Summary As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) would impose a rigid, fixed timeline on Italy and all Member States to establish a sovereign cloud and AI ecosystem. Italy would have six months after the regulation enters into force to designate at least one data centre acceleration zone, and one year to adopt its national cloud and AI strategy and designate its national competent authority. These deadlines are calculated strictly from the regulation's entry into force (20 days after publication), not from the date of the proposal or adoption. Failure to meet these milestones would delay Italy's ability to align with the EU's strategic autonomy objectives.

Detail

The Cloud and AI Development Act (CADA) is a legislative proposal designed to strengthen Europe's cloud and AI ecosystem by addressing capacity deficits, reducing third-country dependencies, and establishing a harmonised sovereignty framework. For Italy, as a Member State where data centre capacity is being deployed, the proposal establishes a clear, phased timeline for compliance. These obligations are not optional; they are binding conditions for the functioning of the internal market and the preservation of public order under the proposed framework.

The timeline is anchored to the regulation's entry into force. According to Article 48, the regulation would enter into force on the twentieth day following its publication in the Official Journal of the European Union. While the regulation would generally apply from one year after entry into force, specific preparatory obligations for Member States are triggered earlier to ensure infrastructure and governance are ready when the full regime becomes applicable.

1. Designation of Data Centre Acceleration Zones (6 Months)

The most immediate operational deadline for Italy concerns the physical deployment of computing infrastructure. Under Article 10(1), Member States where data centre capacity is being deployed must designate at least one data centre acceleration zone (or "acceleration zone") within their territory.

The deadline for this designation is strict: it must be completed by the date of entry into force plus six months.

These zones are not merely geographic markers; they are legal designations that trigger a streamlined permitting framework. Within these zones, Member States must prepare an "aggregated baseline permit" covering common administrative authorisations, excluding only installation-specific permits. The goal, as outlined in Article 13, is to ensure that the permit-granting procedure for data centre projects deployed in these zones does not exceed 12 months from the submission of a comprehensive application.

For Italy, this means that within half a year of the regulation entering into force, the government must have legally identified specific geographic areas where:

  • Energy grid capacity and future needs have been analysed.
  • Network connectivity is available.
  • Sustainability requirements, including the use of key performance indicators from Delegated Regulation (EU) 2024/1364, are enforced.
  • Permitting processes are accelerated.

This early deadline reflects the EU's urgency in closing the compute capacity gap and preventing the "race to the bottom" in sustainability standards. If Italy fails to designate these zones within six months, it risks delaying the deployment of critical infrastructure and missing the opportunity to benefit from the streamlined permitting toolbox established under the related environmental assessment regulation.

2. Adoption of the National Cloud and AI Strategy (1 Year)

A cornerstone of CADA is the requirement for coordinated national planning to ensure the "AI first" principle is embedded in public and private sector activities. Article 7(1) mandates that Member States establish national cloud and AI strategies (referred to in the text as "national strategies") by the date of entry into force plus one year.

This strategy is a comprehensive document, not a mere formality. Article 7(2) requires it to include at least:

  • Key objectives and priorities for cloud and AI adoption, aligned with the "AI first" principle.
  • Measures to accelerate development at national, regional, and local levels, particularly for SMEs and public sector bodies.
  • Measures to support the deployment of data centre capacity, with a focus on high-value, energy-efficient facilities.
  • Measures to invest in high-intensity computing infrastructure, including AI factories, AI gigafactories, and quantum computers.
  • Measures to support the development of cloud computing stack technologies built upon open hardware and software to strengthen technological sovereignty.
  • Measures to ensure the accessibility of high-quality data for AI development.

Once adopted, Italy must notify the Commission of its national strategy within three months of its adoption, as stipulated in Article 7(5). The strategy must be consistent with the objectives of the regulation and contribute to the digital targets established under the Digital Decade Policy Programme (Decision (EU) 2022/2481). Furthermore, Member States must assess their national strategies at least every three years based on key performance indicators and update them where necessary.

3. Designation of National Competent Authorities (1 Year)

To enforce the sovereignty framework and oversee the recognition of cloud services, Italy must designate the bodies responsible for supervision. Article 25(1) requires Member States to designate one or more national competent authorities responsible for enforcing Chapter IV of the regulation (the cloud computing sovereignty framework).

