Can a CADA recognition application be rejected? Article 17 explained

Summary Yes, under the proposed Cloud and AI Development Act (CADA), a national competent authority may reject an application for recognition of a cloud computing service's Union assurance level. However, this is not an immediate or unilateral decision. Article 17(5)(c) explicitly mandates that before rejecting a request, the evaluating authority must give the candidate cloud computing service provider the opportunity to provide written comments on the conclusions of the evaluation within 30 days. The authority is then legally required to "take due account" of those comments before finalising its decision. If the authority maintains its decision after this period, the application is formally rejected, and the service cannot be marketed as offering that specific assurance level to public sector bodies.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous, harmonised framework for cloud sovereignty in the EU. A cornerstone of this framework is the recognition process, which allows cloud computing service providers (CSPs) to demonstrate compliance with specific "Union assurance levels" (ranging from Level 1 to Level 4). This recognition is a prerequisite for providers wishing to supply cloud services to Union entities and public sector bodies, particularly for activities identified as contributing to the preservation of public order.

The procedural mechanics for seeking this recognition are codified in Article 17 of the proposal. A CSP must submit an application to the national competent authority of its establishment, which acts as the "evaluating national competent authority." The nature of the evidence required depends on the assurance level sought:

• For Union assurance level 1, the provider submits a conformity self-assessment and an EU statement of conformity (Article 19).
• For Union assurance levels 2, 3, and 4, the provider must submit an audit report and a "positive" audit opinion from an independent auditing organisation (Article 20).

Once an application is accepted, the evaluating authority has a statutory timeline of 60 days to assess the submitted evidence. During this review period, the authority may determine that the evidence is insufficient or non-compliant. In such cases, the proposal outlines specific procedural safeguards to ensure fairness and legal certainty, culminating in the rejection mechanism detailed in Article 17(5)(c).

The Rejection Mechanism: Article 17(5)(c)

The proposal explicitly acknowledges that not all applications will succeed. Article 17(5)(c) states that where the evidence submitted is insufficient to allow the evaluating competent authority to recognise the cloud computing service, the authority "may reject the request for recognition."

However, the regulation imposes a strict procedural safeguard before this rejection can become final. The authority cannot simply issue a rejection notice. Instead, prior to rejecting the request for recognition, the evaluating competent authority shall give the candidate cloud computing service provider the opportunity to provide written comments on the conclusions of the evaluation within 30 days.

This 30-day window is a critical component of the due process rights afforded to providers under the proposed framework. It serves several functions:

1. Clarification: It allows the provider to clarify ambiguities in the evidence submitted or explain technical contexts that may have been overlooked.
2. Supplementation: It provides a final opportunity to submit additional documentation or arguments that directly address the authority's preliminary findings of non-compliance.
3. Challenge: It enables the provider to contest the authority's interpretation of the criteria or the sufficiency of the evidence with legal and technical arguments.

Crucially, the authority is not free to ignore this input. Article 17(5)(c) mandates that the evaluating competent authority "shall take due account of those comments when finalising its conclusions." This legal obligation means the authority must actively consider the provider's response. If the comments successfully resolve the identified deficiencies, the authority may proceed to a recognition decision. If the comments fail to address the core issues, the authority may then proceed with the formal rejection.

The Review Period and Cross-Border Objections

It is important to distinguish the rejection process under Article 17(5)(c) from the cross-border review process. If the evaluating authority intends to grant recognition (rather than reject), it must notify other Member States' competent authorities for a 60-day review period (Article 17(5)(a)). During this period, other authorities may raise reasoned objections.

However, the rejection process is distinct. If the evaluating authority concludes that the evidence is insufficient, it triggers the 30-day comment period for the applicant. Only after this period expires and the authority has "taken due account" of the comments can the rejection be finalised. If the authority decides to maintain its draft decision to reject after considering the comments, the application is formally denied.

Outcomes and Distinction from Revocation

If the authority rejects the request after the 30-day comment period, the cloud computing service is not recognised as offering the applied-for Union assurance level. Consequently:

• The provider cannot use this recognition in public procurement procedures.
• The provider cannot market the service as compliant with that specific sovereignty level to public sector bodies.
• The service does not appear in the central repository of recognised services (Article 22).

It is vital to distinguish rejection from revocation.

• Rejection occurs during the initial application phase when the evidence is found insufficient (Article 17(5)(c)).
• Revocation occurs after recognition has been granted, if it is later found that the provider "intentionally or negligently, supplied incorrect or misleading information" (Article 17(11)).

