Summary
As proposed, the Cloud and AI Development Act (CADA) does not mandate a European cybersecurity certificate for all cloud providers. The requirement is triggered only for providers seeking recognition under Union Assurance Levels 2, 3, or 4 to serve public sector bodies with public-order relevance. For Levels 2 and 3, the proposal requires a European cybersecurity certificate of at least assurance level "substantial" under the European Cybersecurity Certification Scheme for Cloud Services (EUCS). For Level 4, the requirement is stricter: a certificate of at least assurance level "high". Until the EUCS is fully established and available, national cybersecurity certification schemes apply where they exist. If no such schemes exist, providers must demonstrate compliance with the highest cybersecurity standards under applicable Union law.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a "Union cloud computing sovereignty framework" to address strategic dependencies and ensure operational autonomy for the EU public sector. A critical pillar of this framework is the tiered system of Union Assurance Levels (UALs). While Level 1 serves as a baseline for general public sector use, Levels 2, 3, and 4 are reserved for activities identified as contributing to the preservation of public order, such as national security, defense, justice, and law enforcement.
The cybersecurity certification requirement is not a blanket obligation for the entire cloud market. Instead, it is a specific condition for higher assurance levels, designed to ensure that the infrastructure supporting critical public functions meets rigorous, harmonized security standards.
The Specific Certification Requirements by Level
The criteria for cybersecurity certification are explicitly detailed in Annex II of the proposal. The distinction between the levels is precise, particularly regarding the required assurance level of the certificate.
Union Assurance Levels 2 and 3: The "Substantial" Requirement
For providers seeking recognition at Union Assurance Level 2, Annex II, Section 2.1(e) states that the audited service must obtain a European cybersecurity certificate of at least assurance level "substantial" under a European cybersecurity certification scheme covering cloud computing services to be established under Regulation (EU) 2019/881 (the Cybersecurity Act).
This requirement is identical for Union Assurance Level 3. Annex II, Section 3.1(e) mandates that the service obtain a European cybersecurity certificate of at least assurance level "substantial" under the same scheme.
It is a common misconception that Level 3 requires a higher cybersecurity standard than Level 2. Under the CADA proposal, the cybersecurity certification floor for both levels is "substantial." The differentiation between Level 2 and Level 3 lies in other sovereignty criteria, such as personnel requirements (Union citizenship is conditional for Level 2 but mandatory for Level 3) and the specific handling of classified information, rather than the cybersecurity assurance level itself.
Union Assurance Level 4: The "High" Requirement
For the most critical operations, Union Assurance Level 4 imposes a higher cybersecurity bar. Annex II, Section 4.1(e) specifies that the audited service must obtain a European cybersecurity certificate of at least assurance level "high" under the European cybersecurity certification scheme.
"High" is the top of the three assurance levels the Cybersecurity Act defines (basic, substantial, high), so Level 4 is the only tier in the CADA framework that demands the highest certification the Act allows. This reflects the sensitivity of the data and the criticality of the services (e.g., handling EU classified information) that Level 4 is designed to protect.
The Interim Role of National Schemes
The proposal acknowledges that the European Cybersecurity Certification Scheme for Cloud Services (EUCS) is still in development and that certificates under it are not yet available to providers. To prevent a regulatory vacuum, CADA includes a specific transitional mechanism.
The text in Annex II, Sections 2.1(e), 3.1(e), and 4.1(e) explicitly provides: "Until the establishment of such a scheme, national cybersecurity certification schemes shall apply, where they exist."
This means that, during the interim period before the EUCS is adopted and certificates under it can be issued, a provider can satisfy the cybersecurity certification requirement with a certificate from an existing national cybersecurity certification scheme of an EU Member State. Before relying on this route, check that the national scheme actually covers cloud computing services and that the certificate's scope covers the service being audited; the independent audit described below verifies both validity and scope. This lets the sovereignty framework function immediately, allowing public bodies to procure services certified under national schemes while the EU-wide scheme is finalised.
Fallback Provision
The proposal further addresses the case where neither a Union nor a national scheme exists. In that case the text states: "Where no Union or national cybersecurity certification schemes exist, the audited provider is to demonstrate that the service complies with the highest cybersecurity standards under applicable Union law." This places the burden of proof on the provider: instead of presenting a certificate, it must document and evidence compliance measured against applicable Union law, for example by mapping its controls to recognized standards that implement those obligations. The provision is intended as a last resort, not as a routine alternative to certification.
Union Assurance Level 1: No Certificate Required
It is crucial to distinguish the baseline level from the higher tiers. Union Assurance Level 1 does not require a formal European or national cybersecurity certificate. Instead, Annex II, Section 1.1(e) requires the provider to demonstrate that the service complies with "state-of-the-art cybersecurity standards."
Level 1 is a self-assessment regime. Providers must internally verify and document their compliance with current best practices but are not required to undergo a third-party audit for a specific certificate to achieve this level. This distinction is vital for providers serving public sector bodies with lower-risk activities, as it significantly reduces the immediate administrative and financial burden.
