Summary As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) would impose a rapid, synchronized implementation timeline on Czechia. The most immediate deadline requires the designation of at least one data centre acceleration zone within six months of the regulation's entry into force. Within one year, Czechia must simultaneously establish a national cloud and AI strategy and designate national competent authorities to enforce the new sovereignty framework. Crucially, once the national strategy is adopted, Czech authorities must notify the European Commission within three months. These deadlines are mandatory for all Member States and form the foundational infrastructure for the EU's cloud sovereignty goals.

Detail

The proposed Cloud and AI Development Act (CADA) is designed to address the fragmentation of the EU cloud market and the limited availability of computing capacity. For Czechia, as a Member State, the regulation establishes a binding schedule to align national policies with Union objectives. The timeline is not merely aspirational; it creates specific legal obligations with fixed dates calculated from the regulation's entry into force.

1. Data Centre Acceleration Zones: The 6-Month Deadline

The first and most urgent obligation for Czechia concerns physical infrastructure deployment. Under Article 10(1) of the proposed CADA, Member States are required to designate at least one "data centre acceleration zone" within their territory where data centre capacity is being deployed.

The regulation sets a strict deadline for this action: six months after the entry into force of the regulation. This short timeframe reflects the urgency of closing the EU's compute capacity gap.

When designating these zones, Czech authorities must consider a comprehensive set of factors outlined in Article 10(1), including:

  • The location, dimension, and size of potential facilities.
  • Available and future power grid capacity, including on-site storage and clean energy generation.
  • Network connectivity capacity and the ability to phase out legacy copper networks.
  • The potential for reusing waste heat and the preference for brownfield sites over greenfield sites.
  • Measures taken to accelerate permitting and ensure environmental sustainability.

Furthermore, Article 10(2) requires Czechia to conduct a comprehensive analysis of the energy needs and greenhouse gas impacts of these zones, which must be reviewed at least every three years. This analysis must be integrated into national network development plans to ensure anticipatory grid investments.

2. National Cloud and AI Strategy: The 1-Year Deadline

Parallel to the infrastructure designation, Czechia must align its broader policy framework with EU goals. Article 7(1) mandates that Member States establish a "national cloud and AI strategy" within one year of the regulation's entry into force.

This strategy is a binding roadmap, not a voluntary document. According to Article 7(2), it must include:

  • Key objectives and priorities for cloud and AI adoption, aligned with the "AI first" principle.
  • A governance and monitoring framework to achieve these objectives.
  • Measures to accelerate development at national, regional, and local levels, particularly for public sector bodies, SMEs, and small mid-caps.
  • Plans for supporting data centre deployment and high-intensity computing infrastructure, such as AI factories and quantum computers.
  • Measures to support the development of cloud computing stack technologies built upon open hardware and software.
  • Measures to ensure the accessibility of high-quality data for AI development.

The strategy must be consistent with the objectives of CADA and the digital targets established under the Digital Decade Policy Programme 2030 (Article 7(4)).

3. Notification to the Commission: The 3-Month Follow-Up

Adopting the national strategy is only the first step in the compliance chain. Article 7(5) imposes a strict notification requirement: Member States must notify the Commission of their national strategies within three months of their adoption.

This notification is critical for the Commission's monitoring role. It allows the Commission to assess whether the strategy is consistent with CADA's objectives and to facilitate the exchange of best practices among Member States. The European Artificial Intelligence Board (established by the AI Act) is also tasked with advising and assisting Member States in coordinating these strategies (Article 7(6)). Failure to notify within this window could hinder the Commission's ability to monitor progress and provide necessary guidance.

4. Designation of National Competent Authorities: The 1-Year Deadline

To enforce the cloud computing sovereignty framework, Czechia must have the appropriate regulatory bodies in place. Article 25(1) requires Member States to designate one or more "national competent authorities" responsible for enforcing the provisions of Title IV (Autonomy).

