Summary

Under the proposed Cloud and AI Development Act (CADA), Estonia faces three critical, time-bound obligations triggered by the Regulation's entry into force. As a proposal (COM(2026) 502 final), these deadlines are not yet active but would become binding immediately upon adoption. Estonia must: (1) designate at least one data centre acceleration zone within six months; (2) adopt a national cloud and AI strategy and notify the Commission within three months of adoption (totaling roughly one year from entry into force); and (3) designate a national competent authority within one year. These steps are prerequisites for the Union's cloud sovereignty framework and public procurement rules.

Detail

The Cloud and AI Development Act (CADA) is a legislative proposal aimed at strengthening the EU's cloud and AI ecosystem by harmonising data centre deployment, establishing a sovereignty framework, and fostering public-sector adoption. While the text is not yet law, the draft Regulation establishes a precise timeline for Member States relative to its entry into force.

According to Article 48, the Regulation would enter into force on the twentieth day following its publication in the Official Journal of the European Union. It would then apply from one year after that date. However, specific preparatory obligations for Member States like Estonia are triggered earlier, creating a staggered compliance schedule.

The three primary obligations for Estonia are detailed below, grounded strictly in the text of the proposal.

1. Designation of Data Centre Acceleration Zones (6 Months After Entry into Force)

Legal Basis: Article 10(1)

The first major deadline for Estonia is the designation of data centre acceleration zones. Article 10(1) mandates that where data centre capacity is being deployed within its territory, Estonia must designate at least one such zone by the date of entry into force plus six months.

These zones are specific geographic areas where the development, expansion, and modernisation of data centres are facilitated through streamlined permitting and infrastructure support. When designating these zones, Estonia must consider a comprehensive set of factors listed in Article 10(1)(a)–(h), including:

  • Site location, dimension, and size constraints.
  • Available and future power grid capacity and clean energy generation potential.
  • Network connectivity capacity and the phasing out of legacy copper networks.
  • Facilities for reusing waste heat.
  • Measures to accelerate permit granting and the preference for reusing brownfield sites.
  • Sustainability measures to minimise environmental impacts and support carbon emission reduction.

The objective, as stated in the Recitals, is to address the Union's compute capacity gap and ensure geographically balanced deployment. Once designated, these zones benefit from an aggregated baseline permit (Article 13(2)) and accelerated environmental assessment procedures, with a maximum permit-granting procedure of 12 months (Article 13(5)).

2. Adoption and Notification of the National Cloud and AI Strategy (1 Year After Entry into Force)

Legal Basis: Article 7(1) and Article 7(5)

Estonia must establish a national cloud and AI strategy (referred to as "national strategies") by the date of entry into force plus one year, as per Article 7(1). This strategy is not merely an internal document; it is a binding framework that must align with the Regulation's objectives and the Digital Decade Policy Programme targets.

Required Content: Under Article 7(2), the strategy must include:

  • Key objectives and priorities for cloud and AI adoption, adhering to the "AI first" principle.
  • A governance and monitoring framework.
  • Measures to accelerate adoption at national, regional, and local levels, particularly for public sector bodies, SMEs, and small mid-caps (SMCs).
  • Plans to support the deployment of data centre capacity and high-intensity computing infrastructure (e.g., AI factories, AI gigafactories, quantum computers).
  • Measures to invest in cloud and AI capabilities, including public procurement of innovation.
  • Measures to support the development of cloud computing stack technologies based on open hardware and software.
  • Measures to ensure the accessibility of high-quality data for AI development.

The Notification Deadline: Crucially, Article 7(5) imposes a strict notification requirement. Estonia must notify the Commission of its national strategy within three months of its adoption. This means the timeline is not just "one year to adopt," but effectively "one year to adopt, followed immediately by a three-month window to notify." The Commission is tasked with monitoring the adoption and revision of these strategies.

3. Designation of a National Competent Authority (1 Year After Entry into Force)

Legal Basis: Article 25(1)

Parallel to the strategy deadline, Article 25(1) requires Estonia to designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework (Title IV of the Regulation). This designation must also be completed by the date of entry into force plus one year.

