Summary
As proposed, the Cloud and AI Development Act (CADA) does not establish a commercial "marketplace" or e-commerce platform where AI startups can list products for sale. Instead, it creates a central repository of cloud computing services that have been formally recognised as meeting specific Union assurance levels of sovereignty (Article 22). To appear in this repository, and thus become visible to public-sector buyers, a provider must undergo a conformity assessment or independent audit and be recognised by a national competent authority (Articles 17–20). Listing is a regulatory prerequisite for public procurement, not a marketing feature.
Detail
The proposed CADA framework distinguishes sharply between general commercial availability and the specific recognition required for public-sector procurement. The "marketplace" referenced in the proposal is not a digital storefront but a regulatory register of trusted services designed to reduce information asymmetry and ensure the availability of sovereign options for the public sector.
The Central Repository (Article 22)
The core mechanism for visibility under CADA is the central repository of cloud computing services. Article 22 mandates that the European Commission shall establish and maintain this dedicated repository. Its purpose is to facilitate the secure and efficient storage, access, and exchange of information between public-sector customers, auditing organisations, competent authorities, and the Commission.
Listing in this repository is not automatic; it is the final step in a rigorous recognition process:
- Recognition: A cloud computing service provider must submit an application for recognition to the national competent authority of its establishment (Article 17).
- Assessment: Depending on the desired assurance level, the provider must either issue an EU statement of conformity (Level 1, Article 19) or undergo independent third-party audits (Levels 2–4, Article 20).
- Registration: Once the national competent authority of establishment positively concludes the recognition procedure, it registers the cloud computing service in the central repository (Article 22(2)).
The repository will be publicly available and regularly updated on a dedicated, easily accessible website (Article 22(4)). This ensures transparency and allows public-sector buyers to identify services that meet the required sovereignty standards.
Union Assurance Levels and Recognition
To be listed, a service must be recognised as offering one of four Union assurance levels (Article 16). These levels represent increasing degrees of sovereignty, data localisation, and protection against third-country interference. The criteria for these levels are detailed in Annex II of the proposal.
- Union Assurance Level 1: Requires a conformity self-assessment by the provider. The provider issues an EU statement of conformity demonstrating compliance with criteria such as establishment in the Union and data remaining within the Union (Article 19). For SMEs, this statement is directly and automatically recognised in all Member States without prior recognition by the evaluating national competent authority (Article 17(3)).
- Union Assurance Levels 2, 3, and 4: Require independent third-party audits. The provider must submit an audit report and a "positive" audit opinion to the evaluating national competent authority (Article 17(4)). These levels impose stricter criteria, including requirements for personnel citizenship, cybersecurity certification, and separation from third-country control.
For example, Level 2 requires that infrastructure, assets, and personnel be located in the Union, and that customer data remain exclusively within the Union unless explicitly required otherwise by the public sector body. Levels 3 and 4 introduce further requirements regarding Union citizenship for personnel and higher cybersecurity certification levels ("substantial" for Level 3, "high" for Level 4).
Transparency Obligations (Article 23)
Listing in the repository is not a one-time event. Providers have ongoing transparency obligations under Article 23. If a recognised provider becomes aware of any material change in circumstances that may affect the audit report, the "positive" opinion, or the recognition itself, it must notify the auditing organisation and the national competent authority of establishment as soon as possible.
If the auditing organisation or competent authority amends or revokes the audit report or recognition based on this notification, the change must be published in the central repository. Revocations remain available in the repository for five years (Article 22(3)). This ensures that the repository remains an accurate and up-to-date source of truth for public-sector buyers, preventing them from procuring services that no longer meet the required standards.
Visibility to Public-Sector Buyers
The primary audience for the central repository is the public sector. Article 30 mandates that contracting authorities must procure cloud computing services that have been recognised under Article 17. Specifically:
- Entities whose activities have not been identified as contributing to the preservation of public order must use services recognised as having Union assurance level 1.
- Entities whose activities contribute to the preservation of public order (e.g., national security, defence, law enforcement) must procure services recognised as having Union assurance levels 2, 3, or 4.
Therefore, listing in the repository is effectively a prerequisite for accessing the public procurement market for cloud and AI services in the EU. It signals to buyers that the service meets the minimum sovereignty and security standards required by law. Without this listing, a provider cannot legally supply cloud services to public bodies for activities deemed relevant to public order.
What this means for you
For AI startups and cloud service providers, "listing on the CADA marketplace" means navigating the recognition process to achieve Union assurance status. This is a strategic compliance exercise rather than a simple registration.
- Assess Your Eligibility: Determine which Union assurance level your service can meet. Level 1 is the baseline and may be achievable through self-assessment, particularly for SMEs. Higher levels require significant operational changes, such as ensuring all infrastructure and personnel are located in the Union and obtaining specific cybersecurity certifications.
- Engage with National Competent Authorities: You must apply for recognition through the national competent authority of your establishment. Start preparing your documentation early, including evidence of compliance with Annex II criteria.
- Prepare for Audits (Levels 2–4): If targeting higher assurance levels, engage an accredited auditing organisation. Ensure your technical architecture, data flows, and supply chain are auditable. Note that for Levels 2–4, the audit must result in a "positive" opinion.
- Maintain Ongoing Compliance: Establish internal processes to monitor for material changes that could affect your recognition status. Promptly report these changes to avoid revocation and removal from the repository.
- Market Your Recognition: Once listed, use your Union assurance status as a key differentiator in public procurement tenders. Article 32 allows contracting authorities to include non-price award criteria that evaluate a tenderer's contribution to the European cloud and AI ecosystem, which can favour recognised sovereign providers.
Common misconceptions
"CADA creates a digital storefront for AI products." No. CADA creates a regulatory register of cloud computing services that meet sovereignty standards. It is not a general AI product marketplace where startups can upload software for sale. The repository lists services that have passed a sovereignty assessment.
"All AI startups can list immediately." No. Only providers that have successfully completed the conformity assessment or audit process and been recognised by a national competent authority can be listed. This process involves legal, technical, and operational verification.
"Listing is optional for private-sector sales." While the repository is primarily designed for public-sector procurement, private-sector entities in critical sectors (e.g., those subject to NIS2) may also look to this registry as a benchmark for trust and sovereignty. However, the legal obligation to procure from the repository applies specifically to public contracting authorities.
"Recognition is permanent." No. Recognition is subject to ongoing transparency obligations under Article 23. If a provider fails to report material changes or loses compliance, the recognition can be amended or revoked, and the service removed from the repository.
This is general information about a draft EU regulation, not legal advice.