Summary

As proposed, a non-EU cloud provider can appear in the CADA central repository only if its services are formally recognised as meeting one of the four Union assurance levels. Listing is not a voluntary registration; it is the legal consequence of a successful recognition procedure. Under Article 17, a provider must submit an application to the national competent authority of establishment and, for levels 2–4, pass an independent third-party audit. Once recognised, Article 22(2) mandates that the national competent authority registers the service in the central repository maintained by the Commission. Therefore, a foreign provider cannot simply "sign up"; it must first navigate the sovereignty framework, potentially leveraging the Article 18 derogation for "associated third countries" to qualify for higher assurance levels.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised framework for cloud computing sovereignty designed to reduce the Union's dependence on third-country providers while maintaining an open, non-discriminatory market. A central pillar of this framework is the Union cloud computing sovereignty framework, which categorises cloud services into four Union assurance levels (Level 1 to Level 4). The presence of a cloud service in the central repository is not a matter of voluntary registration by any provider; it is a status conferred only after a rigorous recognition process.

The Central Repository and the Registration Obligation

Article 22 of the CADA proposal mandates the Commission to establish and maintain a dedicated repository of cloud computing services that have been recognised in accordance with Article 17. This repository serves as the single source of truth for public sector bodies and other users seeking to procure sovereign-compliant cloud services.

Crucially, Article 22(2) specifies how the repository is populated. It states that the national competent authority of establishment that recognised a cloud computing service under Article 17 shall register that service in the central repository. This creates a direct causal link: there is no registration without prior recognition. Consequently, a non-EU provider cannot simply sign up to be listed; it must first achieve recognition through the procedures outlined in Title IV, Chapter I, Sections 1 and 2 of the proposal. The repository acts as a public ledger of compliance, not a marketing directory.

The Recognition Process for Non-EU Providers

For a non-EU cloud provider to be recognised, it must demonstrate compliance with the cumulative criteria set out in Annex II for the specific assurance level it seeks. The recognition process is governed by Article 17, which requires the provider to submit an application to the national competent authority of establishment.

The term "establishment" is critical. Under EU law and the CADA definitions, a provider must have a genuine and stable presence in the Union to be considered established. This typically means having a registered office, central administration, or main establishment within an EU Member State. If a non-EU provider operates through an EU subsidiary that is legally and operationally independent, that subsidiary may be the entity applying for recognition. However, the sovereignty criteria apply to the entire service delivery chain, including subcontractors and infrastructure locations.

Assurance Level 1: Self-Assessment

For Union assurance level 1, the barrier to entry is lower. Providers must carry out a conformity self-assessment (Article 19) and issue an EU statement of conformity. Under Article 17(3), this statement and the necessary evidence are submitted to the evaluating national competent authority. However, there is a specific derogation for SMEs: their EU statement of conformity is directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority. Despite this automation, the service is still considered "recognised" and would be included in the repository, though the administrative path differs.

Assurance Levels 2, 3, and 4: Independent Audits

For higher assurance levels, the process is more stringent. Under Article 17(4), providers seeking Level 2, 3, or 4 must submit an audit report and a 'positive' audit opinion from an accredited auditing organisation. This audit verifies compliance with the strict criteria in Annex II, which increasingly restrict third-country influence.

  • Level 2 requires that the provider and its subcontractors be established in the Union and that infrastructure, assets, and personnel be located in the Union. It also requires a European cybersecurity certificate of at least 'substantial' assurance level (Annex II 2.1(e)).
  • Level 3 adds requirements for Union citizenship for personnel (Annex II 3.1(d)) and stricter controls on third-country control.
  • Level 4 imposes the highest standards, including a 'high' assurance level cybersecurity certification (Annex II 4.1(e)) and strict prohibitions on third-country control over the provider and subcontractors.

