When does CADA enter into force and start to apply?

Summary As proposed, the Cloud and AI Development Act (CADA) would enter into force on the 20th day following its publication in the Official Journal of the European Union, and would then apply from one year after entry into force (Article 48). That creates a one-year gap between the Regulation becoming legally binding and its substantive obligations taking effect. Because CADA is a Regulation, it would be directly applicable in all Member States with no national transposition. CADA is still a proposal, so the actual dates are not yet known — they depend on when the text is finally adopted and published.

Detail

The timeline is governed by Article 48 ("Entry into force and application"). It distinguishes, as EU regulations typically do, between the moment the instrument becomes legally binding and the moment its operative rules must be complied with.

Entry into force

Article 48 provides that the Regulation "shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union." Once the European Parliament and the Council adopt the text and it is published, the 20-day clock runs and the instrument is then formally in force. From that point the Regulation exists as binding Union law, but most of its concrete obligations are not yet due.

Date of application

Article 48 then states that the Regulation "shall apply from [same day and month as date of entry into force plus 1 year]." The bracketed placeholder is the Commission's drafting convention for a date that will be fixed at adoption. In substance, it creates a one-year period between entry into force and application. For illustration only: if CADA entered into force in July of a given year, it would apply from July of the following year.

During that year the framework exists in law but its substantive duties — the sovereignty framework, the procurement obligations, the data-centre rules — are generally not yet enforceable. The period is an implementation window, intended to let Member States stand up the necessary authorities and structures and to let providers prepare.

How the one-year window lines up with other deadlines

Several of CADA's own deadlines are pegged to the same one-year point, so that the supervisory machinery is ready when the rules bite:

• National competent authorities. Member States would designate one or more national competent authorities "by [date of entry into force plus 1 year]" (Article 25(1)).
• National cloud and AI strategies. Member States would establish national strategies "by [same day as entry into force plus one year]" (Article 7(1)).
• Public-sector risk assessments. Member States and Union entities would carry out their first risk assessments "by [date of entry into force plus 1 year]," and thereafter every two years (Article 29(1)).

One deadline runs ahead of the application date. Member States would designate at least one data centre acceleration zone "by [date of entry into force plus 6 months]" (Article 10(1)) — six months after entry into force, and so roughly six months before the Regulation starts to apply. That gives data-centre operators earlier visibility of where streamlined permitting will be available.

There is no separate, longer transition or "grace period" for cloud providers in the text beyond the general one-year window — the proposal as drafted does not grant providers an additional migration period.

What this means for you

For in-house counsel and compliance teams, the entry-into-force / application distinction is the backbone of any CADA readiness plan.

1. Track publication, not just adoption. Adoption by the Parliament and Council is not the trigger. The 20-day entry-into-force clock starts at publication in the Official Journal; the one-year application clock starts at entry into force. Set internal alerts on publication.
2. Treat the year as preparation, not slack. Once the application date arrives, substantive obligations become enforceable. Use the window to scope compliance, not to defer it.
3. Start assurance-level work early. Recognition at Union assurance level 1 rests on a conformity self-assessment and an EU statement of conformity (Article 19); levels 2 to 4 require an independent third-party audit (Articles 20 to 21) and the gathering of audit evidence. Those audits take time, so beginning them during the window is prudent if you intend to sell to the public sector when the rules apply.
4. Watch the zone designations. If you operate data centres, the six-month acceleration-zone deadline (Article 10(1)) gives you an earlier signal than the general application date.

Common misconceptions

• "The law applies as soon as it is adopted." No. Adoption is not publication, and publication is not application. The Regulation enters into force 20 days after publication and applies one year after that.
• "Member States have two years to transpose CADA." No. CADA is a Regulation, not a Directive. It is directly applicable and there is no transposition period. The one-year gap is an implementation period, not a transposition period.
• "I can wait until the application date to start audits." Risky. The third-party assessment for levels 2 to 4 involves substantial evidence-gathering and an audit opinion. Leaving it until the rules apply could leave a service unrecognised — and so excluded from public-sector procurement — when buyers start requiring recognition.
• "Entry into force means I must comply immediately." No. Until the application date, the substantive obligations are generally not yet enforceable, though preparatory steps should begin earlier.

Related

• Who does the Cloud and AI Development Act (CADA) apply to?
• When will CADA be reviewed? Article 47 review clause explained
• When was the Cloud and AI Development Act (CADA) proposed?
• When must Member States act under CADA? Key deadlines
• What is the Apply AI Strategy and how does CADA support it?

This is general information about a draft EU regulation, not legal advice.