CADA Deadlines for Croatia

Summary As proposed in COM(2026) 502 final, Croatia would face three critical, harmonised deadlines under the Cloud and AI Development Act (CADA). First, the designation of at least one data centre acceleration zone would be due within six months of the Regulation's entry into force. Second, the establishment of a national cloud and AI strategy and the designation of national competent authorities would both be due within one year of entry into force. Finally, Croatia would be required to notify the European Commission of its adopted national strategy within three months of its adoption. These timelines are conditional on CADA being adopted in its current form; until then, they remain proposed obligations.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a rigorous, time-bound framework for Member States to align their national infrastructure and regulatory landscapes with Union-wide sovereignty and capacity goals. For Croatia, as for all Member States, the Regulation creates a "race against the clock" to prepare the legal and physical foundations for a sovereign cloud ecosystem. Because CADA is currently a proposal (COM(2026) 502 final), these deadlines are not yet legally binding. They would only become enforceable once the Regulation is formally adopted by the European Parliament and the Council, published in the Official Journal, and enters into force.

The timeline is anchored to a single pivotal date: the entry into force of the Regulation. According to Article 48, the Regulation would enter into force on the twentieth day following its publication in the Official Journal of the European Union. It would then apply from one year after that date. However, specific preparatory obligations for Member States trigger much earlier, creating a phased implementation schedule.

1. Data Centre Acceleration Zones: The 6-Month Sprint

The most immediate physical infrastructure obligation for Croatia is the designation of data centre acceleration zones. Under Article 10(1) of the proposal, Member States "shall designate at least one data centre acceleration zone" within their territory.

The deadline for this action is strict: it must be completed by a date calculated as "entry into force plus 6 months." This means that within half a year of the Regulation becoming law, Croatia would be required to formally identify and designate specific geographic areas where the development, expansion, and modernisation of data centres are to be facilitated.

The proposal mandates that these designations consider a comprehensive set of factors to ensure viability and sustainability. Article 10(1) explicitly requires Member States to assess:

• The location, dimension, and size of the site.
• Available and future power grid capacity, including on-site storage and clean energy generation.
• Network connectivity capacity and the ability to phase out legacy copper networks.
• Facilities for reusing data centre waste heat.
• Measures already taken to accelerate permitting.
• The preference for reusing brownfield sites over greenfield sites.
• The ability of the site to function sustainably, minimising environmental impacts and supporting carbon emission reductions.

This early deadline reflects the urgency of addressing the EU's compute capacity gap. By forcing Member States to identify these zones quickly, CADA aims to remove administrative bottlenecks and signal to investors where the EU intends to concentrate its data centre deployment efforts.

2. National Cloud and AI Strategy: The 1-Year Strategic Plan

Parallel to the physical designation of zones, Croatia would be required to formulate a comprehensive strategic roadmap. Article 7(1) of the proposal mandates that Member States "establish national cloud and AI strategies" by "entry into force plus one year."

This strategy is not merely a high-level document; Article 7(2) outlines specific mandatory content. The Croatian strategy must include:

• Key objectives and priorities for cloud and AI adoption, aligned with the "AI first" principle.
• A governance and monitoring framework to achieve these objectives.
• Measures to accelerate adoption at national, regional, and local levels, particularly for SMEs and public sector bodies.
• Strategies for deploying data centre capacity, with a focus on high-value, environmentally efficient facilities.
• Measures to invest in high-intensity computing infrastructure, such as AI factories, AI gigafactories, and quantum computers.
• Measures to support the development of cloud computing stack technologies built upon open hardware and software.
• Measures to ensure the accessibility of high-quality data for AI development.

The strategy must be consistent with the objectives of CADA and the digital targets established under the Digital Decade Policy Programme (Decision (EU) 2022/2481). Furthermore, Article 7(5) establishes a cycle of continuous improvement: Member States must assess their national strategies at least every three years based on key performance indicators and update them where necessary.

3. Notification to the Commission: The 3-Month Reporting Window

Once Croatia has drafted and formally adopted its national cloud and AI strategy, the clock starts on a reporting obligation. Article 7(5) states that "Member States shall notify the Commission of their national strategies within three months of their adoption."

