CADA Deadlines for Lithuania

Summary As proposed, Lithuania faces a tight implementation schedule under the Cloud and AI Development Act (CADA). Within six months of the Regulation entering into force, Lithuania must designate at least one data centre acceleration zone. Within one year, the country must adopt a national cloud and AI strategy, designate national competent authorities, and complete risk assessments for public procurement. Crucially, the national strategy must be notified to the European Commission within three months of its adoption, not necessarily three months after the one-year deadline. These obligations are binding immediately upon the Regulation's application, as CADA would be directly applicable without national transposition.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised framework to strengthen Europe's cloud and AI ecosystem. As a Regulation, it would be directly applicable in Lithuania, meaning the deadlines set out in the text would become immediate legal obligations for Lithuanian authorities once the Regulation enters into force. There would be no need for national transposition legislation to trigger these timelines.

The timeline is anchored to the "date of entry into force," defined in Article 48 as the twentieth day following publication in the Official Journal of the European Union. The Regulation would apply from one year after that date, but specific preparatory obligations for Member States begin much earlier.

1. Data Centre Acceleration Zones (Article 10)

The first major milestone for Lithuania concerns physical infrastructure. Article 10(1) mandates that where data centre capacity is being deployed within its territory, Lithuania must designate at least one data centre acceleration zone ("acceleration zone") within its territory.

• Deadline: This designation must occur by the date of entry into force plus six months.
• Scope: The designation is not merely a planning exercise; it requires identifying specific sites or areas that meet rigorous criteria. Under Article 10(1), Lithuania must consider the location and dimension of the site, available and future power grid capacity, network connectivity, the ability to reuse waste heat, and measures to accelerate permitting.
• Implication: This six-month window is extremely short for a Member State. Lithuanian authorities would need to have preliminary site assessments and coordination with regional and local authorities ready well before the Regulation enters into force to meet this deadline. Failure to designate a zone within this period would constitute a breach of the Regulation.

2. National Cloud and AI Strategy (Article 7)

Parallel to the infrastructure push, Lithuania must establish a comprehensive strategic framework. Article 7(1) requires Member States to establish national cloud and AI strategies ("national strategies") by the date of entry into force plus one year.

• Content Requirements: Under Article 7(2), these strategies are not generic documents. They must include:
  • Key objectives and priorities for adoption, aligned with the "AI first" principle.
  • Measures to accelerate deployment at national, regional, and local levels, particularly for SMEs and public sector bodies.
  • Specific measures to support the deployment of data centre capacity, focusing on high-value, energy-efficient facilities.
  • Plans to invest in high-intensity computing infrastructure, such as AI factories and quantum computers.
  • Measures to support the development of cloud computing stack technologies built on open hardware and software.
• Notification Deadline: A critical procedural requirement is found in Article 7(5). Member States must notify the Commission of their national strategies within three months of their adoption.
  • Clarification: This three-month clock starts the moment Lithuania adopts the strategy, not when the one-year deadline expires. If Lithuania adopts its strategy six months after entry into force, it must notify the Commission by month nine. If it waits until the eleventh month to adopt, notification is due by month fourteen.
• Ongoing Obligations: The strategy is not a one-off. Article 7(5) further requires Member States to assess their strategies at least every three years based on key performance indicators and update them where necessary.

3. National Competent Authorities (Article 25)

To enforce the sovereignty framework and oversee cloud service providers, Lithuania must establish the necessary administrative infrastructure. Article 25(1) requires Member States to designate one or more national competent authorities responsible for enforcing the sovereignty chapter (Title IV).

• Deadline: This designation must be completed by the date of entry into force plus one year.
• Flexibility: Lithuania may designate an existing authority or existing authorities to fulfil this role; it is not required to create a new entity from scratch.
• Responsibilities: These authorities would be responsible for recognising cloud computing services that meet Union assurance levels (Article 17), supervising providers, and exercising investigative and enforcement powers (Article 26).
• Transparency: Under Article 25(2), Lithuania must notify the Commission of the names of these authorities and their tasks. The Commission will maintain a public register of all designated competent authorities across the Union.

4. Risk Assessments for Public Procurement (Article 29)

While not explicitly requested in the prompt's initial list, Article 29(1) is inextricably linked to the one-year deadline. It requires Member States and Union entities to carry out risk assessments to determine which public sector activities contribute to the preservation of public order.

