CADA Entry into Force and Application

Summary As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) follows a standard EU legislative timeline with a critical distinction between validity and enforceability. Article 48 stipulates that the Regulation "shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union." However, the substantive obligations shall apply from [same day and month as date of entry into force plus 1 year]. This creates a mandatory one-year transition period. During this year, the law is legally valid, but entities are not yet required to comply with its operational duties, such as designating data centre acceleration zones, establishing national competent authorities, or procuring cloud services at specific Union assurance levels.

Detail

The precise timing of CADA's legal effect is governed exclusively by Article 48 of the proposal. Understanding the bifurcation between "entry into force" and "date of application" is fundamental for legal counsel, compliance officers, and public procurement authorities. Unlike some regulations that apply immediately upon publication, CADA as proposed includes a deliberate delay to allow for administrative and technical preparation.

The Two-Stage Timeline

1. Entry into Force (Day 20) According to Article 48, the Regulation "shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union."

• Legal Effect: On this date, the Regulation becomes part of the EU legal order. It is binding in its entirety and directly applicable in all Member States.
• Practical Implication: The text of the law is now fixed (subject to the final legislative text). However, the specific obligations within the text—such as the requirement for cloud providers to undergo audits or for Member States to designate acceleration zones—are not yet active. This date marks the start of the "clock" for the transition period.

2. Date of Application (One Year Later) Article 48 further states that the Regulation "shall apply from [same day and month as date of entry into force plus 1 year]."

• Legal Effect: On this date, the substantive obligations become enforceable.
• Practical Implication: From this day forward, Member States must have designated their data centre acceleration zones (Article 10), appointed national competent authorities (Article 25), and public bodies must have conducted their risk assessments (Article 29). Cloud providers seeking to serve the public sector must have obtained recognition for their Union assurance levels (Article 17). Failure to comply with these requirements after this date constitutes an infringement.

Why the One-Year Gap?

The one-year gap between entry into force and application is not merely administrative; it is a strategic necessity for the ecosystem CADA aims to regulate. The proposal addresses complex structural issues—sovereignty, data localisation, and infrastructure capacity—that cannot be resolved overnight.

• Administrative Setup: Member States require time to designate national competent authorities (Article 25) and single information points for data centre projects (Article 12). These bodies must be established, staffed, and empowered before they can begin supervising the market.
• Infrastructure Planning: The designation of data centre acceleration zones (Article 10) involves spatial planning, energy grid analysis, and environmental assessments. Member States are required to designate these zones within six months of the Regulation's entry into force, but the actual permitting and construction processes rely on the framework being fully operational at the application date.
• Market Adaptation: Cloud computing service providers need time to align their operations with the Union assurance levels defined in Annex II. For Levels 2, 3, and 4, this involves undergoing independent third-party audits (Article 20) and submitting evidence to national authorities. The transition period allows providers to prepare their documentation, engage auditors, and undergo the recognition process (Article 17) before the procurement mandates kick in.
• Public Sector Readiness: Contracting authorities must conduct risk assessments (Article 29) to determine which of their activities contribute to the preservation of public order. This assessment dictates whether they must procure cloud services at Level 1 or at the higher Levels 2, 3, or 4. This process requires internal coordination and potentially new procurement strategies.

Legislative Status and Uncertainty

It is imperative to note that CADA is currently a proposal (COM(2026) 502 final). The timeline described in Article 48 is as drafted by the European Commission.

• Legislative Process: The final text is subject to amendment by the European Parliament and the Council. While the "20 days + 1 year" structure is standard EU practice, the specific wording or duration could theoretically change during negotiations.
• Publication Dependency: The exact calendar dates are not fixed in the proposal. They are relative to the date of publication in the Official Journal. Therefore, no specific date (e.g., "1 January 2028") can be definitively stated until the final Regulation is published.
• Hedging: All references to the timeline in this FAQ use "as proposed" or "would" to reflect the draft status.

What this means for you

For legal and compliance teams, the distinction between entry into force and application dictates a phased action plan. The one-year transition period is a preparation window, not a grace period for inaction.

