Summary As proposed, the Cloud and AI Development Act (CADA) would enter into force on the twentieth day following its publication in the Official Journal of the European Union (Article 48). Entry into force is not the same as the date the rules start to apply: CADA would apply one year after entry into force. So the Regulation becomes legally valid on the entry-into-force date, but its substantive obligations — sovereignty assurance levels, procurement duties — only bite a year later. For public-sector procurement officers, that one-year gap is the window to prepare.

Detail

The CADA timeline turns on two distinct legal concepts: entry into force and date of application. As a Regulation of the European Parliament and of the Council, CADA would be directly applicable in all Member States — it would not need national transposition to become part of the legal order.

Entry into force

Under Article 48, the Regulation "shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union."

Entry into force is the moment the act becomes legally valid and binding within the EU legal order. The twenty-day buffer after publication is a long-standing EU convention (rooted in the Treaty rules on publication of acts): it gives those affected a short, predictable interval to become aware of the new law before it formally takes effect. For most regulatory instruments, however, entry into force does not switch on the substantive obligations for businesses and public bodies straight away; a longer transition period follows, so stakeholders can prepare.

In CADA's case the practical consequence is that two clocks start running. From entry into force, the preparatory obligations on Member States and the Commission begin — designating authorities, building registries. The substantive obligations on providers and public buyers wait for the separate application date a year later. Confusing the two is the single most common planning error around any EU regulation.

Date of application

Article 48 continues: the Regulation "shall apply from [same day and month as date of entry into force plus 1 year]."

This creates a mandatory one-year gap between entry into force and the date the duties become enforceable. During that year the framework legally exists, but the specific obligations — recognition of cloud services at the Union assurance levels, the obligation on certain public bodies to procure sovereign services — do not yet apply.

Direct applicability

As a Regulation — not a Directive — CADA would apply directly in every Member State. This is a deliberate choice: a Regulation produces uniform rules across the EU without each Member State enacting its own transposing law, which avoids the fragmentation that varied national implementations could cause in a single market for cloud and compute. Once the application date arrives, procurement officers and national authorities apply the rules directly.

That said, "directly applicable" does not mean "nothing for Member States to do." The Regulation still requires national set-up steps during the transition — for example, designating national competent authorities, which under Article 25(1) must be done "by [date of entry into force plus 1 year]," and laying down national penalty rules under Article 24. These are administrative scaffolding for an EU-level framework, not transposition of the substantive obligations, which are fixed at Union level.

What this means for you

For public-sector procurement officers and IT strategists, Article 48 defines your planning horizon.

1. Preparation phase (entry into force to application date). Once CADA is published and enters into force, you would have about a year to get ready. In that window you should:

  • review existing cloud contracts against the proposed Union assurance levels;
  • identify which of your activities relate to the preservation of public order, since those would require higher assurance levels (2, 3 or 4) once the rules apply; and
  • engage with national competent authorities — which must be designated by the application date under Article 25(1) — to understand the recognition process locally.

2. Compliance phase (from the application date). One year after entry into force, the obligations become enforceable. You would then need to:

  • procure cloud services recognised at the appropriate Union assurance level (level 1 for ordinary activities; higher levels where a risk assessment under Article 29 so requires);
  • ensure public-sector risk assessments follow the methodology the Commission specifies; and
  • use the EuroCloud Federation where relevant, once its sharing framework is operational.

3. Strategic planning. The one-year gap is meant to let the supporting machinery stand up. National authorities must be designated, and the Commission must establish the central repository of recognised cloud services (Article 22). You cannot effectively procure "recognised" services until that repository is populated and the recognition mechanisms work — so the application date is both the start of mandatory compliance and the point by which the enabling infrastructure must be ready.

4. Watch the secondary legislation in parallel. Entry into force is also the moment the Commission's delegated and implementing-act powers become exercisable. Several pieces of detail you will eventually need to comply — the risk-assessment methodology (Article 29(3)), the audit rules (Article 20(9)), the recognition procedure (Article 17(12)) — are expected to be filled in during this period. Track these as they emerge, because they translate the high-level obligations into the concrete steps you will have to follow once the rules apply.

Common misconceptions

"Entry into force means immediate compliance." No. Article 48 separates entry into force (legal validity, 20 days after publication) from the date of application (enforceability, one year later). You would have a one-year window to adjust contracts and processes.

"Member States must pass their own laws first." Because CADA is a Regulation, it is directly applicable — no national transposition is needed for the core rules. Member States do have to take administrative steps, such as designating competent authorities (Article 25) and laying down penalty rules (Article 24), but the substantive obligations are set at EU level.

"The timeline is fixed and unchangeable." The text is a proposal. The final dates could shift during the legislative procedure. The "one year after entry into force" application rule is the current proposal; stakeholders should watch the final adopted text.

"Entry into force and date of application are two words for the same thing." They are deliberately distinct. Entry into force makes the act valid in the legal order; the date of application makes its obligations enforceable. CADA separates them by a year (Article 48), and the preparatory deadlines on Member States — such as designating authorities by entry into force plus one year (Article 25(1)) — are pegged to that structure. Reading "enters into force" as "applies in full" would lead you to start compliance a year too early on some points and, more dangerously, to assume the enforcement machinery exists before it actually does.

Related

This is general information about a draft EU regulation, not legal advice.