Summary
Yes, under the proposed Cloud and AI Development Act (CADA), enforcement actions can directly lead to a cloud service provider losing its Union assurance-level recognition. National competent authorities possess the explicit power to revoke recognition if a provider "intentionally or negligently" supplies incorrect or misleading information during the application process (Article 17(11)). Furthermore, if a cross-border check reveals that a provider no longer meets the technical and sovereignty criteria set out in Annex II, the competent authority of establishment must take enforcement measures, which can result in the withdrawal of the service's status from the central repository. This removal effectively disqualifies the provider from public procurement contracts requiring that specific assurance level.
Detail
The Cloud and AI Development Act (CADA) establishes a rigorous, dynamic framework for recognizing cloud computing services at different levels of sovereignty, known as Union assurance levels (1–4). As proposed in COM(2026) 502 final, this recognition is not a permanent license; it is a conditional status contingent upon continuous compliance with the criteria set out in Annex II. The mechanism for losing this recognition is woven into the recognition process itself, the coercive supervisory powers of national authorities, and the cross-border cooperation mechanisms designed to ensure uniform application across the single market.
Recognition and Revocation under Article 17
The cornerstone of the sovereignty framework is the recognition procedure detailed in Article 17. A cloud computing service provider seeking recognition for a specific Union assurance level must submit an application to the national competent authority of its establishment. This authority acts as the "evaluating national competent authority."
For Union assurance level 1, recognition is based on a self-assessment and an EU statement of conformity. For levels 2, 3, and 4, it requires a positive audit opinion from an independent auditing organization. Once the evaluating authority accepts the evidence, it prepares a draft recognition decision. Other Member States have a 60-day review period to raise reasoned objections. If no objections are raised, the service is recognized across the Union.
However, Article 17(11) explicitly grants the evaluating national competent authority the power to revoke this recognition. This power is triggered if the authority finds that the cloud computing service provider "intentionally or negligently, supplied incorrect or misleading information" during the application process. This means that even if the technical criteria were met at the time of the initial audit, the integrity of the application process is paramount. If a provider is found to have falsified data, hidden subcontractor relationships, or misrepresented its governance structure to gain recognition, the authority can strip that status.
Crucially, the draft regulation distinguishes between the initial grant of recognition and the ongoing maintenance of that status. While Article 17(11) focuses on the integrity of the application, the broader framework ensures that recognition is not a "set and forget" status.
Supervisory Powers under Article 26
To enforce the rules outlined in Article 17 and ensure ongoing compliance, Article 26 grants significant investigative and enforcement powers to the national competent authorities of establishment. These powers are not merely advisory; they are coercive and designed to uncover non-compliance that might otherwise remain hidden.
Under Article 26(1), competent authorities have the power to:
- Require any cloud computing service provider, as well as any other persons acting for purposes related to their trade, to provide information relating to a suspected infringement.
- Carry out, or request a judicial authority to order, inspections of any premises used for the provision of the service to examine, seize, or obtain copies of information.
- Ask any member of staff or representative to give explanations regarding suspected infringements and, with consent, record their answers.
More critically, Article 26(2) outlines enforcement powers that can lead to the termination of a provider's status. These include:
- The power to order the cessation of infringements and impose remedies proportionate to the infringement.
- The power to impose fines for failure to comply with the Regulation.
- The power to impose periodic penalty payments to ensure that an infringement is terminated.
While Article 26 focuses on penalties and cessation orders, these enforcement actions are the primary tools used to address non-compliance. If an investigation reveals that a provider is no longer compliant with the criteria that formed the basis of its recognition, the authority can use these powers to compel compliance. If compliance is not achieved, or if the non-compliance is severe (such as the supply of misleading information), the authority can initiate the revocation process under Article 17(11). Additionally, Article 26(2)(a) allows authorities to order the cessation of infringements, which could effectively mean suspending the service's ability to operate under its recognized status until the infringement is remedied.
Cross-Border Checks and Annex II Compliance under Article 28
The sovereignty framework relies on mutual recognition across the EU, but this trust is not blind. Article 28 establishes a robust mechanism for cross-border cooperation to ensure that a service recognized in one Member State actually maintains its compliance in another.
