When must Luxembourg meet its CADA obligations? Key deadlines and timeline

Summary As proposed, the Cloud and AI Development Act (CADA) imposes a rigorous, phased timeline on Luxembourg to build its sovereign cloud and AI infrastructure. Under Article 10(1), Luxembourg must designate at least one data centre acceleration zone within six months of the Regulation's entry into force. Under Article 7(1) and Article 25(1), the Member State must adopt a national cloud and AI strategy and designate national competent authorities within one year of entry into force. Additionally, Article 7(5) requires notification of the strategy to the Commission within three months of adoption. These deadlines are designed to rapidly expand compute capacity and establish a trusted public-sector procurement framework.

Detail

The Cloud and AI Development Act (CADA), as set out in the proposal COM(2026) 502 final, is a legislative instrument intended to strengthen Europe's cloud and AI ecosystem. For Luxembourg, as for all Member States, the timeline for compliance is strictly tied to the Regulation's entry into force. According to Article 48, the Regulation would enter into force on the twentieth day following its publication in the Official Journal of the European Union. It would then apply from one year after that date. However, specific obligations trigger earlier deadlines relative to the entry into force.

The following breakdown details the critical milestones Luxembourg must meet to ensure full compliance with the proposed framework.

1. Data Centre Acceleration Zones (6 Months)

The most immediate and time-sensitive obligation concerns the physical infrastructure required to host cloud and AI workloads. Under Article 10(1), Member States must designate at least one data centre acceleration zone within their territory where data centre capacity is being deployed. This designation must occur by the date of entry into force plus six months.

These acceleration zones are the primary mechanism for streamlining the deployment of new data centres. The proposal requires Luxembourg to consider a comprehensive set of factors when designating these zones, including:

• The location and dimension of the site, and the minimum and maximum size of facilities that could be built.
• The available and future power grid capacity, and the possibility of on-site storage and clean energy generation.
• The available and future network connectivity capacity.
• The capacity of the zone to support the phasing out of legacy copper networks.
• The ability of the site to function sustainably, particularly regarding preventing environmental impacts and reducing carbon emissions (Article 10(1)(a)–(h)).

Once designated, these zones benefit from facilitated administrative and permit-granting processes. Article 13(5) stipulates that the permit-granting procedure for data centre projects deployed in acceleration zones shall not exceed 12 months from the moment a comprehensive application is submitted. This acceleration is vital for Luxembourg to contribute to the EU's broader objective of tripling data centre capacity in the next five to seven years.

2. National Cloud and AI Strategy (1 Year)

Strategic planning is equally time-sensitive. Article 7(1) requires Member States to establish national cloud and AI strategies by the date of entry into force plus one year. This strategy is a mandatory legal requirement, not merely advisory, and must include specific elements to align with the CADA's objectives.

The national strategy must include:

• Key objectives and priorities for cloud and AI adoption, aligned with the 'AI first' principle, and a governance framework to achieve them.
• Measures to accelerate the development and adoption of cloud and AI at national, regional, and local levels, particularly among public sector bodies, SMEs, and small mid-caps.
• Measures to support the broad deployment of AI in strategic industrial and public sectors, such as healthcare, energy, and mobility.
• Measures to support the deployment of data centre capacity, focusing on high-value data centres that adhere to high environmental and energy-efficiency standards.
• Measures to invest in high-intensity computing infrastructure, including AI factories, AI gigafactories, and quantum computers.
• Measures to support the development of cloud computing stack technologies built upon open hardware and software to strengthen technological sovereignty (Article 7(2)).

Furthermore, Article 7(5) mandates that Member States notify the Commission of their national strategies within three months of their adoption. This ensures the Commission can monitor adoption and revision. The proposal requires Member States to assess their national strategies at least every three years on the basis of key performance indicators and update them where necessary.

3. National Competent Authorities (1 Year)

To enforce the sovereignty framework and oversee the recognition of cloud computing service providers, Luxembourg must establish the necessary regulatory bodies. Article 25(1) requires Member States to designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty chapter by the date of entry into force plus one year.

These authorities are crucial for the practical implementation of CADA. Their responsibilities include:

• Recognising cloud computing service providers that offer specific Union assurance levels (Levels 1–4).
• Supervising recognised providers to ensure ongoing compliance with the criteria in Annex II.
• Cooperating with other Member States and the Commission to ensure consistent enforcement across the EU.

The proposal allows Member States to designate existing authorities, provided they have the necessary resources, expertise, and technical means to carry out their tasks impartially and independently (Article 25(3)). Crucially, Article 25(4) establishes that the Member State in which the cloud computing service provider has its main establishment (head office or registered office) shall have exclusive competence for enforcing this chapter.

4. Risk Assessments and Procurement Alignment (1 Year)

While not a single "deadline" in the same sense as the designation of zones, Article 29(1) requires Member States and Union entities to carry out risk assessments by the date of entry into force plus one year. These assessments identify public sector activities that contribute to the preservation of public order and determine which Union assurance level (2, 3, or 4) is appropriate for those activities.

This deadline aligns with the strategy and authority designations, creating a coordinated start to the sovereign procurement regime. Once the risk assessment is complete, Article 30(3) would require contracting authorities whose activities contribute to public order to procure only cloud computing services recognised at Union assurance levels 2, 3, or 4.

What this means for you

For public-sector and procurement officers in Luxembourg, these deadlines represent a critical window for preparation. The six-month timeline for acceleration zones means that spatial planning, energy infrastructure assessments, and grid connection analyses must begin immediately upon the Regulation's entry into force.

The one-year deadline for the national cloud and AI strategy means that strategic planning for AI adoption and data centre investment must be integrated into broader national digital policies now. Procurement teams should familiarise themselves with the 'AI first' principle and the requirement to consider European added value in tenders, as these will become standard components of public procurement procedures under CADA.

Once the national competent authority is designated, it will become the primary point of contact for cloud providers seeking recognition and for public bodies seeking guidance on assurance levels. Early engagement with this authority is advisable to ensure that procurement strategies are aligned with the upcoming risk assessments.

Common misconceptions

• Misconception: The deadlines start from the date the Regulation is published.
  • Reality: The deadlines are calculated from the date of entry into force, which occurs 20 days after publication. For example, the acceleration zone deadline is six months after entry into force, not publication.
• Misconception: Luxembourg can ignore the acceleration zone requirement if it has limited space for new data centres.
  • Reality: Article 10(1) is mandatory. All Member States where data centre capacity is being deployed must designate at least one acceleration zone. This is a key mechanism to address the EU's capacity gap and ensure balanced geographic deployment.
• Misconception: The national cloud and AI strategy is a one-time document.
  • Reality: Article 7(5) requires Member States to assess their national strategies at least every three years and update them if necessary. This ensures the strategy remains relevant as technology and market conditions evolve.
• Misconception: The national competent authority must be a newly created agency.
  • Reality: Article 25(1) explicitly states that Member States may designate an existing authority or existing authorities, provided they are granted the necessary powers and resources.

Related

• When must Sweden meet its CADA obligations? Key deadlines and timeline
• When must Spain meet its CADA obligations? Key deadlines and timeline
• When must Slovenia meet its CADA obligations? Key deadlines and timeline
• When must Slovakia meet its CADA obligations? Key deadlines and timeline
• When must Romania meet its CADA obligations? Key deadlines and timeline

This is general information about a draft EU regulation, not legal advice.