Summary Yes, a cloud computing service provider has a specific procedural right to challenge a potential refusal of Union assurance recognition under the proposed Cloud and AI Development Act (CADA). As proposed, the law mandates a critical safeguard: before a national competent authority can reject an application, it must give the provider the opportunity to submit written comments on the evaluation's conclusions. The authority is then legally required to "take due account" of these comments when finalizing its decision. This is not a post-decision court appeal, but a mandatory administrative right to be heard during the evaluation phase, ensuring fairness before a final negative decision is issued.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonized framework for recognizing cloud computing services at four "Union assurance levels" (levels 1 through 4). These levels dictate the degree of sovereignty, security, and operational autonomy a provider must demonstrate to serve public sector bodies and critical private entities in the EU. The recognition process is managed by national competent authorities, specifically the authority in the Member State where the provider has its main establishment, but it operates within a strict, EU-wide procedural system.

If a provider's application for recognition is at risk of being refused, CADA provides a specific mechanism for intervention before the final decision is made. This is distinct from a traditional judicial appeal; it is a mandatory administrative "right to be heard" embedded in the evaluation timeline.

The Right to Comment Before Rejection

The core protection for providers is explicitly codified in Article 17(5)(c) of the CADA proposal. This provision outlines the steps a national competent authority (the "evaluating national competent authority") must take within 60 days of accepting an application for recognition.

If the evaluating authority determines that the evidence submitted by the provider is insufficient to grant recognition, it faces a binary choice: request further information or reject the request. However, the law imposes a strict procedural condition on the rejection path. Article 17(5)(c) states:

"Prior to rejecting the request for recognition, the evaluating competent authority shall give the candidate cloud computing service provider the opportunity to provide written comments on the conclusions of the evaluation within 30 days. The evaluating competent authority shall take due account of those comments when finalising its conclusions."

This provision ensures that a provider cannot be silently rejected. The authority must first communicate its preliminary conclusions and the specific reasons for the potential rejection. The provider then has a 30-day window to submit written arguments, clarify technical misunderstandings, provide additional context, or correct factual errors in the evaluation.

The Authority's Obligation to Consider Comments

The phrase "take due account" carries significant legal weight in EU administrative law. It prevents the authority from issuing a perfunctory or pre-determined rejection without genuinely reviewing the provider's defense. If the provider's written comments successfully address the specific deficiencies identified in the evaluationβ€”for example, by clarifying a complex data flow diagram, explaining a subcontractor's compliance measures, or correcting a technical misinterpretation of the criteriaβ€”the authority is obligated to reconsider its stance.

If, after reviewing the comments, the authority still intends to reject the application, it must finalize its conclusions based on the totality of the evidence, including the provider's rebuttal. Only after this process is complete can the formal rejection decision be issued. This ensures that the final decision is robust and based on a fully considered case.

Post-Rejection Options and Cross-Border Mechanisms

While Article 17(5)(c) covers the pre-rejection phase, CADA also outlines mechanisms for what happens if a rejection occurs or if other Member States object to a recognition.

  1. Objections from Other Member States: Under Article 17(6), other national competent authorities can submit reasoned objections if they believe a draft recognition decision (or a rejection) does not comply with the assurance levels. If such an objection is raised, the evaluating authority must assess it. If the authority maintains its decision despite the objection, the matter can be escalated.
  2. Commission Intervention: If a disagreement persists between Member States regarding a recognition or rejection, Article 17(10) allows a concerned national competent authority to refer the matter to the European Commission. The Commission then assesses the referral and can adopt a binding decision determining whether the evaluating authority may proceed with its recognition (or rejection) decision. This acts as a dispute resolution mechanism for cross-border inconsistencies.
  3. Revocation: Article 17(11) notes that a recognition can be revoked if the provider intentionally or negligently supplied incorrect or misleading information. While this article does not explicitly detail the appeal process for revocation, the general principles of administrative law and the right to defense implied in Article 17(5)(c) would likely apply to revocation proceedings as well, ensuring providers have a chance to respond to allegations of fraud or negligence before a final revocation.

The Role of the Competent Authority of Establishment

It is important to note that the "competent authority of establishment" (the authority in the Member State where the provider has its main establishment) has exclusive competence for enforcing the sovereignty framework, as per Article 25(4). This centralizes the process, meaning a provider typically deals with one primary authority for recognition, rather than navigating 27 different national bureaucracies simultaneously. However, this authority must collaborate with other Member States if their input is needed, as outlined in Article 17(2), ensuring a unified EU-wide standard.

What this means for you

For cloud service providers and data center operators aiming to enter the EU public sector market, understanding this procedural safeguard is critical for maintaining your application momentum and protecting your commercial interests.

  1. Prepare for the 30-Day Window: When you submit your application (including your EU statement of conformity for Level 1 or audit reports for Levels 2–4), assume there will be queries. The 30-day period to provide written comments is strict. You should have internal legal and technical teams ready to draft rapid, precise responses to technical or legal queries from the competent authority.
  2. Document Everything: Since the authority must "take due account" of your comments, ensure your written submissions are clear, referenced, and directly address the evaluation's conclusions. Vague objections may not be sufficient to change the outcome. Keep a detailed record of all correspondence and the specific points raised in your rebuttal.
  3. Engage Early: If you anticipate difficulties in meeting certain criteria (e.g., subcontractor transparency, data localization, or cybersecurity certification), engage with the competent authority early in the process. While Article 17(5)(c) applies before rejection, proactive communication can often resolve issues before they reach the point of a formal negative evaluation.
  4. Monitor Cross-Border Feedback: If your service operates across multiple Member States, other national authorities may review your recognition. Be prepared to address their concerns if they raise objections under Article 17(6), as these can trigger a review of your application.
  5. Legal Recourse: If the authority rejects your application despite your written comments, you will likely need to explore national administrative law remedies or judicial review in the Member State of establishment. CADA harmonizes the criteria but leaves enforcement and specific judicial procedures to national law, subject to EU principles of effective judicial protection.

Common misconceptions

Misconception 1: There is no right to appeal a refusal. Reality: While CADA does not create a new EU-wide court for cloud recognition, it mandates a strict administrative right to be heard (Article 17(5)(c)) before a rejection is finalized. This is a substantive procedural right, not just a formality, allowing providers to correct errors before the decision is made.

Misconception 2: The Commission automatically reviews every rejection. Reality: The Commission only becomes involved if there is a dispute between Member States (Article 17(10)) or if a national authority refers the matter. The Commission does not act as a first-instance appeal body for individual provider rejections; the primary review happens at the national level.

Misconception 3: You can wait until the last minute to respond. Reality: The 30-day window for written comments is strict. Given the technical complexity of cloud sovereignty audits (involving data flows, subcontractor chains, and cybersecurity certifications), preparing a robust defense takes time. Delays in responding can be interpreted as a lack of cooperation or an inability to meet standards, potentially leading to an automatic rejection.

Misconception 4: Rejection is final and irreversible. Reality: A rejection is a final administrative decision, but it is subject to national judicial review. Furthermore, if the rejection is based on insufficient evidence, you can usually reapply with corrected documentation. The "due account" requirement in Article 17(5)(c) ensures that the initial rejection is based on a fully considered case, reducing the likelihood of arbitrary decisions.

Related

This is general information about a draft EU regulation, not legal advice.