The deadline for this designation is the same as for the national strategy: by the date of entry into force plus one year.

These authorities would be granted the necessary investigative and enforcement powers, including the ability to:

  • Require information from cloud computing service providers and auditing organisations.
  • Carry out inspections of premises and seize information.
  • Order the cessation of infringements and impose fines or periodic penalty payments.

Crucially, Article 25(4) establishes that the Member State in which the cloud computing service provider has its main establishment (i.e., where the head office or registered office is located) has exclusive competence for enforcing the chapter. Therefore, the designation of the Italian authority is critical for any provider established in Italy, as it will be the sole body responsible for recognising their Union assurance levels and supervising their compliance.

4. Ongoing and Future Obligations

Beyond these initial setup deadlines, Italy would face ongoing responsibilities that shape the long-term cloud landscape.

  • Risk Assessments: Article 29(1) requires Member States to carry out risk assessments to determine which public sector activities contribute to the preservation of public order. These assessments must be conducted by the date of entry into force plus one year, and thereafter every two years, or whenever necessary. These assessments dictate which Union assurance level (1, 2, 3, or 4) public bodies must procure. For example, activities in law enforcement or defence identified as contributing to public order would require procurement of services recognised at Level 2, 3, or 4 under Article 30(3).
  • Strategy Updates: As noted, national strategies must be updated every three years. The Commission will monitor this adoption and revision, and the European Artificial Intelligence Board (AI Board) would advise and assist Member States in coordinating these efforts.
  • Monitoring Capacity: The Commission will monitor the compute capacity available in the Union and the size of the capacity gap under Article 15, potentially recommending measures to address identified gaps.

What this means for you

For public-sector procurement officers, IT directors, and infrastructure planners in Italy, this timeline creates a clear, non-negotiable roadmap for the next 12 to 18 months following the regulation's entry into force.

  • Immediate Planning (Months 0–6): You must prepare for the designation of acceleration zones. If your department is involved in infrastructure planning, energy grid coordination, or spatial planning, you should begin identifying potential sites that meet the sustainability and grid-connection criteria outlined in Article 10. Early engagement with regional authorities is essential to ensure these zones are designated on time.
  • Strategy Alignment (Months 6–12): Within one year, the national strategy will be published. Procurement officers must align their long-term IT roadmaps with this strategy, particularly regarding the "AI first" principle and the shift towards sovereign cloud services. The strategy will likely dictate the specific assurance levels required for different public functions.
  • Procurement Adjustments: The risk assessments mandated by Article 29 will determine which Union assurance levels are required for your department's activities. You must be ready to adjust tender documents to require services that meet these assurance levels. For critical public order functions, this will likely mean requiring Level 2, 3, or 4 services, which involve independent third-party audits.
  • Vendor Engagement: Engage with cloud providers now to understand their readiness to meet the Union assurance criteria. Providers seeking recognition for Levels 2–4 will need to undergo independent audits, a process that takes time. Early engagement ensures you have compliant options available when the deadlines hit.
  • Monitoring Updates: Remember that national strategies must be updated every three years. Build internal processes to review and adapt your cloud and AI usage plans accordingly, ensuring continuous compliance with the evolving EU framework.

Common misconceptions

  • "The deadlines start from today." No. The deadlines are tied to the regulation's entry into force, which occurs 20 days after publication in the Official Journal. The substantive rules apply one year after entry into force. The six-month and one-year deadlines are calculated from that entry-into-force date, not from the date the proposal was published by the Commission.
  • "Italy can set its own timeline for acceleration zones." No. Article 10(1) sets a hard deadline: designation must occur within six months of entry into force. There is no flexibility to delay this if data centre capacity is being deployed in the territory.
  • "The national strategy is optional." No. Article 7(1) makes it mandatory. Furthermore, the strategy must be notified to the Commission within three months of adoption. Failure to do so could lead to compliance issues and potential infringement procedures.
  • "Only the government needs to worry about competent authorities." While the designation is a national task, the competent authorities will have enforcement powers over cloud providers. Public sector bodies will interact with these authorities when reporting issues or seeking guidance on assurance levels.
  • "CADA replaces existing national laws." CADA establishes a minimum harmonised framework. It does not prevent Italy from adopting stricter national measures, provided they are compatible with Union law, but it sets the baseline deadlines and criteria that must be met.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.