Summary As proposed in COM(2026) 502 final, Austria faces three critical, time-bound obligations under the Cloud and AI Development Act (CADA). First, Austria must designate at least one data centre acceleration zone within six months of the regulation entering into force. Second, it must establish a national cloud and AI strategy and designate a national competent authority within one year of entry into force. Finally, once the strategy is adopted, Austria must notify the European Commission within three months. These deadlines are triggered by the regulation's entry into force (20 days after publication), not by the proposal date.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a harmonised framework to strengthen Europe's cloud and AI ecosystem. For Member States like Austria, the regulation imposes specific, sequential obligations designed to accelerate infrastructure deployment, ensure strategic planning, and establish regulatory oversight. These obligations are not optional; they are binding requirements that would apply uniformly across the Union once the regulation is adopted.

The timeline for these obligations is strictly tied to the regulation's entry into force. According to Article 48, the regulation would enter into force on the twentieth day following its publication in the Official Journal of the European Union. It would then apply from one year after that date. However, several key preparatory obligations for Member States are triggered earlier, starting from the date of entry into force.

1. Designation of Data Centre Acceleration Zones (6 Months)

The most immediate infrastructure-related obligation for Austria is the designation of data centre acceleration zones. Under Article 10(1), Member States must designate at least one data centre acceleration zone within their territory by a specific deadline: six months after the regulation's entry into force.

These zones are not merely geographical markers; they are designated areas where the deployment, expansion, and modernisation of data centres are to be facilitated through streamlined administrative and permit-granting processes. When designating these zones, Article 10(1) requires Austria to consider several critical factors:

  • The location, dimension, and size of the site.
  • Available and future power grid capacity and the potential for on-site clean energy generation.
  • Network connectivity capacity.
  • The ability to reuse waste heat.
  • Measures to accelerate permit granting.
  • The preference for reusing brownfield sites over greenfield sites.
  • The site's ability to function sustainably and minimize environmental impacts.

Failure to designate these zones within the six-month window would delay the application of the accelerated permitting procedures outlined in Article 13, which treats projects within these zones as "strategic projects" eligible for a dedicated environmental assessment toolbox.

2. National Cloud and AI Strategy (1 Year)

Parallel to the infrastructure designation, Austria must develop a comprehensive strategic roadmap. Article 7(1) mandates that Member States establish national cloud and AI strategies within one year of the regulation's entry into force.

This strategy is not a generic policy document; it must be coherent with the objectives of CADA and include specific, actionable measures. Under Article 7(2), the strategy must cover:

  • Key objectives and priorities for cloud and AI adoption, aligned with the "AI first" principle.
  • Measures to accelerate adoption at national, regional, and local levels, particularly for public sector bodies, SMEs, and small mid-caps.
  • Measures to support the deployment of data centre capacity, focusing on high-value, energy-efficient facilities.
  • Investments in high-intensity computing infrastructure, including AI factories and quantum computers.
  • Measures to support the development of cloud computing stack technologies based on open hardware and software.
  • Measures to ensure the accessibility of high-quality data for AI development.

The strategy must also be consistent with the digital targets established under the Digital Decade Policy Programme 2030. Austria would be required to assess its strategy at least every three years and update it as necessary.

3. Notification of National Strategy (3 Months Post-Adoption)

Transparency and consistency are central to the CADA framework. Once Austria adopts its national cloud and AI strategy, it cannot simply file it away. Article 7(5) imposes a strict notification requirement: Austria must notify the European Commission of its national strategy within three months of its adoption.

This notification allows the Commission to monitor the adoption and revision of national strategies across the Union. It ensures that Austria's strategy is consistent with the regulation's objectives and contributes to the associated digital targets. The European Artificial Intelligence Board, established by the AI Act, would also advise and assist Member States in coordinating these strategies.

4. Designation of National Competent Authority (1 Year)

To enforce the sovereignty framework and the Union assurance levels, Austria must establish a regulatory body. Article 25(1) requires Member States to designate one or more national competent authorities responsible for enforcing the sovereignty chapter of CADA.

The deadline for this designation is one year after the regulation's entry into force. These authorities would be responsible for:

  • Receiving and assessing applications for recognition of cloud computing service providers offering Union assurance levels.
  • Supervising recognised providers.
  • Exercising investigative and enforcement powers, including the power to order the cessation of infringements and impose fines.
  • Cooperating with competent authorities in other Member States and the Commission.

The Member State where the cloud computing service provider has its main establishment (head office or registered office) would have exclusive competence for enforcing the chapter. For Austria, this means the designated authority would be the primary point of contact for providers seeking recognition to serve the Austrian public sector.

Summary Timeline for Austria

The following table summarises the key deadlines Austria would face under the proposed CADA, assuming the regulation enters into force on a hypothetical date $T$:

Obligation Deadline Legal Basis Key Requirement
Designate data centre acceleration zone(s) $T + 6$ months Article 10(1) At least one zone; consider grid, connectivity, sustainability.
Adopt national cloud and AI strategy $T + 1$ year Article 7(1) Must include "AI first" principle, data centre measures, open-source support.
Designate national competent authority $T + 1$ year Article 25(1) Authority for enforcing sovereignty framework and assurance levels.
Notify Commission of national strategy 3 months after adoption Article 7(5) Notification required within 3 months of the strategy's adoption.

What this means for you

For stakeholders in Austria, including public sector bodies, cloud providers, and infrastructure investors, these deadlines represent a rapid shift in the regulatory landscape.

  • For Public Sector Bodies and Procurement Officers: The one-year deadline for the national strategy is the first major milestone. This strategy will likely define the baseline for public procurement. Under Article 30, contracting authorities will be required to procure cloud services at Union assurance level 1 as a minimum, and higher levels (2, 3, or 4) for activities contributing to public order. Early engagement with the Ministry responsible for digitalisation is essential to anticipate how the strategy will shape procurement criteria.
  • For Data Centre Operators and Investors: The six-month deadline for acceleration zones is critical. If Austria designates a zone near your planned site, you may benefit from the streamlined permitting process under Article 13, which caps the permit-granting procedure at 12 months. However, you must also be prepared to meet the sustainability requirements defined in Article 11, which references the key performance indicators in Delegated Regulation (EU) 2024/1364.
  • For Cloud Service Providers: The designation of the national competent authority within one year signals the start of the recognition process. Providers aiming to serve the Austrian public sector must prepare for the conformity self-assessment (Level 1) or independent third-party audits (Levels 2–4) required under Articles 19 and 20. The authority will be the gatekeeper for recognition across the Union.

Common misconceptions

  • "The deadlines start from the proposal date (June 2026)." Incorrect. The clock for all deadlines starts only when the regulation enters into force, which is 20 days after its publication in the Official Journal. If the regulation is adopted in late 2026 or 2027, the deadlines shift accordingly.
  • "Austria can delay these obligations if it needs more time." No. The deadlines in Articles 7, 10, and 25 are binding and uniform across the Union. While Member States have discretion in how they meet the objectives (e.g., which sites to designate as acceleration zones), they cannot unilaterally extend the statutory time limits.
  • "The national strategy is just a high-level document with no legal force." The strategy is a foundational legal instrument under CADA. It determines which public sector activities are deemed to contribute to public order (under Article 29), which in turn dictates the mandatory Union assurance level for procurement under Article 30. It directly influences market access for cloud providers.
  • "Only the federal government needs to act." While the national strategy and competent authority are federal responsibilities, the designation of acceleration zones and the implementation of data centre projects will involve regional and local authorities. Article 10(4) explicitly requires the involvement and coordination of all relevant national, regional, and local authorities.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.