Summary
As proposed, the Cloud and AI Development Act (CADA) delegates the creation of uniform technical, operational, and procedural details to the European Commission through implementing acts. These acts, adopted under the examination procedure set out in Article 46(2) of the proposal, will define the practical arrangements for cloud service recognition, central repository management, risk-assessment methodologies, and the fee structures for joint procurement and the EuroCloud Federation. Crucially, while delegated acts (under Article 20(9)) will define the methodologies for auditing organizations, the procedural arrangements for recognition and the technical measures for the EuroCloud Federation are reserved for implementing acts. In-house counsel and compliance officers must monitor these secondary legislative developments closely, as they will establish the mandatory operational standards for Union assurance levels and public procurement compliance.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is designed to establish a harmonised Union framework for cloud sovereignty and AI ecosystem resilience. While the Regulation itself sets the high-level legal framework, definitions, and core obligations, it explicitly empowers the European Commission to adopt implementing acts to ensure uniform conditions for implementation across Member States. This delegation is critical for preventing regulatory fragmentation and providing the technical granularity necessary for enforcement in a rapidly evolving market.
Under CADA, these implementing acts are adopted in accordance with the examination procedure referred to in Article 46(2) of the proposal. This procedure ensures that the Commission's actions are scrutinized by a committee of Member State representatives, balancing EU-wide consistency with national interests. The following sections detail the specific areas where implementing acts will define binding operational rules, distinguishing them from the delegated acts that will govern audit methodologies.
1. Recognition Procedures and Central Repository Management
The core of CADA's sovereignty framework is the recognition of cloud computing service providers as offering specific Union assurance levels (1–4). While Article 17 of the proposal outlines the substantive criteria for recognition, it delegates the practical execution to secondary legislation.
Article 17(12) explicitly states: "The Commission may adopt implementing acts concerning the practical arrangements for the procedures referred to in this Article." This means the specific timelines, document formats, and administrative workflows for the "one-in, EU-all" recognition mechanism will be defined in implementing acts. For instance, the precise mechanism for the 60-day review period by other Member States' competent authorities, the format for reasoned objections, and the escalation procedures to the Commission will be standardized here.
Furthermore, Article 22 mandates the establishment of a central repository for recognized cloud computing services. While the Regulation requires the Commission to maintain this repository, the specific technical and operational rules for its management (including how national competent authorities register services, how revocations are published, and the data fields required) will be detailed in implementing acts. This ensures that the repository serves as a reliable, single source of truth for public sector buyers across the EU.
2. Conformity Self-Assessment and the Distinction from Audit Rules
For Union assurance level 1, providers must conduct a conformity self-assessment. Article 19 governs this process, requiring providers to issue an EU statement of conformity. While the Regulation sets the obligation, the detailed arrangements for how these self-assessments are documented, verified, and made publicly available may be further specified in implementing acts to ensure consistency.
A critical distinction must be made regarding Union assurance levels 2, 3, and 4, which require independent third-party audits under Article 20.
- Delegated Acts (Audit Methodologies): Article 20(9) empowers the Commission to adopt delegated acts (not implementing acts) to "supplement this Regulation by laying down rules on the performance of audits on the procedural steps, rules for auditing organisations and their technical competences, auditing methodologies and templates for the audit reports." This means the rules governing the auditors themselves (competence, independence, methodology) are set via delegated acts.
- Implementing Acts (Recognition Procedure): Conversely, Article 17(12) covers the practical arrangements for the recognition procedure (how the competent authority accepts the audit result).
It is a common error to conflate these two. The "broader framework for auditing organizations" (their competence and methodology) is not tied to the implementing acts under Article 17; it is tied to the delegated acts under Article 20(9). The implementing acts under Article 17(12) only govern the administrative procedure of the recognition decision itself.
3. Third-Country Recognition and Associated Countries
CADA introduces a nuanced approach to third-country cloud providers. Article 18 allows the Commission to adopt implementing acts identifying third countries whose providers may be audited against Union assurance level 3 criteria. This is a significant provision, as it enables non-EU providers to compete in the EU public sector market if their home country meets strict sovereignty and data protection criteria.
The implementing acts under Article 18 will define the cumulative criteria for such recognition, including:
- The existence of an adequacy decision under GDPR Article 45.
- The absence of measures enabling third-country control over the provider.
- The absence of measures compelling service disruption or degradation.
- Maintenance of an open market to Union cloud services.
These acts will be adopted under the examination procedure, ensuring that geopolitical and security considerations are carefully balanced. The Commission must also repeal, amend, or suspend these decisions if a third country no longer fulfills the requirements, providing a dynamic mechanism to respond to changing international relations.
4. Public Procurement and Risk Assessments
A cornerstone of CADA is the obligation for public sector bodies to procure cloud services based on Union assurance levels. Article 29 requires Member States and Union entities to conduct risk assessments to determine the appropriate assurance level for their activities.
Article 29(3) states: "The Commission shall, by means of implementing acts in accordance with Article 46(2), specify the methodology to be applied, the templates to be used and the elements to be taken into account by the Member States and Union entities for the purpose of carrying out the risk assessments referred to in paragraph 1." This is a critical empowerment. Without these implementing acts, risk assessments could vary wildly between Member States, undermining the single market. The Commission will provide a standardized methodology to ensure that a "high-risk" activity in one Member State is treated consistently in another.