Audit and Verification Process
For Levels 2, 3, and 4, the cybersecurity certificate is not merely a document to be submitted; it is a core piece of evidence within a broader independent third-party audit. Under Article 20 of CADA, providers must undergo independent audits to obtain an audit report and a "positive" audit opinion from an auditing organization.
The auditing organization is responsible for verifying the presence and validity of the cybersecurity certificate as part of the evidence required to confirm compliance with the assurance level criteria. The audit must be performed by an organization that is independent, possesses proven technical competence, and adheres to strict professional ethics. The certificate serves as a foundational element, but the audit validates the entire sovereignty posture, including data localization, personnel screening, and supply chain transparency.
What this means for you
For CTOs, cloud architects, and compliance officers, the CADA proposal introduces a nuanced certification landscape that depends entirely on your target assurance level and the nature of your clients.
1. Determine Your Target Assurance Level
The first step is to assess whether your services are intended for general public sector use (Level 1) or for critical public-order activities (Levels 2–4).
- If targeting Level 1: You do not need to pursue an EUCS or national certificate immediately. Focus on internal self-assessment against state-of-the-art standards and ensure your documentation is robust enough to withstand potential scrutiny.
- If targeting Levels 2, 3, or 4: You must prepare for a formal certification process. If you aim for Level 2 or 3, you need a "substantial" assurance certificate. If you aim for Level 4, you need a "high" assurance certificate.
2. Navigate the Interim Period with National Schemes
Since the EUCS is not yet fully established, do not wait for the EU-wide scheme to begin your compliance journey. Investigate whether your Member State has an existing national cybersecurity certification scheme for cloud services.
- Actionable Step: If a national scheme exists, obtaining this certification is the most direct path to compliance under CADA's interim provisions. This allows you to serve public sector clients immediately while preparing for the eventual transition to the EUCS.
- Transition Planning: Be aware that once the EUCS is established, national schemes will be phased out or harmonized. Under Article 57 of the Cybersecurity Act, national schemes covering services that a European scheme covers cease to produce effects from the date set in the implementing act adopting that scheme, while certificates already issued under them remain valid until they expire. You should therefore have a roadmap to migrate from a national certificate to the EUCS "substantial" or "high" certificate as soon as it becomes available, timed against the expiry of your current certificate.
3. Budget for Independent Audits
Achieving Levels 2–4 requires more than just a certificate; it requires a full independent audit. These audits are resource-intensive, involving third-party auditors who will examine your premises, data flows, personnel records, and technical architecture.
- Cost Implication: Budget for the costs of both the cybersecurity certification (EUCS or national) and the independent audit required by CADA. These are distinct processes, though they may be coordinated.
- Readiness: Ensure your internal documentation, security policies, and technical controls are audit-ready well in advance. The auditor will need access to verify that your certificate is valid and that your operations align with the certificate's scope.
4. Monitor the EUCS Timeline
Adoption of the EUCS is managed by the Commission together with the European Union Agency for Cybersecurity (ENISA). Track the scheme's final adoption and the date from which certificates can be issued, since that date starts the transition away from national certificates.
Common misconceptions
Misconception 1: CADA requires an EUCS certificate for all cloud providers. This is incorrect. The requirement for a formal cybersecurity certificate applies only to providers seeking recognition under Union Assurance Levels 2, 3, or 4. Providers operating at Level 1 are only required to self-assess compliance with state-of-the-art cybersecurity standards.
Misconception 2: Level 3 requires a "high" cybersecurity certificate. This is a frequent error. Under the CADA proposal, both Level 2 and Level 3 require a certificate of at least assurance level "substantial". The "high" assurance level is exclusively required for Level 4. The distinction between Levels 2 and 3 lies in other criteria, such as personnel citizenship requirements, not the cybersecurity certification level.
Misconception 3: The EUCS is available today for all providers. The EUCS is still in development under the Cybersecurity Act. CADA explicitly allows for the use of national cybersecurity certification schemes until the EUCS is established and available. Providers should not assume they can immediately obtain an EUCS certificate; they may need to rely on national schemes in the interim.
Misconception 4: A cybersecurity certificate is sufficient for sovereignty compliance. The cybersecurity certificate is just one component of the Union Assurance Levels. Providers must also meet strict requirements related to data localization, personnel screening (Union citizenship for Levels 3 and 4), absence of third-country control, and software supply chain transparency. For example, Level 4 requires that the provider and subcontractors are not subject to the control of a third country, a requirement that goes far beyond cybersecurity certification.
Misconception 5: National schemes are irrelevant once the EUCS exists. While the EUCS is the long-term goal, national schemes are highly relevant in the interim period. CADA explicitly states that national cybersecurity certification schemes shall apply where they exist until the EUCS is established. Holding a robust national certification therefore both satisfies CADA's interim requirement and positions the provider for the later transition to the EUCS.
Official sources
Related
- CADA Level 4 Cybersecurity: The 'High' EUCS Certificate Requirement
- CADA Level 2 Cybersecurity: The 'Substantial' EUCS Certificate Requirement
- What cybersecurity standard does CADA Level 1 require?
- Why would a public body require CADA Level 4 over Level 3?
- Which CADA tier should a public-sector buyer require? A guide to Union Assurance Levels
This is general information about a draft EU regulation, not legal advice.