When must Romania meet its CADA obligations? Key deadlines and timeline

Summary Under the proposed Cloud and AI Development Act (CADA), Romania would face three critical, non-negotiable deadlines to establish its foundational cloud and AI governance framework. First, the designation of at least one data centre acceleration zone must occur within six months of the regulation's entry into force. Second, the national cloud and AI strategy must be adopted within one year of entry into force, with a mandatory notification to the European Commission within three months of that adoption. Third, the designation of the national competent authority responsible for enforcing the sovereignty framework must be completed within one year of entry into force. These timelines are fixed relative to the regulation's entry into force, creating a compressed implementation window for Romanian public authorities.

Detail

The Cloud and AI Development Act (CADA), proposed in COM(2026) 502 final, is designed to strengthen Europe's cloud and AI ecosystem by harmonising rules for data centre deployment, cloud sovereignty, and public procurement. As a proposal, CADA is not yet in force; however, if adopted in its current form, it would impose strict, harmonised timelines on Member States, including Romania, to ensure rapid implementation. The regulation enters into force on the twentieth day following its publication in the Official Journal of the European Union and applies one year later (Article 48).

For public-sector and procurement officers in Romania, the most critical initial obligations revolve around strategic planning, infrastructure zoning, and regulatory oversight. These deadlines are fixed relative to the regulation's entry into force, not its application date, creating a tight implementation window that requires immediate preparatory action.

National Cloud and AI Strategy: The One-Year Horizon

Article 7(1) mandates that Member States establish a national cloud and AI strategy within one year of the regulation's entry into force. This strategy is not merely a policy document but a binding roadmap that must align with the EU's broader "AI first" principle and the Digital Decade targets. Article 7(2) specifies that the strategy must include key objectives for cloud and AI adoption, measures to accelerate deployment in strategic sectors like healthcare and energy, and plans to support the development of open-source cloud stack technologies.

Crucially, Article 7(5) requires Romania to notify the European Commission of this national strategy within three months of its adoption. This notification triggers EU-level monitoring. The strategy must be assessed and updated at least every three years based on key performance indicators (Article 7(5)). If Romania already has a strategy that adequately covers CADA's objectives, it may update the existing document rather than creating a new one, provided it fills any identified gaps (Recital 33). This flexibility, however, does not extend the deadline for the initial adoption or the subsequent notification.

Data Centre Acceleration Zones: The Six-Month Sprint

To address the EU's compute capacity deficit, CADA requires the rapid designation of specific geographic areas where data centre deployment is streamlined. Article 10(1) states that where data centre capacity is being deployed, a Member State shall designate at least one data centre acceleration zone within its territory by six months after the regulation's entry into force.

This is a strict deadline that precedes the general application of the regulation. The designation must consider site dimensions, power grid capacity, network connectivity, and environmental sustainability (Article 10(1)). Within these zones, Member States must ensure fair, reasonable, and non-discriminatory resource allocation and prevent speculative reservation practices (Article 11(2)). The acceleration zones are designed to benefit from expedited permitting processes, with permit-granting procedures not exceeding 12 months for comprehensive applications (Article 13(5)). For Romania, this means that the physical infrastructure for future sovereign cloud services must be legally defined and zoned within a very short timeframe after the law takes effect.

National Competent Authorities: The One-Year Regulatory Mandate

The enforcement of CADA's cloud sovereignty framework—specifically the recognition of cloud providers meeting Union assurance levels—requires a designated regulatory body. Article 25(1) obliges Member States to designate one or more national competent authorities responsible for enforcing Chapter IV of the regulation within one year of entry into force.

These authorities must have the necessary technical, financial, and human resources to supervise cloud computing service providers effectively (Article 25(3)). The Member State where a cloud provider has its main establishment holds exclusive competence for enforcement (Article 25(4)). Romania must notify the Commission of the names, tasks, and powers of these authorities, which the Commission will maintain in a public register (Article 25(2)). This designation is a prerequisite for the recognition of cloud services under the Union assurance levels, making it a foundational step for the entire sovereignty framework.

What this means for you

For public-sector procurement officers, IT directors, and regional planners in Romania, these deadlines signal an immediate need for internal preparation. Although CADA is not yet law, the Commission's proposal is detailed and likely to form the basis of final legislation.

1. Start Strategy Drafting Now: The one-year deadline for the national strategy (Article 7) means that Romanian authorities should begin drafting or reviewing existing digital strategies immediately. Procurement officers should identify gaps in current cloud adoption plans, particularly regarding the shift toward sovereign cloud services and open-source solutions. Ensure your department's objectives align with the national strategy's requirements for supporting SMEs and strategic industrial sectors.
2. Prepare for Accelerated Procurement: The six-month deadline for designating acceleration zones (Article 10) implies that the physical infrastructure for future sovereign cloud services will be defined quickly. Procurement teams should monitor regional development plans to understand where these zones will be located, as this will influence future data residency requirements and service availability.
3. Engage with the Competent Authority: Once the national competent authority is designated within one year (Article 25), it will become the primary point of contact for all matters related to cloud sovereignty assurance levels. Procurement officers should establish early lines of communication with this authority to understand the recognition process for cloud providers. This is critical because, under Article 30, contracting authorities involved in public order preservation must only procure services recognised at Union assurance levels 2, 3, or 4.

Common misconceptions

Misconception 1: The deadlines start when the law is applied, not when it enters into force. Many assume that implementation timelines begin when the regulation becomes applicable (one year after entry into force). However, CADA explicitly ties key deadlines to the entry into force date. For example, the acceleration zone designation is due six months after entry into force (Article 10(1)), which is before the regulation's general application date. This creates a compressed timeline for initial administrative setup.

Misconception 2: Existing national strategies automatically comply. Some believe that current national digital strategies are sufficient. While CADA allows Member States to update existing strategies if they already cover the regulation's objectives (Recital 33), the bar is high. The strategy must specifically address the "AI first" principle, open-source stack development, and the specific governance frameworks for cloud sovereignty. If gaps exist, they must be filled within the one-year deadline.

Misconception 3: Only the central government is responsible. While the national strategy and competent authority designation are central tasks, the implementation involves regional and local authorities. For instance, the designation of acceleration zones requires coordination among national, regional, and local authorities, including transmission system operators and network connectivity providers (Article 10(4)). Procurement officers at regional levels should anticipate increased coordination requirements.

Official sources

• Digital Decade Policy Programme (Decision (EU) 2022/2481)

Related

• When must Sweden meet its CADA obligations? Key deadlines and timeline
• When must Spain meet its CADA obligations? Key deadlines and timeline
• When must Slovenia meet its CADA obligations? Key deadlines and timeline
• When must Slovakia meet its CADA obligations? Key deadlines and timeline
• When must Portugal meet its CADA obligations? Key deadlines and timeline

This is general information about a draft EU regulation, not legal advice.