Summary

As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) would enter into force 20 days after publication in the Official Journal but would only apply one year later. This transition period is critical for public administrations. By the date of application, Member States must have established national cloud and AI strategies and designated national competent authorities. Crucially, before any cloud procurement tender is launched, public bodies must complete a risk assessment under Article 29 to determine the required Union assurance level. Without this assessment, contracting authorities cannot legally define the minimum sovereignty requirements for their tenders under Article 30.

Detail

The Cloud and AI Development Act (CADA) is a legislative proposal designed to strengthen the EU's cloud and AI ecosystem by addressing sovereignty, capacity, and resilience. For public administrations, the timeline for compliance is not immediate upon publication but follows a structured phased approach defined in the final provisions of the proposal. Understanding the interplay between the entry into force, the date of application, and the specific administrative deadlines is essential for procurement planning and strategic alignment.

Entry into Force and the One-Year Application Delay

The legal lifecycle of CADA, as proposed, is governed by Article 48. This article establishes two distinct dates:

  1. Entry into Force: The Regulation enters into force on the twentieth day following its publication in the Official Journal of the European Union. This is the moment the law technically exists, triggering the start of the transition period.
  2. Date of Application: The substantive obligations of the Regulation would apply from one year after the date of entry into force, on the same day and month.

This one-year gap is not merely a waiting period; it is a mandatory preparation window. During this year, Member States and Union entities must establish the governance frameworks, conduct necessary risk assessments, and align their procurement strategies before the sovereignty rules become legally binding for public tenders.

Critical Deadlines for Public Administrations

The proposal imposes specific, time-bound obligations on Member States and public bodies that must be fulfilled by the date of application (entry into force + 1 year). Failure to meet these deadlines could delay the ability of public bodies to procure compliant cloud services.

1. National Cloud and AI Strategies (Article 7)

Article 7(1) mandates that Member States establish national cloud and AI strategies by the date of entry into force plus one year. These strategies are the foundational documents for national digital sovereignty. They must include:

  • Key objectives and priorities for cloud and AI adoption, aligned with the "AI first" principle.
  • Measures to accelerate development at national, regional, and local levels, particularly for SMEs and public sector bodies.
  • Plans to support the deployment of data centre capacity and high-intensity computing infrastructure (e.g., AI factories).
  • Measures to ensure the accessibility of high-quality data for AI development.

Public administrations must ensure their local digital transformation plans are consistent with these national strategies. Furthermore, Article 7(5) requires that these strategies be assessed at least every three years and updated as necessary to reflect technological and market developments.

2. Designation of National Competent Authorities (Article 25)

To enforce the sovereignty framework, Article 25(1) requires Member States to designate one or more national competent authorities by the date of entry into force plus one year. These authorities are responsible for:

  • Recognizing cloud computing service providers as offering specific Union assurance levels (1–4).
  • Supervising compliance with the sovereignty framework.
  • Maintaining the link between national recognition and the EU-wide central repository.

Public procurement officers will rely on these authorities to verify the status of providers. Without a designated authority, the recognition process for cloud services cannot be completed, potentially stalling procurement.

3. Mandatory Risk Assessments (Article 29)

Perhaps the most critical operational deadline for public bodies is the requirement to conduct risk assessments. Article 29(1) states that by the date of entry into force plus one year, and thereafter every two years (or whenever necessary), Member States and Union entities must carry out risk assessments.

These assessments are not optional; they are the prerequisite for determining procurement requirements. The assessment must:

  • Identify public sector activities that contribute to the preservation of public order. This includes sectors falling under Annex I or II of the NIS2 Directive, as well as areas of national security, internal security, external border management, defence, justice, and law enforcement.
  • Determine which Union assurance level (2, 3, or 4) is appropriate for those identified activities.

The outcome of this assessment directly dictates the minimum assurance level that must be included in tender documents.

4. Procurement Obligations (Article 30)

Once the risk assessment is complete, Article 30 governs the actual procurement process:

  • Baseline Requirement (Level 1): Public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized as having Union assurance level 1.
  • Public Order Requirement (Levels 2–4): Contracting authorities whose activities have been identified as contributing to public order must only procure services recognized as having Union assurance levels 2, 3, or 4.

This creates a "gatekeeper" mechanism: a public body cannot legally launch a tender for a public-order-relevant service unless it has first completed the Article 29 risk assessment and determined the required assurance level.

The Role of the Central Repository

Article 22 establishes a central repository of cloud computing services recognized as offering Union assurance levels 1–4. This repository, maintained by the Commission, serves as the single source of truth for procurement officers. Before awarding a contract, authorities must verify that the chosen provider is listed in the repository at the required assurance level. The proposal mandates that this repository be publicly available and regularly updated.

What this means for you

For public-sector procurement officers, IT directors, and legal counsel, the CADA proposal introduces a structured, risk-based compliance regime. The following steps are essential for preparation:

  1. Track the Legislative Timeline: CADA is currently a proposal. While the final text may evolve, the core structure of Article 48 (entry into force + 1 year application) is a standard legislative mechanism. Prepare your internal timelines assuming this one-year transition period will remain.
  2. Initiate Risk Mapping Early: Do not wait for the law to apply. Start mapping your organization's activities against the criteria in Article 29(1). Identify which services involve national security, justice, law enforcement, or critical infrastructure. These activities will likely require assurance levels 2, 3, or 4, which significantly narrows the pool of eligible providers compared to Level 1.
  3. Update Procurement Templates: Review your standard tender documents. You will need to include mandatory clauses requiring bidders to demonstrate recognition under the Union assurance levels framework. Ensure your evaluation criteria explicitly reference the minimum assurance level derived from your Article 29 risk assessment.
  4. Engage with National Competent Authorities: Once designated (by the application date), these authorities will be your primary point of contact for verification. Establishing early communication channels will help clarify the recognition process and resolve potential disputes regarding provider status.
  5. Plan for Migration and Transition: If your current cloud provider does not meet the required assurance level, you must plan a migration. Article 29(6) provides a safety valve: where migration is required, Member States or Union entities must migrate within a reasonable transition period that shall not exceed 12 months, taking into account technical feasibility, continuity of service, and data portability.

Common misconceptions

"CADA applies immediately upon publication." Incorrect. Article 48 explicitly provides a one-year transition period after entry into force before the rules apply. This period is designed to allow Member States to set up governance structures, designate authorities, and complete risk assessments.

"All public sector cloud procurement requires the highest sovereignty level." Incorrect. CADA uses a risk-based approach. Only activities identified as contributing to the preservation of public order (via the Article 29 risk assessment) require assurance levels 2, 3, or 4. General administrative activities that do not impact public order require only Union assurance level 1.

"Risk assessments are a one-time task." Incorrect. Article 29(1) requires risk assessments to be carried out by the application deadline, and thereafter every two years, or whenever necessary. Public administrations must regularly review their risk profiles as services, threats, and operational contexts evolve.

"CADA replaces the GDPR." Incorrect. CADA complements existing data protection laws. The proposal explicitly states it is consistent with the GDPR and other Union laws. CADA focuses on sovereignty, operational autonomy, and public order, while GDPR focuses on data protection and privacy. Both sets of obligations apply concurrently.

This is general information about a draft EU regulation, not legal advice.