Summary
Under the proposed Cloud and AI Development Act (CADA), Germany faces three critical, time-bound obligations that begin immediately upon the regulation's entry into force. First, Germany must designate at least one data centre acceleration zone within six months. Second, it must establish a national cloud and AI strategy and designate national competent authorities within one year. Finally, the national strategy must be notified to the European Commission within three months of its adoption. As CADA is currently a proposal (COM(2026) 502 final), these dates are conditional on the final legislative text, but they represent the Commission's intended implementation schedule for strengthening EU cloud sovereignty.
Detail
The Cloud and AI Development Act (CADA) is a legislative proposal designed to restructure Europe's cloud and AI ecosystem by addressing capacity deficits, reducing third-country dependencies, and establishing a harmonised sovereignty framework. While the regulation is not yet in force, the draft text sets out a rigorous timeline for Member States, including Germany, to align their national infrastructures and legal frameworks with EU-wide objectives.
The timeline is anchored to the regulation's entry into force. According to Article 48, the regulation would enter into force on the twentieth day following its publication in the Official Journal of the European Union. It would then apply from one year after the date of entry into force. However, specific preparatory obligations trigger much earlier, creating a staggered compliance schedule for national authorities.
1. Data Centre Acceleration Zones: The 6-Month Deadline
The first major milestone for Germany concerns physical infrastructure. Article 10(1) mandates that where data centre capacity is being deployed within a Member State's territory, that state must designate at least one data centre acceleration zone (or "acceleration zone") by the date of entry into force plus six months.
These zones are not merely administrative designations; they are the engine for CADA's capacity-building goals. Within these zones, Member States must facilitate the development, expansion, and modernisation of data centres through streamlined permitting processes and specific sustainability requirements. For Germany, this means identifying specific sites or areas that meet the criteria outlined in Article 10(1), which include:
- Available and future power grid capacity.
- Network connectivity capacity.
- The ability to reuse waste heat.
- Preference for brownfield sites over greenfield sites.
- Measures to accelerate permit granting.
The six-month deadline is aggressive, reflecting the urgency of the EU's compute capacity gap. Failure to designate these zones within this window would delay the application of the "aggregated baseline permit" mechanism described in Article 13, which is designed to cut red tape for data centre projects. Consequently, German federal and state authorities would need to initiate site selection and legal designation procedures immediately upon the regulation's entry into force.
2. National Cloud and AI Strategy: The 1-Year Deadline
A cornerstone of CADA is the requirement for a coordinated national approach. Article 7(1) mandates that Member States establish national cloud and AI strategies by the date of entry into force plus one year.
This strategy is not a high-level vision document; it must be a concrete operational plan. Under Article 7(2), the strategy must include:
- Key objectives and priorities for cloud and AI adoption, aligned with the "AI first" principle.
- Measures to accelerate development at national, regional, and local levels, particularly for SMEs and public sector bodies.
- Specific measures to support the deployment of data centre capacity, focusing on high-value, energy-efficient projects.
- Plans to invest in high-intensity computing infrastructure, such as AI factories and quantum computers.
- Measures to support the development of cloud computing stack technologies built on open hardware and software.
For Germany, this strategy serves as the roadmap for integrating CADA's objectives into existing national digital policies. It must be consistent with the Digital Decade Policy Programme targets and contribute to the EU's broader competitiveness goals. The one-year deadline ensures that Germany has a clear, legally binding plan in place before the regulation's general application date.
3. Notification to the Commission: The 3-Month Window
Once Germany adopts its national cloud and AI strategy, it cannot simply file it away. Article 7(5) imposes a strict notification requirement: Member States must notify the Commission of their national strategies within three months of their adoption.
This notification is a critical transparency mechanism. It allows the Commission to monitor the adoption and revision of strategies across the Union, ensuring consistency with CADA's objectives. The Commission is tasked with monitoring these strategies and assessing whether they adequately address the EU's need for increased computing capacity and reduced dependence on third-country providers. For German authorities, this means that the internal adoption process must be followed immediately by the formal submission to Brussels. The Commission will also use this data to assess whether Member States are effectively supporting the network of Experience and Acceleration Centres for AI (Centres for AI) and promoting open-source solutions.
