Summary

The Gaia-X label is a voluntary, industry-governed certification with no statutory legal weight under the proposed Cloud and AI Development Act (CADA). CADA recognition, by contrast, would be a legally binding status granted by a national competent authority under Article 17 — the gateway to public procurement under Article 30. As proposed, a Gaia-X label alone would not satisfy CADA's mandatory sovereignty requirements for public-sector contracts. CADA is still a proposal and the text may change.

Detail

As the EU moves to strengthen its cloud and AI ecosystem through the proposed CADA, a clear line emerges between existing industry-led trust frameworks and the new statutory regime. For in-house counsel and compliance officers, understanding the difference between the Gaia-X label and CADA Union assurance recognition is essential for navigating the proposed procurement obligations.

The Gaia-X label: voluntary and self-governed

The Gaia-X label is a certification scheme governed by the Gaia-X Association, a non-profit comprising industry stakeholders, Member States and the Commission, aimed at fostering interoperability and trust in the European data ecosystem. Providers apply by demonstrating compliance with codes of conduct and technical standards set by the association.

It is a market-driven, voluntary instrument. It is not established by EU regulation, nor enforced by national regulators. While it signals a commitment to certain sovereignty and security principles, under the proposed CADA it would hold no statutory standing as proof of sovereignty: it could not satisfy the mandatory assurance levels required for public-sector procurement, nor confer any legal presumption of compliance with the Union cloud computing sovereignty framework.

CADA recognition: statutory and legally binding

CADA, as proposed, would establish a mandatory, harmonised Union cloud computing sovereignty framework comprising four Union assurance levels (Article 16), with criteria in Annex II.

Recognition by national competent authorities (Article 17). A provider seeking recognition would apply to the national competent authority of its establishment, which acts as the evaluating authority. This is not a simple self-declaration for the higher levels:

  • Level 1: the provider self-assesses and issues an EU statement of conformity (Article 19). For SMEs, that statement is "directly and automatically recognised in all Member States" without prior recognition by the evaluating authority (Article 17(3)); other providers submit the statement and necessary evidence to the evaluating authority.
  • Levels 2, 3 and 4: the provider must undergo an independent third-party audit and submit the audit report, a "positive" audit opinion (Article 20) and the underlying evidence to the evaluating authority (Article 17(4)).

Under Article 17(5), within 60 days of accepting an application the evaluating authority assesses the evidence and either prepares a draft recognition decision — notifying the other Member States' authorities for a 60-day review period to confirm the recognition across the Union — or requests further information (suspending the clock), or rejects the application. If no reasoned objections are raised during the review period, the service is recognised throughout the Union at the applicable level. The result is recorded in the Commission's central repository (Article 22), giving buyers transparency and legal certainty.

Procurement rights and obligations (Article 30)

The practical weight of CADA recognition appears in Article 30, which links recognised status to procurement:

  • Default. Under Article 30(2), Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use services recognised as having at least Union assurance level 1.
  • Public-order activities. Under Article 30(3), contracting authorities whose activities are identified as contributing to the preservation of public order — in sectors under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555), or in national security, internal security, external border management, defence, justice or law enforcement — must only procure services recognised at Union assurance level 2, 3 or 4.

A provider holding only a Gaia-X label, without the corresponding CADA recognition, would be outside these procurement pools. The Gaia-X label is not an alternative compliance path. Article 30(4) allows narrow, duly justified derogations (for example, where no recognised service can supply the requirement), but these are exceptional and do not validate the Gaia-X label as a substitute.

Penalties and enforcement

CADA's legal weight is reinforced by enforcement. Under Article 24, Member States must lay down penalties for provider infringements of the sovereignty framework that are "effective, proportionate and dissuasive," taking into account factors such as the nature, gravity, scale and duration of the infringement and the provider's annual turnover. Article 24(3) gives recipients of cloud services a right to seek compensation for damage or loss suffered due to a provider's infringement of its obligations under the framework.

What this means for you

For in-house counsel and compliance officers, the move to CADA implies a shift from voluntary certification to statutory compliance.

  1. Audit your current stack. If you rely on a Gaia-X label as a primary trust signal for public-sector or critical-infrastructure clients, assess now whether your providers are pursuing CADA recognition. The label alone would not satisfy Article 30 once CADA applies.
  2. Track authority designations. Member States would designate national competent authorities within one year of entry into force (Article 25). Identify which authority is responsible for your provider's establishment, as that drives the recognition pathway under Article 17.
  3. Plan for audit cost and time. For levels 2–4, the independent audit (Article 20) and the 60-day review period (Article 17) add cost and time. Budget accordingly and reflect it in negotiation timelines.
  4. Review contractual warranties. Update SLAs and master agreements to warrant that the provider maintains valid CADA recognition, and address revocation — Article 23 requires providers to notify material changes affecting their status.
  5. Prepare for risk assessments. Public-sector buyers must run risk assessments (Article 29) to set the required level. As a provider, be ready to supply the technical and legal evidence, particularly on third-country control and data sovereignty.

Common misconceptions

  • "The Gaia-X label is sufficient for public contracts." No. Article 30 ties procurement to CADA Union assurance levels; the Gaia-X label is not named in the CADA text as a valid compliance mechanism.
  • "Self-certification is enough for all providers." Only level 1 allows self-assessment (with automatic cross-border recognition for SMEs). Levels 2, 3 and 4 require independent audits and formal recognition (Articles 17 and 20).
  • "CADA recognition is a one-time event." No. Providers must notify material changes (Article 23), and the audit report and opinion for levels 2–4 must be submitted annually for review (Article 20(8)). Recognition can be amended or revoked.
  • "Gaia-X will simply be absorbed into CADA." CADA would establish a distinct statutory framework. There may be technical alignment, but the legal mechanisms (recognition by authorities vs association certification) remain separate; CADA recognition carries legal force, Gaia-X does not.

This is general information about a draft EU regulation, not legal advice.