Summary
Under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider that issues an EU statement of conformity via the self-assessment route for Union assurance level 1 assumes full legal responsibility for the compliance of its service with the relevant criteria. This is not a passive administrative step; it is a binding legal assertion. As proposed in Article 19(2), the act of issuing the statement explicitly binds the provider to the accuracy of their claims. Consequently, providers face severe consequences for non-compliance, including the revocation of recognition for supplying "incorrect or misleading information," the imposition of effective, proportionate and dissuasive penalties by Member States, and a statutory right for customers to seek compensation for damages suffered due to such infringements.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a tiered sovereignty framework for cloud computing services known as Union assurance levels. For the entry-level tier, Union assurance level 1, the proposal deliberately opts for a conformity self-assessment mechanism rather than mandating a costly third-party audit. This design choice aims to lower barriers to entry for smaller and medium-sized enterprises (SMEs) while establishing a baseline of trust across the single market. However, the procedural simplicity of self-assessment does not equate to a reduction in accountability. On the contrary, the proposal places the entire weight of legal liability on the provider's declaration.
The Legal Weight of the Self-Assessment
Article 19 of the CADA proposal outlines the specific procedure for conformity self-assessment. Providers seeking recognition at Union assurance level 1 must first conduct an internal assessment of their compliance with the cumulative criteria set out in Annex II of the regulation. These criteria cover establishment in the Union, location of infrastructure and data, subcontractor governance, cybersecurity standards, and transparency regarding third-country control.
Following this internal review, the provider must issue an "EU statement of conformity." The critical legal provision governing the consequences of this act is found in Article 19(2), which states:
"Following the self-assessment referred to in paragraph 1, the cloud computing service provider shall issue an EU statement of conformity stating that compliance with the criteria for Union assurance level 1 have been demonstrated. By issuing such a statement, the cloud computing service provider shall assume responsibility for the compliance of the cloud computing service with the criteria for Union assurance level 1 set out in Annex II."
This clause is the cornerstone of the self-assessment regime. By issuing the statement, the provider is not merely reporting a status or filing a form; it is making a formal, legally binding assertion of fact. The phrase "assume responsibility" creates a direct liability link between the provider and the regulatory framework. If the service is later found not to meet the criteria for Union assurance level 1—whether due to infrastructure located outside the Union, data residency failures, or inadequate subcontractor oversight—the provider is in breach of the regulation. Crucially, this liability attaches regardless of whether the breach was intentional or the result of negligence, as the provider has staked their legal standing on the accuracy of their own declaration.
Consequences of Non-Compliance and Misleading Information
The assumption of responsibility under Article 19(2) triggers a cascade of tangible legal and commercial consequences. Because the provider is the sole guarantor of compliance for level 1, they become the primary target for enforcement actions if that compliance is later found to be false.
1. Revocation of Recognition
The most immediate administrative consequence is the loss of status. Under Article 17(11), the evaluating national competent authority is empowered to revoke its recognition if it finds that the cloud computing service provider "intentionally or negligently, supplied incorrect or misleading information." Since the EU statement of conformity is the foundational evidence submitted for level 1 recognition, a false statement directly triggers this revocation clause. Once revoked, the service loses its Union assurance status, potentially disqualifying it from public procurement contracts that mandate level 1 or higher.
2. Financial Penalties
Beyond administrative sanctions, providers face significant financial risks. Article 24 mandates that Member States lay down rules on penalties applicable to infringements of the sovereignty chapter. These penalties must be "effective, proportionate and dissuasive." When calculating fines, authorities are required to consider non-exhaustive criteria including the nature, gravity, scale and duration of the infringement, any financial benefits gained by the infringing party, and the provider's annual turnover in the preceding financial year. A false self-assessment that allows a non-compliant provider to secure public contracts would likely be considered a serious infringement, potentially resulting in substantial fines.
3. Right to Compensation
Perhaps the most significant commercial risk arises from Article 24(3), which establishes a private right of action. It states that recipients of the cloud computing services "shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter." If a public sector body relies on a false EU statement of conformity and subsequently suffers data breaches, operational disruptions, or legal liabilities due to the provider's lack of sovereignty compliance, the provider can be held financially liable for those damages. This creates a direct tort-like liability where the provider's self-assessment error translates into civil damages.
