Summary Under the proposed Cloud and AI Development Act (CADA), Finland faces a tight, fixed timeline for foundational obligations. Data centre acceleration zones must be designated within six months of the Regulation's entry into force. National competent authorities and the national cloud and AI strategy must both be established within one year of entry into force. Once the strategy is adopted, Finland has a further three months to notify the European Commission. As a Regulation, CADA would apply directly in Finland without national transposition, making these deadlines legally binding on Finnish authorities immediately upon the Regulation's entry into force.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is designed to harmonise the deployment of cloud infrastructure and strengthen the Union's technological sovereignty. Unlike a Directive, which requires Member States to transpose rules into national law, a Regulation is directly applicable. This means the deadlines set in the text of CADA would become binding on Finland automatically, without the need for a separate Finnish legislative act to "bring them into force."
The timeline for compliance is calculated from the date of entry into force, which the proposal defines in Article 48 as "the twentieth day following that of its publication in the Official Journal of the European Union." While the Regulation would generally apply (i.e., become fully operational for most obligations) one year after entry into force, specific preparatory milestones are triggered earlier to ensure the ecosystem is ready.
1. Designation of Data Centre Acceleration Zones
Deadline: 6 months after entry into force
The first major operational deadline for Finland concerns the physical deployment of computing capacity. Article 10(1) mandates that Member States "where data centre capacity is being deployed within the territory of a Member State" must designate at least one data centre acceleration zone (acceleration zone) within their territory.
The proposal sets a strict deadline for this action: "[P.O. insert the date of entry into force of this Regulation plus 6 months]."
This requirement is driven by the urgent need to address the Union's compute capacity gap. Within these designated zones, Finland would be required to facilitate administrative and permit-granting processes, ensure access to energy grids, and apply specific sustainability requirements. For Finnish authorities, this means identifying suitable sitesโconsidering factors such as available power grid capacity, network connectivity, and environmental impactโand formally designating them as acceleration zones within this six-month window. This early deadline ensures that the regulatory framework for rapid deployment is in place before the full application of the Regulation.
2. Adoption of the National Cloud and AI Strategy
Deadline: 1 year after entry into force
Finland must develop and adopt a comprehensive national cloud and AI strategy. Article 7(1) explicitly states that Member States shall establish these strategies by "[same day as entry into force plus one year]."
This strategy is a core governance instrument under CADA. It is not a voluntary policy paper but a mandatory document that must include:
- Key objectives and priorities for cloud and AI adoption, aligned with the "AI first" principle.
- Measures to accelerate development at national, regional, and local levels, particularly for public sector bodies and SMEs.
- Plans to support the deployment of data centre capacity, with a focus on high-value, energy-efficient facilities.
- Measures to invest in high-intensity computing infrastructure, such as AI factories and quantum computers.
- Strategies to strengthen technological sovereignty through open hardware and software.
The strategy must be consistent with the objectives of the Regulation and contribute to the Digital Decade targets. If Finland already has an existing strategy, Recital 33 clarifies that it must be updated if gaps are identified to ensure it adequately covers the objectives set out in CADA.
3. Notification of the National Strategy to the Commission
Deadline: 3 months after adoption of the strategy
Adoption is only the first step; transparency is the second. Article 7(5) requires that Member States "notify the Commission of their national strategies within three months of their adoption."
This notification mechanism allows the Commission to monitor the adoption and revision of strategies across the Union. It ensures that national strategies are consistent with the Regulation's objectives and facilitates the exchange of best practices, potentially through the European Artificial Intelligence Board. Failure to notify within this three-month window would constitute a breach of the procedural obligations under CADA.
4. Designation of National Competent Authorities
Deadline: 1 year after entry into force
To enforce the sovereignty framework and oversee cloud service providers, Finland must designate one or more national competent authorities. Article 25(1) states that Member States shall designate these authorities by "[P.O. insert date of entry into force plus 1 year]."
These authorities are the enforcement arm of the Regulation. They are responsible for:
- Recognising cloud computing service providers that offer Union assurance levels (Levels 1โ4).
- Conducting investigations into suspected infringements.
- Imposing penalties for non-compliance.
- Cooperating with competent authorities in other Member States.
Finland may designate an existing authority (such as a cybersecurity or digital agency) or create a new one, but the designation must be formalised and notified to the Commission within this one-year timeframe. The authority must be equipped with sufficient technical, financial, and human resources to perform its tasks effectively and independently.
Summary of Key Deadlines for Finland
| Obligation | Legal Basis | Deadline |
|---|---|---|
| Designate Data Centre Acceleration Zones | Article 10(1) | 6 months after entry into force |
| Adopt National Cloud and AI Strategy | Article 7(1) | 1 year after entry into force |
| Notify Commission of National Strategy | Article 7(5) | 3 months after adoption of the strategy |
| Designate National Competent Authorities | Article 25(1) | 1 year after entry into force |
What this means for you
For public-sector procurement officers, IT managers, and policy makers in Finland, these deadlines represent immediate operational triggers rather than distant legal milestones.
- Infrastructure Planning: The six-month deadline for acceleration zones means that site selection and grid capacity analysis must begin immediately upon the Regulation's entry into force. Procurement officers should align long-term infrastructure plans with these designated zones to benefit from streamlined permitting and potential state support measures.
- Sovereignty Compliance: The designation of competent authorities within one year signals that a national body will soon be verifying the sovereignty levels of cloud providers. Procurement teams must prepare to engage with this authority when selecting cloud services, particularly for activities deemed to preserve public order. Risk assessments (required under Article 29) must be ready to interface with the national authority's guidance.
- Strategic Alignment: The national cloud and AI strategy will dictate the direction of public-sector digital transformation. Officers involved in drafting this strategy must ensure it includes concrete measures for the uptake of sovereign cloud services and the deployment of AI in public services, as required by Article 7(2). This strategy will likely set the baseline for which cloud assurance levels are required for different government functions.
Common misconceptions
-
"Finland can transcribe these deadlines into national law later." CADA is a Regulation, not a Directive. This means it is directly applicable in Finland. The deadlines are fixed in EU law and do not depend on national legislative processes. While Finland may need to appoint staff or allocate budgets domestically, the legal obligation to meet the dates exists from the moment the Regulation enters into force.
-
"The deadlines start from the date the law is published." The deadlines are calculated from the date of entry into force, which is 20 days after publication in the Official Journal. However, the Regulation itself applies one year after entry into force. The specific deadlines for acceleration zones (6 months) and strategies/authorities (1 year) are tied to the entry into force date, not the application date. This creates a tight window for initial preparations before the full regulatory regime becomes active.
-
"The national strategy is optional if we already have a digital strategy." Article 7(1) requires a specific "national cloud and AI strategy" that is consistent with the Regulation's objectives. While an existing strategy may cover some elements, it must be updated or supplemented to include the specific measures required by CADA, such as the "AI first" principle and measures for sovereign cloud uptake. If gaps are identified, the existing strategy must be updated accordingly (Recital 33).
Official sources
Related
- When must Sweden meet its CADA obligations? Key deadlines and timeline
- When must Spain meet its CADA obligations? Key deadlines and timeline
- When must Slovenia meet its CADA obligations? Key deadlines and timeline
- When must Slovakia meet its CADA obligations? Key deadlines and timeline
- When must Romania meet its CADA obligations? Key deadlines and timeline
This is general information about a draft EU regulation, not legal advice.