How do I apply for CADA recognition step by step?

Summary As proposed in the Cloud and AI Development Act (CADA), cloud computing service providers apply for sovereignty recognition by submitting an application to the national competent authority (NCA) of their establishment, as outlined in Article 17(1). The process varies significantly by assurance level: Level 1 requires a self-assessment and an EU statement of conformity (Article 19), while Levels 2–4 require an independent third-party audit and a "positive" audit opinion (Article 20). Following submission, the evaluating NCA has 60 days to assess the evidence and draft a recognition decision, which then enters a mandatory 60-day cross-border review period among other Member States under Article 17(5) and (6). Crucially, SMEs applying for Level 1 benefit from automatic recognition across the Union without prior NCA approval, per Article 17(3).

Detail

The proposed CADA establishes a harmonised Union cloud computing sovereignty framework comprising four assurance levels. To operate in the EU public sector, providers must be formally recognised at one of these levels. The application and recognition procedure is strictly defined in Article 17, supported by the conformity assessment rules in Article 19 and the independent audit requirements in Article 20.

This guide breaks down the procedural journey from identifying the correct authority to achieving Union-wide recognition, highlighting the distinct pathways for different assurance levels and the specific protections for small and medium-sized enterprises (SMEs).

Step 1: Identify the Competent Authority of Establishment

The first and most critical step is determining the correct jurisdiction for your application. Under Article 17(1), a cloud computing service provider aiming to be recognised as offering a Union assurance level must submit an application for recognition to the national competent authority of establishment.

CADA defines the "competent authority of establishment" with precision in Article 25(4). It is the authority in the Member State where the cloud computing service provider has its main establishment. This is defined as the location where the provider has its head office or registered office from which the principal financial functions and operational control are exercised. This authority acts as the "evaluating national competent authority" and holds exclusive competence for enforcing the sovereignty chapter regarding that provider.

Collaboration Requests The evaluating authority is not always required to work in isolation. Under Article 17(2), the evaluating national competent authority may, where necessary, request one or more competent authorities of other Member States to collaborate in the procedure for a candidate recognition.

• Timeline: The requested authority must respond within 15 days of receiving the request.
• Outcome: They must either confirm their agreement to collaborate or refuse the request. This mechanism ensures that cross-border expertise can be leveraged without delaying the primary assessment.

Step 2: Prepare the Required Evidence

The evidence you must prepare depends entirely on the Union assurance level you are targeting. While the substantive criteria for these levels are set out in Annex II, the procedural requirements for evidence submission are distinct for Level 1 versus Levels 2–4.

For Union Assurance Level 1 (Self-Assessment)

Providers seeking Level 1 recognition do not need an external auditor. Instead, they must carry out a conformity self-assessment of compliance with the Level 1 criteria (Article 19(1)).

• The Statement: Following this self-assessment, the provider issues an EU statement of conformity, stating that compliance with the criteria for Union assurance level 1 has been demonstrated.
• Responsibility: By issuing this statement, the provider assumes full responsibility for the compliance of the cloud computing service with the criteria set out in Annex II (Article 19(2)).
• Transparency: The provider must make the EU statement of conformity publicly available (Article 19(3)).

Submission Package for Level 1: When submitting the application to the evaluating NCA, you must include:

1. The EU statement of conformity; and
2. All necessary evidence required to support that statement (Article 17(3)).

For Union Assurance Levels 2, 3, and 4 (Independent Audit)

Providers seeking higher assurance levels cannot rely on self-assessment. They must undergo independent third-party audits at their own expense to obtain an audit report and an audit opinion from an auditing organisation (Article 20(1)).

• The Opinion: The audit must result in a "positive" audit opinion. This is defined as an opinion given where all evidence shows that the provider complies with the audit criteria and obligations set out in the regulation (Article 20(5)). A "negative" opinion precludes recognition.
• Cumulative Criteria: An audited provider undergoing an audit procedure at a higher Union assurance level must satisfy all applicable cumulative criteria under Annex II applicable to the lower Union assurance levels. Failure to meet any requirements of a lower assurance level shall preclude conformity with the higher levels (Article 20(1)).

