Summary

If you are new to the proposed Cloud and AI Development Act (CADA), your immediate priority is to determine your organisational role under Article 2 (e.g., cloud computing service provider, public contracting authority, or private sector entity in a critical sector). As a proposal (COM(2026) 502 final), CADA is not yet law; Article 48 provides that it would enter into force 20 days after publication in the Official Journal and apply one year after entry into force. Your first compliance step is to map your current activities against the Union assurance levels established by Article 16 and defined in Annex II, and to prepare for the risk assessments or conformity self-assessments that your role requires.

Detail

The Cloud and AI Development Act (CADA) represents a significant shift in the EU's regulatory landscape, moving beyond the safety of AI systems to address the sovereignty, capacity, and resilience of the underlying cloud infrastructure. The complexity for legal and compliance teams is that CADA creates a new, multi-layered framework that interacts with existing instruments such as the AI Act and the NIS2 Directive. To navigate it, ground your analysis in the text of the proposal, specifically Article 1 (subject matter), Article 2 (definitions), and Article 48 (entry into force and application).

1. The Legal Basis: What CADA Would Do (Article 1)

Before assessing obligations, you must understand the scope of the instrument. Article 1(1) of the proposal establishes that CADA would create a framework for strengthening the EU cloud and AI ecosystem through five specific measures:

  • Establishing the Cloud and AI Leadership Initiatives to foster research and innovation.
  • Setting a framework for the accelerated deployment of data centres across the Union.
  • Enabling the availability of a sovereign cloud and AI offer to safeguard the Union's public order.
  • Reducing dependencies on critical technologies.
  • Fostering the adoption of cloud computing services across the public sector.

Crucially, Article 1(2) and 1(3) clarify that the regulation has two distinct general objectives: ensuring competitiveness and innovation capacity, and improving the single market by increasing resilience and strategic autonomy. This dual objective means that compliance is not just about technical security, but about supply-chain sovereignty and market structure.

2. Identifying Your Role (Article 2)

The obligations under CADA are strictly role-dependent. You cannot determine your compliance path without first categorising your organisation using the definitions in Article 2. The most critical definitions for a compliance officer are:

  • Cloud computing service provider: A legal entity that provides a cloud computing service. The definition of "cloud computing service" itself is cross-referenced to Article 6, point (30), of Directive (EU) 2022/2555 (NIS2). It covers on-demand administration and broad remote access to scalable computing resources. Importantly, this definition includes on-demand access to AI systems hosted remotely but excludes the AI system itself and its underlying model (which remain under the AI Act).
  • Contracting authorities: Defined by reference to Article 2(1), point (1), of Directive 2014/24/EU. These are public bodies procuring cloud services.
  • Public sector body: Defined by reference to Article 2, point (1), of Directive (EU) 2019/1024.
  • Union entities: The EU institutions, bodies, offices, and agencies.
  • Private sector entities in critical sectors: Not a standalone definition in Article 2, but Article 31 explicitly references entities in the sectors listed in Annex I of Directive (EU) 2022/2555 (NIS2) as entities that may carry out impact assessments similar to those of public sector bodies.

If your organisation does not fit these definitions, CADA may not impose direct obligations on you, though you may be affected as a subcontractor or through market shifts.

3. The Critical Timeline (Article 48)

Time is the most pressing factor for compliance planning. Article 48 sets the timeline for the proposal:

  • Entry into Force: The Regulation would enter into force on the twentieth day following its publication in the Official Journal of the European Union.
  • Application Date: It would apply from one year after the date of entry into force.

This creates a one-year preparation window between entry into force and the date obligations become mandatory. During this period, Member States must designate national competent authorities (Article 25), providers must prepare for conformity self-assessments or audits, and public sector bodies must develop their risk assessment methodologies (Article 29). Note that some Member State deadlines (the national strategy under Article 7 and acceleration zones under Article 10) run from entry into force rather than from the application date. As a proposal, these dates are subject to change during the legislative process, but the "one-year application" structure is the baseline for planning.

4. Role-Specific Obligations and Checklists

Once you have identified your role under Article 2, you must map your obligations to the specific articles and annexes.

A. If You Are a Cloud Computing Service Provider

Your primary obligation is to seek recognition under the Union cloud computing sovereignty framework established in Article 16.

