CADA Deadlines for Hungary

Summary Under the proposed Cloud and AI Development Act (CADA), Hungary would face a compressed implementation timeline once the regulation enters into force. The most immediate obligation would be the designation of at least one data centre acceleration zone within six months. Subsequently, Hungary would be required to establish a national cloud and AI strategy and designate national competent authorities for enforcement, both due within one year of entry into force. Crucially, the national strategy must be notified to the European Commission within three months of its adoption. These deadlines are conditional on the proposal (COM(2026) 502 final) becoming law.

Detail

The Cloud and AI Development Act (CADA) is a legislative proposal designed to strengthen the EU's cloud and AI ecosystem by addressing capacity gaps, enhancing sovereignty, and reducing dependencies on third-country providers. For Member States like Hungary, the proposal establishes a rigid, time-bound framework to ensure rapid, coordinated deployment of infrastructure and regulatory oversight. It is essential to note that CADA is currently a proposal; the deadlines described below would only become legally binding if the European Parliament and Council adopt the text as law.

The timeline for Hungary's obligations is anchored strictly to the date the regulation enters into force. According to Article 48, the regulation would enter into force on the twentieth day following its publication in the Official Journal of the European Union. From that specific date, the clock starts ticking on the following key milestones.

1. Data Centre Acceleration Zones: Six Months After Entry into Force

The first major deadline for Hungary concerns the physical infrastructure required to support the EU's AI ambitions. Article 10(1) mandates that where data centre capacity is being deployed within a Member State's territory, that state shall designate at least one data centre acceleration zone within its territory by the date of entry into force plus six months.

This designation is not merely symbolic; it triggers a specific regulatory regime. Within these zones, Hungary would be required to facilitate the development, expansion, and modernisation of data centres through streamlined administrative and permit-granting processes. When designating these zones, Hungarian authorities would need to consider specific criteria outlined in Article 10(1), including:

• The location, dimension, and size of potential facilities.
• Available and future power grid capacity and the possibility of on-site clean energy generation.
• Network connectivity capacity and the ability to phase out legacy copper networks.
• The capacity to reuse waste heat and the preference for brownfield sites over greenfield sites.
• Measures to prevent environmental impacts and ensure climate resilience.

The objective, as stated in the proposal's explanatory memorandum, is to triple EU data centre capacity within five to seven years. For Hungary, missing this six-month window would delay the application of accelerated permitting procedures, potentially hindering the rapid deployment of critical computing infrastructure.

2. National Cloud and AI Strategy: One Year After Entry into Force

Parallel to the infrastructure rollout, Hungary would be required to formulate a comprehensive strategic roadmap. Article 7(1) stipulates that Member States shall establish national cloud and AI strategies by the date of entry into force plus one year.

This strategy is not a generic policy document; it must align with the specific objectives of CADA and include a mandatory set of elements under Article 7(2). Hungary's strategy would need to cover:

• Key objectives and priorities for cloud and AI adoption, explicitly incorporating the 'AI first' principle.
• A governance and monitoring framework to achieve these objectives.
• Measures to accelerate adoption at national, regional, and local levels, particularly for public sector bodies, SMEs, and small mid-caps (SMCs).
• Specific measures to support the deployment of data centre capacity, focusing on high-value, energy-efficient facilities.
• Investments in high-intensity computing infrastructure, such as AI factories, AI gigafactories, and quantum computers.
• Measures to support the development of cloud computing stack technologies built on open hardware and software to strengthen technological sovereignty.
• Measures to ensure the accessibility of high-quality data for AI development.

The strategy must also be consistent with the digital targets established under the Digital Decade Policy Programme 2030. Furthermore, Article 7(5) requires Hungary to assess its national strategy at least every three years based on key performance indicators and update it where necessary, ensuring the document remains a living instrument rather than a static declaration.

3. Notification to the Commission: Within Three Months of Adoption

Once Hungary adopts its national cloud and AI strategy, the clock starts on a separate, shorter deadline for transparency. Article 7(5) explicitly requires Member States to notify the Commission of their national strategies within three months of their adoption.

This notification mechanism is designed to allow the Commission to monitor the adoption and revision of strategies across the Union, ensuring consistency with the regulation's objectives. The Commission would also monitor the revision process, and the European Artificial Intelligence Board (established by the AI Act) would advise and assist Member States in coordinating these strategies. Failure to notify within this three-month window would constitute a breach of the procedural obligations under the proposed regulation.

