Summary Under the proposed Cloud and AI Development Act (CADA), Malta faces a staggered timeline of critical obligations triggered by the regulation's entry into force. As proposed, Malta must designate at least one data centre acceleration zone within six months of entry into force. Within one year, the country must both adopt a national cloud and AI strategy and designate its national competent authority. Crucially, the national strategy must be notified to the European Commission within three months of its adoption. These deadlines are designed to rapidly establish the infrastructure and oversight mechanisms required for EU cloud sovereignty.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a uniform legal framework to strengthen the EU's cloud and AI ecosystem. For Member States like Malta, the regulation imposes specific, time-bound obligations that begin immediately upon the regulation's entry into force. While the regulation generally applies one year after entry into force (Article 48), several preparatory measures have earlier, stricter deadlines to ensure the ecosystem is ready for full operation.

The Entry into Force Trigger

All deadlines are calculated from the date the regulation enters into force. According to Article 48, CADA would enter into force on the twentieth day following its publication in the Official Journal of the European Union. From that specific date, the clock starts ticking for Malta's obligations.

1. Data Centre Acceleration Zones (6 Months)

The first major milestone for Malta is the designation of data centre acceleration zones. Article 10(1) mandates that where data centre capacity is being deployed within its territory, Malta must designate at least one data centre acceleration zone within six months of the regulation's entry into force.

This is a critical infrastructure deadline. The designation is not merely a zoning exercise; Article 10(1) requires Malta to consider specific aspects when designating these zones, including:

  • The location, dimension, and size of potential facilities.
  • Available and future power grid capacity and clean energy generation possibilities.
  • Network connectivity capacity and the phasing out of legacy copper networks.
  • The ability to reuse waste heat and the site's climate resilience.
  • Measures taken to accelerate permit granting.

The six-month window is tight, intended to ensure that the regulatory "acceleration" framework is in place well before the broader application of the regulation. This allows data centre operators to identify suitable sites early and begin planning for the streamlined permitting processes described in Article 13.

2. National Cloud and AI Strategy (1 Year)

By one year after the regulation's entry into force, Malta must establish a comprehensive national cloud and AI strategy (Article 7(1)). This strategy is a foundational document that must align with the EU's objectives and the "AI first" principle.

Under Article 7(2), the strategy must include at least:

  • Key objectives and priorities for cloud and AI adoption.
  • Measures to accelerate development at national, regional, and local levels, particularly for SMEs and public sector bodies.
  • Specific measures to support the deployment of data centre capacity, with a focus on high-value, energy-efficient data centres.
  • Plans to invest in high-intensity computing infrastructure, such as AI factories and quantum computers.
  • Measures to support the development of cloud computing stack technologies built on open hardware and software.
  • Strategies to ensure the accessibility of high-quality data for AI development.

The strategy must be consistent with the Digital Decade targets and the objectives of CADA. Furthermore, Article 7(5) requires Malta to assess its national strategy at least every three years and update it as necessary.

3. Notification to the Commission (3 Months After Adoption)

Adoption of the strategy is only the first step; transparency and coordination are equally vital. Article 7(5) explicitly states that Member States must notify the Commission of their national strategies within three months of their adoption.

This notification is not a formality; it enables the Commission to monitor the adoption and revision of strategies across the Union. It ensures that Malta's national plans are consistent with EU-wide objectives and facilitates the exchange of best practices. The European Artificial Intelligence Board, established by the AI Act, will also advise and assist Malta in coordinating these strategies.

4. National Competent Authorities (1 Year)

Parallel to the strategy deadline, Malta must establish the enforcement mechanism for the sovereignty framework. Article 25(1) requires Member States to designate one or more national competent authorities responsible for enforcing the cloud computing sovereignty framework by one year after the regulation's entry into force.

These authorities will hold significant powers under Article 26, including:

  • The power to require information from cloud providers and auditing organisations.
  • The power to carry out inspections of premises.
  • The power to order the cessation of infringements and impose fines.
  • The power to impose periodic penalty payments.

