When is the first CADA evaluation report due? Article 47 timeline

Summary Under Article 47(1) of the proposed Cloud and AI Development Act (CADA), the European Commission would be required to submit its first evaluation report four years after the regulation enters into force. Subsequent reports would follow every five years thereafter. These reports would be submitted to the European Parliament, the Council, and the European Economic and Social Committee (EESC). As CADA is currently a proposal, these dates are contingent on the final adoption and entry into force of the regulation.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a comprehensive framework to strengthen Europe's cloud and AI ecosystem. To ensure this framework remains effective, adaptable, and aligned with market realities, the proposal includes a robust "Review" mechanism. This mechanism is codified in Article 47, which dictates the timing, frequency, and recipients of the Commission's evaluation reports.

The Statutory Timeline: Article 47(1)

The core timeline is explicitly defined in Article 47(1). The provision states:

"By [date of entry into force plus 4 years], and every 5 years thereafter, the Commission shall evaluate this Regulation, and report to the European Parliament, the Council and the European Economic and Social Committee."

This clause establishes two critical temporal markers for the legislative lifecycle of CADA:

1. The First Evaluation Point: The clock for the first report begins on the date the regulation enters into force. It is not tied to the date the regulation becomes applicable (which, under Article 48, is typically one year after entry into force). Therefore, the first comprehensive assessment of the regulation's functioning would be due exactly four years after its publication in the Official Journal of the European Union.
2. The Recurring Cycle: Following the initial four-year assessment, the obligation becomes periodic. The Commission must evaluate the regulation and report every five years thereafter. This creates a predictable rhythm of legislative scrutiny (e.g., Year 4, Year 9, Year 14, etc.), ensuring that the framework is regularly tested against the rapidly evolving landscape of cloud computing and artificial intelligence.

The Recipients of the Evaluation

Article 47(1) mandates a specific tripartite reporting structure. The evaluation report must be submitted to:

• The European Parliament: The directly elected legislative body, ensuring democratic oversight.
• The Council: Representing the Member States' governments, ensuring intergovernmental alignment.
• The European Economic and Social Committee (EESC): The advisory body representing organized civil society (employers, workers, and other interest groups).

Including the EESC is significant. It ensures that the evaluation of CADA's impact on the "cloud and AI ecosystem" is not limited to political or technical metrics but also incorporates the socio-economic perspectives of stakeholders who are directly affected by the regulation's market and procurement measures.

Content and Scope of the Evaluation

While Article 47(1) sets the schedule, Article 47(2) and Article 47(3) define the substance and potential outcomes of the review.

Legislative Follow-up (Article 47(2)) The evaluation is not merely an informational exercise. Article 47(2) stipulates:

"Where appropriate, the report referred to in paragraph 1 shall be accompanied by a proposal for amendment of this Regulation."

This means the Commission is empowered to propose legislative changes if the evaluation reveals that the regulation is not achieving its objectives, if market conditions have shifted, or if the sovereignty framework requires adjustment. This provision transforms the evaluation into a potential catalyst for future legislative amendments.

Specific Focus Areas (Article 47(3)) The proposal explicitly directs the Commission to pay specific attention to certain market dynamics during the evaluation. Article 47(3) states that the Commission shall:

"take into account the positions and findings of the European Parliament, of the Council, and of other relevant bodies or sources, and shall pay specific attention to small and medium-sized enterprises and the position of new competitors."

This focus aligns with CADA's broader policy goals. One of the primary drivers for the proposal is to reduce dependence on non-European hyperscalers and to foster a competitive, diverse European cloud market. Consequently, the evaluation reports would likely scrutinize whether the proposed measures—such as the Union assurance levels, data centre acceleration zones, and open-source mandates—are successfully lowering barriers for SMEs and enabling new competitors to enter the market.

Distinction: Entry into Force vs. Application

A critical nuance in the CADA timeline is the distinction between "entry into force" and "application," which directly impacts the evaluation deadline.

• Entry into Force: Under Article 48, the regulation enters into force on the twentieth day following its publication in the Official Journal. This is the date the law becomes binding.
• Application: Article 48 further states that the regulation shall apply from one year after the date of entry into force. This grace period allows Member States and stakeholders to prepare for compliance.

The evaluation timeline in Article 47 is tied strictly to the entry into force. Therefore, the four-year countdown begins immediately upon publication, even though the substantive obligations for cloud providers and public authorities may not be fully applicable until a year later. This ensures that the Commission has sufficient time to assess the regulation's implementation and impact once it is fully operational.

What this means for you

For stakeholders ranging from cloud service providers to public procurement officers, the Article 47 timeline has several strategic implications:

1. Regulatory Stability vs. Adaptability: The five-year review cycle offers a degree of stability. Organizations can plan long-term investments in data centre infrastructure or sovereign cloud adoption with the assurance that the core legal framework will not be subject to frequent, ad-hoc changes. However, the four-year mark represents a critical inflection point where the Commission may propose amendments based on early implementation data.
2. Stakeholder Engagement Opportunities: The evaluation process is a formal channel for stakeholder input. Article 47(3) requires the Commission to consider the positions of relevant bodies. Public sector bodies, industry associations, and SMEs should prepare to document their experiences with CADA's requirements—such as the administrative burden of risk assessments under Article 29 or the operational realities of the EuroCloud Federation under Article 34—to influence the Commission's findings.
3. Focus on Market Competition: Since the evaluation must pay "specific attention" to SMEs and new competitors, market participants should monitor how the Commission assesses the effectiveness of Article 32 (Union added value criteria) and other demand-side measures. If the evaluation finds that barriers remain high for smaller EU providers, it could trigger legislative amendments to strengthen these provisions.
4. Long-Term Infrastructure Planning: For data centre operators and investors, the evaluation timeline suggests a stable regulatory horizon for at least four to nine years. This supports the business case for long-term capital expenditure in data centre acceleration zones, as the regulatory environment is designed to be reviewed and adjusted only at predictable intervals.

Common misconceptions

• Misconception 1: The report is due four years after the regulation applies.
  • Correction: The report is due four years after the regulation enters into force. As Article 48 establishes a one-year gap between entry into force and application, the evaluation clock starts earlier than the compliance deadline.
• Misconception 2: The evaluation automatically changes the law.
  • Correction: The evaluation report itself is not a legislative act. Article 47(2) states that the report may be accompanied by a proposal for amendment. Any actual changes to the law would require the full ordinary legislative procedure, involving the European Parliament and the Council.
• Misconception 3: The evaluation is a one-time event.
  • Correction: Article 47(1) explicitly mandates a recurring cycle: "every 5 years thereafter." This ensures continuous monitoring of the regulation's effectiveness in a fast-moving technological sector.
• Misconception 4: Only the Parliament and Council receive the report.
  • Correction: The European Economic and Social Committee (EESC) is a mandatory recipient. This ensures that the socio-economic impact of the regulation is formally reviewed by representatives of civil society.

Related

• CADA Compliance Timeline: When do obligations start?
• Are CADA evaluation reports made public? Transparency under Article 47
• Will existing cloud contracts be affected when CADA starts to apply?
• Who receives the CADA review report? Parliament, Council & EESC
• When will the Cloud and AI Development Act (CADA) be reviewed?

This is general information about a draft EU regulation, not legal advice.