Summary
Greece must meet its initial obligations under the proposed Cloud and AI Development Act (CADA) on a rigid timeline tied to the regulation's entry into force. As proposed, Greece would be required to designate at least one data centre acceleration zone within six months, adopt and notify its national cloud and AI strategy within one year, and designate national competent authorities within one year. These deadlines are mandatory for all Member States to ensure the harmonised deployment of sovereign cloud infrastructure and AI capabilities across the EU.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a framework to strengthen Europe's cloud and AI ecosystem. For Greece, as for every other Member State, compliance is not optional but a legal obligation once the regulation is adopted and enters into force. The proposal sets a "fast-track" implementation schedule, with critical milestones occurring just six and twelve months after the regulation becomes applicable.
The following sections detail the specific obligations Greece must meet, grounded in the verbatim text of the proposal.
1. Designation of Data Centre Acceleration Zones (6 Months)
The most immediate operational requirement for Greece is the identification and designation of "data centre acceleration zones." These are specific geographic areas where the deployment of data centre capacity is facilitated through streamlined permitting processes and specific sustainability requirements.
Under Article 10(1) of the CADA proposal, the obligation is explicit: "Where data centre capacity is being deployed within the territory of a Member State, that Member State shall designate at least one data centre acceleration zone ('acceleration zone') within its territory."
The deadline for this designation is strictly defined as six months after the entry into force of the Regulation. The text states: "Member States shall designate at least one data centre acceleration zone... by [P.O. insert the date of entry into force of this Regulation plus 6 months]."
This designation triggers a cascade of immediate obligations for Greek authorities, including:
- Energy Analysis: Conducting a comprehensive analysis of energy needs and greenhouse gas impacts for these zones, to be reviewed at least every three years (Article 10(2)).
- Spatial Planning: Ensuring that national, regional, and local spatial development plans include provisions for data centre projects in these zones (Article 10(3)).
- Single Information Points: Designating single information points to assist data centre operators with all necessary authorisations (Article 12).
The six-month window is tight, requiring Greek ministries responsible for energy, environment, and infrastructure to coordinate rapidly to identify sites that meet the criteria for sustainable and high-capacity compute deployment.
2. National Cloud and AI Strategy (1 Year)
Parallel to infrastructure planning, Greece must establish a comprehensive strategic framework for cloud and AI adoption. Article 7(1) mandates that "Member States shall establish national cloud and AI strategies (the 'national strategies') by [same day as entry into force plus one year]."
This strategy serves as the cornerstone of Greece's long-term CADA compliance. According to Article 7(2), the national strategy must include at least the following elements:
- Key objectives and priorities for cloud and AI adoption, aligned with the "AI first" principle.
- Measures to accelerate development and adoption at national, regional, and local levels, particularly among public sector bodies, SMEs, and small mid-caps.
- Measures to support the deployment of data centre capacity, with a particular focus on high-value data centres delivering significant economic and societal benefits while adhering to high environmental and energy-efficiency standards.
- Measures to invest in high-intensity computing infrastructure, including AI factories, AI gigafactories, and quantum computers.
- Measures to support the development of cloud computing stack technologies built upon open hardware and software to strengthen technological sovereignty.
Crucially, Article 7(5) imposes a further, distinct deadline regarding notification: "Member States shall notify the Commission of their national strategies within three months of their adoption."
This creates a two-step timeline for the strategy:
- Adoption: Must occur within one year of the regulation's entry into force.
- Notification: Must occur within three months of that adoption.
The Commission will monitor the adoption and revision of these strategies. Furthermore, Greece must assess its national strategy at least every three years on the basis of key performance indicators and update it where necessary.
3. Designation of National Competent Authorities (1 Year)
To enforce the sovereignty framework and supervise cloud computing service providers, Greece must designate the specific authorities responsible for implementation. Article 25(1) states that "By [P.O. insert date of entry into force plus 1 year], Member States shall designate one or more national competent authorities responsible for enforcing this Chapter."
