Can other Member States collaborate on a CADA recognition?

Summary Under the proposed Cloud and AI Development Act (CADA), the recognition of cloud computing services as offering a specific Union assurance level is not a purely national exercise when infrastructure spans borders. As proposed in Article 17(2), the "evaluating national competent authority" (the authority in the Member State of the provider's main establishment) may request one or more other Member States to collaborate in the recognition procedure. Crucially, those requested authorities have a strict deadline: they must either confirm their agreement to collaborate or refuse the request within 15 days of receiving it. This mechanism ensures that the assessment of cross-border cloud deployments is consistent, efficient, and grounded in verified local facts across the Union.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a harmonised Union framework for recognising cloud computing services that meet specific sovereignty criteria, known as Union assurance levels. While the primary responsibility for recognising a service lies with the national competent authority of the Member State where the cloud provider has its main establishment, the physical reality of cloud infrastructure often transcends national borders. Data centres, operational personnel, and support functions may be distributed across several jurisdictions. To address this, the proposal introduces a mandatory collaboration mechanism to prevent regulatory fragmentation and ensure that the "Union assurance" is genuine across the entire service footprint.

The Evaluating Authority and the Power to Request Collaboration

The recognition process is anchored by the concept of the "evaluating national competent authority." Under Article 17(2), this is the authority in the Member State where the cloud computing service provider has its main establishment (defined in Article 25(4) as the place where the principal financial functions and operational control are exercised).

However, the proposal acknowledges that a single authority may lack the capacity or jurisdictional reach to verify all aspects of a pan-European service. Consequently, Article 17(2) explicitly empowers the evaluating authority to seek assistance. The text states that the evaluating national competent authority, "where necessary," may "request one or more competent authorities of the other Member States to collaborate in the procedure for a candidate recognition under this Article."

This provision is not merely a suggestion; it is a procedural tool designed to ensure the integrity of the assessment. For example, if a provider is established in Ireland but operates data centres in Germany and France, the Irish authority (as the evaluating authority) may request the German and French authorities to collaborate. Their role would be to verify specific local criteria, such as the physical location of the infrastructure, the presence of personnel, or the adherence to local data protection and security standards, which are critical for Union assurance levels 2, 3, and 4.

The 15-Day Response Window: A Strict Deadline

To prevent the collaboration mechanism from becoming a bottleneck in the recognition process, the proposal imposes a rigorous timeline on the requested Member States. Article 17(2) mandates a specific response window: "Within 15 days of receiving such a request, the national authority that has received a request for collaboration shall either provide confirmation that it agrees to collaborate with the evaluating national competent authority or refuse the request."

This 15-day period is calculated from the moment the request is received by the national authority. It is a binary decision: the authority must either agree to collaborate or refuse. The text does not provide for a "partial" agreement or a request for an extension within this specific window. This strict deadline serves two purposes:

1. Efficiency: It ensures that the evaluating authority can proceed with its assessment without indefinite delays caused by administrative inertia in other Member States.
2. Clarity: It forces national authorities to triage requests quickly. A refusal must be explicit. If an authority refuses, the evaluating authority must then decide whether to proceed with the assessment based on the evidence it can gather independently or to seek alternative means of verification.

It is important to note that while the deadline is strict, the proposal does not specify the consequences of a refusal beyond the immediate procedural impact. However, a refusal could complicate the evaluating authority's ability to verify cross-border criteria, potentially leading to a rejection of the application if the evidence is deemed insufficient.

Scope and Nature of Collaboration

The collaboration requested under Article 17(2) is substantive. It is not limited to administrative formalities but extends to the verification of the cumulative criteria set out in Annex II. These criteria include the location of infrastructure and assets, the citizenship of personnel (for levels 2, 3, and 4), and the absence of third-country control.

When a collaborating authority agrees to participate, it effectively becomes a partner in the evidentiary gathering process. It may be asked to:

• Verify the physical location of data centres and assets within its territory.
• Confirm the presence and citizenship status of personnel involved in the service provision.
• Validate that technical and operational support is initiated and performed exclusively within the Union.
• Assess the local implementation of cybersecurity standards and software supply chain measures.

The evaluating authority retains the lead role in synthesising this information and issuing the final recognition decision. However, the input from collaborating authorities forms a critical part of the evidence base. If a collaborating authority identifies a discrepancy or a failure to meet the criteria, it can significantly influence the outcome of the evaluation.

Integration with the Broader Recognition Procedure

The collaboration phase is the first step in a multi-stage recognition process outlined in Article 17. The timeline generally proceeds as follows:

1. Application: The provider submits an application to the evaluating authority.
2. Collaboration Request (if necessary): The evaluating authority may request collaboration from other Member States. The requested states have 15 days to confirm or refuse (Article 17(2)).
3. Assessment: The evaluating authority assesses the evidence, including input from collaborating states. This assessment must be completed within 60 days of accepting the application (Article 17(5)).
4. Draft Decision and EU Review: If the evidence is sufficient, the evaluating authority prepares a draft recognition decision and notifies all other Member States. This triggers a 60-day review period during which any Member State (collaborating or not) can raise a reasoned objection (Article 17(5)(a) and Article 17(6)).
5. Final Decision: If no objection is raised, or if objections are resolved, the evaluating authority adopts the recognition decision, which is then valid across the Union.