4. National Competent Authorities: The 1-Year Deadline
Parallel to the strategy deadline, Germany must establish the enforcement mechanism for the sovereignty framework. Article 25(1) requires Member States to designate one or more national competent authorities by the date of entry into force plus one year.
These authorities are the gatekeepers of the Union cloud computing sovereignty framework. Their responsibilities, detailed in Article 25 and Article 26, include:
- Receiving and assessing applications for recognition of cloud computing service providers.
- Supervising providers recognised at Union assurance levels 1 through 4.
- Exercising investigative and enforcement powers, including the power to order the cessation of infringements and impose fines.
For Germany, this involves identifying an existing authority (such as the Federal Office for Information Security, BSI) or establishing a new one with the necessary resources, expertise, and technical means. The authority must be able to perform its tasks impartially, transparently, and independently. The one-year deadline ensures that the enforcement body is fully operational when the regulation's substantive rules on sovereignty and procurement take effect.
5. Risk Assessments and Procurement Alignment
While the structural deadlines (zones, strategy, authorities) are the primary focus for national governments, they enable the next phase: risk assessment. Article 29(1) requires Member States to carry out risk assessments by the date of entry into force plus one year. These assessments identify public sector activities that contribute to the preservation of public order and determine the appropriate Union assurance level (2, 3, or 4) for those activities.
This timeline is critical for procurement. Once the risk assessment is complete, contracting authorities must procure cloud services that meet the required assurance levels. For activities identified as contributing to public order (e.g., defence, justice, law enforcement), Article 30(3) mandates the procurement of services recognised at Union assurance levels 2, 3, or 4. The one-year deadline for the risk assessment ensures that the procurement rules are ready to be applied immediately after the regulation's application date.
What this means for you
For public-sector bodies, procurement officers, and cloud providers in Germany, these deadlines represent a non-negotiable timeline for action. The six-month window for acceleration zones is a signal that infrastructure planning must begin immediately, even before the regulation is formally adopted.
Key actions for stakeholders:
- Monitor the Acceleration Zone Designation: Public authorities should track the designation of data centre acceleration zones in their regions. These zones will determine where new, sovereign capacity can be built with streamlined permits.
- Prepare for the National Strategy: The national strategy will define Germany's specific priorities for cloud and AI. Procurement officers should align their internal roadmaps with the expected content of this strategy, particularly regarding the "AI first" principle and support for European providers.
- Engage with the Future Competent Authority: Once designated, the national competent authority will be the primary point of contact for cloud sovereignty issues. Building a relationship with this authority early can help providers navigate the recognition process for Union assurance levels.
- Anticipate Risk Assessments: Public bodies should begin internal mapping of their activities to determine which might be classified as contributing to "public order." This will dictate whether they must procure at assurance level 1 or the higher levels (2-4) once the risk assessment is finalised.
Common misconceptions
Misconception 1: The deadlines are already fixed and legally binding. CADA is currently a proposal (COM(2026) 502 final). The dates and obligations cited here are based on the current draft text. While the Commission intends for these timelines to be strict, the final regulation could be amended during the legislative procedure in the European Parliament and the Council. Until the regulation is formally adopted and published in the Official Journal, these timelines are not legally binding.
Misconception 2: All cloud procurements must meet the highest assurance level. CADA introduces a risk-based approach. Not all public sector activities require the highest levels of sovereignty. Article 30(2) states that entities whose activities have not been identified as contributing to public order must use services with Union assurance level 1. Only activities identified as contributing to public order in sectors such as national security, defence, or justice require assurance levels 2, 3, or 4. Procurement officers should not assume that all cloud services need to be at the highest level; the risk assessment will determine the appropriate level.
Misconception 3: Germany can ignore the acceleration zone deadline if it already has many data centres. The designation of acceleration zones is a mandatory requirement under Article 10(1), regardless of existing data centre capacity. These zones are designed to facilitate the deployment of new, sustainable, and innovative data centre projects. Even if Germany has significant existing capacity, the designation of acceleration zones is necessary to ensure that new capacity is deployed in a way that meets EU sustainability and sovereignty standards.
This is general information about a draft EU regulation, not legal advice.