Summary Under the proposed Cloud and AI Development Act (CADA), Cyprus faces a strict, harmonised timeline triggered by the Regulation's entry into force. The Republic must designate at least one data centre acceleration zone within six months of entry into force (Article 10(1)). It must establish its national cloud and AI strategy within one year of entry into force and notify the European Commission within three months of that adoption (Article 7(1) and 7(5)). Finally, Cyprus must designate its national competent authority responsible for enforcing the sovereignty framework within one year of entry into force (Article 25(1)). As CADA is currently a proposal (COM(2026) 502 final), these dates are prospective and would only apply if the Regulation is adopted.
Detail
The Cloud and AI Development Act (CADA) is a legislative proposal by the European Commission designed to strengthen the EU's cloud and AI ecosystem. Its primary aims include increasing computing capacity, ensuring strategic autonomy, and simplifying the deployment of data centres across the Union. While the text is not yet law, it establishes a rigid schedule for Member States to implement structural obligations. For Cyprus, compliance is not optional; the Regulation creates a fixed timeline where specific actions must be completed relative to the date the Regulation enters into force.
1. Data Centre Acceleration Zones (Article 10)
To address the Union's compute capacity deficit and reduce reliance on non-EU infrastructure, CADA mandates the creation of specific geographic areas where data centre deployment is accelerated and streamlined. These are legally defined as "data centre acceleration zones."
The Deadline: Cyprus must designate at least one data centre acceleration zone within its territory by the date of entry into force of the Regulation plus 6 months. This deadline is explicitly set in Article 10(1).
The Requirement: Article 10(1) stipulates that "where data centre capacity is being deployed within the territory of a Member State, that Member State shall designate at least one data centre acceleration zone." When designating these zones, Cyprus must consider a comprehensive set of factors to ensure sustainability and viability:
- Site Characteristics: The location, dimension, and minimum/maximum size of facilities.
- Energy & Grid: Available and future power grid capacity, including the possibility of on-site storage and clean energy generation.
- Connectivity: Available and future network connectivity capacity.
- Sustainability: The ability of the site to function sustainably, minimising environmental impacts and carbon emissions, with a specific preference for reusing brownfield sites over greenfield sites.
- Permitting: Measures already taken to accelerate the granting of necessary permits.
Furthermore, Article 10(2) imposes an ongoing obligation. Cyprus must conduct a comprehensive analysis of the energy needs and greenhouse gas emissions impacts of these zones, reviewing this analysis at least every three years. This analysis must be integrated into national network development plans to ensure "anticipatory grid investments" are made to accommodate future data centre demand.
2. National Cloud and AI Strategy (Article 7)
CADA recognises that infrastructure deployment requires a coherent national policy framework. Member States are required to align their national strategies with the EU's broader digital targets, including the "AI first" principle.
The Deadline: Cyprus must establish its national cloud and AI strategy by the same day as entry into force plus one year. This is mandated by Article 7(1).
The Notification Requirement: Once the strategy is formally adopted, Cyprus must notify the European Commission of its national strategy within three months of its adoption. This procedural step is specified in Article 7(5).
The Content: Article 7(2) outlines the mandatory components of the strategy, which must include:
- Objectives: Key objectives and priorities for cloud and AI adoption, aligned with the "AI first" principle.
- Acceleration: Measures to accelerate development at national, regional, and local levels, particularly for SMEs, small mid-caps (SMCs), and public sector bodies.
- Infrastructure: Measures to support the deployment of data centre capacity, focusing on high-value, energy-efficient centres.
- Investment: Measures to invest in high-intensity computing infrastructure, such as AI factories, AI gigafactories, and quantum computers.
- SME Procurement: Measures to support the development of cloud and AI capabilities, including plans to achieve the objective that at least 25% of procurement for cloud computing services and AI systems be awarded to innovative SMEs (linked to Article 33).
The strategy must be consistent with the objectives of CADA and contribute to the digital targets established under the Digital Decade Policy Programme 2030 (Article 7(4)). Additionally, Cyprus must assess its national strategy at least every three years based on key performance indicators and update it where necessary (Article 7(5)).
3. National Competent Authority (Article 25)
To enforce the cloud computing sovereignty framework and oversee service providers, Member States must designate a specific regulatory body with the necessary powers and resources.
The Deadline: Cyprus must designate one or more national competent authorities by the date of entry into force plus one year. This requirement is set out in Article 25(1).
The Role: The designated authority (or authorities) will be responsible for enforcing Chapter I of Title IV of the Regulation, which covers the Union cloud computing sovereignty framework. Key responsibilities include:
- Recognition: Assessing applications from cloud computing service providers to be recognised as offering specific Union assurance levels (Article 17).