This notification is a critical transparency mechanism. It allows the Commission to monitor the adoption and revision of national strategies across the Union, ensuring consistency and identifying gaps. The Commission is tasked with monitoring these strategies, and the European Artificial Intelligence Board (established by the AI Act) is required to advise and assist Member States in coordinating them (Article 7(6)).

4. Designation of National Competent Authorities: The 1-Year Regulatory Deadline

To enforce the sovereignty framework and oversee the recognition of cloud computing services, Croatia must also establish its regulatory oversight body. Article 25(1) requires Member States to "designate one or more national competent authorities responsible for enforcing this Chapter" (Title IV, the sovereignty framework) by "entry into force plus one year."

This deadline coincides with the deadline for the national strategy. The competent authority could be an existing body or a newly created entity, but it must possess the necessary resources—technical, financial, and human—to supervise cloud computing service providers effectively. Article 25(3) emphasises that these authorities must perform their tasks in an impartial, transparent, and timely manner.

Once designated, Croatia must notify the Commission of the names, tasks, and powers of these authorities (Article 25(2)). The Commission will then maintain a public register of these authorities. These bodies will wield significant powers under Article 26, including the ability to require information, carry out inspections, order the cessation of infringements, and impose fines.

What this means for you

For Croatian public-sector bodies, procurement officers, and infrastructure planners, these proposed deadlines represent a compressed timeline for preparation.

Immediate Infrastructure Scouting: Although the Regulation is not yet in force, the six-month deadline for acceleration zones is extremely tight. Croatian authorities should proactively identify potential brownfield sites with robust grid capacity and connectivity. Waiting until the Regulation enters into force to begin this assessment could jeopardise the ability to meet the six-month statutory deadline.

Strategic Drafting and Stakeholder Engagement: The one-year window for the national strategy requires immediate drafting and broad consultation. The strategy must integrate the "AI first" principle and align with existing digital targets. Procurement officers should begin mapping current IT contracts against the future sovereignty requirements to anticipate the shift toward Union assurance levels.

Regulatory Capacity Building: The designation of a competent authority within one year requires significant administrative preparation. Croatia must identify an entity with the specific expertise to audit cloud services, assess sovereignty risks, and enforce compliance. Investing in training and hiring personnel with cloud cybersecurity and sovereignty assessment skills now will be essential to ensure the authority is operational on day one of the Regulation's application.

Compliance Readiness: The notification requirement (3 months post-adoption) means that the strategy cannot be a "last-minute" document. It must be finalised, approved, and ready for submission well before the one-year mark to allow for the notification window.

Common misconceptions

Misconception 1: The deadlines are already active. CADA is currently a proposal (COM(2026) 502 final). The timelines described—6 months for zones, 1 year for strategy and authorities—are conditional. They would only become legally binding once the Regulation is adopted and enters into force. Until that moment, Croatian authorities are not legally required to meet these specific dates, though early preparation is advisable.

Misconception 2: Acceleration zones are optional or voluntary. Article 10(1) uses the mandatory term "shall designate." For any Member State deploying data centre capacity, the designation of at least one acceleration zone is a compulsory obligation, not a voluntary option. It is a core mechanism for the EU to address the compute capacity gap.

Misconception 3: The national strategy is a one-off exercise. Article 7(5) explicitly requires Member States to assess their national strategies at least every three years and update them as necessary. This is a recurring obligation requiring a permanent governance and monitoring framework, not a single deliverable.

Misconception 4: Competent authorities only handle public procurement. While the competent authorities play a central role in the public procurement of sovereign cloud services, their remit under Title IV is broader. They are responsible for the entire sovereignty framework, including recognising cloud service providers at Union assurance levels, overseeing auditing organisations, and enforcing compliance across the market.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• CADA Deadlines for Lithuania: Acceleration Zones, National Strategy & Competent Authorities
• CADA Deadlines for Hungary: Acceleration Zones, National Strategy & Competent Authorities
• Poland's CADA Deadlines: Acceleration Zones, National Strategy & Competent Authority Timeline
• CADA Deadlines for Denmark: Acceleration Zones, National Strategy & Competent Authority
• CADA Deadlines for France: Acceleration Zones, Strategy & Competent Authority

This is general information about a draft EU regulation, not legal advice.