When will CADA be reviewed? Article 47 review clause explained

Summary As proposed, the Cloud and AI Development Act (CADA) requires the European Commission to evaluate the regulation and report to the European Parliament, the Council and the European Economic and Social Committee by four years after its entry into force, and every five years thereafter, under Article 47. Where appropriate, the evaluation report would be accompanied by a proposal to amend the regulation. The Commission must take into account the positions of the Parliament, the Council and other relevant bodies, and pay specific attention to SMEs and the position of new competitors.

Detail

CADA is currently a legislative proposal (COM(2026) 502 final) and is not yet in force. As proposed, it includes a structured review mechanism to keep the framework fit for purpose amid rapid technological change.

The review mechanism under Article 47 Article 47 sets out the timeline and procedure:

• Initial evaluation: The Commission shall evaluate the regulation by the date of entry into force plus four years — not five.
• Subsequent reviews: After that, the Commission shall evaluate it every five years.
• Reporting: For each evaluation, the Commission reports to the European Parliament, the Council and the European Economic and Social Committee.
• Scope and inputs: In carrying out the evaluation, the Commission shall take into account the positions and findings of the European Parliament, of the Council, and of other relevant bodies or sources, and shall pay specific attention to small and medium-sized enterprises and the position of new competitors.
• Legislative amendments: Where appropriate, the report shall be accompanied by a proposal for amendment of the regulation, allowing the framework to adapt to shifts in the cloud market, AI developments or changes affecting data sovereignty.

Context within the CADA lifecycle It is worth distinguishing the entry into force date from the application date. Under Article 48, the regulation enters into force on the twentieth day following its publication in the Official Journal, and applies from one year after entry into force. The Article 47 review clock runs from entry into force, so the first evaluation (entry into force plus four years) would fall roughly three years after the substantive provisions begin to apply.

Why a periodic review The review clause reflects the EU's general approach to digital regulation, which favours regular assessment. Given the pace of cloud and AI, the cycle allows the EU to:

1. assess whether the sovereignty framework (the Union assurance levels) is effectively mitigating risks to public order;
2. evaluate whether data centre deployment incentives and acceleration zones are closing the capacity gap; and
3. determine whether the Cloud and AI Leadership Initiatives are meeting their operational objectives.

What this means for you

For in-house counsel and compliance officers, Article 47 signals that CADA would not be a "set and forget" regulation. Core obligations — risk assessments, procurement requirements, sovereignty criteria — are fixed at adoption, but implementation details and the scope of some provisions may evolve.

Strategic planning and monitoring

• Long-term compliance horizons: Assume the framework will be reassessed about four years after it takes effect, with recurring five-year reviews after that. If CADA were to enter into force in, say, late 2026 or 2027, the first review could land around 2030–2031.
• Stakeholder engagement: The Commission must consider the positions of the Parliament, the Council and other relevant bodies and pay specific attention to SMEs and new competitors. Companies and industry associations should engage, since identified gaps could lead to proposed amendments.
• Documentation and evidence: The review weighs the effective application and enforcement of the regulation. Maintain robust records of compliance efforts — risk assessments under Article 29, procurement records under Article 30 — as such data may inform the evaluation.

Impact on sovereignty and procurement The review may scrutinise whether the Union assurance levels remain proportionate and effective. Separately, note that the Commission must review Annexes II and III at least every 18 months under Article 16(3) — a faster cadence than the Article 47 review — so the assurance-level criteria could change between formal reviews. Compliance teams should watch both timelines.

Common misconceptions

• Misconception 1: The first review happens five years after entry into force.
  • Reality: Article 47 sets the first evaluation at entry into force plus four years, and every five years thereafter.
• Misconception 2: The five-year clock starts when the rules become applicable.
  • Reality: The review period runs from entry into force (20 days after publication), not from the application date one year later.
• Misconception 3: The review is a one-time event.
  • Reality: It is recurring — an initial evaluation after four years, then every five years.
• Misconception 4: The Commission can unilaterally change the law during the review.
  • Reality: The Commission evaluates and reports, and may attach a proposal for amendment. Actual changes follow the ordinary legislative procedure, involving the Parliament and the Council.

Related

• CADA Article 31: voluntary private-sector impact assessments explained
• When was the Cloud and AI Development Act (CADA) proposed?
• When must Member States act under CADA? Key deadlines
• When does CADA enter into force and start to apply?
• What is the CADA sovereignty risk assessment (Article 29)?

This is general information about a draft EU regulation, not legal advice.