- Supervision: Monitoring recognised providers to ensure continued compliance.
- Enforcement: Exercising investigative and enforcement powers, such as the power to require information, carry out inspections, and impose fines (Article 26).
Article 25(2) requires Cyprus to notify the Commission of the names of these competent authorities and their tasks and powers. The Commission will maintain a public register of these authorities. Crucially, Article 25(4) establishes that the Member State in which a cloud computing service provider has its main establishment has exclusive competence for enforcing these rules, ensuring a "one-stop-shop" for supervision.
Summary of Key Deadlines for Cyprus
| Obligation | Legal Basis | Deadline Trigger |
|---|---|---|
| Designate Acceleration Zones | Article 10(1) | Entry into force + 6 months |
| Adopt National Cloud & AI Strategy | Article 7(1) | Entry into force + 1 year |
| Notify Commission of Strategy | Article 7(5) | 3 months after strategy adoption |
| Designate National Competent Authority | Article 25(1) | Entry into force + 1 year |
What this means for you
For public-sector bodies, procurement officers, and infrastructure planners in Cyprus, these deadlines represent critical milestones that will fundamentally shape the digital infrastructure landscape.
Procurement Planning: The requirement to adopt a national strategy within one year (Article 7) means that procurement frameworks for cloud and AI services must align with the strategic priorities defined in that document. Officers should anticipate that future tenders will increasingly require cloud services to meet specific Union assurance levels (sovereignty criteria). The strategy will likely detail how public bodies should transition towards sovereign cloud solutions, particularly for activities identified as contributing to public order.
Infrastructure Coordination: The six-month deadline for designating acceleration zones (Article 10) is tight. Public authorities involved in spatial planning, energy grid management, and environmental permitting must coordinate closely with the national government to identify suitable sites. This includes ensuring that grid capacity is available and that environmental assessments are streamlined. Procurement officers working on large-scale IT projects may need to consider the location of data centres in these zones to ensure compliance with future sovereignty requirements.
Regulatory Engagement: With the national competent authority to be designated within one year (Article 25), public sector bodies should prepare to engage with this new regulatory entity. This authority will oversee the recognition of cloud providers. Procurement teams will need to verify that their chosen cloud providers are recognised in the central repository maintained by the Commission (Article 22) and hold the appropriate Union assurance level required for their specific use case.
SME Participation: Article 7(2)(f) and Article 33 require the national strategy to include plans for ensuring that at least 25% of cloud and AI procurement is awarded to innovative SMEs. Procurement officers should review tender structures to ensure they are SME-friendly, such as dividing contracts into lots, to meet this strategic objective.
Common misconceptions
Misconception 1: The deadlines are based on the date of publication. Correction: The deadlines are tied to the "entry into force" of the Regulation. According to Article 48, the Regulation enters into force on the twentieth day following its publication in the Official Journal of the European Union. The "application" date (when the rules become fully applicable) is one year after entry into force. Therefore, the six-month deadline for acceleration zones is six months after entry into force, not after publication or application.
Misconception 2: Cyprus can use existing strategies without formal adoption. Correction: Article 7(1) requires the establishment of a national cloud and AI strategy by the specified deadline. While the explanatory memorandum notes that if a Member State has already adopted a strategy that adequately covers the objectives, it is not required to adopt another, it must still ensure consistency and notify the Commission. If gaps exist, the strategy must be updated. The notification to the Commission within three months of adoption (Article 7(5)) is a mandatory step, regardless of whether it is a new strategy or an updated existing one.
Misconception 3: The national competent authority is optional. Correction: Article 25(1) uses the mandatory term "shall designate." Member States do not have the option to opt out of designating a national competent authority. This authority is essential for enforcing the sovereignty framework and recognising cloud providers. Cyprus must notify the Commission of this authority's name and tasks (Article 25(2)).
Misconception 4: Acceleration zones apply only to new data centres. Correction: Article 10(1) applies "where data centre capacity is being deployed within the territory of a Member State." This implies that if Cyprus is deploying any data centre capacity, it must have at least one designated acceleration zone. The zone facilitates the deployment of data centres within it, but the designation of the zone itself is a mandatory territorial planning obligation for Member States deploying capacity.
Official sources
Related
- When must Sweden meet its CADA obligations? Key deadlines and timeline
- When must Spain meet its CADA obligations? Key deadlines and timeline
- When must Slovenia meet its CADA obligations? Key deadlines and timeline
- When must Slovakia meet its CADA obligations? Key deadlines and timeline
- When must Romania meet its CADA obligations? Key deadlines and timeline
This is general information about a draft EU regulation, not legal advice.