Summary Yes, as proposed, the CADA central repository lists cloud computing services recognised at all four Union assurance levels (levels 1, 2, 3, and 4). Article 22(1) mandates that the Commission establish and maintain this dedicated repository for all services recognised under the sovereignty framework. This ensures that public-sector procurers, auditors, and authorities can verify sovereignty compliance across the entire spectrum of trustworthinessβfrom the baseline level 1 to the highest level 4βin a single, centralised location.
Detail
The Cloud and AI Development Act (CADA), as set out in the proposal COM(2026) 502 final, introduces a harmonised Union cloud computing sovereignty framework to mitigate strategic risks associated with reliance on third-country cloud providers. This framework defines four distinct tiers of trust, known as Union assurance levels, ranging from level 1 (baseline) to level 4 (highest sovereignty).
To ensure this framework is transparent and operational, CADA requires the creation of a unified public register. Article 22(1) of the proposal explicitly states:
"The Commission shall establish and maintain a dedicated repository of cloud computing services that have been recognised in accordance with Article 17 ('central repository')."
This repository is not restricted to the highest tiers of sovereignty. Instead, it serves as the comprehensive public ledger for all cloud computing services that have successfully undergone the recognition process for any of the four assurance levels.
How the Repository Covers All Four Tiers
The recognition process differs by level, but the outcomeβentry into the central repositoryβis unified. The text of the proposal makes no distinction that would exclude lower tiers from the register.
- Union Assurance Level 1: Providers demonstrate compliance through a conformity self-assessment and issue an EU statement of conformity (Article 19). Once recognised by the national competent authority of establishment (or automatically for SMEs under Article 17(3)), the service is registered in the central repository.
- Union Assurance Levels 2, 3, and 4: Providers must undergo independent third-party audits to obtain a 'positive' audit opinion (Article 20). Upon successful recognition by the national competent authority, these services are also registered in the central repository.
Article 22(2) reinforces this unified approach by stating that the national competent authority of establishment that recognises a cloud computing service under Article 17 "shall register the cloud computing service in the central repository." There is no exclusion for lower assurance levels; if a service is recognised as offering Union assurance level 1, 2, 3, or 4, it appears in the same system.
The Explanatory Memorandum: A Single Source of Truth
The explanatory memorandum clarifies the strategic intent behind this centralisation. It notes that the current landscape is characterised by fragmented national approaches and a lack of transparency regarding sovereignty. By establishing a single EU-wide repository, CADA aims to provide "market transparency" and allow contracting authorities to make informed purchasing decisions.
Specifically, Recital 57 of the proposal explains the repository's function:
"The establishment of a central repository of recognised Union-assured cloud computing services is necessary to facilitate the secure and efficient storage, access and exchange of relevant information between public sector customers of services offering Union assurance levels, auditing organisations, competent authorities and the Commission."
This centralisation ensures that a procurement officer in one Member State can verify the sovereignty status of a provider in another Member State without navigating disparate national registers. The repository will be publicly available and regularly updated by the Commission and national competent authorities on a dedicated website (Article 22(4)).
Revocation and Ongoing Transparency
The repository also serves as a critical tool for ongoing compliance and risk management. Article 22(3) specifies that the revocation of an audit report or recognition must be published in the central repository and remain available there for five years.
This applies to all assurance levels. If a provider fails to maintain the criteria for level 2, 3, or 4, or if their level 1 self-assessment is found to be incorrect, this change is reflected centrally. This historical record ensures that public bodies can see not just the current status of a service, but also any past non-compliance that led to a revocation.
What this means for you
For public-sector procurement officers and compliance teams, the CADA central repository will be your primary tool for verifying supplier compliance. Under Article 30, contracting authorities must procure cloud computing services that meet specific assurance levels based on their risk assessments:
- Level 1: Mandatory for public sector activities not identified as contributing to the preservation of public order.
- Levels 2, 3, or 4: Mandatory for activities identified as contributing to the preservation of public order (e.g., national security, defence, justice, law enforcement) based on the risk assessment outcomes under Article 29.
Because the repository lists all four tiers, you do not need to consult multiple sources or national databases. When drafting tender documents or evaluating bids, you can:
- Verify Eligibility: Check the repository to confirm that a bidder's service is recognised at the exact required assurance level. If your risk assessment mandates Level 3, you can verify the service is listed specifically as such, rather than just "sovereign."
- Check Status: Ensure the service has not been revoked or suspended. The repository will show the current status and any historical revocations for the past five years, providing a clear audit trail.
- Simplify Due Diligence: Instead of requesting extensive sovereignty documentation from every bidder, you can rely on the recognition status in the central repository as the primary evidence of compliance with the CADA sovereignty framework.
This streamlines procurement processes, reduces administrative burden, and ensures that public funds are spent on services that meet the EU's harmonised sovereignty standards.
Common misconceptions
Misconception 1: The repository only lists "sovereign" or high-assurance providers (Levels 3 and 4).
- Reality: The repository includes services recognised at Union assurance level 1 as well as levels 2, 3, and 4. Level 1 is the mandatory baseline for most public sector procurement, and these services are fully integrated into the central register.
Misconception 2: Providers self-list their services in the repository.
- Reality: Providers do not upload their own status. The national competent authority of establishment registers the service in the repository after granting recognition (Article 22(2)). This ensures an official, verified record rather than self-declared data.
Misconception 3: The repository is only for large enterprises.
- Reality: The repository covers all recognised providers, including SMEs. In fact, for Level 1, SMEs benefit from automatic recognition across Member States without prior national authority review (Article 17(3)), and their services are still registered in the central repository.
Misconception 4: Once listed, a service stays listed forever.
- Reality: Recognition is ongoing. If a provider fails to maintain compliance, the audit opinion or recognition can be revoked. These revocations are published in the repository and remain visible for five years (Article 22(3)), ensuring transparency about past non-compliance.
Related
- How public buyers verify CADA sovereignty claims against the central repository
- Why list in the CADA repository? Public procurement access & market advantage
- Who registers a cloud service in the CADA central repository?
- Who maintains the CADA central repository of cloud services?
- CADA Central Repository: Who can access it and is it public?
This is general information about a draft EU regulation, not legal advice.