Role and Powers: The designated authority will have exclusive competence for enforcing the sovereignty framework for cloud computing service providers established in Estonia (Article 25(4)). Its responsibilities include:

  • Assessing applications for recognition of Union assurance levels (Levels 1–4).
  • Overseeing independent third-party audits for Levels 2, 3, and 4.
  • Supervising compliance with transparency obligations.
  • Exercising investigative and enforcement powers, including the ability to order the cessation of infringements and impose fines (Article 26).

Notification: Similar to the strategy, Article 25(2) requires Estonia to notify the Commission of the names, tasks, and powers of these authorities. The Commission will maintain a public register of these authorities.

What this means for you

For Estonian public-sector bodies, infrastructure planners, and legal teams, these deadlines represent a compressed timeline for structural change.

For Strategic Planners and Policy Makers: The one-year window to adopt a national strategy is tight. The strategy must be comprehensive, covering everything from data accessibility to procurement innovation. Because Article 7(5) requires notification within three months of adoption, the drafting and internal approval process must be completed well before the one-year mark to allow for the notification window. The strategy will directly influence future public procurement, as Article 30 ties procurement decisions to the Union assurance levels defined in the sovereignty framework.

For Infrastructure and Permitting Teams: The six-month deadline for designating acceleration zones is the most immediate challenge. Estonia must rapidly identify sites that meet the strict criteria in Article 10(1), particularly regarding grid capacity and environmental sustainability. Early identification is vital because the designation triggers the aggregated baseline permit mechanism (Article 13), which could significantly reduce the time required to build new data centres (capped at 12 months). Delaying this designation could bottleneck the entire national data centre expansion plan.

For Procurement and Compliance Officers: The designation of the national competent authority is the linchpin for the sovereignty framework. Without this authority, the recognition of cloud services at Union assurance levels cannot proceed. Once the authority is in place, Estonian contracting authorities must conduct risk assessments (Article 29) to determine which assurance levels are required for their activities. For activities contributing to public order (e.g., law enforcement, defence), procurement will be restricted to services recognised at Union assurance levels 2, 3, or 4 (Article 30(3)).

Actionable Steps:

  1. Track Entry into Force: Monitor the Official Journal for the publication date, as all deadlines are calculated from this moment.
  2. Map Acceleration Zones: Immediately begin technical assessments of potential sites for data centre acceleration zones, focusing on grid capacity and brownfield availability.
  3. Draft the National Strategy: Initiate the drafting of the national cloud and AI strategy now, ensuring it covers the mandatory elements of Article 7(2) and aligns with the "AI first" principle.
  4. Identify the Authority: Determine which existing body (e.g., the Information System Authority or a cybersecurity agency) will serve as the national competent authority, or plan for the necessary legislative changes to create one.

Common misconceptions

  • Misconception: The deadlines are fixed calendar dates (e.g., "by December 2027").
    • Correction: The deadlines are relative to the Regulation's entry into force. Since CADA is currently a proposal, the exact calendar dates depend on when the European Parliament and Council adopt the final text and publish it. The clock starts only upon publication in the Official Journal.
  • Misconception: Estonia can wait until the Regulation is fully applicable (one year after entry into force) to start working on these obligations.
    • Correction: The acceleration zone designation is due six months after entry into force, which is before the Regulation's main application date. Furthermore, drafting a national strategy and establishing a competent authority are complex processes that require significant lead time; waiting until the last minute would likely result in non-compliance.
  • Misconception: The national strategy is an internal document that does not need to be shared.
    • Correction: Article 7(5) explicitly requires Estonia to notify the European Commission of its national strategy within three months of adoption. This is a mandatory transparency step, not an optional courtesy.
  • Misconception: Only private cloud providers are affected by the competent authority.
    • Correction: The national competent authority oversees the entire sovereignty framework, which directly dictates public-sector procurement rules. Public bodies in Estonia must rely on the recognitions and assessments made by this authority to ensure their cloud providers meet the required Union assurance levels.

This is general information about a draft EU regulation, not legal advice.