Where in CADA are the final provisions on governance found?

Summary The final provisions governing the lifecycle, amendment, and enforcement of the proposed Cloud and AI Development Act (CADA) are consolidated in Title V (Articles 45–48). This section establishes the legal machinery for the regulation's evolution: Article 45 empowers the Commission to adopt delegated acts to update technical annexes; Article 46 mandates the committee procedure for implementing acts; Article 47 requires a mandatory review four years after entry into force, followed by five-year intervals; and Article 48 sets the critical timeline, with the regulation entering into force 20 days after publication but applying only one year later. For legal teams, Title V is the definitive source for the regulatory horizon, defining when obligations become binding and how the technical criteria for sovereignty may evolve.

Detail

The proposed Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, is structured into five distinct titles. While Titles I through IV establish the substantive framework—covering the Cloud and AI Leadership Initiatives, data centre acceleration zones, and the Union cloud computing sovereignty framework—Title V contains the "Final Provisions." These provisions are not merely administrative; they constitute the governance engine that ensures the regulation remains adaptable to technological shifts while maintaining democratic oversight.

Title V comprises four specific articles, each serving a distinct function in the regulatory lifecycle. Understanding the interplay between these articles is essential for compliance planning, as they dictate the mechanism for rule-making, the timeline for enforcement, and the schedule for legislative review.

Article 45: Exercise of the Delegation

Article 45 is the primary mechanism for updating the technical and non-essential elements of CADA without requiring a full legislative amendment by the European Parliament and the Council. It confers on the Commission the power to adopt delegated acts for an indeterminate period starting from the date of entry into force.

The scope of this delegation is explicitly defined by referencing specific articles within the regulation where the Commission is empowered to act:

• Article 6(4): To amend Annex I (Grand Challenges) to reflect market and technological developments.
• Article 16(2): To amend Annex II (Criteria for Union Assurance Levels) and Annex III (Audit Evidence), allowing the technical criteria for sovereignty to evolve.
• Article 20(9): To supplement the regulation with detailed rules on the performance of audits, including procedural steps and templates.
• Article 21(1): To amend Annex III regarding the necessary evidence for audit criteria.
• Article 31(3): To specify the need for impact assessments and risk mitigation measures for private sector entities in high-criticality sectors.

Crucially, this power is subject to strict democratic controls. The delegation may be revoked at any time by the European Parliament or the Council. Furthermore, any delegated act adopted under these provisions enters into force only if no objection is expressed by either institution within two months of notification. This period may be extended by three months at the initiative of either the Parliament or the Council. This "objection procedure" ensures that the Commission cannot unilaterally alter the core technical standards of the sovereignty framework without the tacit approval of the co-legislators.

Article 46: Committee Procedure

While Article 45 covers delegated acts, Article 46 governs the adoption of implementing acts, which are necessary to ensure uniform conditions for the implementation of the regulation. This article establishes that the Commission shall be assisted by a committee acting within the meaning of Regulation (EU) No 182/2011.

Specifically, Article 46(2) states that where the regulation refers to this paragraph, Article 5 of Regulation (EU) No 182/2011 applies. This triggers the examination procedure, the standard EU mechanism for adopting implementing acts. This procedure is relevant for CADA in areas such as:

• The practical arrangements for the recognition of cloud computing service providers (Article 17).
• The methodology for risk assessments (Article 29).
• The fees for the EuroCloud Federation and common procurement activities (Articles 36 and 40).
• The technical and operational measures for the EuroCloud Federation (Article 35).

Under this procedure, the committee (composed of representatives from Member States) votes on the draft implementing act. This ensures that Member States retain a formal say in the procedural rules that govern the day-to-day operation of the CADA framework, preventing the Commission from acting in isolation on implementation details.

Article 47: Review

Article 47 mandates a periodic evaluation of the regulation to ensure its continued relevance and effectiveness. The Commission is required to evaluate the regulation and submit a report to the European Parliament, the Council, and the European Economic and Social Committee.