If a competent authority in a Member State where the service is used (the "competent authority of destination") has reason to suspect that a cloud computing service provider no longer fulfills the requirements under Annex II (the criteria for Union assurance levels), it can request the competent authority of establishment to assess the matter.
Article 28(1) states that the destination authority may request the establishment authority to "take the necessary investigatory and enforcement measures to ensure compliance." The establishment authority must respond within two months, providing an assessment and explaining any measures taken or envisaged.
If the establishment authority's assessment confirms that the provider no longer meets the Annex II criteria, the logical consequence is the withdrawal of recognition. This is further supported by Article 23, which imposes transparency obligations. If a provider becomes aware of material changes affecting its compliance, it must notify the auditing organization and the competent authority. If the auditing organization revokes its audit report (due to non-compliance with Annex II), the competent authority must assess whether to revoke its recognition. The cross-border mechanism in Article 28 ensures that a provider cannot hide non-compliance by operating in a different Member State than its establishment.
Consequence for the Marketplace Listing
The practical impact of losing recognition is immediate and visible. Article 22 requires the Commission to establish and maintain a central repository of cloud computing services that have been recognized under Article 17. This repository is publicly available and serves as the definitive list of compliant providers for public sector bodies.
Article 22(3) explicitly states that "the revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years."
For public sector bodies and private entities relying on these services for compliance with their own risk assessments (as mandated by Article 29 and Article 30), a service removed from the central repository is no longer eligible for procurement in contexts requiring that specific Union assurance level. For example, if a service loses its Union assurance level 3 status, it can no longer be used by contracting authorities whose activities have been identified as contributing to the preservation of public order in sensitive sectors, unless a derogation applies. This effectively removes the provider from the market for high-stakes public sector contracts across the EU.
What this means for you
For cloud service providers and data centre operators aiming to serve the European public sector, maintaining your Union assurance-level recognition is critical. CADA introduces a dynamic compliance model where recognition is a privilege, not a right.
- Data Integrity is Non-Negotiable: Ensure that all information submitted during the application for recognition under Article 17 is accurate and verifiable. Any discovery of negligent or intentional misrepresentation can lead to immediate revocation of your status under Article 17(11).
- Continuous Monitoring: Compliance with Annex II is ongoing. You must monitor your operations, subcontractor relationships, and data flows continuously. Any material change that affects your ability to meet Annex II criteria must be reported immediately under Article 23.
- Prepare for Cross-Border Scrutiny: Be ready for investigations initiated by other Member States under Article 28. If a host state suspects non-compliance, your home state's competent authority will investigate. You must cooperate fully with these investigations to avoid enforcement actions that could lead to revocation.
- Audit Readiness: For levels 2–4, your relationship with your auditing organization is vital. If your auditor revokes their opinion due to non-compliance with Annex II, the chain reaction will lead to your recognition being revoked by the competent authority. Maintain open lines of communication with your auditor and ensure your technical and organizational measures are robust.
Common misconceptions
Misconception 1: Recognition is permanent once granted. Reality: Recognition is contingent on continuous compliance. As shown in Article 23 and Article 28, any material change or failure to meet Annex II criteria can trigger a review and potential revocation.
Misconception 2: Only the home state can revoke recognition. Reality: While the competent authority of establishment holds the formal power to revoke under Article 17(11), the process can be triggered by cross-border cooperation under Article 28. Other Member States play a crucial role in identifying non-compliance.
Misconception 3: Losing recognition only affects public sector contracts. Reality: While the primary mandate is for public procurement, the central repository (Article 22) is public. Private sector entities, especially those in high-criticality sectors under NIS2, may also rely on this recognition for their own risk assessments (Article 31). Losing recognition can damage your market reputation and limit your ability to serve regulated private clients.
Misconception 4: Revocation is only for severe fraud. Reality: Article 17(11) allows revocation for both intentional and negligent supply of incorrect or misleading information. Negligence is sufficient to trigger this severe consequence.
Related
- Can a CADA authority publish its enforcement decisions?
- Which CADA obligations can lead to penalties?
- What records should a provider keep for CADA enforcement?
- How does CADA enforcement support the sovereignty assurance levels?
- Does a provider's size affect CADA enforcement measures?
This is general information about a draft EU regulation, not legal advice.