Here, "this Chapter" refers to Title IV, Chapter I, which establishes the Union cloud computing sovereignty framework. These authorities will hold significant powers, including:
- Recognition: Assessing applications from cloud providers to be recognised as offering specific "Union assurance levels" of sovereignty (Article 17).
- Investigation: Conducting inspections, requiring information, and recording explanations from providers (Article 26).
- Enforcement: Imposing fines and periodic penalty payments for non-compliance (Article 26).
The CADA proposal allows Greece to designate an existing authority (such as a cybersecurity agency or data protection authority) or establish a new body. However, Article 25(3) requires that these authorities be provided with "all necessary resources to carry out their tasks, including sufficient technical, financial and human resources."
Greece must also notify the Commission of the names, tasks, and powers of these authorities. The Commission will maintain a public register of these authorities, ensuring transparency across the Union.
Summary Timeline
The following table summarises the mandatory deadlines Greece would face under the proposed regulation:
| Obligation | Deadline | Legal Basis |
|---|---|---|
| Designate Data Centre Acceleration Zones | 6 months after entry into force | Article 10(1) |
| Adopt National Cloud and AI Strategy | 1 year after entry into force | Article 7(1) |
| Notify Commission of National Strategy | 3 months after adoption | Article 7(5) |
| Designate National Competent Authorities | 1 year after entry into force | Article 25(1) |
What this means for you
For Greek public-sector officials, procurement officers, and infrastructure planners, these deadlines are not abstract legislative targets but immediate operational triggers.
For Procurement Officers: The adoption of the National Cloud and AI Strategy within one year will directly shape your procurement rules. The strategy must include measures to support public procurement of cloud and AI capabilities (Article 7(2)(f)). You should prepare for upcoming changes in tender requirements, particularly regarding "Union assurance levels" for cloud services. Once the strategy is notified to the Commission, you can expect detailed guidance on how to apply these sovereignty criteria in your next procurement cycles.
For Infrastructure and Planning Officers: The six-month deadline for acceleration zones requires immediate action. You must identify potential sites that meet the sustainability and energy-efficiency criteria outlined in the CADA. This involves close coordination with energy grid operators to ensure sufficient power capacity and with environmental agencies to streamline permitting. The "single information point" mechanism (Article 12) will likely be housed within your department or a related agency, so you must be ready to assist data centre operators with their authorisation requests.
For Legal and Compliance Teams: You must ensure that the designated National Competent Authority is resourced and empowered to enforce the sovereignty framework. This includes preparing for the receipt of applications from cloud providers seeking recognition at various Union assurance levels. You must also ensure that Greece's national strategy is drafted in compliance with the "AI first" principle and aligned with the Digital Decade targets, as required by Article 7.
Common misconceptions
Misconception 1: "Greece can delay these deadlines if it is not ready." The CADA proposal uses mandatory language ("shall designate," "shall establish"). There are no opt-out clauses or extension mechanisms for these initial deadlines in the text. Failure to meet these deadlines could result in infringement proceedings by the European Commission.
Misconception 2: "The National Strategy is just a document for the Commission." The National Cloud and AI Strategy is a binding operational framework. It must include concrete measures for public procurement, data centre deployment, and AI adoption. It will be monitored by the Commission and assessed every three years. It is not a passive report but an active policy instrument that will dictate how Greek public bodies procure cloud and AI services.
Misconception 3: "Only the Ministry of Digital Governance is responsible." CADA compliance is cross-cutting. Data centre acceleration zones require input from energy, environment, and local planning authorities. The National Strategy involves ministries of industry, education, and health. The competent authorities may be existing bodies like the Hellenic Data Protection Authority or the National Cybersecurity Agency. Coordination across multiple ministries is essential to meet the six-month and one-year deadlines.
This is general information about a draft EU regulation, not legal advice.