Summary
As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) would impose a rigid, synchronized timeline on Slovakia to establish its cloud infrastructure and governance framework. Slovakia would have six months after the regulation's entry into force to designate its first data centre acceleration zones. Within one year, it must adopt its national cloud and AI strategy, designate its national competent authority, and notify the Commission of that strategy. Missing these statutory windows would delay Slovakia's ability to legally procure sovereign cloud services, access EU funding for strategic projects, and enforce the Union's cloud sovereignty framework.
Detail
The proposed Cloud and AI Development Act (CADA) is designed to harmonize the deployment of cloud infrastructure and the adoption of sovereign cloud services across the European Union. For Slovakia, as for all Member States, the timeline for compliance is not a suggestion but a binding schedule anchored to the regulation's entry into force. Understanding these deadlines is critical for public-sector procurement officers, IT strategists, and national policymakers, as failure to meet them would hinder the country's ability to leverage EU funding, procure compliant cloud services, and protect public order through sovereign digital infrastructure.
The timeline is anchored to two key dates defined in Article 48: the entry into force (20 days after publication in the Official Journal) and the date of application (one year after entry into force). The most immediate and significant obligations for Slovakia fall within the first 12 to 18 months of the regulation's life.
1. Data Centre Acceleration Zones: 6 Months After Entry Into Force
The most urgent operational deadline relates to physical infrastructure. Under Article 10(1) of the proposed CADA, Member States must designate at least one "data centre acceleration zone" within their territory where data centre capacity is being deployed. This designation must occur no later than six months after the regulation enters into force.
These acceleration zones are not merely symbolic; they are the designated areas where streamlined permitting processes, single information points, and aggregated baseline permits will apply (as detailed in Articles 11–13). By missing this six-month window, Slovakia would delay the ability of operators to benefit from the accelerated administrative procedures intended to triple EU data centre capacity by 2035. The designation process requires Member States to consider site dimensions, power grid capacity, network connectivity, and environmental sustainability criteria. The regulation explicitly states that Member States shall designate these zones "by [date of entry into force plus 6 months]."
2. National Cloud and AI Strategy: One Year After Entry Into Force
Parallel to infrastructure planning, Slovakia must develop a strategic roadmap. Article 7(1) mandates that Member States establish a "national cloud and AI strategy" within one year of the regulation's entry into force. This strategy is not optional; it is the foundational document that aligns national efforts with the EU's broader objectives of technological sovereignty and industrial competitiveness.
The strategy must include specific elements:
- Key objectives and priorities for cloud and AI adoption, aligned with the "AI first" principle.
- Measures to accelerate development and adoption at national, regional, and local levels, particularly for SMEs and public sector bodies.
- Plans for supporting the deployment of data centre capacity and high-intensity computing infrastructure (such as AI factories).
- Measures to ensure accessibility of high-quality data for AI development.
Crucially, Article 7(5) adds a reporting deadline: Slovakia must notify the European Commission of its national strategy within three months of its adoption. This means the strategy must be finalized and submitted no later than 15 months after the regulation enters into force. The Commission will monitor these strategies to ensure consistency with CADA's objectives, and the European Artificial Intelligence Board (AI Board) will advise and assist in their coordination.
3. National Competent Authority Designation: One Year After Entry Into Force
Governance and enforcement are equally time-sensitive. Article 25(1) requires Member States to designate one or more "national competent authorities" responsible for enforcing the cloud computing sovereignty framework (Title IV of the regulation) within one year of entry into force.
These authorities are pivotal because they:
- Recognize cloud computing service providers as offering specific "Union assurance levels" (Levels 1–4) under Article 17.
- Supervise and enforce obligations related to transparency, audits, and penalties (Articles 23–24).
- Maintain a public register of recognized sovereign cloud services in the central repository established by the Commission (Article 22).
Without a designated competent authority, Slovakia would have no body to officially recognize cloud providers as compliant with the sovereignty criteria. This would effectively block public sector bodies from legally procuring cloud services under the mandatory assurance level requirements (Article 30), as there would be no recognized pool of compliant vendors.
4. Risk Assessments and Procurement Obligations: One Year After Entry Into Force
While not a single "deadline" in the same sense, Article 29(1) triggers a continuous obligation starting one year after entry into force. Member States and Union entities must carry out risk assessments to determine which public sector activities require specific Union assurance levels (2, 3, or 4) for cloud computing services. These assessments must be repeated every two years or whenever necessary.
This deadline is critical for procurement officers because it dictates when the mandatory procurement rules under Article 30 become fully operational. Once the risk assessments are complete, contracting authorities whose activities are identified as contributing to the preservation of public order must only procure cloud computing services recognized as offering Union assurance levels 2, 3, or 4. All other public sector bodies must use services recognized as offering Union assurance level 1.
What this means for you
For public-sector and procurement officers in Slovakia, these deadlines represent a clear roadmap for the next 18–24 months.
- Immediate Action (Months 0–6): Engage with national and regional authorities to identify potential sites for data centre acceleration zones. The criteria in Article 10(1) (power grid capacity, network connectivity, environmental impact) must be evaluated now to ensure the designation is submitted within six months of entry into force.
- Strategic Planning (Months 6–12): Begin drafting the national cloud and AI strategy as required by Article 7. This document will likely influence future procurement mandates and funding eligibility. Ensure it includes the mandatory elements: AI adoption targets, data centre deployment plans, and measures for SME participation.
- Governance Setup (Months 6–12): Identify and empower the national competent authority as per Article 25(1). This body needs resources, expertise, and legal mandate to evaluate cloud providers against the sovereignty criteria in Annex II of the regulation. Without this body, you cannot legally award contracts for sovereign cloud services.
- Procurement Preparation (Months 12–15): As the one-year mark approaches, prepare for the mandatory risk assessments (Article 29). Your procurement teams must understand which services require Union assurance levels 2–4 (for public order-critical activities) versus level 1 (for general public services). Update tender templates to include the Union added value criteria (Article 32) and ensure that only providers listed in the central repository are eligible for bids.
Common misconceptions
- "The deadlines start when the regulation is published." Incorrect. The deadlines are tied to the entry into force (20 days after publication) and the date of application (one year after entry into force). The six-month deadline for acceleration zones is six months after entry into force, not publication.
- "We can use any cloud provider for the first few years." Incorrect. From the date of application (one year after entry into force), public sector bodies must use cloud services that have been formally recognized as meeting at least Union assurance level 1 (Article 30(2)). There is no general grace period for non-compliant providers unless a specific derogation under Article 30(4) applies (e.g., no suitable tender received).
- "The national strategy is just a guidance document." Incorrect. The national cloud and AI strategy under Article 7 is a mandatory legal obligation. It must be notified to the Commission within three months of adoption. The Commission monitors these strategies, and they inform the allocation of EU funding and the implementation of the Cloud and AI Leadership Initiatives.
- "Slovakia can wait to designate its competent authority until it needs to audit a provider." Incorrect. Article 25(1) sets a hard deadline of one year after entry into force for designation. Delaying this would leave a legal vacuum in the enforcement of the sovereignty framework, potentially invalidating procurement processes that rely on recognized assurance levels.
This is general information about a draft EU regulation, not legal advice.