Summary

Under the proposed Cloud and AI Development Act (CADA), Portugal faces a compressed timeline to establish its legal and administrative frameworks. The Regulation would enter into force 20 days after publication in the Official Journal, triggering immediate deadlines. Portugal must designate at least one data centre acceleration zone within six months of entry into force. Subsequently, it must establish its national cloud and AI strategy and designate its national competent authority within one year of entry into force. Crucially, these deadlines are calculated from the entry into force date, not the later application date, meaning Portugal must act within months of the law's publication to ensure compliance before the main rules take effect.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is designed to be a directly applicable EU Regulation. This means it would become binding law in Portugal without the need for national transposition legislation. However, the Regulation imposes specific preparatory obligations on Member States that must be fulfilled on a strict schedule. The timeline is anchored to Article 48, which states the Regulation enters into force on the twentieth day following its publication and applies one year thereafter.

Several critical obligations for Portugal are triggered by the entry into force date, creating a "pre-application" phase where the state must build its infrastructure and strategy before the full regulatory regime becomes active.

1. Data Centre Acceleration Zones: The 6-Month Deadline

The most immediate obligation for Portugal concerns the physical deployment of computing capacity. To address the EU's compute capacity gap, Article 10(1) mandates that Member States designate at least one data centre acceleration zone ("acceleration zone") within their territory where data centre capacity is being deployed.

The deadline for this designation is explicit: within six months of the Regulation's entry into force.

This is a hard deadline. Portugal must identify and legally designate specific sites or areas that meet the criteria set out in Article 10(1), which include:

  • Grid Capacity: Availability of current and future power grid capacity, including the possibility of on-site clean energy generation.
  • Connectivity: Sufficient network connectivity capacity.
  • Permitting: Existing measures to accelerate the granting of necessary permits.
  • Sustainability: Preference for reusing brownfield sites and the ability to function sustainably, minimizing environmental impacts.
  • Heat Reuse: The ability to reuse data centre waste heat.

Once designated, these zones become the primary locations for streamlined permitting. Under Article 13, the permit-granting procedure for data centre projects within these zones must not exceed 12 months from the submission of a comprehensive application. Failure to designate a zone within the six-month window could delay the deployment of critical infrastructure and prevent projects from accessing these accelerated procedures.

2. National Cloud and AI Strategy: The 1-Year Deadline

Parallel to the infrastructure designation, Portugal must formulate a comprehensive strategic roadmap. Article 7(1) requires Member States to establish a national cloud and AI strategy within one year of the Regulation's entry into force.

This strategy is not a voluntary policy paper; it is a mandatory legal instrument that must align with the Regulation's objectives. Under Article 7(2), the strategy must include:

  • Objectives: Key objectives for cloud and AI adoption, adhering to the "AI first" principle.
  • Deployment Measures: Actions to accelerate development at national, regional, and local levels, specifically targeting public sector bodies, SMEs, and small mid-caps.
  • Infrastructure: Plans to support the deployment of data centre capacity with high environmental and energy-efficiency standards.
  • Investment: Measures to invest in high-intensity computing infrastructure, such as AI factories, AI gigafactories, and quantum computers.
  • Open Source: Measures to support the development of cloud computing stack technologies built upon open hardware and software.

Notification Requirement: Once Portugal adopts this strategy, Article 7(5) imposes a secondary deadline: the Member State must notify the Commission within three months of its adoption. The strategy must also be assessed at least every three years based on key performance indicators and updated if necessary.

3. Designation of National Competent Authorities: The 1-Year Deadline

To enforce the sovereignty framework and supervise cloud computing service providers, Portugal must establish the necessary administrative bodies. Article 25(1) requires Member States to designate one or more national competent authorities responsible for enforcing the sovereignty chapter of the Regulation.

The deadline for this designation is one year after the Regulation's entry into force, aligning with the strategy deadline.

These authorities will hold significant powers under Article 26, including:

  • Investigative Powers: The power to require information from providers, conduct inspections of premises, and seize copies of information.
  • Enforcement Powers: The power to order the cessation of infringements, impose remedies, and impose fines or periodic penalty payments.
  • Recognition: The authority to assess applications for Union assurance levels (1–4) and issue recognition decisions.