Like the national strategy, this designation must occur within one year of the entry into force of the regulation. These authorities will be the primary interface for cloud service providers seeking recognition at Union assurance levels.

Under Article 25(3), Czechia must ensure these authorities have all necessary resourcesβ€”technical, financial, and humanβ€”to perform their tasks impartially, transparently, and in a timely manner. The Member State where the cloud service provider has its main establishment (head office or registered office) holds exclusive competence for enforcement (Article 25(4)).

The powers of these authorities, detailed in Article 26, include:

  • Investigative powers: requiring information, conducting inspections, and seizing data.
  • Enforcement powers: ordering the cessation of infringements, imposing remedies, and levying fines.

5. Ongoing Obligations: Risk Assessments and Procurement

While the initial deadlines focus on setup, ongoing operational obligations begin shortly after. Article 29(1) requires Member States to carry out risk assessments to determine which public sector activities contribute to the preservation of public order.

These assessments must be conducted one year after entry into force and thereafter every two years. The risk assessment determines the appropriate Union assurance level (2, 3, or 4) for specific activities. This directly dictates procurement rules under Article 30:

  • Activities not identified as contributing to public order must use services at Union assurance level 1.
  • Activities identified as contributing to public order must procure only services recognized at Union assurance levels 2, 3, or 4.

Additionally, Article 32 requires contracting authorities to include "Union added value" criteria in public procurement for cloud services and AI systems, evaluating how tenders contribute to the European digital supply chain.

What this means for you

For public-sector bodies, procurement officers, and IT managers in Czechia, these deadlines represent a non-negotiable timeline for preparation. The "one-year" and "six-month" windows are short, meaning preparatory work must begin immediately upon the regulation's entry into force.

  • Procurement Officers: Do not wait for the national strategy to be finalized. Begin reviewing current cloud contracts and upcoming tenders. You will need to align future procurements with the Union assurance levels determined by your risk assessments. Ensure that your procurement documentation includes the new "Union added value" criteria (Article 32) to evaluate how tenders strengthen the European digital supply chain.
  • IT and Infrastructure Managers: Engage with national authorities to identify potential sites for data centre acceleration zones. Understand the sustainability and energy efficiency requirements that will apply to these zones, as these will be critical for the 6-month designation deadline.
  • Policy Advisors: Start drafting the components of the national cloud and AI strategy now. Engage with stakeholders, including SMEs, industry partners, and the "Centres for AI" network, to ensure the strategy is realistic and comprehensive. Crucially, plan for the 3-month notification window immediately following the strategy's adoption.
  • Legal and Compliance Teams: Prepare for the establishment of the national competent authority. Understand the investigative powers and penalty regimes that will apply to cloud service providers and public sector bodies. Ensure that internal processes are ready to support the risk assessments required under Article 29.

Common misconceptions

"I have time to wait until the regulation is fully adopted." The deadlines are tied to the regulation's entry into force, not its full application or the completion of all delegated acts. The 6-month deadline for acceleration zones and the 1-year deadline for strategies and authorities mean that preparatory work must start immediately upon publication in the Official Journal.

"The national strategy is optional or a formality." It is a mandatory legal requirement under Article 7. Failure to adopt and notify the strategy within the specified timelines constitutes a breach of EU law. The strategy must be consistent with CADA's objectives and the Digital Decade targets.

"Sovereignty levels apply to all public sector cloud use." No. Article 30 distinguishes between general public sector activities (which require Union assurance level 1) and those contributing to the preservation of public order (which require levels 2, 3, or 4 based on risk assessments). Not every department needs the highest level of sovereignty; the risk assessment determines the requirement.

"CADA replaces national cybersecurity laws." CADA complements existing laws like NIS2 and the GDPR. It adds a specific layer of sovereignty and procurement rules but does not replace broader cybersecurity or data protection obligations. In fact, Annex II requires services to obtain a European cybersecurity certificate of at least "substantial" assurance for levels 2 and 3, and "high" for level 4.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.