A rejection of a request for a higher assurance level (e.g., Level 3) does not automatically preclude the provider from applying for a lower level (e.g., Level 1 or 2), provided the provider meets the distinct, less stringent criteria for those tiers. However, the rejection stands for the specific level applied for, and the provider must re-apply separately for a different level.

What this means for you

For cloud service providers, data centre operators, and their legal counsel, understanding the rejection mechanism under Article 17(5)(c) is vital for managing compliance strategies and client expectations. Public sector contracts often have strict deadlines, and a delayed or rejected recognition can jeopardize market access.

1. Prepare Robust Evidence from the Start Rejections often stem from insufficient, unclear, or non-compliant evidence. Ensure that your self-assessment (for Level 1) or audit reports (for Levels 2–4) are comprehensive and directly address the criteria in Annex II. For higher levels, the audit must be performed by an independent organisation that meets the strict independence and competence criteria outlined in Article 20. A weak audit report is a primary cause for rejection.

2. Treat the 30-Day Comment Period as a Critical Window If you receive a preliminary conclusion indicating potential rejection, do not ignore it. This is your statutory right under Article 17(5)(c). Use the full 30 days to craft a detailed, evidence-based response. Engage your legal, technical, and audit teams to address every point raised by the authority. This is your best—and often only—chance to overturn a negative decision before it becomes final.

3. Ensure Your Response is "Due Account" Worthy The authority is legally required to "take due account" of your comments. To maximise the impact of your response:

• Map your comments directly to the authority's specific conclusions.
• Provide new, verifiable evidence where possible, rather than just arguments.
• Reference specific clauses in Annex II that you believe you satisfy.
• If the rejection is based on a misunderstanding of your technical architecture, provide diagrams or third-party validation.

4. Maintain Open Communication with the Competent Authority While the process is formal, early engagement with the national competent authority of your establishment can help clarify expectations. If you are unsure whether your evidence meets the criteria, seek guidance early in the process to avoid costly rejections later.

5. Plan for Contingencies and Re-application If your application is rejected, assess whether you can meet the criteria for a lower assurance level. For instance, if a Level 3 application is rejected due to third-country control issues, you might still qualify for Level 1 or 2 if you meet those specific, less stringent criteria. This allows you to continue serving public sector clients, albeit for less sensitive use cases. Note that re-applying with the same evidence will likely lead to the same result; you must address the specific reasons for rejection.

6. Document Everything Keep detailed records of all submissions, communications, and comments provided during the evaluation process. This documentation may be crucial if you need to challenge the decision under national administrative law or demonstrate good faith in future applications.

Common misconceptions

Misconception 1: Rejection is immediate and final. Reality: Rejection is not immediate. The authority must first notify you of its preliminary conclusions and give you 30 days to respond under Article 17(5)(c). The final decision is only made after considering your written comments.

Misconception 2: The authority can ignore your comments. Reality: The regulation explicitly states the authority "shall take due account" of your comments. They cannot simply dismiss your response without consideration. If they fail to do so, it could be grounds for a challenge under national administrative law.

Misconception 3: A rejection means your service is illegal. Reality: A rejection of a recognition application means your service cannot be marketed as offering a specific Union assurance level for public procurement. It does not mean the service is illegal to operate in the private sector or for non-public sector clients. However, you cannot claim compliance with the rejected assurance level.

Misconception 4: You can re-apply immediately without changes. Reality: If your application is rejected, re-applying with the same evidence will likely lead to the same result. You must address the specific reasons for rejection, either by providing new evidence, correcting errors, or adjusting your service to meet the criteria.

Misconception 5: The Commission makes the final decision on recognition. Reality: The national competent authority of your establishment is the primary decision-maker. The Commission becomes involved only in specific cross-border disputes or if a Member State objects to a draft recognition decision (Article 17(10)). The Commission does not typically intervene in a rejection decision unless it is part of a broader cross-border dispute.

Related

• Can a CADA auditor revoke its audit opinion? Article 20 explained
• CADA Auditing Independence: Article 20 Conflict Rules Explained
• CADA Cross-Border Recognition: The 60-Day Review Period Explained
• CADA Recognition: What if your application lacks evidence?
• CADA Recognition: What Evidence Must Accompany Your Application?

This is general information about a draft EU regulation, not legal advice.