Summary

No, the CADA central repository does not replace national cloud certification lists or existing cybersecurity certification schemes like the European Cybersecurity Certification Scheme for Cloud Services (EUCS). As proposed in Article 22, the repository serves as a single, EU-wide register specifically for cloud computing services that have been formally recognised as meeting CADA's "Union assurance levels" (1 through 4).

National certification lists remain relevant for general cybersecurity compliance and private-sector vendor risk management. The CADA repository focuses exclusively on sovereignty and public order assurance. The two systems are complementary: a service may hold national or EUCS certifications, but it only appears in the CADA repository if it has successfully undergone the specific CADA recognition process (self-assessment for Level 1, or independent audit for Levels 2–4) and been registered by the national competent authority.

Detail

To understand why the CADA central repository does not replace national lists, it is necessary to distinguish between cybersecurity certification and sovereignty assurance. The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a new framework focused on reducing dependencies on third-country providers and ensuring operational autonomy for the public sector. This framework relies on four "Union assurance levels," each with specific criteria detailed in Annex II of the proposal.

The Role of Article 22: A Register of Recognition, Not Certification

Article 22 of the CADA proposal mandates the establishment of a "central repository of cloud computing services." This repository is not a certification body itself; rather, it is a transparency and verification tool. Its primary function is to list cloud computing services that have been recognised as offering a specific Union assurance level (1, 2, 3, or 4) across the entire Union.

Under Article 22(1), the Commission is tasked with establishing and maintaining this dedicated repository. The entry of a service into this repository is not automatic upon obtaining a cybersecurity certificate. Instead, it is the final step in a recognition process managed by national competent authorities.

  • For Union Assurance Level 1: Providers perform a conformity self-assessment and issue an EU statement of conformity (Article 19). For Small and Medium-sized Enterprises (SMEs), this statement is directly and automatically recognised in all Member States without prior recognition by a national competent authority (Article 17(3)). However, for non-SMEs, the national competent authority of establishment must still assess the evidence and prepare a draft recognition decision.
  • For Union Assurance Levels 2, 3, and 4: Providers must undergo independent third-party audits (Article 20). Upon receiving a "positive" audit opinion, the provider submits an application for recognition to the national competent authority of establishment (Article 17(1)).

Article 22(2) explicitly states that the national competent authority that recognised the cloud computing service under Article 17 must register it in the central repository. Therefore, the repository reflects the outcome of a legal recognition process, not just a technical certification. It acts as the single source of truth for public procurers seeking services that meet the sovereignty criteria required under Article 30.

Relationship to EUCS and National Cybersecurity Schemes

The CADA proposal explicitly distinguishes its sovereignty framework from existing cybersecurity regulations, particularly the Cybersecurity Act and the forthcoming European Cybersecurity Certification Scheme for Cloud Services (EUCS).

Recital 6 of the CADA proposal notes that while the Cybersecurity Act addresses supply chain risks and EUCS addresses technical cybersecurity, neither covers "non-technical risks" such as sovereignty (including data sovereignty) and operational continuity in the face of third-country interference. CADA is intended to fill that gap.

Consequently, holding an EUCS certificate or a national cybersecurity certification does not by itself grant a place in the CADA repository. These certifications are, however, prerequisites for the higher Union assurance levels:

  • Level 2 and 3: Annex II (2.1(e) and 3.1(e)) requires the audited service to obtain a European cybersecurity certificate of at least assurance level 'substantial' under a scheme like EUCS, or a national scheme if EUCS is not yet available.
  • Level 4: Annex II (4.1(e)) requires a certificate of at least assurance level 'high'.

Thus, a provider may hold both a national cybersecurity certificate and an EUCS certificate and still not appear in the CADA repository if it has not applied for and received CADA recognition. Conversely, a service listed in the CADA repository will typically hold underlying cybersecurity certifications, but its presence in the repository signals that it has also met the sovereignty-specific criteria (e.g., data localisation, personnel citizenship, absence of third-country control).