1. Immediate Action: Monitor the Official Journal

Your first step is to track the publication of the final Regulation.

• Trigger: Once published, count 20 days to establish the entry into force date.
• Action: Mark the application date (entry into force + 1 year) on your compliance calendar. This is your hard deadline for full operational compliance.

2. Strategic Preparation During the Transition

Do not wait until the application date to begin compliance activities. The complexity of CADA's requirements means that a "day one" start is impossible for many entities.

• For Cloud Providers:

  • Gap Analysis: Map your current infrastructure, personnel, and supply chain against the criteria in Annex II. Identify gaps in establishment, data localisation, and cybersecurity certification.
  • Audit Readiness: If you aim for Union assurance Levels 2, 3, or 4, engage with potential auditing organisations early. The audit process (Article 20) and the subsequent recognition procedure (Article 17) can take several months.
  • SME Advantage: If you are an SME, note that Article 17(3) provides for automatic recognition of Level 1 statements of conformity. Ensure your self-assessment is robust and publicly available.

• For Public Sector Bodies & Contracting Authorities:

  • Risk Assessment: Initiate the risk assessment process required by Article 29 immediately upon entry into force. You must identify which activities contribute to the preservation of public order (e.g., law enforcement, defence, critical infrastructure) to determine if you are restricted to Level 2, 3, or 4 procurement.
  • Procurement Strategy: Review upcoming tenders. If your risk assessment dictates a higher assurance level, you must ensure your tender specifications reflect this before the application date.
  • National Strategies: Monitor your Member State's development of the national cloud and AI strategy (Article 7), which must be adopted within one year of entry into force. This strategy will guide your local implementation.

• For Data Centre Operators:

  • Acceleration Zones: Track the designation of data centre acceleration zones (Article 10) in your jurisdiction. These zones offer streamlined permitting (Article 13), but you must apply within the designated framework.
  • Permitting: Prepare your applications for the aggregated baseline permits (Article 13) which are designed to reduce the permitting timeline to 12 months.

3. Track Secondary Legislation

Many operational details are delegated to the Commission.

• Delegated Acts: The Commission is empowered to amend Annexes (e.g., updating assurance level criteria) and specify audit rules (Article 45).
• Implementing Acts: Methodologies for risk assessments (Article 29) and technical measures for the EuroCloud Federation (Article 35) will be defined via implementing acts (Article 46).
• Action: Subscribe to the Commission's notifications for these acts, as they will provide the granular rules necessary for compliance.

Common misconceptions

Misconception 1: "CADA applies immediately upon publication." This is incorrect. Publication triggers the 20-day countdown to entry into force, but the obligations do not apply until one year after entry into force. Confusing publication with application can lead to premature panic or, conversely, a false sense of security.

Misconception 2: "The one-year gap is a grace period where nothing matters." While obligations are not enforceable during the transition, the gap is a critical preparation phase. Key milestones, such as the designation of acceleration zones (Article 10) and national strategies (Article 7), occur during this year. Waiting until the application date to start these processes will result in non-compliance from day one.

Misconception 3: "The dates are fixed calendar dates in the proposal." The proposal uses relative dates ("twentieth day following publication" and "plus 1 year"). It does not specify a calendar date like "1 January 2028." The actual dates depend entirely on when the final text is published in the Official Journal.

Misconception 4: "Only large hyperscalers need to worry about the timeline." The timeline affects the entire ecosystem. Public sector bodies must complete risk assessments; SMEs must prepare Level 1 self-assessments; and data centre operators must align with acceleration zone designations. The one-year window is essential for all these actors to adapt.

Misconception 5: "Entry into force and application are the same legal concept." They are distinct. Entry into force makes the law valid and binding as a legal instrument. Application makes the specific duties within the law active and enforceable against entities. Article 48 explicitly separates these two events.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)

Related

• CADA Key Dates & Deadlines: A Chronological Compliance Timeline
• CADA Application Date: What Organisations Must Do Before Compliance Kicks In
• What should a public-sector body do before CADA's application date?
• What should a cloud provider do before CADA's application date?
• What goes into a CADA audit report and audit opinion?

This is general information about a draft EU regulation, not legal advice.