Transparency and Ongoing Obligations
The responsibility assumed in Article 19(2) is not a one-time event at the point of issuance; it is a continuous obligation. Article 23 imposes strict transparency obligations on recognized providers. If a provider becomes aware of any information or "material change in circumstances that may affect the audit report and the 'positive' opinion" (or in the case of level 1, the conformity statement), they must notify the national competent authority "as soon as possible."
Failure to report such changes can be construed as supplying misleading information, effectively retroactively invalidating the original statement and triggering the revocation and penalty mechanisms described above. Furthermore, while level 1 allows for self-assessment, providers subject to the control of a third country face specific, high-stakes criteria. Annex II, point 1.1(g) requires that such providers guarantee that no existing laws in the controlling third country require them to report software vulnerabilities to third-country authorities before those vulnerabilities are known to be exploited. A provider issuing a statement of conformity while ignoring this criterion is assuming responsibility for a claim that may be difficult to verify, significantly increasing their legal exposure.
What this means for you
For in-house counsel, compliance officers, and general counsels, the self-assessment route under CADA is not a "free pass" or a low-risk alternative to auditing. It shifts the entire burden of proof and legal risk onto your organization. You must treat the EU statement of conformity with the same rigor as a certified audit report, despite the lack of external sign-off.
- Document Everything: Since there is no third-party auditor to witness your process, your internal documentation is your only defense. You must maintain comprehensive, auditable records demonstrating exactly how you verified compliance with every criterion in Annex II for level 1. This includes evidence of data localization, subcontractor due diligence, cybersecurity measures, and legal analysis of third-country control.
- Review Governance Structures: Ensure that the individual or body signing the EU statement of conformity has the explicit authority and technical expertise to make such a legal assertion. The assumption of responsibility is personal to the entity issuing the statement; a lack of internal expertise cannot be used as a defense against a claim of misleading information.
- Monitor for Changes: Implement a continuous monitoring system to detect any changes in your infrastructure, subcontracting arrangements, or the legal environment of controlling third countries that could invalidate your self-assessment. Under Article 23, you must report these changes immediately to avoid being flagged for supplying misleading information.
- Assess Third-Country Control: If your organization (the provider issuing the statement) is controlled by a third-country entity, conduct a thorough, up-to-date legal analysis of the controlling jurisdiction's laws regarding data access, vulnerability reporting, and extraterritorial reach. A failure to accurately assess this can render your statement of conformity misleading from the outset, exposing you to immediate revocation.
- Prepare for Liability: Recognize that your customers (public sector bodies) may seek compensation for damages resulting from your non-compliance. Your insurance coverage, contractual indemnities, and risk management strategies should be reviewed to ensure they align with these new statutory risks, particularly the right to compensation under Article 24(3).
Common misconceptions
Misconception 1: Self-assessment means no oversight. While there is no mandatory third-party audit for level 1, the service is still subject to oversight by national competent authorities. Under Article 17, the provider must submit the EU statement of conformity to the evaluating national competent authority for recognition. The authority has the power to request further information, reject the recognition if evidence is insufficient, and revoke recognition if misleading information is discovered.
Misconception 2: Negligence is not a problem for self-assessments. Article 17(11) explicitly states that recognition can be revoked if the provider "intentionally or negligently" supplied incorrect information. You do not need to have committed fraud to lose your status; a careless, poorly documented, or uninformed self-assessment is sufficient grounds for revocation and potential penalties.
Misconception 3: The statement is only for regulatory filing. The EU statement of conformity is a commercial document with direct market consequences. Public sector bodies will rely on it to award contracts under Article 30. If the statement is false, you are not just violating administrative law; you are exposing yourself to civil liability for damages under Article 24(3), where customers can sue for losses incurred due to your non-compliance.
Related
- CADA Self-Assessment vs. Audited Tiers: A Legal Guide
- When does CADA require self-assessment versus an independent audit?
- CADA Conformity Self-Assessment: The Level 1 Pathway Explained
- CADA SME Self-Assessment: Automatic Recognition for Level 1 Cloud Services
- Is CADA Level 1 self-assessment trustworthy for buyers?
This is general information about a draft EU regulation, not legal advice.