Submission Package for Levels 2–4: When submitting the application to the evaluating NCA, you must include:

1. The audit report;
2. The "positive" audit opinion; and
3. All evidence provided to the auditing organisation during the audit procedure (Article 17(4)).

Step 3: Submit the Application

You submit the application and the relevant evidence package to the evaluating national competent authority. The clock for the assessment period starts when the authority accepts the application (Article 17(5)).

Special Rule for SMEs at Level 1

A critical derogation exists for small and medium-sized enterprises (SMEs) to reduce administrative burden and accelerate market entry. Under Article 17(3), the EU statement of conformity issued by cloud computing service providers that are SMEs shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority.

This means SMEs do not need to wait for the NCA's 60-day assessment or the cross-border review to be considered recognised at Level 1 across the Union. Their recognition is immediate upon the issuance of the statement, provided they meet the definition of an SME.

Step 4: The 60-Day Assessment by the Evaluating Authority

For non-SME Level 1 applicants and all Level 2–4 applicants, the evaluating national competent authority has 60 days from accepting the application to assess the evidence (Article 17(5)).

During this period, the authority has three potential outcomes:

1. Draft Recognition Decision: If the evidence is sufficient, the authority prepares a draft recognition decision. It must notify, as soon as possible, the competent authorities of the other Member States for a 60-day review period to confirm its intended recognition of the cloud computing service across the Union as offering the applicable Union assurance level. This notification must include the evidence referred to in paragraphs 3 or 4 (Article 17(5)(a)).
2. Request for Further Information: If the evidence submitted is insufficient to allow the evaluating competent authority to recognise the cloud computing service, it may request further information from the applicant and request that the applicant submit such information within a specified time limit.
   • Suspension: The period of 60 days referred to in this paragraph shall be suspended from the date of issue of the request until the date the information is received.
   • Cap: The suspension shall not exceed 30 days in total unless it is justified by the nature of the information requested or by exceptional circumstances (Article 17(5)(b)).
3. Rejection: The authority may reject the request for recognition. Prior to rejecting the request, the evaluating competent authority shall give the candidate cloud computing service provider the opportunity to provide written comments on the conclusions of the evaluation within 30 days. The evaluating competent authority shall take due account of those comments when finalising its conclusions (Article 17(5)(c)).

Step 5: The 60-Day Cross-Border Review

If the evaluating authority issues a draft recognition decision, it enters the cross-border review phase. This mechanism ensures that recognition is harmonised across the single market and prevents divergent national interpretations.

During the 60-day review period, any national competent authority of another Member State may:

• Submit a reasoned objection; or
• Request clarification if they consider the draft recognition decision does not comply with the applicable Union assurance level set out in Annex II (Article 17(6)).

Handling Clarifications

If a request for clarification is submitted, the evaluating authority must take due account of such request. It may request new information from the applicant (suspending timelines as per Article 17(5)(b)) or confirm/modify its original draft decision.

• If the requesting competent authority is not satisfied with the outcome, it may then submit a reasoned objection (Article 17(8)).

Handling Objections

If a reasoned objection is submitted within the review period, or following the clarification procedure, the evaluating national competent authority must assess the objection and either maintain or revoke its original draft decision.

• Notification: The evaluating authority must inform the competent authorities of the other Member States within 15 days after the end of the review period (or 15 days after receiving the reasoned objection following the clarification procedure) (Article 17(9)).

The Commission's Role in Disputes

If the evaluating national competent authority intends to maintain its draft decision despite the objection, the concerned national competent authority may refer the matter to the European Commission.

• Assessment: The Commission shall assess the referral and may request information from the national competent authorities concerned.
• Binding Decision: The Commission shall adopt a binding decision determining whether the evaluating national competent authority may adopt the recognition decision (Article 17(10)). This ensures that a single Member State cannot unilaterally block a valid recognition if the Commission upholds the evaluating authority's decision.

Step 6: Final Recognition and Registration

If no reasoned objection or request for clarification is submitted within the 60-day review period, the conclusions by the evaluating national competent authority are deemed accepted by all Member States.