  • The Goal: Obtain recognition for one of four Union assurance levels (Levels 1–4) defined in Annex II.
  • Level 1 (Baseline): Requires a conformity self-assessment and an EU statement of conformity (Article 19). This is the minimum requirement for public sector procurement.
  • Levels 2, 3, and 4 (Higher Sovereignty): Require independent third-party audits (Article 20) and a "positive" audit opinion. These levels impose stricter criteria on third-country control, personnel citizenship, and data localisation.
  • Transparency: You must notify the competent authority of any material changes that could affect your recognition (Article 23).
  • Checklist:
    1. Determine your target assurance level based on your client base: Level 1 suffices for public sector activities not linked to public order (Article 30(2)), while activities that contribute to public order require Level 2, 3, or 4 (Article 30(3)).
    2. Prepare the EU statement of conformity (Level 1) or engage an auditing organisation (Levels 2–4).
    3. Gather evidence for Annex II criteria (e.g., infrastructure location, personnel citizenship, software supply chain).
    4. Submit your application to the national competent authority of establishment (Article 17).

B. If You Are a Public Sector Contracting Authority or Union Entity

Your primary obligation is to conduct risk assessments to determine the required assurance level for your procurement.

  • Risk Assessment: Under Article 29, you must identify public sector activities that contribute to the preservation of public order (e.g., law enforcement, defence, critical infrastructure).
  • Procurement Rules:
    • Article 30(2): For activities not identified as contributing to public order, you must procure services recognised at Union assurance level 1.
    • Article 30(3): For activities identified as contributing to public order, you must procure services recognised at Union assurance level 2, 3, or 4.
  • Checklist:
    1. Conduct the risk assessment required by Article 29 (identifying public order relevance).
    2. Update procurement documents to include the Union assurance level as a mandatory requirement.
    3. Verify that potential suppliers are listed in the central repository of recognised services (Article 22).
    4. Consider multi-vendor or multi-cloud strategies to enhance resilience (Article 29(9)).

C. If You Are a Member State

  • Strategies: You must adopt a national cloud and AI strategy within one year of entry into force (Article 7).
  • Infrastructure: You must designate at least one data centre acceleration zone within six months of entry into force (Article 10) and establish single information points for permit granting (Article 12).
  • Checklist:
    1. Draft the national strategy aligning with Article 7.
    2. Identify and designate data centre acceleration zones.
    3. Designate national competent authorities for enforcement (Article 25).

D. If You Are a Private Sector Entity in a Critical Sector

  • Impact Assessments: Under Article 31, entities in sectors listed in Annex I of the NIS2 Directive may carry out impact assessments similar to the public sector risk assessments.
  • Checklist:
    1. Verify if your sector is listed in NIS2 Annex I.
    2. Consider conducting a voluntary impact assessment to align with future procurement standards.

What this means for you

For in-house counsel and compliance officers, the path forward is structured but requires immediate action to prepare for the one-year application window.

  1. Conduct a Role Audit: Use Article 2 to definitively categorise your organisation. Are you a provider, a buyer, or a critical private entity? This determines your entire compliance strategy.
  2. Monitor the Legislative Clock: While CADA is currently a proposal, the timeline in Article 48 is the baseline. Once published, the one-year countdown begins. Do not wait for the final text to start internal gap analyses.
  3. Assess Your Sovereignty Posture:
    • Providers: If you serve the public sector, you must aim for at least Union assurance level 1. Review your infrastructure, personnel, and supply chain against Annex II immediately.
    • Buyers: If you are a public body, begin drafting your risk assessment methodology under Article 29 to identify which services are critical to public order.
  4. Prepare for the Central Repository: All recognised services will be listed in the central repository established by the Commission (Article 22). Ensure your internal procurement or vendor management systems can integrate with this future data source.

Common misconceptions

  • "CADA replaces the AI Act." Incorrect. The AI Act (Regulation (EU) 2024/1689) regulates the safety and fundamental rights of AI systems. CADA regulates the sovereignty and infrastructure of the cloud hosting those systems. They are complementary; an organisation deploying high-risk AI in the public sector may need to comply with both.
  • "Union Assurance Level 1 is the highest standard." Incorrect. Article 16 and Annex II establish four levels. Level 1 is the minimum baseline for public procurement. Levels 2, 3, and 4 represent progressively higher sovereignty, with Level 4 requiring the strictest controls on third-country influence and personnel.
  • "I have five years to comply." Incorrect. Article 48 specifies a one-year application period after entry into force. While some delegated acts may follow later, the core obligations for providers and public buyers begin within that first year.
  • "Only public sector bodies are affected." Incorrect. While public procurement drives the demand, cloud computing service providers must actively seek recognition to remain competitive. Furthermore, private entities in critical sectors (NIS2 Annex I) are explicitly mentioned in Article 31 as entities that may carry out impact assessments.

This is general information about a draft EU regulation, not legal advice.