When must Member States act under CADA? Key deadlines

Summary As proposed, the Cloud and AI Development Act (CADA) sets deadlines for Member States that run from the Regulation's entry into force, not its later application date. Member States would have to designate at least one data centre acceleration zone within six months (Article 10), and — within one year — designate national competent authorities for the sovereignty chapter (Article 25), adopt national cloud and AI strategies (Article 7), and carry out their first sovereignty risk assessments (Article 29). CADA would enter into force 20 days after publication in the Official Journal and apply one year later (Article 48).

Detail

The proposed CADA anchors Member State obligations to the entry into force of the Regulation, while the substantive rules that bind operators and public buyers attach to the later application date. For public-sector officers, keeping these two milestones distinct is essential.

Under Article 48, CADA would enter into force on the twentieth day following publication in the Official Journal of the European Union, and would apply from one year after that. The one-year gap is the window in which Member States must complete several preparatory obligations.

1. Designate data centre acceleration zones — +6 months (Article 10)

Article 10(1) provides that, where data centre capacity is being deployed in a Member State's territory, that Member State must designate at least one data centre acceleration zone, with the deadline expressed as "[P.O. insert the date of entry into force of this Regulation plus 6 months]." When designating zones, Member States would consider factors such as site location and size, available and future power grid capacity (and on-site clean generation/storage), network connectivity, the phasing-out of legacy copper networks, waste-heat reuse, permitting acceleration, a preference for brownfield over greenfield sites, and environmental sustainability.

2. Designate national competent authorities — +1 year (Article 25)

The sovereignty framework relies on national competent authorities (NCAs) to recognise providers against Union assurance levels. Article 25(1) requires Member States to designate one or more NCAs responsible for enforcing the sovereignty chapter "[by P.O. insert date of entry into force plus 1 year]" — the same point at which the Regulation begins to apply. Given the resourcing required (sufficient technical, financial and human resources under Article 25(3)), early preparation would matter. NCAs would handle recognition, supervision and enforcement.

3. Adopt national cloud and AI strategies — +1 year (Article 7)

Article 7(1) requires Member States to establish national cloud and AI strategies "[by same day as entry into force plus one year]." Under Article 7(2) these must include, among other things: key objectives aligned with the 'AI first' principle and a governance/monitoring framework; measures to accelerate adoption at national, regional and local level (notably for public sector bodies, SMEs and SMCs); measures to support deployment of data centre capacity and high-intensity computing infrastructure such as AI factories; and public-procurement-of-innovation measures, including plans to pursue the objective of awarding at least 25% of cloud and AI procurement to innovative SMEs (Article 33(4)).

Member States would notify the Commission of their strategies within three months of adoption and assess them at least every three years (Article 7(5)). Where a Member State has already adopted a strategy that adequately covers these objectives, it need not adopt a new one, but should update its existing strategy to address any gaps identified in light of CADA (Recital 33).

4. Carry out the first risk assessments — +1 year (Article 29)

Article 29(1) requires Member States and Union entities to carry out sovereignty risk assessments "[by date of entry into force plus 1 year], and thereafter every two years, or whenever necessary." These determine which public-sector activities contribute to the preservation of public order and which Union assurance level (2, 3 or 4) is appropriate.

5. The application date (Article 48)

The substantive obligations — for example the procurement rules under Article 30, which require public bodies to use UAL 1 services (or UAL 2–4 for public-order activities) — become operative when the Regulation applies, one year after entry into force. So Member States must designate NCAs, adopt strategies and run their first risk assessments within the first year, and the framework's operation then begins at the application date.

What this means for you

For public-sector and procurement officers, the entry-into-force versus application distinction is the key operational detail.

1. Watch the Official Journal. The clock starts at publication. You would have six months to see acceleration zones designated and one year to see your national competent authority designated, your national strategy adopted, and the first risk assessment completed.
2. Read the national strategy early. It will set out your country's measures for the 25% SME procurement objective and for sovereign cloud, so review it as soon as it is published.
3. Prepare for NCA interaction. Once designated, the NCA handles provider recognition and supervision; it would be operational by the application date when your procurement obligations begin.
4. No separate grace period for designation. The +6-month and +1-year deadlines are fixed relative to entry into force; the substantive obligations on operators and buyers start at the application date.

Common misconceptions

• "The deadlines start when CADA applies." As proposed, no. The deadlines for acceleration zones (Article 10), NCAs (Article 25), national strategies (Article 7) and the first risk assessments (Article 29) run from entry into force. The application date is when the substantive procurement rules take effect.
• "Member States have two years to set up NCAs." As proposed, no. Article 25(1) sets designation at entry into force plus one year — the same point the Regulation begins to apply.
• "National strategies are optional if we already have a digital strategy." Partly. Under Recital 33, a Member State with an adequate existing strategy need not adopt a new one but should update it to fill any gaps. A non-compliant strategy would breach Article 7.

Related

• When was the Cloud and AI Development Act (CADA) proposed?
• Why was the Cloud and AI Development Act (CADA) proposed?
• Who does the Cloud and AI Development Act (CADA) apply to?
• Where can I read the official text of the Cloud and AI Development Act (CADA)?
• When will CADA be reviewed? Article 47 review clause explained

This is general information about a draft EU regulation, not legal advice.