Summary As proposed, the Cloud and AI Development Act (CADA) would require the European Commission to evaluate the Regulation and report on it four years after it enters into force, and every five years thereafter (Article 47). The reports would go to the European Parliament, the Council and the European Economic and Social Committee, and could be accompanied by a proposal to amend the Regulation. Because CADA would apply one year after entry into force, the first review would land roughly three years after the rules start to apply to businesses and public authorities.

Detail

CADA, proposed by the European Commission on 3 June 2026 as COM(2026) 502 final, would build in a periodic review so the framework keeps pace with fast-moving cloud and AI technology. The timing and requirements are set out in Article 47 ("Review").

The review timeline

Under Article 47(1), the Commission would have to evaluate the Regulation and report "by [date of entry into force plus 4 years], and every 5 years thereafter."

It helps to keep two dates apart. Under Article 48, the Regulation would enter into force on the twentieth day after publication in the Official Journal, but it would only apply one year later. Because the first review is pegged to entry into force plus four years, and application is entry into force plus one year, the first evaluation would arrive about three years after the rules become operative for businesses and public authorities — not five.

Who receives the reports

Article 47(1) directs the Commission to report to three bodies:

  1. the European Parliament;
  2. the Council; and
  3. the European Economic and Social Committee.

This makes the evaluation a public, inter-institutional exercise rather than an internal one. The inclusion of the European Economic and Social Committee — the EU's advisory body for employers, workers and civil-society interests — is notable: it widens the audience beyond the co-legislators to the social and economic stakeholders most affected by cloud and AI policy, and signals that the review is meant to capture market and employment effects, not just legal compliance.

A recurring cycle, not a one-off

The phrase "and every 5 years thereafter" matters: the review is a standing obligation, not a single post-implementation check. After the first report at entry into force plus four years, the Commission must repeat the exercise on a rolling five-year basis for as long as CADA is in force. That cadence is deliberately matched to the pace at which cloud and AI markets and technologies move, so the framework is re-examined often enough to stay relevant without imposing constant legislative churn.

What the review covers, and what it can trigger

The review is substantive, not a formality. Article 47(2) provides that, "where appropriate," the report "shall be accompanied by a proposal for amendment of this Regulation" — so the evaluation can lead to legislative change if the Commission concludes the text no longer fits the strategic challenges.

Article 47(3) requires the Commission, in carrying out the evaluation, to take into account the positions and findings of the Parliament, the Council and other relevant bodies, and to "pay specific attention to small and medium-sized enterprises and the position of new competitors." That is a deliberate steer toward assessing whether smaller, EU-based providers can compete against established hyperscalers.

The proposal's own framing

The proposal's explanatory section on monitoring and evaluation states that "[f]ive years after its entry into force, the Commission should review the functioning of this proposed Regulation and submit a report to the European Parliament" and to the Council. The enacting Article 47(1) sets the binding first deadline at four years after entry into force, with five-year intervals thereafter; the explanatory "five years" reflects the broader monitoring intent rather than the operative deadline. For planning purposes, the controlling figure is the four-year-then-every-five-years cycle in Article 47.

What this means for you

For public-sector procurement officers and IT decision-makers, Article 47 offers a mix of stability and a feedback channel.

1. Predictable but not frozen. A fixed review cycle lets you plan multi-year strategies — migrating to sovereign cloud, joining the EuroCloud Federation — knowing the framework will be actively maintained. But the rules can change: procurement policies set now may need adjustment if the first review produces amendments.

2. A channel for input. Because Article 47(3) requires the Commission to weigh the positions of the Parliament, the Council and other relevant bodies, the review is an opening for stakeholder engagement. Difficulties with the assurance levels, the recognition process or common procurement can be raised through national authorities and associations.

3. Explicit focus on SMEs and new entrants. Article 47(3) singles out SMEs and new competitors. If you work with smaller, EU-based providers, document your experience — that evidence may inform whether the Commission proposes changes to lower barriers to entry.

4. The sovereignty framework will be under the microscope. The review will likely test whether the four Union assurance levels are workable, whether the Article 29 risk assessments are proportionate, and whether the central repository of recognised services (Article 22) functions as a reliable procurement tool. Procurement officers' real-world feedback will matter here.

5. Distinguish the review from faster adjustments. Not every change to CADA waits for the five-yearly review. The Commission can update technical annexes and audit detail between reviews through delegated acts (Article 45), and standardise procedures through implementing acts (Article 46). The review is the route for structural reassessment — and a possible legislative proposal — whereas the secondary-legislation powers handle technical upkeep. If you are tracking what might change and when, keep these two timescales separate.

What the first report is likely to ask

Although Article 47 does not prescribe the contents in detail, the proposal's objectives point to the questions the first evaluation will probably address: has EU compute capacity grown and become less geographically concentrated; have the acceleration zones and single information points actually shortened data-centre permitting; are EU-based providers gaining ground against non-EU hyperscalers; and are the assurance-level criteria and audit burdens proportionate, especially for SMEs and small mid-caps. For organisations operating under CADA, these are precisely the areas where documented, real-world experience can shape the Commission's findings — and any amendment proposal that follows.

Common misconceptions

"The first review happens five years after the rules start applying." No. The first evaluation is pegged to entry into force plus four years (Article 47(1)). Since the rules apply one year after entry into force (Article 48), the first review falls roughly three years after they start to apply. Subsequent reviews follow every five years.

"The review is only about cost." Article 47 frames the evaluation around the Regulation's functioning — its effectiveness in strengthening the cloud and AI ecosystem and reducing dependencies — and expressly the position of SMEs and new competitors, not just administrative burden.

"The Commission can change the law through the review itself." No. The review produces an evaluation and a report, which may be accompanied by an amendment proposal (Article 47(2)). Any change would still go through the ordinary legislative procedure with the Parliament and Council.

"The review is a one-off." No. Article 47(1) mandates a recurring cycle: the first report at entry into force plus four years, then every five years thereafter.

Related

This is general information about a draft EU regulation, not legal advice.