Summary

The proposed Cloud and AI Development Act (CADA) and the European Cybersecurity Certification Scheme for Cloud Services (EUCS) address two different dimensions of cloud trust: sovereignty and technical cybersecurity. CADA (COM(2026) 502 final, a Commission proposal) would establish "Union assurance levels" built on data and operational sovereignty, personnel and ownership criteria, and protection against third-country interference (Article 16, Annex II). EUCS is a technical cybersecurity certification scheme developed by ENISA under the Cybersecurity Act (Regulation (EU) 2019/881) that, per CADA's explanatory memorandum, "has not yet been adopted." They are complementary, not competing: CADA's higher assurance levels require a European cybersecurity certificate under the Cybersecurity Act, and the memorandum says EUCS, "[w]hen finalised, ... could be leveraged in the framework for sovereign cloud computing services." Until such a scheme exists, national schemes (or equivalent Union-law standards) apply. Nothing here is in force yet.

Detail

To see how CADA and EUCS relate, separate the legal concept of sovereignty under the proposed Regulation from the technical concept of cybersecurity certification under the Cybersecurity Act.

Distinct objectives

CADA's core mechanism is the Union cloud computing sovereignty framework in Article 16, which establishes four "Union assurance levels" (1-4) with the criteria set out in Annex II, covering the location of data and infrastructure, the location and (at higher tiers) citizenship of personnel, software supply-chain control, and the absence of third-country control over the provider.

EUCS, by contrast, is a cybersecurity certification scheme being developed under the Cybersecurity Act. CADA's explanatory memorandum is explicit that certification under the Cybersecurity Act "can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements," and that ENISA "has been working on developing a European Cybersecurity Certification Scheme for Cloud Services (EUCS), which has not yet been adopted." The memorandum frames the two instruments as filling complementary gaps: together with the Cybersecurity Act revision, the proposal would "fill long-standing gaps in sovereignty and non-technical risks." CADA's focus is the non-technical risk (for example, third-country laws with extraterritorial reach that could compel data access or service disruption), which technical certification alone does not resolve.

How EUCS fits inside the CADA framework

Although they address different risks, CADA's higher assurance levels rely on cybersecurity certification under the Cybersecurity Act. In Annex II, the criteria for Union assurance level 2 (§2.1(e)) and level 3 (§3.1(e)) require the audited service to obtain a European cybersecurity certificate of at least assurance level "substantial" under a scheme established under Regulation (EU) 2019/881, "provided that such a scheme has been established under that Regulation and is available to cloud computing service providers." Level 4 (§4.1(e)) raises this to at least assurance level "high."

Each of these criteria sets out the same transitional rule: "Until the establishment of such a scheme, national cybersecurity certification schemes shall apply, where they exist," and where no Union or national scheme exists the provider must demonstrate that the service "complies with the highest cybersecurity standards under applicable Union law." The explanatory memorandum adds that EUCS, "[w]hen finalised, ... could be leveraged in the framework for sovereign cloud computing services as a way of ensuring that an audited service meets the highest cybersecurity standards." In short, CADA writes the sovereignty requirements itself but imports the cybersecurity proof through the reference to a Cybersecurity Act certificate, with EUCS as the eventual vehicle and national schemes or equivalent standards as the bridge.

Where the two frameworks meet: risk assessment and procurement

The practical interaction happens at procurement. Under Article 29, Member States and Union entities must carry out risk assessments to identify which public-sector activities contribute to the preservation of public order and which Union assurance level (2, 3 or 4) is appropriate. Under Article 30, activities not identified as contributing to public order must use services recognised at level 1 (Article 30(2)); activities identified as contributing to public order (in sectors under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555), or in national security, internal security, external border management, defence, justice or law enforcement) must be served only by services recognised at level 2, 3 or 4 (Article 30(3)).

To be recognised at level 2-4, a provider must pass an independent third-party audit (Article 20) against the Annex II criteria. Because those criteria include the cybersecurity-certificate requirement, the EUCS connection becomes material: a provider cannot reach level 2-4 recognition without the required cybersecurity certification, which means EUCS in time, and national schemes or equivalent standards in the interim.

What this means for you

For in-house counsel and compliance officers, CADA and EUCS create a dual-track landscape: prepare for CADA's legal obligations while monitoring the cybersecurity certification that underpins the higher legal tiers.

1. Prepare for CADA's risk assessments and procurement mandates. Under Article 29, Member States and Union entities must run risk assessments by one year after entry into force, and every two years thereafter (or whenever necessary). Map your cloud-using activities against the methodology the Commission will set by implementing act (Article 29(3)), and identify which activities fall under NIS2 Annex I/II sectors or security/defence/law-enforcement areas and may therefore require level 2-4 services (Article 30(3)).

2. Audit your providers for sovereignty gaps, not just security. CADA's sovereignty criteria reach beyond standard cybersecurity audits. For level 2 and above, infrastructure, assets and personnel must be in the Union (Annex II §§2.1(b), 3.1(b), 4.1(b)); for levels 3 and 4, personnel must be Union citizens (§§3.1(d), 4.1(d)) and the provider must not be under third-country control (§§3.1(g), 4.1(g)). A provider could hold a cybersecurity certificate yet still fail these. Note that Article 18 opens level 3 to a third-country-controlled provider only where the Commission has recognised that country as "associated," a high bar.

3. Monitor the cybersecurity-certification timeline. Because levels 2-4 reference a Cybersecurity Act certificate, delay in adopting EUCS affects the path to full CADA compliance; until a Union scheme exists, national schemes or equivalent standards bridge the gap (Annex II §§2.1(e), 3.1(e), 4.1(e)). CADA also requires the Commission to review Annex II and Annex III (the assurance-level criteria and the audit evidence) at least every 18 months (Article 16(3)). Ask providers about their certification roadmap and build certificate-maintenance obligations into procurement.

4. Understand penalties and enforcement. Under Article 24, Member States must lay down penalties for infringements by cloud providers that are "effective, proportionate and dissuasive." CADA does not set fixed maximum fine amounts for providers (unlike the AI Act, which caps fines in money or percentage of turnover), but it gives national competent authorities investigative and enforcement powers under Article 26, including ordering cessation and imposing fines. For public bodies, procuring the wrong assurance level could breach their Article 30 obligations.

Common misconceptions

  • "EUCS certification is enough for CADA compliance." No. A cybersecurity certificate addresses technical security; CADA adds sovereignty. A certified provider can still fail level 3 or 4 if its personnel are not Union citizens or it is under third-country control. The memorandum states that certification under the Cybersecurity Act "is not suited for addressing sovereignty concerns that go beyond these technical elements."
  • "CADA replaces the Cybersecurity Act." No. CADA complements it. The proposal frames the two as filling "long-standing gaps in sovereignty and non-technical risks," and CADA's higher tiers rely on a certificate issued under the Cybersecurity Act. They are interdependent, not substitutive.
  • "All public-sector cloud needs the highest sovereignty level." No; the approach is risk-based. Activities not identified as contributing to public order use level 1 (Article 30(2)), which needs only a conformity self-assessment (Article 19). Levels 2-4 are reserved for public-order-relevant activities (Article 30(3)).
  • "EUCS is already mandatory." No. The memorandum confirms EUCS "has not yet been adopted," and Annex II provides that "national cybersecurity certification schemes shall apply, where they exist," until a Union scheme is established. Do not treat EUCS as a current requirement, but prepare for its future integration.

This is general information about a draft EU regulation, not legal advice.