Summary
No. As proposed, the Cloud and AI Development Act (CADA) would not make the European Cybersecurity Certification Scheme for Cloud Services (EUCS) mandatory. The Explanatory Memorandum notes that EUCS, once finalised, "could be leveraged" to show that a service meets the highest cybersecurity standards, but CADA would establish its own distinct "Union assurance levels" for sovereignty and public order. EUCS has not yet been adopted; until it exists, CADA's higher assurance levels would let providers rely on national cybersecurity certification schemes or, failing that, demonstrate compliance with the highest cybersecurity standards under applicable Union law.
Detail
The relationship between CADA and EUCS is a frequent point of confusion because both touch cloud security, yet they pursue different objectives through different mechanisms. To see whether CADA would require EUCS, it helps to look at the specific provisions of the proposal, the status of EUCS, and how the two frameworks would interact.
EUCS is not yet adopted
The European Cybersecurity Certification Scheme for Cloud Services (EUCS) is not yet in force. The Explanatory Memorandum to the CADA proposal states that the European Union Agency for Cybersecurity (ENISA) "has been working on developing a European Cybersecurity Certification Scheme for Cloud Services (EUCS), which has not yet been adopted." A regulation cannot make a certification scheme mandatory if that scheme does not yet legally exist.
CADA's sovereignty framework vs cybersecurity certification
CADA would introduce a "Union cloud computing sovereignty framework" comprising four Union assurance levels, the criteria for which are set out in Annex II (Article 16). These levels would address data sovereignty, operational continuity, and public order, not technical cybersecurity alone. Cybersecurity is one criterion among several cumulative ones.
For Union assurance level 1, the provider must "demonstrate[] that the service complies with the state-of-the-art cybersecurity standards" (Annex II, point 1.1(e)). There is no reference to EUCS here; the requirement is a general standard of care.
For Union assurance levels 2 and 3, the cybersecurity criterion is more specific. Annex II requires that:
"the audited service obtains a European cybersecurity certificate of at least assurance level 'substantial' under a European cybersecurity certification scheme covering cloud computing services to be established under Regulation (EU) 2019/881, provided that such a scheme has been established under that Regulation and is available to cloud computing service providers." (Annex II, points 2.1(e) and 3.1(e))
For Union assurance level 4, the threshold rises to a certificate of "at least assurance level 'high'" under such a scheme (Annex II, point 4.1(e)).
Crucially, each of these criteria includes a fallback for the period before EUCS is available:
"Until the establishment of such a scheme, national cybersecurity certification schemes shall apply, where they exist. Where no Union or national cybersecurity certification schemes exist, the audited provider is to demonstrate that the service complies with the highest cybersecurity standards under applicable Union law." (Annex II, point 2.1(e))
This confirms that EUCS would be the preferred future benchmark for levels 2 to 4, but it is not currently mandatory because it is not yet established. For now, providers would look to national schemes or to general compliance with the highest applicable standards.
EUCS as a tool, not a blanket requirement
The Explanatory Memorandum explains the Commission's intent: certification under the Cybersecurity Act "can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements," and EUCS, "when finalised, could be leveraged in the framework for sovereign cloud computing services as a way of ensuring that an audited service meets the highest cybersecurity standards." So EUCS would be a recognised route for satisfying the cybersecurity component of the higher assurance levels. It would not, however, replace the broader sovereignty criteria (such as data location, personnel requirements, and absence of third-country control) that are central to CADA.
Distinction from the Cybersecurity Act
It is also worth distinguishing CADA from the Cybersecurity Act (Regulation (EU) 2019/881), which is the legal basis under which EUCS would be established. The Cybersecurity Act addresses technical cybersecurity risks; CADA, by contrast, adds "sovereignty considerations" on top of that focus. CADA references the Cybersecurity Act as the basis for the future EUCS, but it creates a separate, layered framework for sovereignty, risk assessment, and public procurement.
What this means for you
If you are a cloud service provider or data centre operator that may seek recognition under CADA, you should consider the following.
- Do not assume EUCS is immediately required. Because EUCS is not yet adopted, you cannot obtain it. If you aim for Union assurance levels 2 to 4, focus for now on relevant national cybersecurity certifications or on demonstrating "the highest cybersecurity standards under applicable Union law."
- Prepare for EUCS alignment. The proposal signals that EUCS would eventually be the benchmark for levels 2 to 4. Aligning with the expected "substantial" (levels 2 and 3) or "high" (level 4) thresholds now would ease future recognition.
- Address the non-cybersecurity criteria. Even with EUCS, you would not automatically obtain an assurance level. You would also need to meet the other cumulative Annex II criteria, such as data localisation, personnel requirements, third-country control limits, and software supply-chain transparency.
- Monitor national schemes. Until EUCS is available, national schemes may be the primary route to the cybersecurity criterion for levels 2 to 4. Engage with your national competent authority on which certifications would be recognised.
Common misconceptions
- Misconception: "CADA replaces EUCS." Reality: It would not. As proposed, CADA would incorporate EUCS as a means of demonstrating the cybersecurity component of the higher assurance levels. The two are complementary.
- Misconception: "Having EUCS guarantees Union assurance level 4." Reality: A certificate at level "high" would satisfy only one of several cumulative criteria for level 4. You would also need to meet requirements on data location, personnel, and absence of third-country control.
- Misconception: "EUCS is mandatory for all cloud providers in the EU." Reality: EUCS would be a voluntary scheme under the Cybersecurity Act. Under CADA it would, once adopted and available, become a de facto requirement only for providers seeking recognition at Union assurance levels 2 to 4. For level 1, no specific certification is required.
Related
- CADA vs the EUCS cloud certification scheme: how do they relate?
- CADA voluntary recognition vs mandatory procurement levels
- EUCS high level vs CADA Union assurance level 4: are they equivalent?
- CADA: who designates an acceleration zone vs a strategic project?
- CLOUD Act vs EU-US Data Privacy Framework vs CADA: which addresses sovereignty?
This is general information about a draft EU regulation, not legal advice.