Summary

Yes. As proposed, the Cloud and AI Development Act (CADA) directly concerns cloud computing service providers and, under conditions, providers controlled from third countries. A provider that wants to sell to the public sector would seek recognition at one of four Union assurance levels: level 1 via a conformity self-assessment, and levels 2 to 4 via independent third-party audit (Articles 16 to 21). Recognition carries ongoing transparency duties (Article 23), and infringements can attract penalties and a right to compensation (Article 24). CADA is still a proposal, so none of this is in force yet.

Detail

CADA places cloud computing service providers at the centre of its sovereignty framework. The scope follows from the definitions and the obligations in Title IV.

Who is covered

Article 2(2) defines a "cloud computing service provider" as "a legal entity which provides a cloud computing service." "Cloud computing service" is defined in Article 2(1) by reference to Article 6, point (30), of Directive (EU) 2022/2555 (NIS2) — broadly, a digital service giving on-demand, broadly accessible access to a scalable and elastic pool of shareable computing resources. The definition is wide and is not limited to large providers.

CADA's sovereignty rules bite mainly where a provider wishes to offer services to Union entities and public-sector bodies. The Regulation does not, by itself, impose the assurance framework on purely private-sector contracts — but because public procurement drives significant demand, the rules effectively shape market expectations more widely.

The sovereignty framework and assurance levels

The core mechanism is the Union cloud computing sovereignty framework. Article 16 establishes four Union assurance levels (1 to 4), with the detailed, cumulative criteria set out in Annex II. To sell to the public sector, a provider must be recognised at the relevant level.

  • Level 1 rests on a conformity self-assessment: the provider draws up an EU statement of conformity (Article 19).
  • Levels 2 to 4 require an independent third-party assessment by an auditing organisation, supported by audit evidence (Articles 20 to 21).

The criteria escalate with each level — broadly, the higher the level, the stronger the requirements on control of the service, data handling and protection from third-country interference. The precise, cumulative requirements for each level are those set out in Annex II rather than summarised in the body of the Regulation, so a provider should map its service against Annex II directly.

The recognition process

Article 17 sets out recognition. A provider applies to the national competent authority of its establishment, which acts as the evaluating authority and may ask competent authorities in other Member States to collaborate. For level 1, the provider submits its EU statement of conformity and the necessary evidence; notably, an EU statement of conformity issued under Article 19 by a provider that is an SME is directly and automatically recognised in all Member States without prior recognition by the evaluating authority (Article 17(3)).

Transparency and ongoing obligations

Recognition is not a one-off. Article 23 requires providers to report material changes that could substantiate a change in their recognised level. Failure to keep recognition current can put a provider's recognised status at risk.

Third-country-controlled providers

Article 18 addresses providers controlled from third countries. It sets out a mechanism by which the Commission may recognise a third country as providing sufficient assurances, so that cloud computing services controlled from that third country become eligible to qualify under Union assurance level 3. Without such recognition, the eligibility of third-country-controlled services for the higher levels is constrained. ("Control" is itself a defined term, in Article 2(21), by reference to Regulation (EU) 2021/697.) Providers should treat the precise conditions in Article 18 and Annex II as the operative source rather than relying on general summaries.

Enforcement

Article 24 requires Member States to lay down penalties for infringements by providers that are effective, proportionate and dissuasive, and provides that recipients may seek compensation for damage or loss resulting from a provider's infringement, in accordance with Union and national law.

What this means for you

If you provide cloud services and intend to serve the EU public sector, CADA adds a recognition-and-compliance track.

  1. Map your target level against Annex II. Decide which Union assurance level you are aiming for and assess your service against the cumulative Annex II criteria for that level — that is where the substantive requirements live.
  2. Plan for audits. Levels 2 to 4 require independent third-party assessment and audit evidence (Articles 20 to 21). Start early, because the assessment and the authority's evaluation take time.
  3. Review your corporate structure. If you are controlled from a third country, study Article 18: absent Commission recognition of that third country, your eligibility for the higher levels may be limited.
  4. Build a change-reporting process. Article 23 requires prompt reporting of material changes; design internal triggers so you do not lose recognised status.
  5. Identify your competent authority. Your national competent authority of establishment (Article 17, Article 25) is your route to recognition and your supervisor.

Common misconceptions

"CADA only applies to large hyperscalers." No. The Article 2(2) definition covers any legal entity providing cloud computing services. SMEs are within scope — though Article 17(3) gives SME level-1 statements of conformity automatic cross-border recognition.

"If I comply with GDPR, I comply with CADA." No. GDPR governs personal-data protection; CADA addresses sovereignty, operational autonomy and public order. A GDPR-compliant service can still fall short of an assurance level — for example, where it is controlled from a third country whose laws have extraterritorial reach.

"Recognition in one Member State lets me ignore the others." Partly. Article 17 provides for recognition across the Union, but you remain supervised by your home competent authority, and other Member States can be asked to collaborate in the procedure.

"Private-sector contracts are unaffected." Largely, but not entirely. CADA's procurement duties target public-sector buyers (Article 30), yet Article 31 lets certain private entities within NIS2 scope run similar impact assessments, and public-sector expectations tend to influence the wider market.

This is general information about a draft EU regulation, not legal advice.