Third-Country Providers and the "Associated Third Countries" Mechanism

The CADA proposal acknowledges that some third-country providers may meet high sovereignty standards through specific safeguards. Article 18 introduces a mechanism for Associated Third Countries. The Commission may adopt decisions, by means of implementing acts, identifying third countries where cloud computing service providers, even if subject to the control of that third country, may be audited against the criteria for Union assurance level 3.

To qualify, a third country must meet cumulative criteria, including:

  1. Having an adequacy decision under the GDPR (Article 45 of Regulation (EU) 2016/679).
  2. Having no measures enabling control over the provider that conflicts with lawful access to non-personal data (Article 32(2) and (3) of the Data Act).
  3. Having no measures to compel service disruption, degradation, or compliance with restrictive measures (sanctions, embargoes) unless legitimate under EU law.
  4. Maintaining an open market to Union cloud computing services.
  5. Granting equivalent access to public procurement procedures.

If a provider is from an Associated Third Country, it can still undergo the audit process and seek recognition for Level 3. If successful, the national competent authority recognises the service, and it is subsequently registered in the central repository under Article 22(2). Without this specific Commission decision, a purely foreign-controlled provider would likely fail the "absence of third-country control" criteria for Levels 3 and 4 (Annex II 3.1(g) and 4.1(g)), or the establishment requirements for Level 2. Note that the draft text in Annex II 3.1(g) contains a drafting slip referencing "Article 19" for the derogation; the correct cross-reference is Article 18.

Revocation and Transparency

The repository is dynamic. Article 22(3) states that the revocation of an audit report or recognition by a competent authority shall be published in the central repository and remain available for five years. Furthermore, Article 23 imposes transparency obligations on providers to notify the auditing organisation and competent authority of any material changes that may affect their assurance level. If a non-EU provider's status changes (e.g., a change in ownership leading to third-country control), it must report this, potentially leading to a loss of recognition and removal or flagging in the repository.

What this means for you

If you are a non-EU cloud service provider or a data centre operator looking to serve the EU public sector or regulated private sector, you cannot simply list your services in the CADA central repository. You must treat the repository as a certification badge, not a directory.

  1. Establish EU Presence: You likely need an EU-established legal entity to act as the applicant for recognition under Article 17. This entity must have the operational control and resources to meet the sovereignty criteria.
  2. Assess Your Assurance Level: Determine which level your customers require. Level 1 may be achievable via self-assessment, but Levels 2–4 require independent audits and significant structural changes, such as ensuring all infrastructure, personnel, and data remain within the EU.
  3. Monitor Third-Country Status: If you are controlled by a third-country entity, check if your home country is designated as an "Associated Third Country" under Article 18. If not, you may be excluded from Levels 3 and 4 unless you can demonstrate effective legal, technical, and organisational separation from the third-country controller.
  4. Prepare for Audits: Engage with accredited auditing organisations early. The audit evidence required (Annex III) is extensive, covering everything from software bills of materials (SBOMs) to detailed maps of data flows and personnel citizenship.

Common misconceptions

  • "Any cloud provider can register in the repository." False. The repository is exclusively for services that have been formally recognised under Article 17. Unrecognised services, regardless of their quality or market share, will not appear.
  • "Non-EU providers are automatically excluded." False. Non-EU providers can be recognised if they meet the criteria through an EU-established entity or if they are from an Associated Third Country (for Level 3) under Article 18. The framework is risk-based, not purely geographic, though geographic location of data and personnel is a key criterion.
  • "Listing is a one-time event." False. Recognition is subject to annual reviews (Article 20) and ongoing monitoring. Material changes must be reported (Article 23), and recognition can be revoked, leading to removal from the repository.
  • "Level 1 is just a formality." While Level 1 uses self-assessment, it still requires meeting cumulative criteria in Annex II, including being established in the Union and keeping data within the Union. For SMEs, recognition is automatic, but the underlying compliance obligation remains.

This is general information about a draft EU regulation, not legal advice.