Why National Lists Persist

National cloud certification lists serve different purposes than the CADA repository:

  1. Scope: National lists often cover a broader range of security standards, local data protection nuances, and specific sectoral requirements (e.g., healthcare or finance) that go beyond the four-tier sovereignty model of CADA.
  2. Pre-CADA Era: Many national lists existed before CADA was proposed. CADA does not abolish national laws that are more protective or address different risks.
  3. Private Sector Use: While CADA's procurement obligations (Article 30) apply strictly to public sector bodies and Union entities, private companies may still rely on national certifications for their own vendor risk management, independent of CADA's assurance levels.

What this means for you

For CTOs, architects, and SMEs evaluating the practical impact of CADA, the distinction between the central repository and national lists is critical for procurement strategy and compliance planning.

1. Procurement Due Diligence

If you are a public sector body or a Union entity, Article 30 mandates that you procure cloud services based on the Union assurance level determined by your risk assessment (Article 29). The CADA central repository (Article 22) will be your primary source of truth for verifying which providers are legally recognised to meet these levels.

  • Action: Do not assume a provider is CADA-compliant just because they appear on a national cybersecurity list. You must verify their presence in the CADA central repository.
  • Action: If you are a private-sector entity within the scope of NIS2, CADA's impact assessment is voluntary for you (Article 31), but the repository still offers a harmonised view of sovereignty compliance that can simplify vendor vetting.

2. Provider Compliance Strategy

For cloud providers, especially SMEs, the path to the repository differs:

  • SMEs: If you aim for Union Assurance Level 1, you can issue an EU statement of conformity, which is automatically recognised across the Union (Article 17(3)). You may therefore not need a recognition decision from a national competent authority, but your service must still be registered in the central repository to be discoverable by public buyers.
  • Non-SMEs & Higher Levels: You must engage with the national competent authority of your establishment. Ensure your technical and legal structures meet the cumulative criteria in Annex II, including cybersecurity certifications (EUCS or national).

3. Technical Architecture and Data Locality

The repository is a legal register, not a technical API for service discovery. The criteria behind Levels 2–4 (Annex II) nevertheless impose concrete constraints on where data, infrastructure and personnel may be located, so they shape architecture decisions well before any recognition application is filed.

  • Architects: For Levels 2–4, design your cloud stack so that infrastructure, assets and personnel are located exclusively within the Union. A national certification does not substitute for these sovereignty criteria: failing them prevents entry into the CADA repository, which effectively excludes you from public procurements that require those assurance levels.

Common misconceptions

Misconception 1: "If I have an EUCS certificate, I am automatically in the CADA repository."

  • Correction: No. EUCS addresses cybersecurity; CADA addresses sovereignty. You must separately apply for CADA recognition (Article 17) and meet the specific sovereignty criteria (Annex II). A cybersecurity certificate of the required assurance level is a prerequisite for Levels 2–4, but it is not the recognition itself.

Misconception 2: "The CADA repository replaces all national cloud trust marks."

  • Correction: CADA creates a harmonised Union framework for public procurement. It does not invalidate national schemes that may offer additional protections or address different risks. National lists may continue to exist for private sector use or for national-specific regulatory requirements.

Misconception 3: "Listing in the repository guarantees unlimited data transfer rights."

  • Correction: Listing confirms that the service met the criteria of its assurance level at the time of recognition. It does not override the GDPR or other data protection law, and it says nothing about cross-border transfer rights. Providers must report material changes that could affect their status (Article 23), and the competent authority can revoke recognition if the criteria are no longer met.

Misconception 4: "SMEs are exempt from the repository."

  • Correction: SMEs benefit from simplified recognition for Level 1 (automatic recognition of their self-assessment), but their services must still be registered in the central repository (Article 22) to be visible to public buyers. The repository is the mechanism that ensures transparency and trust across the Union.

This is general information about a draft EU regulation, not legal advice.