Summary As proposed, the Cloud and AI Development Act (CADA) would start to apply one year after it enters into force (Article 48). Since it would enter into force 20 days after publication in the Official Journal, its substantive obligations would bite roughly a year after that. During the gap, cloud service providers and data-centre operators are not yet legally bound by the new rules — but it is the time to prepare, especially for the Union assurance levels and data-centre permitting.

Detail

The timeline sits in Article 48 of the proposal (COM(2026) 502 final), which sets two stages: entry into force, then application.

1. Entry into force. Article 48 states: "This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union." This makes the law part of the EU legal order, but most operational duties are not yet active — the period lets the Commission and Member States stand up the administrative machinery, such as the central repository of recognised cloud services and the national competent authorities.

2. Date of application. Article 48 continues: "It shall apply from [same day and month as date of entry into force plus 1 year]." This is the date that matters for business: on it, CADA's substantive obligations become binding. Cloud service providers must meet the Union assurance levels to serve public-sector bodies; data-centre operators come within the acceleration-zone and single-information-point framework.

3. The one-year transition gap. The gap is a deliberate transition period. During it:

  • Member States must designate national competent authorities — under Article 25(1), by entry into force plus one year — and designate data-centre acceleration zones (Article 10);
  • the Commission must establish the central repository of recognised cloud services (Article 22) and the EuroCloud Federation platform (Article 34); and
  • businesses have time to align their technical, legal and operational arrangements with the new sovereignty and sustainability criteria.

CADA is still a proposal, so the exact calendar dates depend on when the final text is adopted and published; the text uses placeholder language confirming application one year after entry into force.

Why one year, and not more or less? A single uniform transition window keeps the regime simple and predictable, and one year is a common choice for EU acts that require operational readiness rather than deep structural change. It is long enough for Member States to designate authorities and for the Commission to build the central repository, but short enough to deliver the policy's urgency — CADA is framed around closing a compute-capacity gap, so an open-ended delay would undercut its purpose. Providers should treat the year as firm runway: the substantive duties do not phase in gradually, they switch on in full on the application date.

What this means for you

For cloud service providers and data-centre operators, the transition year is for preparation, not waiting.

For cloud service providers:

  • Map your sovereignty profile. Assess your offering against the four Union assurance levels in Annex II — where you are established, where your infrastructure and personnel sit, and whether your subcontractors could meet the criteria for levels 2, 3 or 4.
  • Prepare for audits. Levels 2, 3 and 4 require independent third-party audits (Article 20). Use the year to identify qualified auditing organisations and run internal gap analyses against the Annex II criteria.
  • Review subcontractor chains. CADA's higher levels turn on control and transparency over subcontractors. Make sure your contracts permit the necessary oversight and that subcontractors can meet the relevant sovereignty requirements.
  • Plan recognition early. Recognition by a national competent authority (Article 17) takes time; preparing documentation during the transition helps you secure access to public-sector contracts when the rules apply.

For data-centre operators:

  • Track acceleration-zone designations. Member States must designate data-centre acceleration zones (Article 10). Identify the zones in your target markets so projects can benefit from streamlined permitting.
  • Engage single information points. Member States must designate single information points for data-centre projects (Article 12). Make early contact to understand the administrative requirements.
  • Assess sustainability requirements. Align data-centre designs with the key performance indicators referenced for acceleration zones (Article 11, which points to the KPIs in Delegated Regulation (EU) 2024/1364).
  • Prepare permit applications. Permit-granting in acceleration zones is capped at 12 months from a comprehensive application (Article 13). Gather environmental-assessment and grid-connection documentation in advance.

General preparations:

  • Update internal policies — terms of service, data-processing agreements and governance to reflect the new sovereignty and transparency obligations.
  • Train staff — particularly on the meaning of third-country "control" and its bearing on the assurance levels.
  • Watch the secondary legislation — delegated acts (technical criteria, audit rules) and implementing acts (procedures, templates, fees) will shape practical implementation.

Sequence your work to the recognition lead time. The single most important scheduling point is that recognition is not instantaneous. For level 1, you prepare an EU statement of conformity; for levels 2–4, an auditing organisation must complete an audit and issue a positive opinion before a national competent authority can recognise the service. Each of those steps takes weeks to months, and the authority then has its own assessment period. Working backwards from the application date, a provider that wants to be serving public-sector customers on day one realistically needs its audit engagement under way well before then — not in the final weeks of the transition. Treat the application date as a hard deadline for being recognised, not for starting the process.

Common misconceptions

"The rules apply immediately on publication." No. Article 48 separates entry into force (20 days after publication) from application (one year after entry into force). There is a substantial transition before compliance is mandatory.

"CADA replaces the AI Act or GDPR." No. CADA complements existing law; it does not repeal the AI Act (Regulation (EU) 2024/1689) or the GDPR. Providers would comply with CADA's sovereignty framework in addition to those and to NIS2.

"Only public-sector bodies are affected." The procurement rules (Article 30) target public-sector buyers, but the sovereignty framework and data-centre rules affect providers and operators in the EU market more broadly, and private entities in sectors of high criticality may be required to carry out impact assessments (Article 31).

"The application date is fixed in the text." The proposal uses a placeholder — "[same day and month as date of entry into force plus 1 year]." The exact date depends on when the final Regulation is published in the Official Journal.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.