Summary

As proposed, CADA recognition for cloud computing services does not expire on a fixed calendar date, nor is it synchronized with the review cycles of the European Cybersecurity Certification Scheme for Cloud Services (EUCS) or the Digital Operational Resilience Act (DORA). Instead, recognition relies on a continuous compliance model anchored by annual independent audits (Article 20) and the immediate reporting of material changes (Article 23). While public sector risk assessments determining the required assurance level must be refreshed every two years (Article 29), the provider's recognition status remains valid as long as the underlying audit opinion is current and no revocation triggers occur.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a distinct sovereignty framework that operates independently from existing cybersecurity and financial resilience regimes. For cloud service providers (CSPs) seeking recognition under the Union assurance levels, it is critical to understand that CADA recognition is not a time-bound license that expires annually or biennially. Rather, it is a status contingent upon continuous adherence to the criteria set out in Annex II, verified through a specific audit and recognition procedure defined in Articles 17 through 23.

CADA's Independent Recognition and Audit Cycle

The validity of a CADA recognition is directly tied to the validity of the underlying audit opinion, not a statutory expiry date. Under Article 20(8), an audited provider seeking recognition at Union assurance levels 2, 3, or 4 must annually submit the audit report and the associated 'positive' audit opinion for review by the same or a different auditing organisation. This annual review assesses the continued compliance of the audited service with the applicable criteria. Based on this review, the auditing organisation may confirm, update, or revoke the initial audit report and audit opinion.

Consequently, recognition does not have a static expiry date; it persists as long as the annual review confirms compliance. However, this status is fragile and event-driven. Article 23 imposes strict transparency obligations, requiring providers to notify the auditing organisation and the national competent authority of establishment "as soon as possible" upon becoming aware of any material change in circumstances that may affect the audit report or recognition. If the auditing organisation amends or revokes the audit report, it must notify the national competent authority, which then assesses whether the provider's recognition needs to be amended or revoked (Article 23(2)–(3)).

Furthermore, Article 17(11) explicitly empowers the evaluating national competent authority to revoke recognition if it finds that a provider "intentionally or negligently, supplied incorrect or misleading information." Therefore, while there is no calendar-based expiry, the recognition is subject to continuous scrutiny via annual audits and event-driven reporting.

No Synchronisation with EUCS or DORA

A common area of confusion involves the relationship between CADA and other EU frameworks, particularly the European Cybersecurity Certification Scheme for Cloud Services (EUCS) and the Digital Operational Resilience Act (DORA). CADA does not adopt the validity periods or review cycles of these instruments.

EUCS Alignment: CADA references EUCS (or national cybersecurity certification schemes where EUCS is not yet established) as a specific criterion for Union assurance levels 2, 3, and 4 (Annex II, sections 2.1(e), 3.1(e), and 4.1(e)). However, CADA does not adopt EUCS's validity period or review cycle. A CSP might hold a valid EUCS certificate, but if it fails its annual CADA-specific audit under Article 20, its CADA recognition can be revoked regardless of its EUCS status. Conversely, a lapse in EUCS certification would likely constitute a material change triggering a reassessment under Article 23, potentially leading to the loss of the corresponding CADA assurance level. The two schemes run on parallel, albeit intersecting, tracks.

DORA Alignment: DORA imposes ICT risk management, incident reporting and digital operational resilience testing obligations on financial entities, and places critical ICT third-party service providers (which can include CSPs) under a Union-level oversight framework. CADA is designed to complement, not replace, these requirements. The explanatory memorandum notes that CADA supports DORA's objectives but addresses broader sovereignty concerns beyond technical cybersecurity (Recital 30). There is no provision in CADA that aligns its recognition with DORA's supervisory review cycles. A financial institution's compliance with DORA does not automatically validate or extend a CSP's CADA recognition, nor does a CADA recognition exempt a provider from DORA oversight.

The Two-Year Risk Assessment Cycle

While the provider's recognition does not expire on a fixed schedule, the demand side of the equation operates on a defined timeline. Article 29(1) mandates that Member States and Union entities carry out risk assessments to identify public sector activities contributing to the preservation of public order and to determine the appropriate Union assurance level (2, 3, or 4). These risk assessments must be conducted by the date of entry into force plus one year, and thereafter every two years, or whenever necessary.

This two-year cycle does not reset the provider's recognition clock. Instead, it ensures that the public sector's procurement requirements remain aligned with the current threat landscape. If a risk assessment determines that a specific public order activity now requires a higher assurance level, the contracting authority must procure services meeting that higher level. A provider wishing to serve that authority must then demonstrate compliance with the new level through the recognition process in Article 17, but the validity of its existing recognition at lower levels remains governed by its annual audit status.

What this means for you

For cloud service providers and data centre operators, the decoupling of CADA recognition from fixed expiry dates and external regulatory cycles requires a shift from "renewal management" to "continuous compliance management."

  1. Annual Audit Rigor: You must budget for and execute an independent third-party audit every year for Union assurance levels 2, 3, and 4 (Article 20(8)). Without this annual review the audit opinion is no longer current, and because recognition is only valid while the opinion is current, your CADA recognition is at risk.
  2. Material Change Monitoring: Establish internal processes to detect and report material changes immediately. Under Article 23, delays in reporting changes that affect your compliance status can lead to the revocation of recognition by the national competent authority.
  3. Parallel Compliance Tracks: Do not assume that your EUCS certificate or DORA compliance report satisfies CADA requirements. Maintain separate documentation and audit trails for CADA sovereignty criteria (e.g., data localisation, personnel citizenship, absence of third-country control) as detailed in Annex II.
  4. Procurement Readiness: Be prepared for public sector clients to update their risk assessments every two years (Article 29). If their risk profile changes, they may require you to upgrade your assurance level. Ensure your infrastructure and governance can scale to meet higher assurance criteria (e.g., moving from Level 2 to Level 3) without significant disruption.

Common misconceptions

  • Misconception: "CADA recognition expires every two years, matching the public sector risk assessment cycle."
    • Reality: The two-year cycle in Article 29 applies to the risk assessments conducted by Member States and Union entities to determine procurement requirements. It does not dictate the validity period of a provider's recognition, which is maintained through annual audits.
  • Misconception: "If I have a valid EUCS certificate, my CADA recognition is automatically valid for the same period."
    • Reality: EUCS is a criterion for higher assurance levels, but CADA recognition depends on a broader set of sovereignty criteria (e.g., legal establishment, data localisation, personnel screening). A valid EUCS certificate does not exempt you from the annual CADA audit under Article 20, nor does it guarantee CADA recognition if other sovereignty criteria are not met.
  • Misconception: "DORA compliance covers all CADA sovereignty requirements for financial sector clients."
    • Reality: DORA focuses on ICT risk management and operational resilience. CADA addresses sovereignty, data confidentiality, and operational autonomy against third-country control. These are distinct regulatory objectives with different compliance mechanisms and oversight authorities.

This is general information about a draft EU regulation, not legal advice.