Does CADA require a dedicated website for the central repository?

Summary Yes, as proposed, the Cloud and AI Development Act (CADA) explicitly requires the European Commission to host the central repository of recognised sovereign cloud services on a dedicated website. Article 22(4) mandates that this repository be "publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website." This ensures that public-sector procurement officers, private entities, and citizens can reliably verify the sovereignty status of cloud providers across the EU without navigating disparate national registers.

Detail

The Cloud and AI Development Act (CADA), as set out in the proposal COM(2026) 502 final, establishes a harmonised framework for cloud computing sovereignty. This framework relies on four "Union assurance levels" (1 to 4) to categorise the degree of autonomy and control a cloud service offers against third-country interference. To make this complex framework operational, transparent, and enforceable, the proposal creates a centralised digital infrastructure: the central repository of recognised cloud computing services.

The accessibility and maintenance of this repository are not left to discretion; they are codified in strict legal requirements. Under Article 22(4) of the CADA proposal, the Commission is obligated to establish and maintain this dedicated repository. The text explicitly states that the central repository "shall be publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website."

This specific wording in Article 22(4) serves several critical functions for the integrity of the EU's cloud market and the sovereignty framework:

1. Centralised Verification: Instead of public authorities having to check disparate national registers or contact individual providers for proof of status, there is a single, EU-wide point of access. This aligns with CADA's broader objective of removing single-market barriers and ensuring that a cloud service recognised in one Member State is immediately visible and verifiable across the Union. The "dedicated" nature of the website ensures it is a standalone, authoritative source, distinct from general Commission portals.

2. Public Accessibility: By mandating that the website be "publicly available," CADA ensures that the transparency mechanism extends beyond just public-sector buyers. Private entities, researchers, auditors, and citizens can verify which providers meet the Union's sovereignty standards. This openness fosters trust in the European cloud ecosystem and allows market participants to make informed decisions based on verified data rather than marketing claims.

3. Dynamic Maintenance and Regular Updates: The repository is not a static list. Article 22(4) requires that it be "regularly updated." This is crucial because the status of a cloud service is not permanent. Under Article 23, providers must notify authorities of material changes, and under Article 22(3), revocations of recognition (due to non-compliance, failed audits, or incorrect information) must be published in the repository and remain available for five years. The requirement for regular updates ensures the website reflects the current, real-time status of providers.

4. Shared Responsibility for Data Integrity: The provision assigns specific roles to different actors. The "national competent authorities of establishment" are responsible for registering the services in the repository once recognition is granted (as per Article 22(2)). The Commission, however, is responsible for maintaining the platform itself and ensuring the website remains "easily accessible." This division of labour ensures that the data originates from the national authorities that performed the assessment, while the Commission guarantees the technical availability and accessibility of the interface.

The repository will list services recognised under Union assurance levels 1 through 4. For services at levels 2, 3, and 4, recognition is based on independent third-party audits conducted by auditing organisations. For level 1, it is based on a conformity self-assessment (with automatic recognition for SMEs). The website will serve as the definitive source of truth for these designations, allowing users to filter by assurance level, provider name, or Member State.

What this means for you

For public-sector procurement officers, IT leaders, and compliance teams, the existence of a dedicated, publicly accessible website fundamentally simplifies the compliance landscape under the proposed CADA.

• Streamlined Due Diligence: When procuring cloud services, you are required to ensure the provider meets the appropriate Union assurance level based on your risk assessment (as mandated by Article 29). Instead of manually verifying audit reports, requesting certificates, or contacting providers directly for proof of status, you can consult the central repository. If a service is listed, it has been formally recognised by the relevant national competent authority. This reduces the administrative burden and accelerates procurement timelines.

• Robust Audit Trail: Using the repository provides a clear, defensible audit trail for your procurement decisions. It demonstrates that you have consulted the official EU register to verify the sovereignty status of the chosen provider. This is crucial for compliance with public procurement rules and for defending decisions against challenges regarding the selection of non-sovereign providers.

• Proactive Risk Monitoring: Because the repository is "regularly updated," you can monitor for any changes in a provider's status. If a provider's recognition is revoked (e.g., due to a failed audit, a security breach, or the discovery of incorrect information), this will be reflected in the repository. This allows you to take necessary contractual or operational actions promptly, such as initiating migration plans, before a service disruption occurs.

• Accessibility and Usability: The "easily accessible" requirement implies that the interface must be user-friendly. While the specific technical design is not detailed in the text, the legal obligation suggests the Commission must ensure the site is navigable, likely offering search functionalities to filter by provider name, assurance level, or Member State of establishment. This reduces the technical barrier for smaller public bodies that may lack dedicated IT resources.

• Market Intelligence: For private sector entities, the repository offers a unique window into the competitive landscape. You can verify the sovereignty claims of potential partners or competitors, ensuring that your supply chain aligns with your own risk management strategies or customer requirements.

Common misconceptions

Misconception 1: The repository is a private database for government use only. Correction: No. Article 22(4) explicitly states the repository must be "publicly available." While it is a critical tool for public procurement and sovereignty enforcement, it is open to the public. This transparency is designed to enhance market trust and allow private companies, researchers, and citizens to verify the sovereignty status of cloud providers.

Misconception 2: Cloud providers can register themselves directly on the website. Correction: No. The process is strictly controlled. Cloud providers submit applications for recognition to their national competent authority of establishment (as per Article 17). It is the national competent authority that registers the service in the central repository once recognition is granted (Article 22(2)). The Commission maintains the website, but the data entry is driven by the national authorities that have verified the compliance. Providers cannot self-publish their status.

Misconception 3: The website lists all cloud providers operating in the EU. Correction: No. The repository only lists cloud computing services that have been formally recognised as offering a specific Union assurance level (1–4). Providers who have not applied for recognition, or whose applications were rejected, will not appear in this specific repository. It is a list of verified sovereign services, not a general directory of all cloud providers.

Misconception 4: The website is a static list that never changes. Correction: No. Article 22(4) mandates that the repository be "regularly updated." Furthermore, Article 22(3) requires that any revocation of recognition be published and remain available for five years. The website is a dynamic tool that reflects the current compliance status of providers, including any changes in their assurance level or removal from the list.

Related

• Who registers a cloud service in the CADA central repository?
• Who maintains the CADA central repository of cloud services?
• CADA Central Repository: Who can access it and is it public?
• How does a cloud provider get listed in the CADA central repository?
• What is the CADA central repository of cloud computing services?

This is general information about a draft EU regulation, not legal advice.