The collaboration mechanism under Article 17(2) is distinct from the EU-wide review period. Collaboration is about gathering evidence before the draft decision is made, whereas the review period is about challenging the draft decision once it is proposed.

What this means for you

For cloud computing service providers, legal counsel, and compliance officers, understanding the cross-border collaboration mechanism is essential for managing the recognition timeline and preparing robust evidence.

1. Map Your "Main Establishment" and Infrastructure

Your first step is to definitively identify your "main establishment" as defined in Article 25(4). This determines your evaluating authority. Simultaneously, map all your infrastructure, assets, and personnel locations across the EU. If your operations span multiple Member States, you must anticipate that the evaluating authority will likely invoke Article 17(2) to request collaboration.

2. Prepare for Multi-Jurisdictional Evidence Requests

Do not assume that submitting evidence to your evaluating authority is sufficient. If your infrastructure is distributed, be prepared to provide identical or complementary evidence to any collaborating authority. This includes:

• Infrastructure: Lease agreements, utility bills, and network diagrams proving the location of data centres.
• Personnel: Employment contracts, payroll records, and proof of Union citizenship for staff involved in the service.
• Operations: Records showing that technical support and administrative access are performed exclusively within the Union.

Delays in providing this evidence to a collaborating state can stall the entire process, as the evaluating authority cannot complete its 60-day assessment without it.

3. Monitor the 15-Day Authority Deadline

While the 15-day deadline in Article 17(2) applies to the national authorities, not the provider, it is a critical internal clock. If you anticipate that your infrastructure requires cross-border verification, engage early with your evaluating authority to ensure the collaboration request is triggered immediately upon application submission. This gives the collaborating authorities the maximum time to respond within their 15-day window, preventing bottlenecks.

4. Ensure Consistency Across Jurisdictions

The information you provide to the evaluating authority must be consistent with any information provided to collaborating authorities. Discrepancies can lead to:

• Refusal of Collaboration: If a collaborating authority finds your evidence contradictory, it may refuse to collaborate or report the inconsistency.
• Reasoned Objections: During the subsequent 60-day EU review period, any Member State can raise an objection if they believe the draft decision does not comply with the criteria (Article 17(6)).
• Revocation: If incorrect or misleading information is supplied intentionally or negligently, the evaluating authority may revoke the recognition under Article 17(11).

5. Strategic Engagement for Complex Structures

For providers with complex multi-national structures, consider proactively informing the evaluating authority of the specific jurisdictions that will need to collaborate. This demonstrates transparency and can help streamline the process. It also allows you to prepare the relevant local authorities in advance, ensuring they are ready to respond within the 15-day window.

Common misconceptions

Misconception 1: The evaluating authority acts alone. Many providers assume that once they submit their application to the Member State of their main establishment, only that authority matters. In reality, Article 17(2) explicitly allows and encourages collaboration with other Member States. Ignoring this can lead to incomplete assessments or delays if the evaluating authority later realises it needs input from another jurisdiction to verify local criteria.

Misconception 2: Collaborating states have veto power. A collaborating state does not have a veto over the final recognition decision. Its role is to provide input and evidence. The final decision rests with the evaluating authority, subject to the EU-wide objection process. However, a refusal to collaborate or negative input from a collaborating state can complicate the evaluating authority's ability to issue a positive decision, as it may lack the necessary evidence to confirm compliance.

Misconception 3: The 15-day deadline is for the provider to respond. The 15-day deadline in Article 17(2) applies strictly to the national authority receiving the collaboration request. It is not a deadline for the cloud provider. However, providers should be aware that this short window means the evaluating authority will move quickly to gather necessary cross-border evidence. If you are slow to provide evidence to a collaborating authority, you risk the evaluating authority proceeding with incomplete information.

Misconception 4: Collaboration is optional for the evaluating authority. While Article 17(2) states the evaluating authority "may" request collaboration, in practice, for any multi-national provider, collaboration is likely "necessary" to verify compliance with infrastructure and data localisation criteria. Failing to request collaboration when needed could expose the evaluating authority to criticism or objections from other Member States during the review phase, potentially jeopardising the recognition.

Related

• CADA Recognition Disputes: What Happens When a Member State Objects?
• CADA Recognition Clock: How Long Can the Assessment Be Suspended?
• Can the Commission request information during CADA recognition?
• Can the Commission overrule a CADA recognition dispute?
• Can a provider appeal a refused CADA recognition?

This is general information about a draft EU regulation, not legal advice.