The timeline for this review is specific:

1. Initial Review: The first evaluation must occur by a date set as four years after the date of entry into force.
2. Subsequent Reviews: Thereafter, the evaluation must occur every five years.

The report must be accompanied by a proposal for amendment if appropriate. The evaluation is not a mere formality; the Commission is explicitly required to take into account the positions and findings of the European Parliament, the Council, and other relevant bodies. Crucially, the review must pay specific attention to small and medium-sized enterprises (SMEs) and the position of new competitors. This provision signals that the regulatory burden on smaller market players will be a focal point of future legislative adjustments, potentially leading to tailored guidance or exemptions in subsequent amendments.

Article 48: Entry into Force and Application

Article 48 establishes the definitive timeline for the regulation's lifecycle, distinguishing between the moment the law exists and the moment it becomes enforceable.

• Entry into Force: The Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union. This is the date the legal text becomes part of the EU acquis.
• Application: The Regulation shall apply from the same day and month as the date of entry into force plus one year.

This structure creates a mandatory one-year transition period. During this year, the regulation is law, but its substantive obligations (such as the requirement to procure at specific Union assurance levels or to designate data centre acceleration zones) are not yet enforceable. This period is designed to allow Member States to designate competent authorities, cloud providers to undergo audits, and public bodies to adjust their procurement strategies.

What this means for you

For in-house counsel, compliance officers, and legal strategists, Title V provides the roadmap for regulatory stability and change.

1. Leverage the Transition Period: Article 48 grants a clear one-year window between publication and application. Use this time to conduct gap analyses against the Union assurance levels (detailed in Annex II) and to update vendor contracts. The one-year delay is a strategic buffer for organizations to align their infrastructure with the new sovereignty requirements.
2. Monitor Delegated Acts for Technical Shifts: Article 45 means the technical criteria for sovereignty are not static. The Commission can amend Annex II (assurance levels) and Annex III (audit evidence) via delegated acts. You must monitor the Official Journal for these acts, as they will refine the specific audit evidence you must provide to achieve recognition.
3. Prepare for the Five-Year Review Cycle: Article 47 ensures the law will be reviewed every five years (starting four years after entry into force). Given the rapid pace of AI and cloud technology, significant changes to the scope or requirements are likely after the first review. Build compliance monitoring into your long-term strategy to anticipate these shifts.
4. Advocate for SME Considerations: If your organization qualifies as an SME, note that the review clause (Article 47) explicitly mandates attention to SMEs. This may lead to tailored guidance or adjustments in future delegated acts to reduce administrative burdens.

Common misconceptions

• Misconception: "The rules in CADA are fixed for the duration of the regulation."
  • Reality: As shown in Article 45, the Commission has the power to amend key annexes via delegated acts. The criteria for cloud sovereignty and audit evidence can change without a new full legislative vote, provided the European Parliament and Council do not object within the objection period.
• Misconception: "The regulation applies immediately upon publication."
  • Reality: Article 48 distinguishes between "entry into force" (20 days after publication) and "application" (one year after entry into force). Obligations do not become enforceable until the application date.
• Misconception: "The Commission can change the core obligations unilaterally."
  • Reality: The delegation in Article 45 is subject to revocation by the Parliament or Council. Additionally, the two-month objection period for delegated acts provides a check on the Commission's power. For implementing acts, the committee procedure in Article 46 ensures Member State input.

Official sources

• EU AI Act (Regulation (EU) 2024/1689)

Related

• What role does the European Economic and Social Committee play in CADA governance?
• CADA Governance: The Steering Committee vs. Comitology and the EuroCloud Federation
• CADA vs AI Act: How Secondary Legislation and Governance Differ
• CADA Governance: Comitology Committee vs EuroCloud Steering Committee
• Will existing cloud contracts be affected when CADA starts to apply?

This is general information about a draft EU regulation, not legal advice.