Summary Under the proposed Cloud and AI Development Act (CADA), the Commission's delegated-act powers are a closed, narrowly drawn list: amend Annex I, the grand challenges (Article 6(4)); amend Annex II, the Union assurance levels (Article 16(2)); supplement the Regulation with detailed audit rules (Article 20(9)); amend Annex III, the audit evidence (Article 21(1)); and require impact assessments for certain private entities in sectors of high criticality (Article 31(3)). Article 45 sets the conditions for using these powers, and Recital 85 summarises them. As proposed, every one of these is a non-essential, technical adjustment meant to keep the framework current — none lets the Commission change CADA's core objectives, scope or fundamental obligations.
Detail
Because cloud and AI move faster than the ordinary legislative cycle, CADA would grant the Commission power to adopt delegated acts that supplement or amend non-essential elements of the Regulation. Article 45 ("Exercise of the delegation") sets the conditions: the power would be conferred for an indeterminate period from entry into force; either the European Parliament or the Council could revoke it at any time; the Commission must first consult experts designated by each Member State; and each act would enter into force only if neither institution objected within two months (extendable by three).
Recital 85 of the proposal gives the consolidated list of these empowerments, framing them as serving to "take account of technological development and maintain an efficient framework of measures for strengthening the cloud and AI ecosystem at Union level." The five specific areas are set out below.
One structural point is worth noting at the outset: the delegated powers are an exhaustive, enumerated list, not a general authority. Article 45(2) names exactly five provisions — Articles 6(4), 16(2), 20(9), 21(1) and 31(3). Anything not on that list cannot be changed by delegated act at all; it can only be amended through the ordinary legislative procedure or, where it concerns uniform application rather than substance, through an implementing act under Article 46. That closed character is itself a safeguard: it tells regulated entities precisely which parts of CADA are liable to move administratively and which are stable.
1. The grand challenges — Annex I (Article 6(4))
Article 6(4) empowers the Commission to adopt delegated acts to amend Annex I "to reflect technological and market developments," in a manner consistent with the objectives of the Cloud and AI Leadership Initiatives. Annex I lists the "grand challenges" — large-scale, cross-sectoral initiatives. As proposed, this lets the EU re-prioritise its strategic cloud and AI initiatives without amending the primary text.
2. The Union assurance levels — Annex II (Article 16(2))
Article 16(2) empowers the Commission to adopt delegated acts to amend the Union assurance levels in Annex II and the evidence in Annex III. Annex II holds the criteria for the four Union assurance levels that cloud services must meet to serve Union entities and public-sector bodies. This is the empowerment most consequential for sovereignty compliance, because the technical bar for any level could move. Separately, Article 16(3) requires the Commission to review Annexes II and III at least every 18 months to keep them aligned with new legal or technical developments.
3. Detailed audit rules (Article 20(9))
Article 20(9) empowers the Commission to adopt delegated acts to supplement the Regulation by laying down rules on the performance of audits, including:
- procedural steps for audits;
- rules for auditing organisations and their technical competences;
- auditing methodologies; and
- templates for audit reports.
Article 20 sets the high-level duty for independent third-party audits at Union assurance levels 2, 3 and 4; this power fills in the precise standards auditors would follow, so the regime is consistent across the EU.
4. Audit evidence — Annex III (Article 21(1))
Article 21(1) empowers the Commission to adopt delegated acts to amend Annex III "by laying down the necessary evidence needed to assess the audit criteria under Annex II." If new risks emerge, the Commission could require new categories of evidence for auditors to verify.
5. Private-sector impact assessments (Article 31(3))
Article 31(3) empowers the Commission, "because of specific circumstances, and where duly justified and in consultation with the Member States," to adopt delegated acts requiring entities that are not public-sector bodies and that operate in sectors of high criticality to carry out impact assessments and adopt risk-mitigation measures. Article 31 otherwise lets such private entities carry out assessments voluntarily; the delegated power lets the Commission make them mandatory where justified.
How the five powers cluster
Read together, the five empowerments fall into three functional groups, which helps explain why they were delegated rather than fixed in the body of the Regulation:
- Annex maintenance (Articles 6(4), 16(2), 21(1)). Three of the five powers simply keep annexes current — Annex I (grand challenges), Annex II (assurance-level criteria) and Annex III (audit evidence). Annexes are the natural home for detail that dates fastest, which is why the legislature is willing to let the Commission revise them under scrutiny rather than reopen the whole act each time a threat or technology shifts.
