Summary
Under the proposed Cloud and AI Development Act (CADA), a single cloud service may be subject to three distinct regulatory audit regimes: the European Cybersecurity Certification Scheme for Cloud Services (EUCS) for technical security, the Digital Operational Resilience Act (DORA) for financial sector resilience, and CADA's new sovereignty framework for public order and autonomy. Crucially, CADA does not replace these regimes but layers a sovereignty-specific audit on top of them. Article 19 mandates a conformity self-assessment for Union Assurance Level 1, while higher levels (2, 3, and 4) require independent third-party audits against the sovereignty-specific criteria in Annex II. The proposal explicitly envisages leveraging EUCS as the technical baseline for CADA's higher assurance levels, meaning providers must hold a valid EUCS certificate (at least 'substantial' for Levels 2/3 and 'high' for Level 4) to pass the CADA audit.
Detail
The EU's regulatory landscape for cloud computing is evolving from fragmented national approaches to a harmonised, multi-layered framework. For cloud service providers (CSPs), this creates a complex compliance environment where technical security, financial resilience, and geopolitical sovereignty intersect. The proposed CADA introduces a "Union cloud computing sovereignty framework" comprising four assurance levels (Article 16), which sits alongside existing regimes like EUCS and DORA. Understanding how these audits combine is critical for providers aiming to serve public sector bodies or critical infrastructure.
The Three Distinct Audit Regimes
While these regimes may overlap in scope, they serve different legal purposes and assess different risk dimensions.
- EUCS (Technical Cybersecurity): The European Cybersecurity Certification Scheme for Cloud Services, developed under the Cybersecurity Act (Regulation (EU) 2019/881), focuses on technical security controls. It provides assurance levels ('basic', 'substantial', 'high') based on the robustness of security measures, such as data protection, incident management, and physical security. It addresses how secure the service is against cyber threats.
- DORA (Financial Resilience): The Digital Operational Resilience Act applies to financial entities and their critical ICT third-party providers. It mandates ICT risk management, incident reporting, and resilience testing. DORA audits focus on operational continuity and risk mitigation specifically within the financial sector. It addresses how resilient the service is to disruptions.
- CADA (Sovereignty and Public Order): CADA's audit framework, detailed in Title IV, addresses non-technical sovereignty risks. It is the only regime that explicitly mandates "Union assurance levels" based on criteria in Annex II, such as the absence of third-country control over hardware or software supply chains, data localisation, and the citizenship of personnel. It addresses who controls the service and whether it can be forced to comply with foreign laws.
CADA Article 19: The Sovereignty Self-Assessment for Level 1
A common point of confusion is the audit requirement for the baseline level. Article 19 of the proposal establishes the mechanism for Union Assurance Level 1, which serves as the minimum baseline for public sector procurement.
- Self-Assessment Responsibility: Under Article 19(1), CSPs seeking recognition for Level 1 must carry out a conformity self-assessment of compliance with the criteria in Annex II. This is a provider-led process, not an external audit.
- EU Statement of Conformity: Following this self-assessment, the provider issues an EU statement of conformity (Article 19(2)). By issuing this statement, the provider assumes full responsibility for demonstrating that the service meets Level 1 criteria, such as being established in the Union and keeping infrastructure and assets within the Union (unless explicitly required otherwise by the public sector body).
- Public Availability: The provider must make this EU statement of conformity publicly available (Article 19(3)).
- Automatic Recognition for SMEs: Notably, Article 17(3) provides a derogation for Small and Medium-sized Enterprises (SMEs): their EU statement of conformity is directly and automatically recognised in all Member States without prior recognition by a national competent authority.
For Level 1, there is no mandatory third-party audit under CADA. However, this self-assessment must coexist with any EUCS or DORA obligations the provider already holds. A provider cannot claim Level 1 if it fails to meet the basic establishment and data localisation criteria, even though no third-party audit is required to verify them.
Leveraging EUCS Within CADA for Higher Assurance Levels
For Union Assurance Levels 2, 3, and 4, the requirements escalate significantly. Article 20 mandates independent third-party audits against the sovereignty-specific criteria in Annex II. The proposal explicitly links these sovereignty audits to EUCS to avoid duplication and ensure technical rigour.
- EUCS as a Prerequisite: Annex II is clear on this dependency.
  - Level 2: Requires the audited service to obtain a European cybersecurity certificate of at least assurance level 'substantial' under EUCS (Annex II, Section 2.1(e)).
  - Level 3: Similarly requires a certificate of at least assurance level 'substantial' (Annex II, Section 3.1(e)).
  - Level 4: Requires a certificate of at least assurance level 'high' (Annex II, Section 4.1(e)).
- Integration of Audits: This means a CSP cannot achieve CADA Level 2, 3, or 4 without first holding the corresponding EUCS certificate. The CADA audit (under Article 20) then focuses on the additional sovereignty criteria in Annex II that EUCS does not cover, such as:
  - Ensuring personnel are Union citizens (mandatory for Levels 3 and 4, conditional for Level 2) (Annex II, Sections 2.1(d), 3.1(d), 4.1(d)).
  - Proving no third-country control over the provider or its subcontractors (Annex II, Sections 2.1(g), 3.1(g), 4.1(g)).