Additionally, Article 29(5) allows the Commission to adopt implementing acts to specify the Union assurance levels needed for public sector activities if it concludes that a Member State's risk assessment is inadequate. This gives the Commission a corrective power to ensure that critical public order concerns are adequately addressed.
5. EuroCloud Federation and Joint Procurement Fees
CADA establishes the European public sector cloud federation (EuroCloud Federation) and a framework for joint procurement by the Commission. Both mechanisms rely on fee-based financing models, which are detailed in implementing acts.
Article 36 addresses fees for the administration of the EuroCloud Federation. Paragraph 4 states: "The Commission shall adopt implementing acts laying down detailed rules for determining the estimated costs, the individual amount of the fees, and the manner and conditions under which the fees are to be paid." This ensures transparency and cost-recovery principles are applied uniformly.
Similarly, Article 40 governs fees for procurement activities carried out by the Commission on behalf of Member States. Paragraph 5 empowers the Commission to adopt implementing acts specifying:
- The estimated costs attributable to procurement activities.
- The individual amounts of chargeable fees.
- The manner and conditions under which fees are to be paid.
These acts will define how participating entities (Member States, Union entities, and partner organizations) contribute to the costs of the joint procurement platform, ensuring financial sustainability without distorting competition.
6. Other Implementing Act Empowerments
Beyond the core sovereignty and procurement frameworks, CADA delegates several other operational details to implementing acts:
- Experience and Acceleration Centres for AI: Article 5(4) empowers the Commission to adopt implementing acts detailing the procedure for establishing Centres for AI, including participant organization profiles, selection criteria, and task implementation details.
- EuroCloud Federation Participation: Article 34(4) allows for implementing acts specifying the procedure to participate in the EuroCloud Federation and templates for participation requests.
- EuroCloud Technical Measures: Article 35(6) empowers the Commission to adopt implementing acts specifying the technical, operational, and organizational measures required for sharing services within the federation.
- Joint Procurement Reimbursement: Article 40(2) allows for implementing acts laying down practical and operational arrangements for reimbursement of initial establishment costs by participating entities.
What this means for you
For in-house counsel and compliance officers, the reliance on implementing acts means that the full scope of CADA's operational obligations is not yet fixed. The Regulation sets the "what," but the implementing acts will define the "how."
1. Monitor the Examination Procedure: All the aforementioned implementing acts are adopted under the examination procedure of Article 46(2). This involves a committee of Member State representatives. Compliance teams should monitor the progress of these acts, as they will provide the concrete checklists and templates for compliance. Early engagement with industry associations can help shape these technical standards.
2. Prepare for Standardized Risk Assessments: Public sector entities and private companies in critical sectors (as defined in NIS2) must prepare for the risk assessment methodology that will be defined by implementing acts under Article 29. This methodology will likely include specific templates and criteria for evaluating data sensitivity, criticality, and magnitude. Compliance frameworks should be flexible enough to integrate these standardized tools once published.
3. Understand the Fee Structures: Entities participating in the EuroCloud Federation or joint procurement activities will need to budget for fees. The implementing acts under Articles 36 and 40 will define how these fees are calculated and collected. Understanding these cost-recovery mechanisms is essential for financial planning and procurement strategy.
4. Audit Readiness and Legal Instrument Distinction: Providers must distinguish between the audit rules and the recognition procedure. The rules for auditing organizations (competence, independence, methodology) will be set via delegated acts under Article 20(9). However, the procedural arrangements for the recognition of the service (application, review, objection) will be set by implementing acts under Article 17(12). Providers should ensure their internal governance structures can adapt to both the delegated audit standards and the implementing recognition procedures.
5. Third-Country Providers: For non-EU cloud providers, the implementing acts under Article 18 will determine whether their home country is recognized for Union assurance level 3. Compliance teams should monitor these decisions closely, as they will impact market access and competitive positioning in the EU public sector.
Common misconceptions
Misconception 1: Implementing acts are less important than the Regulation. Reality: Implementing acts are legally binding and provide the essential operational details. Without them, the Regulation's high-level obligations would be unenforceable. For example, the risk assessment methodology under Article 29 will be defined in an implementing act, making it as critical as the obligation to conduct the assessment itself.
Misconception 2: All technical details regarding audits are in implementing acts. Reality: CADA distinguishes between delegated acts (which amend or supplement non-essential elements, like audit methodologies under Article 20(9)) and implementing acts (which ensure uniform application, like recognition procedures under Article 17(12)). The rules for auditing organizations are set via delegated acts, while the procedural arrangements for recognition are set via implementing acts.
Misconception 3: The central repository is just a static list. Reality: The central repository (Article 22) is a dynamic tool managed through implementing acts. It will include detailed information on recognized services, revocations, and compliance status. Its management and update procedures will be strictly regulated to ensure reliability for public sector buyers.
Misconception 4: Risk assessments are purely national matters. Reality: While Member States conduct risk assessments, the Commission will specify the methodology and templates via implementing acts (Article 29(3)). This ensures a harmonized approach across the EU, preventing a patchwork of national standards that could fragment the single market.
This is general information about a draft EU regulation, not legal advice.