Summary
Yes, private companies can and are encouraged to use the central repository of cloud computing services established under the proposed Cloud and AI Development Act (CADA). Article 22(4) of the proposal explicitly mandates that the repository "shall be publicly available," ensuring open access for any user, including private-sector buyers, regardless of whether they are subject to public procurement rules. While the legal obligation to procure only from recognized providers applies to public authorities, the repository serves as a critical, free transparency tool for private enterprises to verify vendor sovereignty, cybersecurity posture, and third-country independence.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a comprehensive framework to strengthen the EU's cloud and AI ecosystem. A cornerstone of this framework is the "Union cloud computing sovereignty framework," which categorizes cloud services into four distinct "Union assurance levels" (Level 1 to Level 4). These levels are based on rigorous criteria regarding establishment in the Union, data localization, personnel citizenship, cybersecurity certification, and freedom from third-country control.
To ensure market transparency and facilitate the identification of compliant providers, Article 22 establishes a dedicated "central repository of cloud computing services." This database is the official, Union-wide record of all cloud services that have been formally recognized as meeting the criteria for one of the four assurance levels.
The Legal Basis for Public Access
The most critical provision for private sector users is Article 22(4). The text of the proposal states unequivocally:
"The central repository shall be publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website."
This clause removes any ambiguity regarding access rights. The repository is not a restricted internal database for government auditors or public contracting authorities. It is a public-facing resource. The phrase "publicly available" in EU legislative drafting typically implies that no registration, fee, or specific legal status (such as being a public body) is required to view the contents. Consequently, a private technology startup, a multinational corporation, a financial institution, or an individual consultant can access the list of recognized providers and their specific assurance levels at any time.
How the Repository Functions
The repository acts as the central node for the sovereignty framework's verification mechanism. Its operation involves several steps outlined in the proposal:
- Recognition Process: Cloud computing service providers seeking recognition must submit applications to the national competent authority of their establishment. For Union assurance level 1, this involves a self-assessment and an EU statement of conformity (Article 19). For levels 2, 3, and 4, providers must undergo independent third-party audits by an auditing organization (Article 20).
- Registration: Once a competent authority grants recognition, Article 22(2) requires that authority to register the service in the central repository.
- Maintenance and Updates: The Commission and national authorities are responsible for keeping the repository current. Article 22(3) further mandates that any revocation of an audit report or recognition "shall be published in the central repository and shall remain available there for five years." This ensures that the public record reflects not just current compliance but also historical failures or withdrawn recognitions, providing a complete compliance history.
The Distinction Between Access and Obligation
It is vital to distinguish between the right to access the repository and the obligation to procure from it.
- Public Sector Obligation: Under Article 30, contracting authorities (public bodies) and Union entities are legally required to procure cloud services that have been recognized in the repository. For activities not impacting public order, they must procure at least Union assurance level 1. For activities contributing to the preservation of public order (e.g., law enforcement, defense, critical infrastructure), they must procure only services recognized at levels 2, 3, or 4.
- Private Sector Freedom: Private companies are not subject to the procurement mandates of Article 30. They retain the freedom to contract with any cloud provider, including those not listed in the repository or those operating outside the EU assurance framework.
However, the repository remains highly relevant for private buyers. While not legally compelled to use it, private entities can leverage the repository to:
- Verify Claims: Counteract "sovereignty washing" by checking if a provider's marketing claims of EU sovereignty are backed by an official audit and recognition.
- Streamline Due Diligence: The repository aggregates complex technical and legal evidence (audit reports, conformity statements) into a single, accessible point. This significantly reduces the time and cost required for private buyers to assess a vendor's compliance with data sovereignty and cybersecurity standards.
- Align with Sectoral Regulations: Many private sectors (e.g., finance under DORA, critical infrastructure under NIS2) face their own stringent requirements regarding third-party risk management. Choosing a provider recognized under CADA can serve as strong evidence of compliance with these broader regulatory obligations.
The Repository is Not a Marketplace
A common point of confusion is whether the repository functions as a procurement platform or a marketplace. Article 22 defines it strictly as a "dedicated repository" for information. It lists services, their assurance levels, and their compliance status. It does not facilitate transactions, negotiate contracts, or process payments.
For private companies seeking to engage in joint procurement or access specific EU-supported purchasing mechanisms, CADA proposes a separate framework under Articles 37–40 (Common Procurement Framework) and Articles 34–36 (EuroCloud Federation). These mechanisms are distinct from the transparency function of the Article 22 repository. The repository is the "menu" of verified options; the procurement frameworks are the "kitchen" where specific purchasing arrangements might be made.
What this means for you
For CTOs, procurement officers, and legal counsel in the private sector, the public availability of the CADA central repository under Article 22(4) offers a strategic advantage in vendor selection and risk management.
1. Accelerated Vendor Shortlisting
Instead of relying on self-declared compliance statements or marketing brochures, your team can query the central repository to generate a shortlist of providers that have already passed independent, Union-wide scrutiny. For organizations requiring high levels of data sovereignty (e.g., handling sensitive IP or customer data), filtering for Union assurance levels 2, 3, or 4 provides a pre-validated pool of candidates, drastically reducing the initial screening phase.
2. Enhanced Risk Mitigation
In an era of increasing geopolitical tension and extraterritorial data access laws (such as the US CLOUD Act), the risk of third-country interference is a primary concern. The repository provides a transparent view of a provider's status regarding third-country control. If a provider is subject to third-country control but has been recognized under Article 18 (associated third countries) for Level 3, the repository will reflect this specific status. This allows private buyers to make informed decisions based on verified legal and technical safeguards rather than assumptions.
3. Compliance Evidence for Audits
If your organization is subject to external audits (e.g., by regulators, insurers, or clients), pointing to a provider's recognition in the CADA central repository serves as robust, third-party evidence of your supply chain's security and sovereignty posture. The repository's inclusion of revoked recognitions (Article 22(3)) also allows you to perform historical checks, ensuring you are not engaging with a provider that has previously failed compliance.
4. Strategic Market Positioning
As the EU public sector shifts its procurement toward sovereign cloud providers, the market dynamics will likely favor those listed in the repository. By aligning your private cloud strategy with the providers recognized in the CADA framework, you ensure better interoperability and compatibility with public sector partners and clients who are legally mandated to use these services. Early adoption of CADA-compliant providers can position your organization as a forward-thinking partner in the European digital ecosystem.
Common misconceptions
"The CADA repository is a private, government-only database."
- Reality: This is incorrect. Article 22(4) explicitly states the repository "shall be publicly available." It is hosted on a dedicated website accessible to anyone with an internet connection, including private companies, researchers, and the general public.
"Private companies are forced to buy only from providers in the repository."
- Reality: The procurement obligations in Article 30 apply strictly to "contracting authorities" (public bodies) and "Union entities." Private companies are free to choose any provider. However, the repository is the most reliable tool for identifying providers that meet the EU's highest sovereignty standards.
"The repository is a shop where I can buy cloud services."
- Reality: The repository is an information database, not a transactional marketplace. It lists who is recognized and at what level, but it does not handle contracts, billing, or service delivery. Procurement activities remain the responsibility of the buyer, potentially facilitated by separate mechanisms like the Common Procurement Framework (Articles 37–40) if the buyer chooses to participate.
"If a provider is in the repository, they are perfect for every use case."
- Reality: The repository lists providers recognized at specific assurance levels. A provider recognized at Level 1 may not be suitable for a public-order-relevant activity requiring Level 3. Private buyers must still perform their own risk assessments to match the provider's assurance level with their specific operational and regulatory needs.
This is general information about a draft EU regulation, not legal advice.