  - Demonstrating that customer data is not used to train AI systems operated by third countries (Annex II, Sections 2.1(f), 3.1(f), 4.1(f)).
  - Verifying that technical support is performed exclusively within the Union by Union residents (Annex II, Sections 2.1(h), 3.1(h), 4.1(h)).
- Transitional Arrangements: Until the EUCS scheme is fully established and available, Annex II allows for national cybersecurity certification schemes to be used, or for providers to demonstrate compliance with the highest cybersecurity standards under applicable Union law. However, once EUCS is operational, it becomes the mandatory technical baseline for CADA sovereignty recognition.
DORA's Role in the Mix
DORA operates in parallel, primarily targeting the financial sector. While DORA does not mandate a specific "sovereignty" audit, its requirements for ICT third-party risk management often overlap with CADA's sovereignty concerns, particularly regarding operational continuity.
- Complementary, Not Conflicting: DORA focuses on the resilience of the service (e.g., can it withstand a cyberattack? does it have a business continuity plan?). CADA focuses on the trustworthiness and autonomy of the service (e.g., is the provider subject to foreign laws that could force data disclosure or service disruption?).
- Audit Efficiency: A CSP serving financial entities will likely undergo DORA audits for its ICT risk management systems. When undergoing a CADA audit for Level 2 or higher, the auditor will likely review DORA compliance evidence as part of the broader assessment of operational resilience. For instance, proving that service continuity cannot be disrupted by third-country interference (Annex II, Section 2.1(g)(iii)) often relies on the same business continuity and incident response documentation used for DORA.
The Combined Audit Process
For a CSP aiming for CADA Level 3 (often required for critical public sector activities like law enforcement or defence), the audit process would effectively integrate three layers:
- EUCS Audit: An accredited body audits the CSP against the EUCS scheme for the 'substantial' assurance level. This covers technical security controls.
- CADA Sovereignty Audit: An independent auditing organisation (selected by the CSP, per Article 20) conducts an audit against Annex II. This auditor verifies:
  - The EUCS certificate is valid and meets the required level.
  - The CSP is not subject to third-country control (checking ownership structures, board composition, and legal dependencies).
  - All infrastructure, assets, and personnel are located in the Union.
  - Software supply chain measures are in place (e.g., SBOMs, source code audits, migration plans).
  - Personnel are Union citizens (or meet the conditional requirements for Level 2).
- DORA Review (if applicable): If the CSP serves financial entities, DORA regulators may review the same ICT risk management documentation used in the EUCS and CADA audits, reducing the burden of duplicate evidence collection.
The CADA audit report must include a 'positive' audit opinion confirming compliance with all cumulative criteria in Annex II (Article 20(5)). This opinion, combined with the EUCS certificate, forms the basis for recognition by the national competent authority (Article 17(4)).
What this means for you
For cloud service providers and data centre operators, the convergence of these regimes means you must prepare for integrated audit readiness.
- Map Your Controls: Create a control matrix that maps your existing EUCS and DORA controls to the CADA Annex II criteria. Identify gaps where sovereignty-specific evidence is needed (e.g., proof of Union citizenship for staff, legal analysis of third-country control, migration plans for third-country software).
- Prepare for Self-Assessment (Level 1): If you only target Level 1, ensure your internal processes can robustly support the EU statement of conformity required by Article 19. Document your self-assessment thoroughly, as national competent authorities may request the underlying evidence. Remember, SMEs benefit from automatic recognition.
- Engage Early with Auditors: For Levels 2–4, select auditing organisations that have expertise in both cybersecurity (EUCS) and legal/sovereignty issues. The CADA audit is not just technical; it involves deep legal due diligence on ownership, control, and personnel citizenship.
- Leverage DORA Compliance: If you are a critical ICT third-party provider under DORA, use your DORA documentation to support your CADA audit, particularly for operational resilience and incident management criteria. Ensure your business continuity plans explicitly address the risk of third-country interference, as this is a specific CADA requirement.
- Monitor EUCS Status: Keep a close watch on the adoption of the EUCS scheme. Until it is fully operational, you may rely on national schemes, but once EUCS is live, it will be a mandatory prerequisite for CADA Levels 2, 3, and 4.
Common misconceptions
- Misconception: CADA replaces EUCS.
- Reality: CADA leverages EUCS. You cannot get a CADA Level 2, 3, or 4 without the corresponding EUCS certificate. They are complementary, not mutually exclusive. EUCS covers the technical security; CADA covers the sovereignty.
- Misconception: DORA covers sovereignty.
- Reality: DORA covers operational resilience and ICT risk management. It does not address third-country control, data localisation, or supply chain autonomy in the way CADA does. You still need CADA compliance for public sector contracts involving public order.
- Misconception: Article 19 requires a third-party audit.
- Reality: Article 19 is for Union Assurance Level 1 and requires only a conformity self-assessment and an EU statement of conformity. Third-party audits are only mandatory for Levels 2, 3, and 4 under Article 20.
- Misconception: CADA audits are purely technical.
- Reality: While they rely on technical evidence (like EUCS), CADA audits are heavily legal and geopolitical, focusing on ownership structures, citizenship, and the absence of third-country control.
This is general information about a draft EU regulation, not legal advice.