Summary A cloud computing service provider cannot directly apply to be listed in the CADA central repository. Instead, the provider must first obtain formal recognition for its service under the Union assurance levels framework by submitting an application to its national competent authority of establishment, as required by Article 17. Once the competent authority issues a positive recognition decision, it is that authorityβ€”not the providerβ€”that registers the service in the central repository maintained by the Commission under Article 22. This listing is the mandatory prerequisite for the service to be procurable by public sector bodies under Article 30.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a strict, two-step governance process for a cloud service to become visible and procurable within the EU public sector. The central repository is not an open directory where providers can upload their profiles; it is a legally binding register of services that have passed a rigorous sovereignty and security assessment. Understanding this distinction is critical for providers aiming to win public contracts, as the mechanism separates the assessment of compliance from the publication of results.

Step 1: Obtain Recognition Under Article 17

The journey begins with the provider seeking recognition for its cloud computing service at a specific Union assurance level (Level 1, 2, 3, or 4). According to Article 17(1), a provider that aims to be recognised must submit an application to the "national competent authority of establishment." This is the authority in the Member State where the provider has its main establishment (head office or registered office), as defined in Article 25(4).

The evidence required for this application depends entirely on the assurance level sought:

  • For Union Assurance Level 1: The provider must carry out a conformity self-assessment under Article 19. Following this, the provider issues an "EU statement of conformity." Under Article 17(3), this statement and all necessary evidence are submitted to the evaluating national competent authority. Notably, for Small and Medium-sized Enterprises (SMEs), the proposal includes a significant derogation: their EU statement of conformity is "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority" (Article 17(3), second sub-paragraph).
  • For Union Assurance Levels 2, 3, and 4: The process is more stringent. The provider must undergo independent third-party audits under Article 20. Under Article 17(4), the provider submits the audit report, a "positive" audit opinion, and all evidence provided to the auditing organisation to the evaluating national competent authority.

Once the application is accepted, the evaluating national competent authority has 60 days to assess the evidence (Article 17(5)). It must either prepare a draft recognition decision and notify other Member States for a 60-day review period, request further information, or reject the request. If no reasoned objections are raised by other Member States during the review period, the evaluating authority adopts the recognition decision, and the service is recognised throughout the Union at the applicable assurance level (Article 17(7)).

Step 2: Registration in the Central Repository Under Article 22

Only after a service has been formally recognised can it be listed in the central repository. Article 22 establishes this repository, which is maintained by the European Commission. Crucially, the provider does not register itself.

Article 22(2) states explicitly: "The national competent authority of establishment that recognised a cloud computing service under Article 17 shall register the cloud computing service in the central repository."

This means the administrative burden of listing falls on the regulator, not the vendor. The repository serves as a "dedicated repository of cloud computing services that have been recognised in accordance with Article 17" (Article 22(1)). It is designed to be publicly available and regularly updated, providing a single source of truth for public procurers and auditing organisations (Article 22(4)). The repository also acts as a transparency mechanism: if a recognition is revoked or an audit opinion is withdrawn, this status must be published in the repository and remain available for five years (Article 22(3)).

The Link to Procurement Under Article 30

Why is this listing so important? Because Article 30 mandates that public sector bodies must procure from services listed in this repository. The repository effectively acts as the "whitelist" for public procurement.

  • Article 30(2) requires Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order to use services "recognised under Article 17 as having a Union assurance level 1."
  • Article 30(3) requires contracting authorities whose activities are identified as contributing to the preservation of public order (e.g., in national security, defence, or critical infrastructure) to "only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."

Without recognition under Article 17 and subsequent registration under Article 22, a provider is effectively invisible to public procurement processes governed by CADA. Article 30(4) allows for derogations only in exceptional cases where no recognised service is available in the central repository, reinforcing that the repository is the primary gatekeeper for market access.

What this means for you

As a cloud service provider or data centre operator, you cannot bypass the national competent authority. Your compliance strategy must focus on preparing for the audit and recognition process in your home Member State.

  1. Identify Your Competent Authority: Determine which national body in your Member State of establishment is designated as the competent authority under Article 25. You must engage with them early, as they hold the keys to the repository.
  2. Prepare for Audit (Levels 2-4): If you aim for higher assurance levels, budget for independent third-party audits. The auditing organisation must be independent and meet strict criteria under Article 20. Your cooperation with auditors, including providing access to data and premises, is mandatory (Article 20(2)).
  3. Maintain Transparency: Under Article 23, you must notify the auditing organisation and the competent authority of any material changes that could affect your audit report or recognition. Failure to do so could lead to the revocation of your recognition and removal from the central repository.
  4. SME Advantage: If you are an SME, leverage the streamlined process for Level 1 recognition. Your self-assessment statement is automatically recognised across the EU, saving you time and administrative costs compared to larger competitors seeking higher levels.

Common misconceptions

  • "I can sign up for the repository online." Incorrect. The repository is not a marketing platform. It is a legal register populated exclusively by national competent authorities based on formal recognition decisions. You cannot self-list.
  • "Recognition in one Member State is enough for local tenders only." Incorrect. Once recognised by the authority of your establishment, your service is recognised "throughout the Union" (Article 17(7)). The central repository ensures this EU-wide validity is visible to all procurers.
  • "I don't need to worry about the repository if I already have a cybersecurity certification." Incorrect. While cybersecurity certifications (like EUCS) may be part of the audit evidence for Levels 2-4, they do not automatically grant CADA recognition. You must still go through the Article 17 procedure and be registered under Article 22 to be procurable under Article 30.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.