Portugal must notify the Commission of the names, tasks, and powers of these designated authorities. The Commission will maintain a public register of these authorities to ensure transparency and facilitate cross-border cooperation under Article 27 (Mutual Assistance) and Article 28 (Cross-border Cooperation).

Summary of Key Deadlines for Portugal

The following table summarizes the critical milestones Portugal must meet relative to the Regulation's entry into force (EoF):

| Obligation | Legal Basis | Deadline (Relative to EoF) | Key Action Required |
|---|---|---|---|
| Regulation Enters into Force | Article 48 | Day 20 (after publication) | Clock starts ticking. |
| Designate Data Centre Acceleration Zone(s) | Article 10(1) | 6 months | Identify sites meeting grid, connectivity, and sustainability criteria. |
| Establish National Cloud and AI Strategy | Article 7(1) | 1 year | Adopt strategy covering AI first, infrastructure, and open source. |
| Designate National Competent Authority | Article 25(1) | 1 year | Appoint authority with investigative and enforcement powers. |
| Notify Commission of Strategy | Article 7(5) | 3 months after adoption | Submit strategy to the Commission. |
| Regulation Applies (Main Rules) | Article 48 | 1 year | Sovereignty framework and procurement rules become active. |

Note: "Entry into force" occurs 20 days after publication. "Application" occurs one year after entry into force. The deadlines for strategy, zones, and authorities are calculated from the entry into force date.

What this means for you

For public-sector bodies, procurement officers, and data centre operators in Portugal, these deadlines create a narrow preparation window. The state must act quickly to create the legal and administrative environment before the main rules of CADA become applicable.

  1. Strategic Alignment for Procurement: Public bodies must anticipate that the national cloud and AI strategy will dictate the criteria for future cloud procurement. Once the strategy is adopted (within one year of EoF), it will define the national priorities for "AI first" and sovereign cloud adoption. Procurement officers should monitor the drafting of this strategy to understand how it will influence the risk assessments required under Article 29 for determining Union assurance levels.
  2. Site Selection for Data Centres: For operators planning new data centres, the six-month deadline for acceleration zone designation is critical. Projects located within these designated zones will benefit from the 12-month maximum permitting timeline under Article 13. Operators should engage early with national and regional authorities to ensure potential sites meet the Article 10 criteria (grid capacity, brownfield preference, sustainability) to be included in the initial designation.
  3. Engagement with Competent Authorities: The national competent authority designated within one year will be the primary regulator for cloud sovereignty. It will manage the recognition of Union assurance levels (1–4) and enforce penalties for non-compliance. Cloud providers and public bodies should establish early dialogue with this authority to understand the specific audit requirements and evidence needed for recognition under Article 17 and Article 20.
  4. Readiness for Sovereignty Rules: While the main application date is one year after entry into force, the preparatory work must happen immediately. The sovereignty framework (Article 16) and procurement obligations (Article 30) will take effect on the application date. Portugal must have its strategy and authority in place before this date to ensure that public bodies can immediately conduct the required risk assessments and procure services at the appropriate assurance levels.

Common misconceptions

  • "The deadlines start when the law applies." This is incorrect. The deadlines for the national strategy, competent authority designation, and acceleration zones are tied to the entry into force of the Regulation (20 days after publication), not its application date (one year later). This means Portugal has only 6 to 12 months from publication to meet these initial obligations, well before the main rules take effect.

  • "Portugal can wait to designate an acceleration zone." No. Article 10(1) sets a hard deadline of six months after entry into force. Failure to designate a zone could delay data centre projects and prevent them from benefiting from the streamlined 12-month permitting process established in Article 13.

  • "The national strategy is optional or just a high-level document." No. Article 7(1) makes it mandatory for all Member States. Furthermore, the strategy must be notified to the Commission within three months of adoption. It is a binding instrument that must include specific measures for infrastructure, open source, and AI adoption, and must be consistent with the Digital Decade targets.

  • "Competent authorities are just for cybersecurity." No. While they will coordinate with cybersecurity authorities, their role under CADA is distinct and broader. They are responsible for enforcing the cloud sovereignty framework, recognizing providers for Union assurance levels, and imposing penalties for non-compliance under Article 24. They are the gatekeepers for sovereign cloud procurement in the public sector.

This is general information about a draft EU regulation, not legal advice.