Summary
Yes, under the proposed Cloud and AI Development Act (CADA), the European Commission would have the power to update the Union assurance levels and their associated criteria after the regulation enters into force. Specifically, Article 16(2) empowers the Commission to adopt delegated acts to amend Annex II (the criteria for the four sovereignty tiers) and Annex III (the audit evidence required). This mechanism is designed to ensure the sovereignty framework remains aligned with evolving technological and legal developments, as explicitly stated in Recital 85. Cloud service providers must therefore design their services with flexibility, as the requirements to maintain their assurance level recognition could change through secondary legislation without a full revision of the primary law.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a harmonised Union cloud computing sovereignty framework comprising four distinct assurance levels. These levels are designed to mitigate risks associated with dependence on third-country providers, ensuring that public sector bodies and Union entities can procure cloud services that safeguard public order, data confidentiality, and operational autonomy. The specific cumulative criteria that a cloud computing service provider must meet to be recognised at each of these levels are set out in Annex II of the proposal.
However, the proposal recognises that the cloud and AI landscape is dynamic. Technological capabilities, cybersecurity threats, and legal frameworks evolve rapidly. A static set of criteria would risk becoming obsolete quickly, potentially creating gaps in sovereignty protection or imposing disproportionate burdens on providers using emerging technologies. To address this, CADA includes a specific mechanism for updating the assurance level criteria without requiring a full legislative revision of the regulation itself.
The Legal Basis for Updates
The primary legal instrument for updating the assurance levels is found in Article 16(2) of the proposal. This article states:
"The Commission is empowered to adopt delegated acts in accordance with Article 45 to amend the Union assurance levels set out in Annex II and the evidence set out in Annex III."
This provision grants the Commission the authority to modify the technical requirements of Annex II through delegated acts. Delegated acts are a form of secondary legislation that allows the Commission to supplement or amend non-essential elements of a legislative act, provided it acts within the limits of the delegation of power conferred by the European Parliament and the Council.
The scope of this power is significant. It covers not only the criteria in Annex II but also the audit evidence listed in Annex III, which auditing organisations use to verify compliance. This means the Commission can adjust both the rules providers must follow and the proof they must provide to auditors.
Why the Criteria Need to Evolve
The necessity for this adaptive framework is explicitly outlined in Recital 85 of the proposal. The recital states that the power to adopt delegated acts is conferred on the Commission to amend Annex II "to update the criteria for Union assurance levels" in order to "take account of technological development and maintain an efficient framework of measures for strengthening the cloud and AI ecosystem at Union level."
The rationale is twofold:
- Technological Development: As cloud architectures, encryption standards, and AI integration methods evolve, the technical measures required to ensure sovereignty (such as specific cybersecurity certifications or data localisation protocols) may need to be updated. For example, if a new, more secure method of data encryption becomes the industry standard, the Commission could update Annex II to require this standard for higher assurance levels.
- Legal Developments: The proposal references the need to keep Annex II and Annex III up to date with "new legal or technical developments." This ensures that the sovereignty framework remains consistent with other EU legislation, such as updates to the GDPR, the NIS2 Directive, or the Cybersecurity Act.
The Process for Updating and Review
The adoption of delegated acts is not unilateral. Under Article 45, the Commission must consult experts designated by each Member State before adopting a delegated act. Furthermore, the European Parliament and the Council have the right to revoke the delegation of power or object to the adopted act within a specified period (typically two months, extendable by three). This political oversight ensures that significant changes to the sovereignty criteria are scrutinised by democratically elected bodies.
Additionally, Article 16(3) imposes a proactive review obligation on the Commission. It states:
"To ensure Annex II and Annex III remain up to date with new legal or technical developments, the Commission shall review them at least every 18 months."
This mandatory review cycle ensures that the criteria are not left stagnant. The Commission must regularly assess whether the current criteria in Annex II still effectively serve the objective of safeguarding Union public order and technological sovereignty.
Implications for the Assurance Levels
The four assurance levels (Level 1 through Level 4) represent a gradient of sovereignty, with Level 1 being the baseline and Level 4 representing the highest level of assurance, often required for classified information or critical infrastructure.