• Deadline: These assessments must be conducted by the date of entry into force plus one year.
• Purpose: The outcome of these assessments determines the minimum Union assurance level required for procurement. If an activity is deemed to contribute to public order (e.g., law enforcement, defence, critical infrastructure), the contracting authority must procure only services recognised at Union assurance levels 2, 3, or 4 (Article 30(3)). If not, a minimum of level 1 is required (Article 30(2)).
• Alignment: This deadline ensures that the procurement rules are operational immediately upon the Regulation's application, aligning with the designation of competent authorities and the adoption of the national strategy.

What this means for you

For Lithuanian public-sector bodies, procurement officers, and data centre operators, these deadlines define a compressed and high-stakes implementation roadmap.

For Public Procurement Officers: You cannot wait for national legislation to clarify the rules. The Regulation applies directly. By the one-year mark, you must have completed the risk assessment required under Article 29 to classify your activities.

• If your activity is classified as contributing to public order, you must immediately restrict your procurement to providers recognised at Union assurance levels 2, 3, or 4.
• If not, you must ensure a minimum of Union assurance level 1.
• You should begin engaging with the designated national competent authority (to be appointed by the one-year mark) to understand how they will interpret the risk assessment criteria and verify provider recognition.

For Data Centre Developers and Investors: The six-month deadline for acceleration zone designation (Article 10) is critical. If you are planning a data centre project in Lithuania, you must verify whether your site falls within a designated acceleration zone.

• Projects within these zones benefit from streamlined permitting processes, including an aggregated baseline permit and a maximum 12-month permit-granting procedure (Article 13).
• If a zone is not designated within six months, your project may face standard, potentially slower, national permitting procedures. Early engagement with regional authorities to identify suitable brownfield sites or areas with grid capacity is essential.

For Strategic Planners and Policy Makers: The one-year deadline for the national strategy (Article 7) requires immediate action. The strategy must be comprehensive, covering everything from AI adoption to open-source promotion.

• Notification Trap: Do not assume you have three months after the one-year deadline to notify the Commission. If you adopt the strategy early, the notification is due three months later.
• Content: Ensure the strategy includes specific measures for data centre deployment and investment in high-intensity computing, as these are mandatory elements under Article 7(2).

Timeline Summary for Lithuanian Authorities:

• T + 6 months: Designate at least one data centre acceleration zone (Article 10(1)).
• T + 1 year:
  • Adopt the national cloud and AI strategy (Article 7(1)).
  • Designate national competent authorities (Article 25(1)).
  • Complete risk assessments for public procurement (Article 29(1)).
• T + 1 year + 3 months (or earlier): Notify the Commission of the national strategy (within 3 months of adoption) (Article 7(5)).

Common misconceptions

Misconception 1: Lithuania has time to draft national laws before the deadlines apply. This is incorrect. CADA is a Regulation, not a Directive. It is directly applicable in Lithuania. There is no transposition period. The deadlines in the text are the deadlines for Lithuania. National authorities must be ready to enforce these rules from the date of application.

Misconception 2: The three-month notification period for the national strategy starts after the one-year deadline. This is a critical error. Article 7(5) states that Member States must notify the Commission within three months of the adoption of the strategy. If Lithuania adopts its strategy six months after entry into force, the notification must be sent three months later (month 9), well before the one-year deadline for adoption passes. The one-year deadline is the outer limit for adoption, not the start of the notification clock.

Misconception 3: Existing cloud contracts are exempt from the new sovereignty requirements. While the Regulation focuses on procurement, the long-term goal is to reduce dependencies on third-country providers. Public sector bodies must align future renewals and new contracts with the Union assurance levels. The risk assessment under Article 29 will likely trigger migration requirements for existing services that do not meet the required assurance level, with a transition period not exceeding 12 months (Article 29(6)).

Misconception 4: Only large hyperscalers are affected by the acceleration zone rules. Article 10 applies to the deployment of data centre capacity. Any entity, including public sector bodies or smaller operators, deploying data centres should be aware of the designated zones. Projects located within these zones benefit from the simplified administrative and permit-granting processes outlined in Article 13, which are not available for projects outside these zones.

Related

• CADA Deadlines for Hungary: Acceleration Zones, National Strategy & Competent Authorities
• CADA Deadlines for Croatia: Acceleration Zones, National Strategy & Competent Authorities
• Poland's CADA Deadlines: Acceleration Zones, National Strategy & Competent Authority Timeline
• CADA Deadlines for Denmark: Acceleration Zones, National Strategy & Competent Authority
• CADA Deadlines for France: Acceleration Zones, Strategy & Competent Authority

This is general information about a draft EU regulation, not legal advice.