4. Designation of National Competent Authorities: One Year After Entry into Force

To enforce the cloud computing sovereignty framework—a core pillar of CADA—Hungary would be required to establish the necessary regulatory bodies. Article 25(1) mandates that Member States designate one or more national competent authorities responsible for enforcing the sovereignty chapter by the date of entry into force plus one year.

These authorities would hold exclusive competence for enforcing the sovereignty framework in the Member State where a cloud computing service provider has its main establishment. Their responsibilities, detailed in Article 25(3) and Article 26, would include:

• Recognising cloud computing service providers that offer specific Union assurance levels (Levels 1–4).
• Supervising recognised providers to ensure ongoing compliance.
• Exercising investigative powers, such as requiring information, conducting inspections, and requesting explanations.
• Imposing penalties or requesting judicial authorities to do so for infringements.

The proposal requires that these authorities be granted all necessary resources, including sufficient technical, financial, and human resources, to perform their tasks in an impartial, transparent, and timely manner. Hungary would also need to notify the Commission of the names, tasks, and powers of these designated authorities, allowing the Commission to maintain a public register.

What this means for you

For Hungarian public-sector bodies, procurement officers, and data centre operators, these deadlines represent a fundamental shift in the regulatory landscape.

• For Data Centre Developers: The six-month deadline for acceleration zones means that site selection and permitting strategies must be aligned with the designated zones immediately upon the regulation's entry into force. Projects located within these zones would benefit from the "aggregated baseline permit" and the 12-month maximum permit-granting timeline described in Article 13, but only if the zone is designated on time.
• For Public Procurement Officers: The one-year deadline for the national strategy and competent authorities sets the stage for future procurement rules. Once the competent authority is designated and the strategy is adopted, public bodies will be required to procure cloud services based on the Union assurance levels determined by risk assessments under Article 29. Procurement teams must prepare to evaluate providers against these new sovereignty criteria rather than just price and technical specifications.
• For Legal and Compliance Teams: The three-month notification window for the national strategy requires close coordination between the drafting ministry and the Commission. Delays in adoption could compress the time available for internal review and external consultation before the notification deadline.
• For Industry Stakeholders: The designation of national competent authorities within one year signals the imminent start of the recognition process for cloud providers. Hungarian providers seeking to serve the public sector must prepare for the audit and recognition procedures outlined in Article 17 and Article 20 well in advance of the authority's full operational capacity.

Common misconceptions

Misconception 1: The deadlines start from the date the proposal was published. The deadlines in CADA are strictly tied to the date the regulation enters into force, not the date of the proposal (COM(2026) 502 final) or its publication in the Official Journal. While entry into force occurs 20 days after publication, the substantive obligations (6 months, 1 year) begin counting from that entry-into-force date.

Misconception 2: Hungary can skip the acceleration zone designation if it already has data centres. Article 10(1) applies "where data centre capacity is being deployed within the territory of a Member State." Even if Hungary currently has operational data centres, the regulation requires the designation of acceleration zones to facilitate future development, expansion, and modernisation. The goal is to create a streamlined regulatory environment for new capacity, which is essential for meeting the EU's target of tripling capacity.

Misconception 3: The national strategy is a one-time exercise. While the initial strategy is due within one year, Article 7(5) mandates a recurring obligation. Hungary must assess its strategy at least every three years based on key performance indicators and update it where necessary. This ensures the strategy evolves with technological advancements and market conditions.

Misconception 4: The competent authority designation is optional or can be delegated indefinitely. Article 25(1) makes the designation of national competent authorities mandatory. These authorities must have the legal power to enforce the sovereignty framework, including the power to impose penalties. While Member States may designate existing authorities, the legal mandate and resources must be formally assigned within the one-year deadline.

Misconception 5: The "AI first" principle is just a slogan. Under Article 7(2)(a), the national strategy must explicitly include the 'AI first' principle, which urges organisations to reflect on their business processes considering the opportunities offered by AI. This is a binding requirement for the content of the strategy, not merely a policy aspiration.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)
• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• CADA Deadlines for Lithuania: Acceleration Zones, National Strategy & Competent Authorities
• CADA Deadlines for Croatia: Acceleration Zones, National Strategy & Competent Authorities
• Poland's CADA Deadlines: Acceleration Zones, National Strategy & Competent Authority Timeline
• CADA Deadlines for Denmark: Acceleration Zones, National Strategy & Competent Authority
• CADA Deadlines for France: Acceleration Zones, Strategy & Competent Authority

This is general information about a draft EU regulation, not legal advice.