Malta may designate an existing authority or create a new one. However, under Article 25(2), Malta must notify the Commission of the names of these authorities, their tasks, and their powers. The Commission will then maintain a public register of these authorities to ensure transparency across the single market.

What this means for you

For Maltese public-sector bodies, procurement officers, and IT leaders, these deadlines represent a shift from voluntary planning to mandatory compliance. The timeline is aggressive, requiring immediate action to align national infrastructure and governance with EU standards.

Immediate Action: Infrastructure Mapping (Months 0–6)

The six-month deadline for acceleration zones means that land-use planning and energy grid assessments cannot wait. Departments responsible for spatial planning, energy, and telecommunications must immediately begin identifying sites that meet the criteria in Article 10(1). This includes assessing grid capacity and the potential for clean energy generation. Delaying this identification could result in Malta missing the deadline, potentially hindering the deployment of critical data centre capacity.

Strategic Alignment: The National Strategy (Months 6–12)

The development of the national cloud and AI strategy requires a whole-of-government approach. It is not solely an IT issue but a strategic economic and security imperative.

  • Procurement Impact: The strategy will define the roadmap for public procurement. As Article 30 later mandates, public bodies must procure cloud services based on Union assurance levels. The strategy must outline how Malta will transition to these levels.
  • Skills and Innovation: The strategy must address the "AI first" principle and the development of skills. Public bodies should prepare to integrate these objectives into their own digital transformation plans.
  • Stakeholder Engagement: While the three-month notification window is for the adopted strategy, the drafting process should involve extensive consultation with industry, academia, and civil society to ensure the strategy is practical and effective.

Governance Setup: Competent Authorities (Months 6–12)

Designating the national competent authority is a legal and operational necessity. This body will be the gatekeeper for cloud sovereignty in Malta.

  • Resource Allocation: The authority will need significant technical and legal resources to audit providers, manage the recognition process, and enforce penalties.
  • Inter-agency Coordination: The authority will likely need to work closely with data protection authorities, cybersecurity agencies, and competition authorities. Early coordination is essential to define roles and avoid overlaps.
  • Notification Readiness: Once designated, the details must be prepared for immediate notification to the Commission to ensure Malta is listed in the public register without delay.

Procurement Readiness

Once the acceleration zones are designated and the competent authority is in place, the procurement landscape will change. Public bodies must begin auditing their current cloud contracts to assess compliance with future Union assurance levels. If a service is deemed to contribute to public order (as defined in Article 29), it may eventually require a higher assurance level (2, 3, or 4). Early preparation can prevent costly and disruptive migrations later.

Common misconceptions

Misconception 1: The deadlines start from publication. The deadlines are tied to the regulation's entry into force, which occurs 20 days after publication in the Official Journal. While publication is the public announcement, the legal clock for Malta's obligations only starts 20 days later. However, given the short six-month window for acceleration zones, the time between publication and the first deadline is very tight.

Misconception 2: The national strategy is a static document. The national cloud and AI strategy is a living document. Article 7(5) requires Malta to assess and update the strategy at least every three years. It must evolve with technological developments and market changes. Treating it as a one-time compliance exercise would be a strategic error.

Misconception 3: The competent authority is just an IT oversight body. The national competent authority under CADA is a powerful enforcement body with specific powers to audit, inspect, and fine cloud providers. It is not a general IT support unit but a specialized regulator focused on sovereignty, security, and market compliance. It requires dedicated legal and technical expertise.

Misconception 4: The three-month notification is a consultation period. The three-month period in Article 7(5) is strictly for notification of the adopted strategy to the Commission. It is not a window for public consultation or stakeholder feedback. Public consultation and drafting must be completed before the strategy is formally adopted.

Misconception 5: Acceleration zones are optional. Article 10(1) states that "where data centre capacity is being deployed," Malta shall designate at least one zone. Given Malta's strategic position and the EU's push for capacity, this is effectively a mandatory requirement for any Member State with active or planned data centre development.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.