Summary

Under the proposed Cloud and AI Development Act (CADA), cloud service providers seeking Union Assurance Level 1 must conduct a conformity self-assessment under Article 19, supported by an EU statement of conformity. While Gaia-X labels are not automatically equivalent to CADA recognition, the evidence generated during Gaia-X conformity processes can serve as supporting documentation for this self-assessment. However, for Union Assurance Levels 2, 3, and 4, providers must undergo independent third-party audits under Article 20; Gaia-X labels alone cannot substitute for these mandatory audits. The CADA framework explicitly distinguishes between self-declaration for the baseline level and third-party verification for higher sovereignty tiers.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised Union cloud computing sovereignty framework to mitigate risks associated with dependence on third-country providers. This framework is structured around four "Union assurance levels" (Levels 1–4), each with increasing stringency regarding data localisation, personnel citizenship, cybersecurity certification, and freedom from third-country control.

The mechanism for demonstrating compliance differs fundamentally between Level 1 and Levels 2–4. This distinction creates two distinct pathways for providers, particularly those already engaged with existing European trust frameworks like Gaia-X.

Self-Assessment for Union Assurance Level 1

For providers targeting Union Assurance Level 1, CADA establishes a self-assessment regime. Article 16 sets out the scope of the sovereignty framework, mandating that providers meet specific cumulative criteria outlined in Annex II. These criteria generally require that the provider is established in the Union, that infrastructure and assets remain in the Union (unless the public sector body explicitly requires otherwise), and that customer data remains exclusively within the Union.

Article 19, titled "Conformity self-assessment," details the specific process for Level 1. Providers seeking recognition must carry out a conformity self-assessment of compliance with the Level 1 criteria. Following this assessment, the provider issues an "EU statement of conformity," explicitly assuming responsibility for the compliance of the cloud computing service with the criteria set out in Annex II. This statement must be made publicly available.

This is where Gaia-X labels may intersect with CADA compliance. Gaia-X is a European initiative that has developed a Trust Framework and a Conformity Programme. Providers who have already undergone Gaia-X conformity assessments have likely generated substantial documentation regarding their data residency, security measures, and subcontractor oversight. While a Gaia-X label is not a CADA legal instrument, the evidence compiled to achieve Gaia-X conformity (such as data flow diagrams, security policies, and subcontractor due diligence records) can be repurposed as supporting evidence for the CADA Level 1 self-assessment.

This approach reduces the administrative burden of creating new documentation from scratch, allowing providers to map existing Gaia-X artefacts to the CADA Annex II Level 1 criteria. For instance, Gaia-X requirements regarding data sovereignty and transparency often align closely with CADA Level 1 criteria (a) through (g) of Annex II.

However, it is crucial to note that the self-assessment under CADA is a statutory obligation with specific legal consequences. The EU statement of conformity under Article 19 carries legal liability. Therefore, while Gaia-X evidence is useful, the provider must explicitly verify that their operations meet the precise wording of CADA Annex II, which may differ in specific technical or legal nuances from Gaia-X requirements. The provider remains solely responsible for the accuracy of the statement.

Independent Audits for Union Assurance Levels 2–4

For providers seeking Union Assurance Levels 2, 3, or 4, the self-assessment route is closed. Article 20, titled "Independent audit," mandates independent third-party audits for these higher tiers. Providers must undergo independent third-party audits to obtain an audit report and an audit opinion from an auditing organisation.

The criteria for Levels 2–4 are significantly more stringent. For example:

  • Level 2 requires that the audited provider and its subcontractors are established in the Union, and that infrastructure, assets, and personnel are located in the Union. It also requires a European cybersecurity certificate of at least assurance level 'substantial' under a European cybersecurity certification scheme (or national equivalents if the Union scheme is not yet available).
  • Level 3 adds requirements for personnel to be Union citizens (conditional on public sector body requirements) and maintains the 'substantial' cybersecurity certification.
  • Level 4 requires personnel to be Union citizens (mandatory) and a European cybersecurity certificate of at least assurance level 'high'.

Crucially, Article 20 specifies that audits must be performed by organisations that are independent, have no conflicts of interest, and possess proven expertise. The audit report must include a 'positive' or 'negative' opinion based on audit evidence.

In this context, Gaia-X labels hold limited direct value for compliance. A Gaia-X label, which is often based on self-declaration or limited third-party verification depending on the specific label type, cannot satisfy the rigorous independent audit requirement of Article 20. The CADA framework explicitly requires a formal audit opinion from a recognised auditing organisation. While a Gaia-X conformant provider may find it easier to pass a CADA audit because of its existing mature security and governance practices, the Gaia-X label itself does not exempt it from the Article 20 audit process. The auditing organisation will still need to collect specific audit evidence as defined in Annex III of CADA, which may go beyond what was required for Gaia-X conformity.

