Summary Under the proposed Cloud and AI Development Act (CADA), the Netherlands faces three critical initial deadlines to align its national infrastructure and governance with EU standards. The country must designate at least one data centre acceleration zone within six months of the regulation's entry into force. One year after entry into force, the Netherlands must adopt a national cloud and AI strategy, notify the European Commission of this strategy within three months of adoption, and designate its national competent authority for enforcing cloud sovereignty rules. These timelines are designed to rapidly expand compute capacity and establish a trusted procurement framework for public sector bodies.

Detail

The Cloud and AI Development Act (CADA) is a legislative proposal by the European Commission intended to strengthen Europe's cloud and AI ecosystem by reducing dependencies on third-country providers and increasing domestic compute capacity. As proposed, the regulation establishes strict, harmonised deadlines for Member States, including the Netherlands, to implement specific structural and strategic measures. Understanding these timelines is essential for Dutch public-sector entities and procurement officers who will be the primary users of the resulting sovereign cloud infrastructure.

The timeline begins with the regulation's entry into force, which is set to occur on the twentieth day following its publication in the Official Journal of the European Union, as per Article 48. While the general application of the rules begins one year after entry into force, specific preparatory actions have earlier triggers that require immediate attention from national authorities.

Data Centre Acceleration Zones (6 Months)

The most immediate operational requirement for the Netherlands relates to physical infrastructure. Under Article 10(1) of the proposal, Member States must designate at least one "data centre acceleration zone" within their territory if they are deploying data centre capacity. This designation must be completed within six months of the regulation's entry into force.

These acceleration zones are critical because they unlock streamlined permitting processes, single information points, and aggregated baseline permits for data centre projects. By designating these zones early, the Netherlands signals its commitment to addressing the EU's compute capacity gap. The proposal aims to triple EU data centre capacity within five to seven years, and the acceleration zones are the mechanism to achieve this speed. For the Netherlands, a hub of existing digital infrastructure, this means formally identifying specific sites where regulatory barriers are reduced to facilitate rapid construction and connection to energy and network grids. The designation must consider aspects such as available power grid capacity, network connectivity, and the ability to reuse waste heat, as outlined in Article 10(1).

National Cloud and AI Strategy (1 Year)

Parallel to infrastructure deployment, the Netherlands must develop a strategic roadmap. Article 7(1) requires Member States to establish a national cloud and AI strategy within one year of the regulation's entry into force. This strategy is not merely advisory; it is a binding requirement that must be consistent with the objectives of CADA.

The strategy must include key priorities for cloud and AI adoption, governance frameworks, and measures to accelerate deployment at national, regional, and local levels. It should specifically address the support of Experience and Acceleration Centres for AI (Centres for AI), the deployment of data centre capacity, and investment in high-intensity computing infrastructure such as AI factories. Crucially, the strategy must also outline measures to support the development of cloud computing stack technologies based on open hardware and software to strengthen technological sovereignty.

Once adopted, the Netherlands is not done. Article 7(5) imposes a strict reporting deadline: Member States must notify the European Commission of their national strategies within three months of their adoption. This notification ensures that the Commission can monitor progress and ensure coherence across the Union. The strategy is then subject to assessment at least every three years based on key performance indicators, with updates required if gaps are identified.

National Competent Authority (1 Year)

To enforce the sovereignty framework, the Netherlands must establish the institutional machinery for oversight. Article 25(1) mandates that Member States designate one or more "national competent authorities" responsible for enforcing the cloud computing sovereignty framework within one year of the regulation's entry into force.

This authority will be responsible for recognising cloud computing service providers that meet the Union assurance levels (Levels 1–4). It will have investigative and enforcement powers, including the ability to require information from providers, carry out inspections, and impose fines for non-compliance. The proposal allows Member States to designate an existing authority, but it must be clearly defined and notified to the Commission. The authority of the Member State where the cloud provider has its main establishment will have exclusive competence for enforcement, meaning the Netherlands will supervise providers established on its soil, while relying on mutual assistance for cross-border issues.

What this means for you

For public-sector procurement officers and infrastructure planners in the Netherlands, these deadlines are not abstract legislative milestones; they are operational triggers that will reshape how you buy cloud services and deploy infrastructure.

First, the six-month deadline for acceleration zones (Article 10(1)) is a signal to infrastructure providers and local authorities. If your organisation is planning new data centre projects or expanding existing ones, you should monitor which zones are designated. Projects within these zones benefit from faster permitting (capped at 12 months for comprehensive applications under Article 13) and simplified administrative processes. You should align your infrastructure planning with these designated areas to avoid regulatory bottlenecks.

Second, the one-year deadline for the national strategy (Article 7(1)) will define the strategic direction for your procurement. The national strategy will likely detail which sectors are considered critical and what levels of sovereignty are required. As a procurement officer, you must stay informed about the content of this strategy, as it will inform the risk assessments you are required to conduct under Article 29. These risk assessments determine whether you must procure services with Union Assurance Level 1 (the minimum baseline) or higher levels (2, 3, or 4) for activities contributing to public order.

Third, the designation of the national competent authority (Article 25(1)) within one year means a clear regulatory contact point will emerge. You will need to interact with this authority, particularly when verifying the status of cloud providers in the central repository of recognised services. Understanding the authority's role is crucial for due diligence. When you procure cloud services, you will need to check the central repository (maintained by the Commission under Article 22) to ensure the provider is recognised at the appropriate assurance level. The national competent authority is the body that validates these recognitions.

Finally, the three-month notification window (Article 7(5)) implies that the strategy will be public and subject to EU-level scrutiny shortly after adoption. Procurement officers should treat the national strategy as a living document that will guide your tender specifications, particularly regarding the use of EU-added-value criteria (Article 32) and the promotion of open-source solutions (Article 41).

Common misconceptions

Misconception 1: The deadlines start when the law is published. The timeline does not begin on the date of publication in the Official Journal. It begins on the date of entry into force, which is 20 days after publication. Furthermore, the general application of the rules starts one year after entry into force. However, the specific deadlines for acceleration zones (6 months) and the national strategy/competent authority (1 year) are calculated from the entry into force date, not the application date. This distinction is critical for accurate project planning.

Misconception 2: The national strategy is a voluntary guideline. Article 7(1) uses the mandatory language "Member States shall establish". The national cloud and AI strategy is a binding legal obligation. Failure to adopt it within the one-year timeframe would constitute non-compliance with the regulation. Moreover, the strategy must be notified to the Commission within three months of adoption, creating a transparent accountability mechanism.

Misconception 3: The national competent authority is a new body that must be created from scratch. Article 25(1) states that Member States "may designate an existing authority". The Netherlands does not necessarily need to create a new agency. It can assign these responsibilities to an existing body, such as the Dutch Authority for Consumers and Markets (ACM) or the National Cyber Security Centre (NCSC), provided it has the necessary resources and powers. The key is the formal designation and notification to the Commission.

Misconception 4: Acceleration zones apply to all data centres. The obligation to designate acceleration zones under Article 10(1) applies "where data centre capacity is being deployed". Not all data centres must be located in these zones. However, projects within acceleration zones benefit from specific facilitations, such as aggregated baseline permits and streamlined environmental assessments. Public sector bodies should prioritise locating critical infrastructure in these zones to leverage the faster permitting timelines.

Related

This is general information about a draft EU regulation, not legal advice.