Summary As proposed, Belgium must designate its data centre acceleration zones within six months of the Cloud and AI Development Act (CADA) entering into force. Subsequently, within one year of entry into force, Belgium must adopt its national cloud and AI strategy, designate its national competent authority, and complete its initial public-order risk assessments. Crucially, these deadlines are calculated from the Regulation's entry into force (20 days after publication), not its date of application, meaning the administrative clock starts ticking immediately upon the law becoming effective across the EU.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised, binding timeline for all Member States to implement structural and strategic obligations. As a Regulation, CADA is directly applicable in Belgium, but it provides specific transition periods for administrative setup to ensure the ecosystem is ready before the full rules apply.

The timeline is anchored to the entry into force of the Regulation. Under Article 48, the Regulation enters into force on the twentieth day following its publication in the Official Journal of the European Union. While the general application of the Regulation begins one year after entry into force, several critical administrative milestones are triggered earlier, specifically at the six-month and one-year marks relative to entry into force.

1. Data Centre Acceleration Zones (6 Months)

Under Article 10(1), Member States where data centre capacity is being deployed must designate at least one data centre acceleration zone within their territory. The deadline for this designation is six months after the entry into force of the Regulation.

For Belgium, this creates a tight window to identify suitable sites and formally designate them. The proposal requires Member States to consider specific aspects when designating these zones, including:

  • The location and dimension of the site.
  • Available and future power grid capacity and on-site clean energy generation.
  • Network connectivity capacity.
  • The ability to reuse waste heat.
  • Measures to accelerate permitting.
  • Environmental sustainability and climate resilience.

Once designated, these zones benefit from streamlined administrative procedures. Under Article 13, data centre projects deployed in acceleration zones are considered "strategic projects" and benefit from a dedicated toolbox for environmental assessments. Furthermore, Member States must issue an "aggregated baseline permit" for the zone, and the permit-granting procedure for projects within these zones must not exceed 12 months from the submission of a comprehensive application.

2. National Cloud and AI Strategy (1 Year)

Article 7(1) requires Member States to establish national cloud and AI strategies within one year of the Regulation's entry into force. These strategies must be coherent with the objectives of CADA and contribute to the digital targets established under the Digital Decade Policy Programme.

The national strategy must include at least the following elements:

  • Key objectives and priorities for cloud and AI adoption, aligned with the "AI first" principle.
  • Measures to accelerate development and adoption at national, regional, and local levels, particularly among public sector bodies, SMEs, and small mid-caps.
  • Measures to support the deployment of data centre capacity, focusing on high-value, sustainable facilities.
  • Plans to invest in high-intensity computing infrastructure, including AI factories, AI gigafactories, and quantum computers.
  • Measures to support the development of cloud computing stack technologies built upon open hardware and software.
  • Measures to ensure the accessibility of high-quality data for AI development.

Once adopted, Article 7(5) mandates that Member States notify the European Commission of their national strategies within three months of adoption. Belgium must therefore ensure its strategy is not only drafted and approved within the first year but also formally communicated to the Commission shortly thereafter. The strategy must be assessed at least every three years on the basis of key performance indicators and updated where necessary.

3. Designation of National Competent Authority (1 Year)

Article 25(1) stipulates that Member States must designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework (Title IV) within one year of the Regulation's entry into force.

This authority will hold exclusive competence for enforcing the sovereignty chapter in the Member State where the cloud computing service provider has its main establishment. Its responsibilities include:

  • Receiving and assessing applications for recognition of Union assurance levels (1–4).
  • Supervising recognised cloud computing service providers.
  • Conducting investigations and enforcing penalties for infringements.
  • Cooperating with competent authorities in other Member States and the Commission.

Belgium may designate an existing authority or a new one, but the designation must be formalised and notified to the Commission within this one-year window. The Commission will maintain a public register of these authorities.

4. Risk Assessments for Public Procurement (1 Year)

While the procurement rules themselves apply from the general application date, Article 29(1) requires Member States and Union entities to carry out risk assessments to determine the required Union assurance levels for public sector activities. This initial assessment must be completed within one year of entry into force, and thereafter every two years.

These assessments must identify public sector activities that contribute to the preservation of public order in sectors such as national security, internal security, defence, justice, and law enforcement. Based on this assessment, Member States must determine which Union assurance level (2, 3, or 4) is appropriate for these activities. This assessment is the legal prerequisite for Article 30, which mandates that contracting authorities procure only services recognised at the appropriate assurance level for public-order-relevant activities.

Summary of Key Deadlines for Belgium

Obligation Legal Basis Deadline (Relative to Entry into Force)
Designate Data Centre Acceleration Zones Article 10(1) 6 months
Adopt National Cloud & AI Strategy Article 7(1) 1 year
Designate National Competent Authority Article 25(1) 1 year
Complete Initial Risk Assessments Article 29(1) 1 year
Notify Commission of National Strategy Article 7(5) 3 months after adoption

What this means for you

For Belgian public-sector procurement officers, digital strategy teams, and infrastructure planners, these deadlines create a non-negotiable roadmap for preparation.

  1. Immediate Infrastructure Scoping: With the six-month deadline for acceleration zones, Belgian authorities must immediately identify potential sites that meet the criteria for grid capacity, connectivity, and sustainability. Projects located in these zones will benefit from the 12-month permitting cap, making early designation critical for timely deployment.
  2. Strategic Alignment: The one-year deadline for the national strategy means that current digital transformation plans must be reviewed for alignment with CADA's "AI first" principle and open-source objectives. Public bodies should engage with the drafting process to ensure their specific needs (e.g., for AI factories or quantum computing) are reflected in the national plan.
  3. Procurement Readiness: The risk assessment deadline is the trigger for procurement compliance. By the one-year mark, Belgian contracting authorities must have a clear understanding of which of their activities are deemed "public order" relevant. This determines whether they must procure at Union assurance level 1 (baseline) or levels 2–4 (sovereign). Procurement processes for critical services should begin incorporating sovereignty criteria immediately to avoid delays once the rules apply.
  4. Authority Coordination: The designation of the national competent authority will centralise the recognition of cloud providers. Belgian entities should monitor the Commission's public register to identify which authority will handle their specific cases and prepare to submit evidence for recognition once the process opens.

Common misconceptions

  • "The deadlines start from publication." No. The deadlines in Articles 7, 10, and 25 are tied to the entry into force of the Regulation, which occurs 20 days after publication. The application of the rules (when you must actually comply) is one year after entry into force, but the administrative setup (designations and strategies) must happen earlier.
  • "Belgium can skip acceleration zones if it has no new projects." Article 10(1) applies to Member States "where data centre capacity is being deployed." Given Belgium's established data centre market and the proposal's goal to triple capacity, it is highly likely Belgium will be required to designate at least one zone to facilitate future growth.
  • "The national competent authority is automatically the data protection authority." While they will cooperate, Article 25 allows Member States to designate an existing authority or a new one. It is not automatically the data protection authority, though it will work closely with them on data sovereignty and security issues.
  • "Risk assessments are optional for non-critical sectors." Article 29(1) makes risk assessments mandatory for all Member States to determine the baseline for public-order activities. Without a completed assessment, contracting authorities cannot legally determine their procurement requirements under Article 30, potentially stalling public procurement.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.