Summary

Under the proposed Cloud and AI Development Act (CADA), cloud providers and public buyers have distinct, interlocking duties. Providers would seek recognition at a Union assurance level from their national competent authority of establishment (Article 17) and report material changes that affect that status (Article 23). Public buyers would conduct risk assessments to set the required assurance level for their activities (Article 29) and procure only services recognised at that level (Article 30). CADA is a proposal, not yet in force.

Detail

CADA, as proposed, would split responsibilities between those supplying cloud services and those buying them for the public sector. Understanding who must do what is the starting point for compliance.

Obligations for cloud service providers

CADA ties provider obligations to the Union cloud computing sovereignty framework — four assurance levels (Article 16), from level 1 (baseline) to level 4 (highest), with criteria in Annex II. A provider cannot simply claim a level; it must be recognised.

1. Seeking recognition (Article 17). A provider that aims to be recognised at a Union assurance level submits an application to the national competent authority of establishment (Article 17(1)) — the authority in the Member State of its main establishment (Article 25(4)). Evidence depends on the level:

  • Level 1: an EU statement of conformity based on self-assessment (Articles 17(3) and 19). For SMEs, that statement is "directly and automatically recognised in all Member States without the need for prior recognition" (Article 17(3)).
  • Levels 2, 3 and 4: independent third-party audits — the audit report, a "positive" audit opinion, and all evidence given to the auditor (Articles 17(4) and 20). Higher levels add stricter criteria, such as Union-citizen personnel (levels 3 and 4) and no third-country control (level 4).

Within 60 days of accepting the application, the evaluating authority assesses the evidence and either prepares a draft recognition decision and notifies the other Member States for a 60-day review period, requests more information, or rejects the application (Article 17(5)). If no reasoned objection is raised during the review period, the service is recognised throughout the Union (Article 17(7)).

2. Reporting material changes (Article 23). On becoming aware of any information or material change in circumstances that may affect the audit report, the "positive" opinion, or the recognition, the provider must notify the auditing organisation and the national competent authority "as soon as possible" (Article 23(1)). Such a notification can lead to the recognition being amended or revoked.

3. Penalties and compensation (Article 24). Member States set penalties that must be "effective, proportionate and dissuasive" (Article 24(1)). Recipients of the services have a right to seek compensation for damage or loss from an infringement (Article 24(3)).

Obligations for public buyers

For public-sector bodies and Union entities, CADA would make procurement sovereignty-driven rather than purely commercial.

1. Risk assessments (Article 29). Within one year of entry into force, and every two years thereafter (or sooner whenever necessary), Member States and Union entities must carry out risk assessments that:

  • identify public-sector activities using cloud services that contribute to the preservation of public order — including sectors under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555) and areas such as national security, internal security, external border management, defence, justice and law enforcement (Article 29(1)(a)); and
  • determine which Union assurance level (2, 3 or 4) is appropriate (Article 29(1)(b)).

The Commission would specify the methodology and templates (Article 29(3)). Where the assessment requires migrating to a different service, migration must occur within a reasonable transition period not exceeding 12 months (Article 29(6)). Assessments must also consider whether a multi-vendor or multi-cloud strategy is appropriate (Article 29(9)).

2. Procurement rules (Article 30).

  • Non-public-order activities: entities and bodies whose activities are not identified as contributing to the preservation of public order must use services recognised at Union assurance level 1 (Article 30(2)).
  • Public-order activities: contracting authorities whose activities are so identified must procure only services recognised at Union assurance levels 2, 3 or 4 (Article 30(3)).

3. Derogations (Article 30(4)). On an exceptional, duly justified basis, a buyer may decide not to procure a recognised service where: the subject matter cannot be supplied by recognised services in the central repository and no adequate alternative exists; a similar procurement in the previous year drew no suitable tenders; or applying the requirements would mean disproportionate cost.

The two duty-holders compared

  • Primary action. Providers: seek recognition of an assurance level (Article 17). Buyers: risk-assess and procure accordingly (Articles 29–30).
  • Trigger. Providers: aiming to serve the EU public sector. Buyers: procuring cloud services for public activities.
  • Evidence. Providers: EU statement of conformity (level 1) or audit report and opinion (levels 2–4). Buyers: a risk assessment identifying public-order relevance.
  • Counterpart. Providers: the national competent authority of establishment. Buyers: internal governance plus the Commission's methodology.
  • Ongoing duty. Providers: report material changes as soon as possible (Article 23). Buyers: re-assess every two years (Article 29).
  • Consequence of failure. Providers: penalties, compensation claims, loss of recognition. Buyers: breach of procurement rules and security exposure.

What this means for you

As a public-sector procurement officer, your role would shift from buyer to risk manager. You cannot simply pick the cheapest or most feature-rich provider — you must first establish the sovereignty requirement for the activity.

Immediate steps:

  1. Map current usage. Identify services supporting public-order, national-security or critical activities; these will likely require level 2, 3 or 4.
  2. Prepare for risk assessments. Follow the Commission's forthcoming methodology and templates (Article 29(3)); document why a given level is appropriate.
  3. Check the central repository. Verify bidders are recognised at the required level in the repository maintained by the Commission under Article 22; award only to services meeting that level.
  4. Plan migration. If your provider does not meet the required level, you have up to 12 months to migrate (Article 29(6)) — start early.

For providers, transparency is mandatory: invest in audits for levels 2–4, keep documentation current, and report any change affecting sovereignty criteria as soon as possible (Article 23) to avoid losing recognition and public-sector eligibility.

Common misconceptions

Misconception 1: "Sovereignty is just data location." Data location is one component. Higher levels add controls on personnel (Union citizenship at levels 3–4), the software supply chain (SBOM and dependency controls), and third-country control (barred at level 4) — see Annex II.

Misconception 2: "Public buyers can choose any level." No. Where a risk assessment identifies a public-order activity, the buyer must procure level 2, 3 or 4 (Article 30(3)); non-public-order activities use level 1 (Article 30(2)).

Misconception 3: "Recognition is permanent." No. Providers must report material changes (Article 23); recognition can be amended or revoked, and supplying incorrect or misleading information can trigger revocation (Article 17(11)). Buyers also re-assess risks every two years.

Misconception 4: "The AI Act replaces CADA's sovereignty rules." No. The AI Act addresses the safety, rights and transparency of AI systems; CADA addresses the sovereignty and resilience of the cloud infrastructure beneath them. They are complementary.

This is general information about a draft EU regulation, not legal advice.