Summary
Yes, a public-sector buyer can raise concerns about the accuracy of a cloud service's listing in the central CADA repository, but the proposed regulation does not establish a direct "consumer-style" complaint button for individual buyers. Instead, buyers are expected to report discrepancies to the national competent authority (NCA) of the provider's establishment. Under Article 23, providers have a strict duty to notify authorities of material changes; if a buyer identifies a misleading listing, this triggers the NCA's power to investigate and potentially revoke recognition. Furthermore, Article 24 mandates that Member States impose "effective, proportionate and dissuasive" penalties on providers for such infringements and explicitly grants recipients the right to seek compensation for any damage or loss suffered due to these failures.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous transparency framework to ensure that public-sector buyers can rely on the sovereignty credentials of cloud computing services. Central to this ecosystem is the central repository of recognised services, established under Article 22, which lists cloud services assessed and recognised at specific Union assurance levels (1–4). While the Commission maintains the repository and national competent authorities (NCAs) update it, the system's integrity depends on the continuous accuracy of provider data and the vigilance of market participants.
The Transparency Duty: Article 23 as the Trigger
The accuracy of the repository is not static; it is a dynamic reflection of a provider's ongoing compliance. Article 23 imposes critical transparency obligations on cloud computing service providers. The text states:
"On becoming aware of any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17, the recognised cloud computing service provider shall, as soon as possible, notify the auditing organisation and the national competent authority of establishment."
This duty is the linchpin of the system. A "material change" could include a shift in ownership to a third-country entity, the relocation of data storage outside the Union, or a change in subcontractor arrangements that compromises operational autonomy. If a provider fails to report such a change, the listing in the central repository becomes misleading.
When a buyer (a contracting authority or public-sector body) identifies that a service listed in the repository no longer meets the criteria for its claimed assurance level (for example, if data is being processed outside the Union contrary to the listing), this constitutes a potential breach of Article 23. While the regulation does not provide a direct "complaint form" for buyers, the buyer's discovery acts as the catalyst for the regulatory enforcement mechanism.
Recourse for Buyers: Reporting to Competent Authorities
CADA channels enforcement through the national competent authority of establishment (the NCA where the provider has its main establishment). If a buyer suspects a listing is misleading, the appropriate course of action is to report the discrepancy to this NCA.
Article 26 grants these NCAs extensive investigative and enforcement powers to act on such reports. Upon receiving information suggesting an infringement, the NCA can:
- Require information: Demand that the provider or auditing organisation provide relevant data.
- Inspect premises: Carry out or order inspections to examine evidence.
- Order cessation: Mandate the provider to stop the infringing activity.
- Impose penalties: Levy fines or periodic penalty payments.
Crucially, Article 23(2) and (3) outline the immediate consequences of such a report. If an NCA (or the provider) becomes aware of a material change or a discrepancy:
- The auditing organisation must assess whether the audit report or opinion needs to be amended or revoked.
- The NCA must then assess whether its recognition of the service needs to be amended or revoked.
If the recognition is revoked, Article 22(3) requires that this revocation be published in the central repository and remain available for five years. Thus, a buyer's report directly triggers the process that removes the misleading listing from the public view, preventing further procurement errors.
Penalties and Compensation: Article 24
The consequences for providers who maintain misleading listings are severe. Article 24 establishes the penalty framework for infringements of the sovereignty chapter (Title IV, Chapter I). It mandates that Member States lay down rules on penalties that are "effective, proportionate and dissuasive."
When determining the severity of penalties, Article 24(2) requires Member States to consider non-exhaustive criteria, including:
- The nature, gravity, scale, and duration of the infringement.
- Any action taken by the infringing party to mitigate damage.
- Previous infringements by the party.
- The financial benefits gained or losses avoided by the provider due to the infringement.
- The infringing party's annual turnover in the Union.
Most importantly for buyers, Article 24(3) provides a direct legal remedy for those harmed by misleading listings. The text states:
"Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."
This means that if a public-sector body procured a service based on a false assurance level listed in the repository, and subsequently suffered financial loss, operational disruption, or security breaches due to the provider's failure to maintain accurate status, the buyer has a statutory right to claim compensation.
The Process for Addressing Misleading Listings
The proposed regulation outlines a clear, albeit regulatory, pathway for addressing misleading listings:
- Identification: The buyer identifies a discrepancy between the service's actual provision and its listing in the central repository (e.g., via independent verification or a breach of the transparency duty).
- Notification: The buyer notifies the NCA of establishment of the provider. This is typically done through formal market surveillance channels established by the Member State.
- Investigation: The NCA exercises its powers under Article 26 to investigate. It may request evidence from the provider or the auditing organisation.
- Reassessment: If the infringement is confirmed, the auditing organisation assesses whether the audit opinion must be revoked under Article 23(2).
- Revocation: The NCA assesses whether recognition must be revoked under Article 23(3). If revoked, the status is updated in the central repository.
- Remedy: The buyer may pursue compensation under Article 24(3) for any losses incurred during the period the listing was inaccurate.
What this means for you
For public-sector procurement officers and legal counsel, the CADA proposal shifts the burden of verification from exhaustive, pre-contractual due diligence to reliance on the central repository, but it does not absolve buyers of the need for vigilance.
- Pre-Procurement Checks: Always verify the current status of a provider in the central repository before finalizing a contract. Ensure the listed assurance level matches the requirements determined by your risk assessment under Article 29.
- Contractual Safeguards: Include clauses in your procurement contracts that require providers to immediately notify you of any changes that might affect their CADA recognition. This aligns with the provider's statutory duty under Article 23 and provides you with early warning of potential compliance issues.
- Reporting Mechanisms: Familiarize yourself with the contact details of the NCAs in the Member States where your key cloud providers are established. If you suspect a listing is outdated or false, you have a duty to report it to protect public order and ensure the integrity of the single market.
- Compensation Rights: Be aware that you have a right to compensation if a provider's failure to maintain an accurate listing causes you financial loss. Document any disruptions, migration costs, or security incidents incurred due to reliance on a misleading listing to support potential claims under Article 24(3).
Common misconceptions
"I can sue the Commission for an incorrect listing." No. The Commission maintains the repository, but the recognition and oversight are primarily the responsibility of the national competent authorities of establishment. Liability for incorrect information lies with the provider and potentially the auditing organisation, not the Commission.
"The repository is a guarantee of future compliance." No. The repository reflects the status at the time of recognition and any subsequent updates. Providers must continuously comply, and changes can occur. Buyers must monitor for updates or rely on the provider's transparency notifications under Article 23.
"Only the NCA can take action against a misleading provider." While the NCA has enforcement powers, buyers have a direct right to seek compensation for damages under Article 24(3). You are not limited to waiting for regulatory action; you can pursue civil remedies for losses suffered.
"A positive audit opinion means the provider can never be penalized." No. Audits are point-in-time assessments. If a provider fails to report material changes (Article 23) or provides false evidence during the audit, they can still be penalized under Article 24, and their recognition can be revoked.
Related
- CADA Procurement: Can a buyer rely on the repository when a service is not listed?
- CADA Central Repository: Who can access it and is it public?
- What should a buyer do if a service is revoked in the CADA repository mid-contract?
- CADA Recognition vs Repository Listing: What's the Difference?
- What information does the CADA central repository show about cloud services?
This is general information about a draft EU regulation, not legal advice.