- Procedural supplementation (Article 20(9)). One power supplements rather than amends: it adds a new layer of audit rules that the Regulation itself only sketches. This is the classic "fill in the operational detail of an obligation the legislature has already decided in principle" use of Article 290 TFEU.
- Conditional extension of scope (Article 31(3)). The outlier is the power to bring certain private entities within an impact-assessment duty. It is hedged with conditions — "specific circumstances," "duly justified," "in consultation with the Member States" — precisely because extending a duty to new actors sits closest to the line of what counts as "essential."
The nature of these powers
Every empowerment is confined to non-essential, technical adjustment. None lets the Commission rewrite CADA's objectives or scope, redefine a cloud computing service, or alter the basic structure of the four-tier assurance framework — those essential choices remain with the Parliament and Council. The Court of Justice has consistently held that essential elements of a policy area must be decided by the legislature itself and cannot be delegated; the deliberate narrowness of CADA's list reflects that constraint. The delegated acts fine-tune annexes and procedures; they do not redesign the regime.
What this means for you
For in-house counsel and compliance officers, this closed list tells you exactly where the Commission can move the goalposts — and where it cannot.
1. The compliance baseline is dynamic where it matters most. The criteria in Annex II and the evidence in Annex III can change by delegated act under Articles 16(2) and 21(1). A service that meets a given level today might need extra controls or new evidence after an amendment. The 18-month review cycle in Article 16(3) gives you a rhythm to anticipate this.
2. Audit detail is still to come. If you seek recognition at levels 2–4, the methodology and report templates will arrive via the Article 20(9) delegated act. Keep your controls and documentation flexible enough to map onto whatever procedural form is prescribed.
3. Watch Annex I if you are in the innovation ecosystem. Changes to the grand challenges (Article 6(4)) can reshape strategic priorities and the scope of support under the Cloud and AI Leadership Initiatives.
4. Critical-sector firms should track Article 31(3). Even though private-entity impact assessments are voluntary by default, the Commission can make them mandatory for sectors of high criticality where duly justified. Map your cloud dependencies now so a future requirement does not catch you flat.
5. Use the review cadence and consultation. Article 16(3)'s 18-month review and Article 45(4)'s expert consultation are the predictable points at which changes are shaped. Engage through national authorities and associations.
6. Separate the delegated list from everything else. Build your regulatory-monitoring map around the distinction between what can change by delegated act and what cannot. Changes to Annexes I–III and to the audit and private-sector-assessment rules can arrive administratively and fast; changes to the four-level structure, the scope, the definitions or the procurement obligations require full legislation and will be visible far in advance through the ordinary legislative process. Allocating monitoring effort accordingly — close watch on the five delegated empowerments, lighter periodic checks on the legislative track — keeps your compliance horizon-scanning proportionate.
How this differs from implementing acts
It is worth being precise about the boundary, because the two are easy to conflate. The delegated powers above let the Commission change what the rules are (within the non-essential limit). Implementing acts under Article 46 do something different: they fix how already-decided rules are applied uniformly — for instance, the recognition procedure (Article 17(12)) or the risk-assessment methodology (Article 29(3)). So if you read that the Commission is updating Annex II's criteria, that is a delegated act and a substantive change to your obligations; if you read that it is specifying a recognition template, that is an implementing act and a procedural matter. The control regimes differ too: delegated acts face Parliament/Council objection, implementing acts face the Member State examination-procedure committee.
Common misconceptions
"The Commission can change the core sovereignty principles." No. Delegated powers are confined to technical adjustments — updating annex criteria or specifying audit procedures. The four-level structure and the basic obligations are fixed in the main Regulation.
"Delegated acts take effect automatically." No. Under Article 45, a delegated act enters into force only if neither the Parliament nor the Council objects within two months (extendable by three) of notification.
"Only the Commission shapes these changes." The Commission adopts the act, but must first consult Member State experts (Article 45(4)), and the Parliament and Council can object to any act or revoke the delegation entirely (Article 45(3), (6)).
"Private-sector entities are entirely outside sovereignty assessments." Article 31 lets private entities assess voluntarily, but Article 31(3) lets the Commission require assessments for entities in sectors of high criticality where justified. Critical-infrastructure firms should not assume permanent exemption.
Related
- Does CADA give the Commission too much power through delegated acts?
- CADA Delegated & Implementing Acts: What the Commission Decides Later
- How will CADA keep up with technological change? Delegated acts & review
- CADA Delegated Acts: How Long Does the Commission Keep Its Power?
- Can the European Parliament or Council revoke the Commission's delegated powers under CADA?
This is general information about a draft EU regulation, not legal advice.