Summary
As proposed, the Cloud and AI Development Act (CADA) would establish a central, public repository of cloud computing services recognised as meeting specific Union assurance levels (Article 22). Small and medium-sized enterprises (SMEs) can use this freely accessible register to identify providers that have already undergone rigorous auditing or conformity self-assessment. This transparency significantly lowers the cost of vendor due diligence, allowing SMEs to verify that their chosen cloud services comply with the sovereignty and security standards required for public-sector contracts without needing expensive internal legal teams.
Detail
The Cloud and AI Development Act (CADA), as set out in the proposal COM(2026) 502 final, aims to strengthen Europe's cloud and AI ecosystem by reducing dependencies on third-country providers and ensuring operational autonomy. A cornerstone of this framework is the creation of a centralised, transparent mechanism for verifying the sovereignty and security of cloud computing services. For SMEs, who often lack the extensive legal, technical, and financial resources of larger corporations, this mechanism offers a streamlined, cost-effective way to identify compliant providers and compete for public contracts.
The Central Repository of Recognised Services
Under Article 22 of the CADA proposal, the European Commission would establish and maintain a dedicated repository of cloud computing services that have been recognised in accordance with Article 17. This repository serves as the single source of truth for which services have met the Union's sovereignty criteria.
The process of entering this repository is rigorous. A cloud computing service provider must first seek recognition from the national competent authority of its establishment. Depending on the desired level of assurance, this involves either a conformity self-assessment for the baseline level or an independent third-party audit for higher tiers. Once a national competent authority grants recognition, it is obligated to register the service in the central repository (Article 22(2)). This ensures that the list is not merely a self-declared directory but a verified registry of services that have passed EU-level scrutiny.
Public Access and Transparency: A Game Changer for SMEs
A critical feature of this repository for SMEs is its universal accessibility. Article 22(4) explicitly states that "the central repository shall be publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website."
This public availability means that any entity, including an SME, can access the list of recognised services without needing special permissions, security clearances, or paying fees. The repository is not a private database reserved for government auditors; it is a transparency tool designed to inform the entire market. By making this information public, CADA aims to reduce information asymmetry between large incumbents and smaller providers, as well as between public buyers and their suppliers. For an SME, this means it can instantly check whether a potential vendor is recognised, rather than waiting months for a custom audit or relying on marketing claims.
Understanding Union Assurance Levels in the Repository
The repository categorises services based on four "Union assurance levels" (Levels 1 through 4), as defined in Annex II of the proposal. These levels represent different degrees of sovereignty, data localisation, and control over third-country influence. The repository allows users to filter or search by these levels to find the right fit for their needs.
- Union Assurance Level 1: Requires a conformity self-assessment by the provider. It serves as the baseline for most public sector procurement where no specific public order risk has been identified.
- Union Assurance Levels 2, 3, and 4: Require independent third-party audits and meet increasingly strict criteria regarding data localisation, personnel citizenship, and the absence of third-country control.
When an SME searches the repository, it can see which assurance level a provider has achieved. This allows the SME to quickly determine whether a provider is eligible for specific types of public sector contracts. For example, if a public authority requires a service for an activity deemed to have "public order relevance" (such as law enforcement or defence), it may only procure from providers recognised at Level 2, 3, or 4 (Article 30(3)). An SME bidding for such a contract can use the repository to verify that its cloud provider meets this threshold before submitting a tender, avoiding disqualification due to non-compliant infrastructure.
Lowering the Cost of Due Diligence
For SMEs, conducting thorough due diligence on cloud providers is often prohibitively expensive. Assessing whether a provider's infrastructure is located in the Union, whether their data remains exclusively within the Union, and whether they are subject to third-country control requires significant legal and technical expertise. SMEs typically cannot afford to hire external auditors to verify these complex sovereignty criteria for every potential vendor.
The CADA repository mitigates this burden significantly. By providing a verified list of compliant services, it allows SMEs to bypass much of the initial investigative work. Instead of spending resources auditing a provider's compliance with complex sovereignty criteria, an SME can check the repository to see if the provider is already recognised. This "trust but verify" approach, backed by EU-wide regulatory oversight and independent audits, significantly reduces transaction costs and legal risk for smaller businesses. It effectively outsources the heavy lifting of compliance verification to the national competent authorities and auditing organisations, making the market more accessible to agile, smaller players.
Revocation and Updates: Ensuring Reliability
The repository is dynamic, not static. If a provider's compliance is compromised, the recognition can be revoked. Article 22(3) specifies that "the revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years."
This ensures that the public record remains accurate and that SMEs become aware if a provider they rely on has lost its recognised status. Because the repository is regularly updated, the information it contains is current. This transparency protects SMEs from inadvertently using a service that has fallen out of compliance, which could jeopardise their own contracts with public authorities.
What this means for you
For public-sector procurement officers and the SMEs they engage with, the CADA repository represents a shift towards standardised, transparent compliance verification.
For Procurement Officers:
- Simplified Tendering: You can specify in tender documents that bidders must use cloud services recognised in the CADA central repository at a specific Union assurance level. This ensures that all suppliers are working with vetted, sovereign infrastructure.
- Risk Mitigation: By relying on the central repository, you reduce the risk of inadvertently procuring services that do not meet the sovereignty requirements set out in Article 29 and Article 30.
- Supporting SMEs: By mandating the use of the repository, you lower the barrier to entry for SMEs. They no longer need to prove sovereignty from scratch; they simply need to demonstrate that their provider is listed in the repository. This fosters a more competitive and diverse supply chain.
For SMEs:
- Market Access: Use the repository to identify cloud providers that are already compliant with public sector requirements. This allows you to bid for public contracts with confidence that your infrastructure choices meet the necessary criteria.
- Cost Efficiency: Reduce the legal and technical costs associated with vendor due diligence. Instead of conducting your own sovereignty audits, rely on the EU-recognised status of your provider.
- Competitive Advantage: Partnering with a provider that holds a high Union assurance level (e.g., Level 3 or 4) can be a differentiator in tenders for critical public services, such as healthcare or justice, where higher levels of data protection and operational autonomy are required.
Common misconceptions
Misconception 1: The repository is only for public authorities. While the repository is primarily used by public authorities to enforce procurement rules under Article 30, Article 22(4) explicitly states that the repository is publicly available. SMEs and private companies can and should use it to verify their providers' compliance status, especially if they supply the public sector or wish to ensure their own supply chain resilience.
Misconception 2: Being in the repository means the service is "sovereign" in all contexts. The repository lists services by their Union assurance level. A service recognised at Level 1 may not be sufficient for high-risk public order activities, which may require Level 2, 3, or 4. Users must check the specific assurance level and ensure it matches the risk assessment requirements of their specific use case (Article 29).
Misconception 3: The repository replaces the need for contractual safeguards. While the repository provides evidence of compliance with CADA's sovereignty criteria, it does not replace other contractual obligations, such as those under the GDPR or the Data Act. SMEs should still ensure that their contracts with cloud providers address all relevant data protection and interoperability requirements.
Misconception 4: Only EU-based providers can be in the repository. While the providers must be established in the Union, the criteria for higher assurance levels (particularly Level 3) allow for the possibility of third-country providers being audited if specific conditions are met and the Commission adopts an implementing act recognising the third country (Article 18). However, the vast majority of recognised services will likely be from providers established in the EU.
This is general information about a draft EU regulation, not legal advice.