The Role of Evidence and Documentation

The distinction between self-assessment and audit hinges on the type of evidence required. For Level 1, the provider relies on its own internal controls and documentation. For Levels 2–4, the evidence must be verified by an independent third party.

CADA Annex III outlines "Audit evidence for the audit procedure," specifying that auditing organisations should request evidence such as location details of infrastructure, asset registers, personnel employment contracts, and data flow diagrams. Providers who have already assembled this documentation for Gaia-X conformity will have a head start. They can present these existing documents to the CADA auditing organisation, potentially streamlining the audit process. However, the auditor will still need to verify that this evidence meets the specific CADA criteria, which may include additional requirements not present in the Gaia-X framework, such as specific checks on third-country control or detailed software supply chain measures (SBOMs).

Furthermore, Article 22 establishes a central repository of cloud computing services recognised under the CADA framework. Only after successful self-assessment (Level 1) or independent audit (Levels 2–4) and subsequent recognition by the national competent authority can a service be listed in this repository. Gaia-X labels do not grant entry into this repository; only CADA recognition does.

What this means for you

For cloud service providers and data centre operators, the relationship between Gaia-X and CADA requires a strategic approach to compliance documentation.

  1. For Level 1 Providers: If you are targeting Union Assurance Level 1, leverage your existing Gaia-X conformity documentation. Map your Gaia-X evidence (data residency proofs, security policies, subcontractor agreements) directly to the CADA Annex II Level 1 criteria. Use this mapped evidence to support your internal self-assessment and the issuance of your EU statement of conformity under Article 19. Ensure that any gaps between Gaia-X requirements and CADA criteria are explicitly addressed in your self-assessment report.

  2. For Level 2–4 Providers: If you are targeting higher assurance levels, do not rely on Gaia-X labels as a substitute for compliance. You must engage an independent auditing organisation to conduct an audit under Article 20. However, you can use your Gaia-X conformity status as a quality indicator when selecting an auditor and when preparing for the audit. Provide your Gaia-X documentation as a baseline, but be prepared for the auditor to request additional evidence specific to CADA, such as detailed software bills of materials (SBOMs) or specific checks on third-country control mechanisms.

  3. Documentation Management: Maintain a centralised repository of compliance evidence that is flexible enough to serve both Gaia-X and CADA requirements. This includes up-to-date data flow diagrams, asset registers, personnel location records, and cybersecurity certifications. This dual-use documentation strategy will reduce the cost and time associated with achieving CADA recognition, regardless of the assurance level.

  4. Recognition Process: Remember that self-assessment or audit is only the first step. You must submit your evidence (EU statement of conformity for Level 1, or audit report and opinion for Levels 2–4) to the national competent authority of establishment for recognition under Article 17. Only after this recognition is granted will your service be listed in the CADA central repository, making it eligible for procurement by public sector bodies.

Common misconceptions

Misconception 1: A Gaia-X label is equivalent to CADA Union Assurance Level 1. This is incorrect. While Gaia-X and CADA share similar goals of sovereignty and trust, they are distinct legal and technical frameworks. A Gaia-X label does not automatically confer CADA Level 1 status. Providers must still conduct the formal self-assessment and issue the EU statement of conformity under CADA Article 19. The Gaia-X label can support this process, but it is not a legal substitute.

Misconception 2: CADA self-assessment applies to all assurance levels. This is incorrect. Self-assessment under Article 19 is strictly limited to Union Assurance Level 1. For Levels 2, 3, and 4, CADA Article 20 mandates independent third-party audits. Providers cannot self-certify for these higher levels, regardless of their Gaia-X status or internal maturity.

Misconception 3: Gaia-X conformity exempts providers from CADA audits. This is incorrect. Even if a provider is fully Gaia-X conformant, they must still undergo the independent audit process required by CADA for Levels 2–4. The CADA auditing organisation will perform its own verification based on CADA-specific criteria and evidence requirements (Annex III). Gaia-X conformity may make the audit smoother, but it does not remove the obligation to be audited.

Misconception 4: CADA recognition is automatic upon self-assessment or audit. This is incorrect. Under Article 17, providers must submit their self-assessment or audit results to the national competent authority for formal recognition. The competent authority may request further information or reject the application. Recognition is a formal administrative act, not an automatic consequence of completing the assessment or audit.

This is general information about a draft EU regulation, not legal advice.