Summary
Yes — as proposed, the Cloud and AI Development Act (CADA) would apply to SMEs and startups, but it builds in measures to reduce their burden and open market opportunities. Article 2 defines "SME" by reference to Commission Recommendation 2003/361/EC (point 8) and "small mid-cap" or "SMC" by reference to Commission Recommendation (EU) 2025/1099 (point 9). The most significant relief is in Article 17(3): for Union assurance level 1, the EU statement of conformity issued by an SME would be directly and automatically recognised in all Member States, without prior recognition by the evaluating national competent authority.
Detail
CADA is designed to strengthen Europe's cloud and AI ecosystem and to reduce dependence on a small number of non-EU providers. A core aim of the proposal is to create room for smaller European providers to grow and to compete for public and private demand. The Regulation would not exempt SMEs or startups from its scope; instead, it tailors certain steps to keep obligations proportionate.
How CADA defines SMEs and small mid-caps
- SMEs: Article 2, point (8), defines a "small and medium-sized enterprise" or "SME" as an enterprise as defined in Article 2 of Annex I to Commission Recommendation 2003/361/EC — the EU's standard definition, which generally turns on staff headcount (under 250), annual turnover (not exceeding EUR 50 million), and balance sheet total (not exceeding EUR 43 million).
- Small mid-caps (SMCs): Article 2, point (9), defines a "small mid-cap" or "SMC" by reference to point 2 of the Annex to Commission Recommendation (EU) 2025/1099. This category sits between SMEs and large enterprises, so growing companies can still benefit from targeted support.
Streamlined recognition for SMEs (Article 17)
To serve Union entities and public sector bodies, providers must be recognised as offering one of the four Union assurance levels (Article 16). For Union assurance level 1, a provider carries out a conformity self-assessment and issues an "EU statement of conformity" (Article 19), then submits it to the national competent authority of establishment for recognition (Article 17(1) and (3)).
Article 17(3) then adds a derogation for SMEs. As proposed, "the EU statement of conformity issued under Article 19(2) by cloud computing service providers that are SMEs shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." In other words, an SME offering a level 1 service would not need to wait for the national recognition step — its self-assessment would be valid EU-wide on issue, cutting time-to-market and administrative cost.
This relief is specific to level 1. For Union assurance levels 2, 3 and 4, the provider must submit an audit report and a positive audit opinion from an independent auditing organisation (Articles 17(4) and 20); the SME automatic-recognition derogation does not apply to those higher levels.
Opportunities for smaller providers
CADA aims to lower barriers to entry for European providers through procurement and reuse measures:
- Union added value: Article 32 requires contracting authorities, in procurement of innovative cloud services and AI systems, to include non-price award criteria assessing the tenderer's contribution to a European cloud and AI ecosystem — including the use of software or hardware designed or manufactured in the Union. These criteria must be ancillary and not decisive (Article 32(2)), but they can favour EU-based providers.
- SME procurement target: Article 33 requires Member States to monitor procurement of innovation in cloud and AI, and to pursue the objective that at least 25% of their procurement for cloud computing services and AI systems be awarded to innovative SMEs (Article 33(4)).
- Open source and reuse: Article 41 would have the Union and Member States encourage public bodies to use and reuse open standards and open-source components. Article 42 requires reusable public-sector software to be made available through the EU Open Source Solutions Catalogue, which Article 43 tasks the Commission with maintaining — a pool startups can draw on or contribute to.
Support mechanisms
- Experience and Acceleration Centres for AI (Centres for AI): Article 5 requires each Member State to establish Centres for AI, building on the European Digital Innovation Hubs. Their objectives include accelerating adoption of cloud and AI technologies for SMEs, SMCs and public bodies (Article 5(2)(b)), and they are tasked with supporting the scaling-up of spin-offs and startups (Article 5(3)(d)).
- National strategies: Article 7 requires Member States to adopt national cloud and AI strategies, which under Article 33(4) must include plans for meeting the 25% SME procurement objective.
What this means for you
If you are a cloud service provider classified as an SME or small mid-cap, CADA as proposed would bring both obligations and advantages.
- Use the SME relief for assurance level 1. If you target Union assurance level 1, make your conformity self-assessment robust and well documented. You could issue your EU statement of conformity and rely on automatic EU-wide recognition under Article 17(3), removing a cross-border bottleneck.
- Watch "Union added value" criteria (Article 32). Position your offer as part of the European digital supply chain and highlight EU-designed or EU-manufactured hardware and software to score well, bearing in mind these criteria are ancillary, not decisive.
- Engage with Centres for AI (Article 5). These hubs offer access to European providers, upskilling, and support for scaling startups — useful if you aim to move up the assurance levels.
- Prepare for audits if you scale up. For assurance levels 2, 3 or 4 the SME automatic-recognition relief does not apply: you would need an independent audit (Article 20). Start preparing documentation, software bills of materials (SBOMs) and security evidence early.
- Build an open-source strategy. Drawing on or contributing to the EU Open Source Solutions Catalogue (Article 43) can cut costs and demonstrate alignment with the Regulation's autonomy aims.
Common misconceptions
Misconception 1: SMEs are exempt from CADA. Reality: As proposed, CADA would apply to cloud computing service providers serving Union entities and public sector bodies, SMEs included. The Regulation provides procedural simplifications — notably automatic recognition of level 1 self-assessments (Article 17(3)) — not a blanket exemption.
Misconception 2: The SME relief applies to all assurance levels. Reality: The automatic-recognition derogation in Article 17(3) applies only to Union assurance level 1. For levels 2, 3 and 4, every provider must undergo independent third-party audits (Article 20), regardless of size.
Misconception 3: CADA only benefits large hyperscalers. Reality: The proposal aims to diversify the market. Risk assessments under Article 29 must consider whether a multi-vendor or multi-cloud strategy is appropriate (Article 29(9)), and the "Union added value" criteria (Article 32) plus the 25% SME objective (Article 33(4)) actively favour smaller EU-based providers.
Misconception 4: "Small mid-cap" is a new, arbitrary category. Reality: Article 2(9) references an existing instrument, Commission Recommendation (EU) 2025/1099, defining a recognised EU category for companies that have outgrown SME status but are not yet large enterprises.
This is general information about a draft EU regulation, not legal advice.