Summary
No, Gaia-X conformity does not automatically satisfy or replace the Union assurance levels established under the proposed Cloud and AI Development Act (CADA). While Gaia-X labels may provide useful evidence to support a CADA audit, they are voluntary and do not constitute the legally binding recognition required for public sector procurement. Under CADA, providers must undergo a specific recognition process under Article 17, involving either a self-assessment for Union assurance level 1 or an independent third-party audit against Annex II criteria for levels 2, 3, and 4. Gaia-X evidence may support but cannot replace the mandatory CADA audit.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a mandatory, harmonized framework for cloud sovereignty in the European Union. This framework is legally distinct from existing voluntary industry schemes like Gaia-X. To understand why Gaia-X conformity is insufficient on its own, it is necessary to examine the legal architecture of CADA's sovereignty framework, specifically Article 16 and Article 17, and the nature of the Gaia-X ecosystem.
The CADA Sovereignty Framework: Article 16
As proposed, CADA establishes a Union cloud computing sovereignty framework comprising four distinct levels of trust, referred to as Union assurance levels 1, 2, 3, and 4 (Article 16(1)). These levels are designed to mitigate risks associated with dependence on third-country providers, including extraterritorial data access, service disruption, and third-country control. The criteria for these levels are detailed in Annex II of the proposal and range from basic establishment and data localization requirements (Level 1) to strict prohibitions on third-country control and mandatory Union citizenship for personnel (Level 4).
Crucially, CADA does not recognize external certifications as equivalent to these Union assurance levels. The framework is self-contained; compliance is determined solely by meeting the cumulative criteria set out in Annex II and undergoing the formal recognition process mandated by the regulation. The proposal explicitly creates a new, separate regulatory path for sovereignty recognition, distinct from any pre-existing voluntary labels.
The Recognition Process: Article 17
Article 17 of CADA outlines the exclusive mechanism for a cloud computing service provider to be officially recognized as offering a specific Union assurance level. This is a legally binding procedure involving national competent authorities.
- Application: A provider aiming for recognition must submit an application to the national competent authority of establishment (Article 17(1)).
- Evidence Submission:
  - For Union assurance level 1, the provider must submit an EU statement of conformity based on a self-assessment (Article 17(3), referencing Article 19).
  - For Union assurance levels 2, 3, and 4, the provider must submit an audit report and a 'positive' audit opinion issued by an independent auditing organization (Article 17(4)). This audit must assess compliance against the strict criteria in Annex II.
- Assessment and Recognition: The evaluating national competent authority assesses the evidence within 60 days. If accepted, the service is recognized across the Union at the appropriate assurance level (Article 17(5)-(7)).
This process is mandatory for any provider wishing to serve public sector bodies that require sovereign services. Without this formal recognition, a provider cannot legally claim to offer a CADA-compliant sovereign service, regardless of any other certifications they may hold. The regulation does not provide for "grandfathering" or automatic equivalence of other labels.
Gaia-X: Voluntary and Non-Binding
Gaia-X is a European initiative aimed at creating a federated, sovereign cloud infrastructure. It operates through a set of codes of conduct and trust labels (e.g., the Gaia-X Trust Seal). These labels are voluntary and are typically obtained through self-assessment or third-party audits conducted by Gaia-X-recognized audit partners.
While the principles underlying Gaia-X, such as data localization, transparency, and security, often overlap with the criteria in CADA's Annex II, the Gaia-X label itself is not a legal instrument under EU law. It does not confer the status of a recognized Union assurance level. The CADA proposal explicitly creates a new, separate regulatory path for sovereignty recognition. There is no provision in CADA that allows a Gaia-X label to substitute for the EU statement of conformity or the independent audit required under Article 17.
The Role of Gaia-X Evidence in CADA Compliance
Although Gaia-X conformity does not replace CADA recognition, it may play a supportive role. The evidence gathered during a Gaia-X audit, such as documentation of data flows, security controls, and subcontractor management, could potentially be used as part of the audit evidence required for a CADA audit under Annex III.
However, this is not automatic. The independent auditing organization conducting the CADA audit (as defined in Article 20) must verify that all specific criteria in Annex II are met. If the Gaia-X audit criteria differ from or are less stringent than CADA's Annex II requirements, the provider will still need to address those gaps. For example, CADA's higher assurance levels (3 and 4) impose strict requirements on personnel citizenship and third-country control that may not be fully covered by standard Gaia-X labels. Therefore, Gaia-X evidence may streamline the audit process by providing a baseline of documentation, but it does not exempt the provider from the full CADA audit.
What this means for you
For cloud service providers and data centre operators, the distinction between Gaia-X and CADA compliance is critical for market access and legal risk management.
- Do not rely on Gaia-X for public sector contracts: If you intend to bid for public sector cloud contracts that require sovereign services, you must undergo the CADA recognition process under Article 17. A Gaia-X label alone will not satisfy the procurement requirements set out in Article 30, which mandates that contracting authorities procure services recognized at the appropriate Union assurance level.
- Plan for dual compliance: If you already hold a Gaia-X label, you can leverage your existing documentation to support your CADA application. However, you must still engage an independent auditing organization for levels 2–4 and submit to the national competent authority. Budget for the additional costs and time associated with the CADA-specific audit and recognition timeline (60-day assessment period).
- Understand the tier requirements: Review Annex II carefully. Gaia-X may align with some Level 1 or 2 criteria, but Levels 3 and 4 introduce stringent requirements (e.g., no third-country control, Union citizenship for staff) that may require significant operational changes. Ensure your service architecture can meet these specific legal thresholds.
- Monitor delegated acts: The specific audit procedures and evidence requirements are subject to delegated acts under Article 20(9) and Article 21(1). Stay informed about this secondary legislation, as it will define the exact technical standards for the audits that Gaia-X evidence must meet.
Common misconceptions
"Gaia-X is the EU's official sovereignty standard." No. Gaia-X is a voluntary industry initiative. CADA is a proposed EU regulation that creates a mandatory, legally binding sovereignty framework. They are separate instruments with different legal statuses.
"If I have a Gaia-X Trust Seal, I am automatically CADA compliant." No. CADA requires a specific recognition decision by a national competent authority based on an audit against Annex II criteria. A Gaia-X seal is not recognized as equivalent evidence under Article 17.
"CADA replaces Gaia-X." CADA does not explicitly abolish Gaia-X. Gaia-X may continue to operate as a voluntary best-practice framework. However, for legal compliance and public procurement, CADA's Union assurance levels will be the decisive factor. Gaia-X may become less relevant if it does not align closely with CADA's Annex II criteria.
"Self-assessment is enough for all levels." No. Under CADA, self-assessment (EU statement of conformity) is only permitted for Union assurance level 1 (Article 19). Levels 2, 3, and 4 require mandatory independent third-party audits (Article 20).
"Gaia-X evidence is sufficient for the CADA audit." No. While Gaia-X evidence may be submitted as part of the audit evidence under Annex III, the independent auditor must still verify compliance with every cumulative criterion in Annex II. If Gaia-X criteria are less stringent, the provider must provide additional evidence to satisfy the CADA requirements.
This is general information about a draft EU regulation, not legal advice.