Summary

As proposed, the Cloud and AI Development Act (CADA) contains no explicit grandfathering clause for existing cloud contracts. This means providers must assume that current agreements with public sector bodies will eventually need to align with the new sovereignty and transparency requirements, regardless of when they were signed. However, Article 48 establishes a critical one-year application gap between the regulation's entry into force and its date of application. During this transition window, providers are not yet legally bound by the substantive rules, but they must use this time to review contracts, particularly those involving public sector bodies, to ensure readiness for the mandatory assurance levels and audit obligations that will take effect on the application date.

Detail

The Cloud and AI Development Act (CADA), as set out in the proposal COM(2026) 502 final, represents a fundamental shift in how cloud services are procured and regulated within the EU. For cloud service providers (CSPs) and data centre operators, the most pressing legal question concerns the fate of existing contractual relationships. Will a contract signed today, which may not meet the stringent "Union assurance levels" proposed in the text, be exempt from the new regime? The answer, based on a strict reading of the proposal, is no.

No Explicit Grandfathering in Final Provisions

A comprehensive review of the final provisions (Title V) of the CADA proposal reveals no language that explicitly shields existing contractual relationships from the new regulatory requirements. Unlike some previous digital regulations that provided long-term exemptions or "grandfathering" for legacy systems or pre-existing contracts, CADA focuses on the ongoing provision of services rather than the date of contract signature.

The sovereignty framework, which introduces four distinct "Union assurance levels" (Levels 1 through 4), applies to cloud computing services provided to Union entities and public sector bodies. The obligation to comply is tied to the status of the service at the time the regulation becomes applicable, not the date the contract was executed.

If an existing contract involves a public sector customer, the provider will eventually need to demonstrate compliance with the relevant assurance level as determined by the customer's risk assessment under Article 29. The absence of a grandfathering clause implies that compliance is a condition of the service provision going forward. For instance, if a provider is currently serving a public sector client under a contract that does not meet the criteria for Union Assurance Level 2, but the client's risk assessment mandates Level 2 for that specific activity, the provider must either upgrade their service to meet those criteria or face non-compliance once the regulation applies. The contract itself does not provide a shield against the new statutory requirements.

The Role of Article 48: The One-Year Application Gap

While there is no exemption from the rules, the proposal provides a significant transition mechanism defined in Article 48. This article creates a deliberate temporal separation between the law's entry into force and its application:

  • Entry into Force: The Regulation enters into force on the twentieth day following its publication in the Official Journal of the European Union.
  • Application Date: The Regulation applies from "the same day and month as the date of entry into force plus one year."

This one-year gap is the critical window for market adaptation. During this period, the substantive legal obligations, such as the requirement to obtain a specific assurance level, undergo independent audits, or restrict data flows, are not yet enforceable. However, this is not a period of inaction. The proposal anticipates that Member States will need to designate national competent authorities, establish central repositories, and develop guidance on risk assessments.

For providers, this year is the designated window to align their technical, operational, and contractual frameworks with the new requirements. It is a time to prepare for the "day one" of application, where the new rules become binding. The Commission's explanatory memorandum notes that the proposal aims to "ensure attractive conditions for the deployment of sustainable and innovative computing capacity," implying that the transition period is intended to allow for the necessary restructuring of the market without immediate disruption, but with a clear deadline for compliance.

Impact on Specific Contractual Obligations

Once the application date arrives, existing contracts will likely require amendments in several key areas to remain valid and enforceable under the new framework:

  1. Sovereignty and Data Localisation: Contracts must reflect the data localisation requirements of the Union assurance levels. For example, Union Assurance Level 1 requires that infrastructure and assets are located in the Union, and customer data remains exclusively within the Union unless the public sector body explicitly requires otherwise (Annex II, Section 1.1). Existing contracts that allow data transfer to third countries for processing or storage without explicit client consent may need renegotiation to ensure they do not violate the "exclusive within the Union" mandate.
  2. Audit and Transparency: Providers aiming for Assurance Levels 2, 3, or 4 must undergo independent third-party audits (Article 20). Existing contracts may need to be updated to include clauses allowing auditors access to premises, data, and personnel, and to define the provider's obligation to report material changes that could affect their assurance status (Article 23). Without these clauses, a provider might be contractually unable to satisfy the audit requirements mandated by CADA.
  3. Subcontractor Management: The criteria for higher assurance levels require strict control over subcontractors, including their location and, in some cases, citizenship status (Annex II, Sections 2.1 and 3.1). Contracts with sub-processors may need to be reviewed to ensure they can meet these stringent sovereignty criteria. If a current subcontractor agreement allows for global routing of support tasks, it may need to be amended to restrict such activities to the Union.

