Summary No, cloud service providers do not apply directly to be listed in the Cloud and AI Development Act (CADA) central repository. As proposed in COM(2026) 502 final, the European Commission establishes and maintains the repository, but the legal duty to register a service lies exclusively with the national competent authority of establishment. Listing is an automatic administrative consequence of successfully completing the recognition process under Article 17; it is not a separate application step. Providers must secure recognition first; the repository entry follows as a mandatory duty of the national authority under Article 22(2).
Detail
The proposed Cloud and AI Development Act (CADA) establishes a harmonised framework to enhance the transparency and trustworthiness of cloud computing services within the EU single market. A cornerstone of this framework is the "central repository of cloud computing services," designed to serve as a single source of truth for public sector bodies and Union entities seeking to procure sovereign cloud services.
However, a critical administrative distinction exists between the recognition of a service and its listing in the repository. Many providers mistakenly believe they must submit a separate application to the European Commission to appear on this list. The text of the proposal clarifies that this is not the case. The pathway to the repository is strictly sequential, national-centric, and automatic upon successful recognition.
The Gateway: Recognition under Article 17
The absolute prerequisite for any cloud computing service to appear in the central repository is formal recognition as offering a specific Union assurance level (Level 1, 2, 3, or 4). This recognition process is governed entirely by Article 17 of the proposal.
Under Article 17(1), a cloud computing service provider that aims to be recognised must submit an application for recognition to the national competent authority of establishment. This authority is defined as the competent authority in the Member State where the provider has its main establishment (i.e., its head office or registered office from which principal financial functions and operational control are exercised).
The process is tiered based on the assurance level sought:
- For Union Assurance Level 1: The provider submits an EU statement of conformity (based on a self-assessment) and all necessary evidence to the national competent authority. Notably, for SMEs, this statement is directly and automatically recognised in all Member States without prior national evaluation, though the authority still oversees the process.
- For Union Assurance Levels 2, 3, and 4: The provider must submit an audit report, a "positive" audit opinion from an independent auditing organisation, and all evidence provided during the audit procedure.
Once the application is accepted, the evaluating national competent authority has 60 days to assess the evidence. If satisfied, it prepares a draft recognition decision and notifies the competent authorities of other Member States for a 60-day review period. If no reasoned objections are raised within this period, the recognition is deemed accepted by all Member States, and the evaluating authority adopts the final recognition decision.
Crucially, Article 17 is the only gateway. Without a valid recognition decision issued by a national competent authority, a service has no legal standing to be entered into the central repository.
Automatic Registration: The Role of Article 22(2)
Once the recognition process under Article 17 is successfully concluded, the service enters the repository. However, the provider does not trigger this entry. The mechanism is defined in Article 22, titled "Central repository of cloud computing services."
Article 22(1) establishes that the Commission shall establish and maintain the dedicated repository. However, the specific act of registration is delegated to the national level. Article 22(2) explicitly states:
"The national competent authority of establishment that recognised a cloud computing service under Article 17 shall register the cloud computing service in the central repository."
This provision creates a mandatory legal obligation for the national authority, not the provider. The verb "shall" indicates that registration is automatic and compulsory once recognition is granted. The provider has no direct interface with the Commission for the purpose of listing. The national authority acts as the sole conduit, transferring the data from the national recognition decision to the EU-wide repository.
Furthermore, Article 22(3) mandates that any revocation of an audit report, audit opinion, or recognition must also be published in the central repository and remain available there for five years. This ensures the repository remains a dynamic and accurate reflection of the current compliance status of services across the Union.
The Commission's Role vs. The National Authority's Role
It is vital to distinguish the roles of the actors involved:
- The Provider: Submits evidence and applications only to the national competent authority of establishment.
- The National Competent Authority: Evaluates the application, issues the recognition decision, and automatically registers the service in the repository under Article 22(2).
- The Commission: Establishes the technical infrastructure of the repository, maintains the website, and ensures it is publicly available and regularly updated (Article 22(4)). The Commission does not evaluate individual applications for listing.
This structure ensures that the repository is a direct reflection of national enforcement actions, maintaining the principle of subsidiarity while achieving EU-wide transparency.
What this means for you
For cloud service providers, data centre operators, and their legal counsel, understanding this administrative architecture is essential for compliance strategy and resource planning.
1. Your Primary Interface is National, Not EU
Your compliance efforts must be directed at the national competent authority of establishment in your Member State. You do not need to prepare a separate dossier for the European Commission. Your timeline for "getting listed" is entirely dependent on the speed and procedures of your national authority's recognition process under Article 17.
2. Listing is a Consequence, Not a Goal
Do not treat the repository as a separate certification scheme. You cannot "apply to be listed." Listing is the administrative by-product of a successful recognition. If your application under Article 17 is rejected or delayed, you will not appear in the repository. Conversely, once you are recognised, you do not need to take further action to appear; the national authority is legally bound to register you.
3. Prepare for the "Positive" Audit Opinion
For providers seeking Levels 2, 3, or 4, the bottleneck is the independent audit. You must secure a "positive" audit opinion from an auditing organisation that meets the independence and competence criteria of Article 20. Without this specific opinion, the national authority cannot issue a recognition decision, and thus cannot register you in the repository.
4. Monitor the Repository for Accuracy
While you do not control the listing process, you should monitor the central repository once it is operational. Since the national authority is responsible for the data entry, errors can occur. If your service is listed incorrectly (e.g., wrong assurance level or missing details), you must engage with your national competent authority to correct the record, as the Commission will not accept direct corrections from providers.
5. Transparency Obligations Remain with You
Although you do not apply to the repository, you retain active obligations under Article 23. If you become aware of any material change in circumstances that may affect your recognition (e.g., a change in ownership, a new third-country control risk, or a breach of cybersecurity standards), you must notify the auditing organisation and the national competent authority immediately. This notification may trigger a reassessment and, potentially, a revocation of your listing in the repository.
Common misconceptions
"I can apply directly to the Commission to be listed in the CADA repository."
- Reality: This is incorrect. The Commission maintains the repository but does not accept applications for listing. All applications for recognition must be submitted to the national competent authority of establishment under Article 17. Listing is automatic upon recognition.
"Listing in the repository is optional if I am recognised."
- Reality: No. Article 22(2) uses the mandatory language "shall register." Once a national competent authority recognises a service, it is legally obligated to register it in the central repository. There is no opt-out mechanism for recognised providers.
"The repository is a marketing platform I can update myself."
- Reality: The repository is a regulatory transparency tool, not a marketing directory. Providers cannot edit their own listings. All data is populated by the national competent authority based on the official recognition decision. Any updates or revocations are also managed by the authorities.
"If I am an SME, I don't need to go through the national authority."
- Reality: Even for SMEs seeking Level 1 recognition, where the EU statement of conformity is automatically recognised across the Union, the process still involves the national competent authority. The authority is the entity that registers the service in the repository under Article 22(2), even if the evaluation step is streamlined.
Related
- How does a cloud provider get listed in the CADA central repository?
- CADA Central Repository: What it means for a cloud provider to be listed
- CADA Central Repository Fee: Is there a cost to be listed?
- How does a cloud service get listed in the CADA central repository?
- CADA Procurement: Can a buyer rely on the repository when a service is not listed?
This is general information about a draft EU regulation, not legal advice.