Summary The CADA central repository would be a statutory EU register, established and maintained by the European Commission under Article 22 of the proposed Cloud and AI Development Act, listing cloud services recognised at a Union assurance level (1–4) under Article 17. A Gaia-X catalogue is a voluntary, industry-led directory of services adhering to the Gaia-X framework's trust and interoperability standards, with no statutory force under EU law. For public-sector procurement tied to sovereignty, the CADA repository is the authoritative source; Gaia-X is a complementary trust and interoperability signal. CADA is a proposal, not yet in force.
Detail
The difference comes down to a statutory instrument versus a voluntary framework. CADA, as proposed, would create a harmonised legal structure for cloud sovereignty; Gaia-X is a collaborative, market-driven initiative for trust and interoperability.
The CADA central repository: a statutory register
Under Article 22(1), the Commission "shall establish and maintain a dedicated repository of cloud computing services that have been recognised in accordance with Article 17" (the "central repository"). It would serve several functions:
- Proof of recognition. A service is listed once recognised at a specific Union assurance level. Under Article 22(2), the national competent authority of establishment that recognised the service registers it in the repository. Recognition itself runs through the Article 17 procedure (self-assessment for level 1; independent audit for levels 2–4).
- Transparency, including failures. The repository is publicly available and regularly updated by the Commission and national competent authorities (Article 22(4)). It also records negative outcomes: under Article 22(3), the revocation of an audit report and opinion, or of a recognition, "shall be published in the central repository and shall remain available there for five years."
- Procurement reference. Public buyers use it to verify assurance levels: where a tender cannot be met by recognised services in the repository, that is one of the narrow conditions for the procurement derogation in Article 30(4).
By centralising recognition at Union level, the repository would replace the patchwork of national "sovereign cloud" lists with a single EU-wide reference.
Gaia-X catalogues: voluntary industry directories
Gaia-X is an industry-led initiative for a federated European data and cloud ecosystem. Its catalogues list providers committed to the Gaia-X framework — codes of conduct, trust seals and interoperability standards. Key contrasts:
- Voluntary participation. Providers join to signal commitment to European data sovereignty and interoperability; no EU law requires a Gaia-X listing to sell cloud services in the EU.
- No legal enforcement. Gaia-X cannot impose penalties, revoke legal status or mandate procurement; its seals are industry certifications, not legal recognitions.
- Interoperability emphasis. Where CADA centres on sovereignty (control over data and infrastructure), Gaia-X puts comparable weight on interoperability between services.
- Industry governance. Gaia-X is governed by industry bodies (such as the Gaia-X Association), not by the Commission or national regulators.
Key differences at a glance
| Feature | CADA central repository (Article 22) | Gaia-X catalogue |
|---|---|---|
| Legal status | Statutory register under EU law (as proposed). | Voluntary industry directory. |
| Maintainer | European Commission, with national competent authorities. | Gaia-X Association / industry bodies. |
| Content | Services recognised at Union assurance levels 1–4. | Services adhering to Gaia-X trust/interop standards. |
| Enforcement | Tied to recognition, revocation and procurement rules. | Market reputation and industry codes. |
| Primary goal | Sovereignty and public-order protection in procurement. | Interoperability, trust, reduced fragmentation. |
| Procurement use | Authoritative source for risk-based procurement. | Optional reference for interoperability. |
What this means for you
For CTOs, architects and SMEs, the distinction affects compliance strategy and market access.
For cloud service providers. To serve the EU public sector under CADA, listing in the central repository would be a prerequisite: you must be recognised via Article 17 — self-assessment for level 1, or independent third-party audit (Article 20) for levels 2–4 — and registered by your national competent authority of establishment. A Gaia-X listing does not confer CADA recognition, and vice versa; you may pursue both. The Annex II criteria (EU establishment and data location, personnel citizenship at higher levels, controls on third-country control and the software supply chain) are more prescriptive than Gaia-X's trust seals and may require operational changes.
For public-sector buyers. Use the central repository to verify a provider's assurance level. Gaia-X catalogues can supplement your search for interoperable solutions, but they cannot substitute for the verification underpinning Article 30. A provider in Gaia-X but not in the repository cannot be used for activities requiring assurance levels 2–4.
For SMEs and start-ups. Higher-level audits are demanding, but Article 17(3) eases level 1: an SME's EU statement of conformity is "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." Gaia-X can still be a useful trust and interoperability signal to private clients.
Common misconceptions
Misconception 1: "Gaia-X is the EU's sovereign cloud law." Gaia-X is an industry framework, not legislation. CADA is the proposed law. Gaia-X creates voluntary commitments; CADA would create binding obligations.
Misconception 2: "If I'm in Gaia-X, I'm automatically in the CADA repository." No. The repository lists only services recognised under Article 17 and registered under Article 22. You must apply separately through your national competent authority.
Misconception 3: "The CADA repository replaces all other cloud listings." No. It serves a specific legal function — verifying sovereignty for public procurement. Providers will likely remain listed across commercial marketplaces, Gaia-X and the repository.
Misconception 4: "CADA only applies to hyperscalers." No. CADA applies to cloud computing service providers generally, with specific easing for SMEs (e.g. automatic level 1 recognition under Article 17(3)).
Official sources
Related
- CADA vs the US CLOUD Act: how do they differ?
- CADA Union assurance recognition vs ISO 27001: are they comparable?
- CADA self-assessment vs NCA recognition: how the two paths differ
- Is Gaia-X compliance enough to meet CADA?
- GDPR data localisation vs CADA sovereignty levels: are they the same?
This is general information about a draft EU regulation, not legal advice.