Public Sector vs. Private Sector Dynamics

It is crucial to distinguish between public and private sector contracts. The mandatory procurement requirements of Articles 29 and 30 apply specifically to Union entities and public sector bodies. Private sector entities are not legally forced to procure sovereign cloud services under CADA, although they may conduct similar impact assessments (Article 31).

However, private contracts are not entirely immune. As public sector demand drives the market, providers may choose to standardise their offerings to meet sovereign criteria to access the lucrative public sector market. This standardisation could affect the terms offered to private clients. Furthermore, providers in critical sectors (as defined in Annex I of the NIS2 Directive) may face delegated acts requiring impact assessments, which could influence contractual risk allocation and service level agreements (SLAs) even in the private sector.

What this means for you

As a cloud service provider or data centre operator, you should treat the one-year transition period established by Article 48 as a compliance preparation window rather than a grace period for non-compliance. The lack of a grandfathering clause means that the clock is ticking on your current contract portfolio. Here are the practical steps you should take before the application date:

1. Audit Your Current Contract Portfolio

Identify all contracts with public sector bodies (Union entities, national, regional, and local authorities). These are the contracts most immediately at risk of non-compliance. Map these contracts against the four Union assurance levels. Determine which level your current service offering meets based on the criteria in Annex II. If a client's risk assessment (to be conducted under Article 29) requires a higher level than you currently provide, you must plan for technical upgrades or contract renegotiations immediately. Do not wait for the client to initiate this; the burden of proof lies with the provider to demonstrate compliance.

2. Review Data Flow and Subprocessor Clauses

Scrutinise your existing terms regarding data location and subprocessor usage. For Assurance Level 1 and above, data must remain in the Union. Ensure your contracts with subprocessors prohibit data transfer outside the EU unless the end-client has explicitly authorised it. If your current contracts allow for global data routing for optimisation, you may need to introduce contractual switches or geographic restrictions to meet the "exclusive within the Union" requirement. This is a technical and legal challenge that may take months to resolve.

3. Prepare for Audit Access

If you intend to offer Assurance Levels 2, 3, or 4, you must be ready for independent audits. Review your existing contracts to ensure they do not contain confidentiality clauses that would block auditors from accessing necessary technical documentation, premises, or personnel. You may need to add specific clauses permitting independent auditing organisations to conduct assessments as required by Article 20. Without these clauses, you may be unable to obtain the necessary "positive" audit opinion.

4. Monitor Risk Assessments

Your public sector clients will be conducting risk assessments to determine the required assurance level for their activities. Engage with these clients early to understand their security and sovereignty requirements. This dialogue will help you tailor your service offerings and contract terms to meet their specific needs before the regulation becomes mandatory. The Commission will provide guidance on the methodology for these assessments, but the specific determination of risk lies with the Member States and Union entities.

5. Update Standard Terms and Conditions

Begin drafting updates to your standard terms and conditions to reflect the new transparency and reporting obligations. This includes clauses for reporting material changes that could affect your assurance status (Article 23) and defining the scope of your compliance with the sovereignty framework. Standardising these terms now will streamline the renegotiation process once the application date approaches.

Common misconceptions

Misconception 1: "If my contract was signed before CADA was proposed, it's exempt." This is incorrect. CADA does not contain a grandfathering clause. The regulation applies to the provision of services, not the date of contract signature. Once the regulation applies, all services provided to the relevant entities must meet the assurance levels required by the client's risk assessment, regardless of when the contract was initiated. The text of Article 48 provides a transition period for preparation, not an exemption for legacy contracts.

Misconception 2: "The one-year transition period means I don't need to do anything until the application date." While you are not legally liable for non-compliance during the transition period, failing to prepare will likely result in an inability to serve public sector clients once the rules take effect. The transition period is for alignment, not exemption. Technical upgrades, such as re-architecting data flows to ensure data stays in the Union, or establishing new subcontractor relationships that meet sovereignty criteria, can take significant time. Waiting until the application date to act could lead to a breach of contract with your public sector clients.

Misconception 3: "CADA only applies to large hyperscalers." CADA applies to all cloud computing service providers defined in Article 2, point (2), which is any legal entity providing a cloud computing service. While the financial and administrative burden of audits may be higher for larger providers, SMEs are also subject to the framework. However, there are some specific provisions for SMEs, such as the automatic recognition of their EU statement of conformity for Level 1 without prior national recognition (Article 17, paragraph 3), which simplifies the process for smaller players.

Misconception 4: "Private sector contracts are completely unaffected." While private sector entities are not mandatorily required to use sovereign cloud services, the market dynamics will shift. Providers may standardise their offerings to meet sovereign criteria to access the public sector market, potentially changing the terms available to private clients. Additionally, private entities in critical sectors may be subject to future delegated acts requiring impact assessments, which could indirectly affect their contractual relationships with providers.

This is general information about a draft EU regulation, not legal advice.