- Level 1: Primarily relies on self-assessment and basic establishment criteria.
- Levels 2, 3, and 4: Require independent third-party audits and increasingly strict criteria regarding personnel citizenship, infrastructure location, and absence of third-country control.
Updates via delegated acts could affect any of these levels. For instance, the Commission might tighten the requirements for Level 3 to ensure that providers subject to third-country control can only qualify if they meet enhanced separation measures. Alternatively, it might streamline Level 1 criteria to encourage broader adoption of sovereign services by smaller EU providers.
What this means for you
For cloud service providers and data centre operators aiming to obtain or maintain recognition under the CADA sovereignty framework, the ability of the Commission to update Annex II has several practical implications:
1. Design for Flexibility
Providers should not build their compliance programmes as static, one-time projects. Because the criteria in Annex II can change, your technical architecture and governance processes must be adaptable. For example, if you currently meet Level 2 criteria by using a specific national cybersecurity certification, you should monitor whether the Commission might update Annex II to require the European Cybersecurity Certification Scheme (EUCS) once it is fully established. Your contracts with subcontractors and your internal security policies should allow for such pivots.
2. Monitor Delegated Acts
You must actively track the legislative process for delegated acts under Article 16(2). Since the Commission is required to review Annex II every 18 months, there will be regular opportunities for changes. Subscribing to updates from the European Commission's Directorate-General for Communications Networks, Content and Technology (CNECT) and monitoring the Official Journal for published delegated acts is essential. Early awareness of proposed changes allows you to prepare your audit evidence (Annex III) in advance.
3. Audit Readiness
Since Article 16(2) also empowers the Commission to amend Annex III (audit evidence), the proof you must provide to auditing organisations may change. Auditing organisations will need to align their methodologies with these updates. Providers should maintain open lines of communication with their chosen auditors to ensure that any new evidence requirements can be met efficiently during the annual review or initial audit process.
4. Impact on Public Sector Contracts
Public sector bodies will base their procurement requirements on the assurance levels defined in Annex II. If the Commission updates these levels, the requirements for public tenders will shift accordingly. Providers relying on a specific tier (e.g., Level 2) for a portfolio of government contracts must ensure they can meet any new criteria that might be introduced for that tier. Failure to adapt could result in the loss of recognition, thereby disqualifying you from future public procurement opportunities that mandate that assurance level.
5. Third-Country Control Considerations
For providers subject to third-country control, the criteria in Annex II are particularly sensitive. Recital 61 and the criteria in Annex II for Levels 3 and 4 include derogations for third-country controlled providers if specific safeguards are in place. The Commission's updates may refine these safeguards. Providers in this category should pay close attention to how delegated acts might alter the conditions under which they can still qualify for higher assurance levels, particularly regarding the prevention of unauthorised access and service disruption.
Common misconceptions
Misconception 1: The assurance levels are fixed for the lifetime of the regulation. Some providers assume that once they meet the criteria in Annex II as published in the proposal, they are compliant permanently. This is incorrect. The proposal explicitly empowers the Commission to amend these criteria. Compliance is an ongoing process that requires adaptation to secondary legislation.
Misconception 2: Only the technical criteria change, not the audit evidence. Article 16(2) explicitly states that the Commission can amend both Annex II (criteria) and Annex III (evidence). Therefore, not only might the rules change, but the documentation and proof required to demonstrate compliance will also evolve. Providers cannot assume that their current audit trail will remain sufficient.
Misconception 3: Updates require a new law passed by Parliament and Council. Because the Commission uses delegated acts, updates to the assurance levels do not require the full ordinary legislative procedure. This means changes can be implemented more quickly and frequently than if each adjustment required a new regulation. However, this speed comes with the caveat that providers must be agile in their compliance strategies.
Misconception 4: The Commission can change the four-tier structure itself. While the Commission can amend the criteria for the levels, the fundamental structure of four Union assurance levels is established in Article 16(1). Significant structural changes, such as adding a fifth level or removing a tier, would likely require an amendment to the regulation itself, not just a delegated act. The delegated acts are intended for updating the content of the criteria to reflect technological and legal developments, not for redesigning the entire framework.
This is general information about a draft EU regulation, not legal advice.