA applies immediately upon publication." No. Article 48 explicitly provides a one-year gap between entry into force and application. No substantive compliance obligations exist during this transition year.

"Healthcare has a different deadline than other public sectors." No. The general application date is uniform for all sectors. However, healthcare providers may face stricter procurement requirements (higher assurance levels) sooner if national risk assessments under Article 29 classify their activities as critical to public order.

"CADA replaces or delays the EHDS timeline." No. CADA and EHDS are distinct instruments. EHDS has its own legislative timeline for data sharing and access. CADA governs the sovereign cloud infrastructure hosting that data. Compliance with EHDS data rules does not exempt an organization from CADA infrastructure rules once CADA applies.

"The one-year transition is a grace period for everything." While the one-year period is a transition, Member States have specific deadlines within it (e.g., adopting national strategies and designating authorities). Failure to meet these national deadlines could delay the operational readiness of the sovereignty framework, but it does not extend the final application date for providers.

Related

• When do CADA obligations start for the telecom sector?
• When do CADA obligations start applying to the financial sector?
• When do CADA obligations start for energy and utilities?
• When do CADA provisions affect the automotive sector?
• When can AI startups start benefiting from CADA support?

This is general information about a draft EU regulation, not legal advice.