• Adoption: The evaluating national competent authority shall adopt the recognition decision.
• Union-wide Effect: The audited service shall be recognised throughout the Union at the appropriate Union assurance level (Article 17(7)).

Once recognised, the national competent authority of establishment must register the cloud computing service in the central repository maintained by the Commission (Article 22(2)). This central repository is publicly available and ensures transparency across the Union, allowing public sector bodies to verify the assurance level of potential providers.

Grounds for Revocation

Recognition is not permanent if compliance lapses or if the initial application was flawed.

• Incorrect Information: The evaluating national competent authority may revoke its recognition where it finds that a cloud computing service provider, whose service was recognised across the Union, intentionally or negligently supplied incorrect or misleading information (Article 17(11)).
• Material Changes: If a provider becomes aware of any information or any material change in circumstances that may affect the audit report, the "positive" opinion, or the recognition, they must notify the auditing organisation and the national competent authority of establishment as soon as possible (Article 23(1)).
• Audit Revocation: If the auditing organisation amends or revokes the audit report or opinion based on these notifications, the NCA must assess whether its recognition needs to be amended or revoked (Article 23(2)).

What this means for you

For cloud service providers and data centre operators, the path to CADA recognition is a structured, multi-stage administrative process that requires rigorous preparation and strategic planning.

For SMEs targeting Level 1: The process is significantly streamlined. You must still perform the self-assessment and issue the EU statement of conformity, but you bypass the NCA assessment and cross-border review entirely. Your recognition is automatic and immediate across the EU, reducing time-to-market and administrative burden. This is a key competitive advantage for smaller EU-based providers.

For larger providers or those targeting Levels 2–4: You must budget for and manage an independent third-party audit before you can even submit your application. The audit must yield a "positive" opinion. Once submitted, you face a potential 60-day assessment window, which can be extended if the NCA requests more information (up to 30 days suspension). Following that, you enter a 60-day period where any other Member State can object. This cross-border element means your recognition is subject to scrutiny by peers across the EU, not just your home regulator. You must be prepared for potential disputes that could escalate to the European Commission.

Preparation is key: Ensure your evidence package is comprehensive. For Levels 2–4, this means coordinating closely with your auditing organisation to ensure all audit evidence is documented and ready for submission to the NCA. For Level 1, ensure your self-assessment documentation is robust enough to withstand potential scrutiny during the cross-border review, even if the NCA accepts it initially. Remember that the clock starts only when the authority accepts the application, so ensure your submission is complete to avoid immediate rejection or delays.

Common misconceptions

Misconception 1: All providers must go through the NCA assessment. Many assume every provider must wait for the NCA to approve their Level 1 status. This is incorrect for SMEs. Article 17(3) explicitly states that the EU statement of conformity issued by SMEs is directly and automatically recognised in all Member States without prior NCA recognition.

Misconception 2: The 60-day assessment is a hard deadline. The 60-day clock for the evaluating authority can be suspended. If the authority requests further information, the clock stops until the information is received. While the suspension is capped at 30 days, this can effectively extend the timeline if the provider is slow to respond or if the information requested is complex.

Misconception 3: Recognition is final once granted. Recognition is conditional on ongoing compliance. Providers must report material changes to their auditing organisation and NCA (Article 23). If the NCA finds that incorrect or misleading information was supplied, it can revoke recognition (Article 17(11)). Furthermore, auditing organisations can revoke their audit reports and opinions, which triggers a review of the recognition.

Misconception 4: Any Member State can block recognition unilaterally. While any Member State can object, the evaluating authority has the power to maintain its decision. If it does, the matter can be referred to the Commission, which makes the final binding decision. A single Member State cannot indefinitely block a recognition if the evaluating authority and the Commission uphold the decision.

Related

• Which National Competent Authority Do I Apply to for CADA Recognition?
• How do I apply for recognition as a frontier AI priority project under CADA?
• What is the timeline and deadlines for getting CADA recognition?
• CADA Compliance Checklist for Cloud Providers: Steps to Recognition
• What happens if another Member State objects to my CADA recognition?

This is general information about a draft EU regulation, not legal advice.