Summary

Yes, as proposed, the European Commission would have the power to amend the specific technical and legal criteria for the four Union assurance levels (levels 1–4) through delegated acts. Under Article 16(2) of the Cloud and AI Development Act (CADA), the Commission is empowered to update the criteria set out in Annex II, as well as the associated audit evidence requirements in Annex III. This authority is exercised under the strict conditions laid down in Article 45, ensuring the sovereignty framework can adapt to rapid technological and legal developments without requiring a full legislative revision. Crucially, Article 16(3) mandates that the Commission review these annexes at least every 18 months to ensure they remain current.

Detail

The CADA proposal establishes a "Union cloud computing sovereignty framework" designed to mitigate risks associated with dependence on third-country providers and to safeguard the Union's public order. Central to this framework are four "Union assurance levels" (levels 1, 2, 3, and 4), which define increasingly strict cumulative requirements for cloud computing service providers seeking to serve Union entities and public sector bodies. These criteria, covering aspects such as data localisation, personnel citizenship, cybersecurity certification, and third-country control, are detailed in Annex II of the proposal.

Because technology, cybersecurity threats, and geopolitical risks evolve rapidly, the static text of a regulation risks becoming outdated. To address this, the proposal grants the Commission specific legislative powers to update these standards dynamically.

Legal Basis for Amendments: Article 16(2)

Article 16(2) explicitly confers the power to amend the framework's core components:

"The Commission is empowered to adopt delegated acts in accordance with Article 45 to amend the Union assurance levels set out in Annex II and the evidence set out in Annex III."

This provision allows the Commission to modify two distinct but interconnected elements:

  1. The Criteria (Annex II): The substantive requirements that cloud providers must meet to achieve a specific assurance level. For example, the Commission could update cybersecurity certification requirements if a new European cybersecurity certification scheme (such as the EUCS) is established, or adjust data localisation rules in response to new legal precedents or market realities.
  2. The Audit Evidence (Annex III): The specific documentation and proof that auditing organisations must request to verify compliance. As audit methodologies, digital forensics, and technical standards evolve, the Commission can update what constitutes sufficient "audit evidence" without changing the underlying legal obligations in the main text of the Regulation.

Procedural Safeguards: Article 45

The power to adopt these delegated acts is not unlimited; it is subject to the conditions laid down in Article 45 of the proposal. These safeguards ensure democratic oversight and technical robustness:

  • Expert Consultation: Before adopting a delegated act, the Commission must consult experts designated by each Member State, in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making. This ensures that national technical and legal expertise informs the updates.
  • Parliamentary and Council Scrutiny: Once adopted, the delegated act is notified simultaneously to the European Parliament and the Council. It enters into force only if no objection is expressed by either body within a period of two months of notification. This period may be extended by three months at the initiative of either the Parliament or the Council.
  • Revocation: The European Parliament or the Council may revoke the delegation of power at any time. A decision to revoke puts an end to the delegation specified in that decision, though it does not affect the validity of any delegated acts already in force.

The Mandatory 18-Month Review Cycle

To ensure the framework remains fit for purpose and does not stagnate, Article 16(3) imposes a mandatory review obligation on the Commission:

"To ensure Annex II and Annex III remain up to date with new legal or technical developments, the Commission shall review them at least every 18 months."

This regular review cycle is a critical governance mechanism. It ensures that the assurance levels reflect the current state of the art in cloud security, the status of European cybersecurity certifications, and international legal developments. It provides a predictable timeline for potential updates, allowing industry stakeholders, national competent authorities, and auditing organisations to anticipate changes and prepare accordingly.

What this means for you

For in-house counsel, compliance officers, and cloud service providers, the ability of the Commission to amend assurance criteria via delegated act has significant implications for long-term compliance strategy:

  • Dynamic Compliance Obligations: You cannot rely on a static compliance checklist. The requirements to achieve Union assurance levels 2, 3, or 4 are subject to change. Your compliance program must be agile enough to adapt to updates in Annex II and Annex III. A service recognised today might face new evidence requirements tomorrow.
  • Monitoring the Official Journal: Since delegated acts are legally binding and directly applicable, you must monitor the Official Journal of the European Union for their publication. The entry into force of a new delegated act will immediately update the criteria you must meet to maintain your recognised assurance level.
  • Audit Readiness: As the Commission updates Annex III (audit evidence), the specific documentation you must provide to auditing organisations may change. Ensure your data governance, record-keeping, and technical logging systems are robust enough to generate the required evidence for independent third-party audits at any time.
  • Strategic Planning and Engagement: The 18-month review cycle provides a window for industry feedback. Engage with industry associations and national competent authorities during these review periods to influence the development of future criteria, ensuring they are technically feasible, proportionate, and aligned with market realities.

Common misconceptions

  • "The Commission can change the law overnight." Incorrect. While delegated acts allow for quicker updates than full legislative procedures, they are subject to strict procedural safeguards under Article 45, including mandatory consultation with Member State experts and a two-month (extendable to five months) scrutiny period by the European Parliament and the Council.
  • "Only technical criteria can be changed." Incorrect. Article 16(2) allows amendments to the Union assurance levels in Annex II, which include legal and organisational criteria (e.g., third-country control, personnel citizenship requirements, and data localisation rules), not just technical specifications.
  • "Member States can set their own assurance levels." Incorrect. The framework is harmonised at the Union level. While Member States conduct risk assessments to determine which level is required for specific public sector activities (under Article 29), the criteria defining those levels are set centrally in Annex II and can only be amended by the Commission via delegated act.
  • "The review is optional." Incorrect. Article 16(3) uses the mandatory verb "shall": the Commission must review the annexes at least every 18 months.

This is general information about a draft EU regulation, not legal advice.