Summary
To secure recognition under the proposed Cloud and AI Development Act (CADA), providers must submit a comprehensive evidence pack to their national competent authority. For Union Assurance Level 1, this requires an EU statement of conformity based on a self-assessment. For Levels 2, 3, and 4, it requires an audit report and a 'positive' audit opinion from an independent auditor, accompanied by all evidence gathered during the audit. Under Article 17(3) and (4), the submission must be complete; if evidence is missing, the authority may request further information, which suspends the 60-day assessment clock until the information is received.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised framework for recognising cloud computing services that meet specific sovereignty criteria. For providers, the path to recognition is governed by strict procedural rules in Article 17 and evidentiary standards in Article 21 and Annex III. Building a robust evidence pack is not merely an administrative step; it is the primary mechanism to demonstrate compliance with the Union assurance levels and to avoid procedural delays.
1. The Core Submission: Article 17(3) vs. Article 17(4)
The first step in building your evidence pack is determining the required primary document based on your target assurance level. Article 17 draws a sharp distinction between Level 1 and Levels 2–4.
For Union Assurance Level 1: Under Article 17(3), the provider must submit an EU statement of conformity. This is a self-assessment mechanism where the cloud computing service provider assumes sole responsibility for demonstrating compliance with the criteria in Annex II. The statement must explicitly declare that the service meets the Level 1 criteria. Crucially, the provider must also submit "all the necessary evidence" to support this declaration. Unlike higher levels, no independent audit opinion is required for Level 1, but the evidence must still be sufficient to prove compliance with criteria such as Union establishment, data localisation, and cybersecurity standards.
For Union Assurance Levels 2, 3, and 4: Under Article 17(4), the submission requirements are significantly more rigorous. You must submit:
- The audit report prepared by an independent auditing organisation.
- A 'positive' audit opinion issued by that organisation.
- "All the evidence provided to the auditing organisation during the audit procedure."
This third requirement is critical. It means the evidence pack submitted to the national competent authority is not just the final report, but the entire evidentiary dossier that underpinned the auditor's conclusion. If you omit a specific document that the auditor relied upon, the competent authority may deem the submission incomplete.
2. Assembling the Evidence: Article 21 and Annex III
Article 21 mandates that auditing organisations assess compliance based on the audit evidence listed in Annex III. While Annex III is described as "indicative," Article 21(2) requires that evidence be "relevant and sufficient" to enable the preparation of an audit report and opinion, and "reliable." In practice, to secure a 'positive' opinion and subsequent recognition, providers should treat the Annex III criteria as a mandatory checklist.
The evidence pack must address the following key areas, mapped to the specific criteria in Annex II and the evidence requirements in Annex III:
- Union Establishment (Criterion A): You must prove incorporation under Member State law and a stable, effective presence in the Union. Evidence includes national company extracts, tax residency documentation, VAT registration, and verification via the Business Registers Interconnected System (BRIS) and VAT Information Exchange System (VIES). Physical proof is required, such as lease contracts, utility bills, and employment contracts showing permanent staff and operational premises in the Union.
- Location of Infrastructure, Assets, and Personnel (Criterion B): A detailed list of all infrastructure locations (primary, backup, disaster recovery, log storage) with precise addresses proving they are within the Union. This must be supported by lease agreements, property deeds, and network diagrams showing exclusive use of Union-based infrastructure. For personnel, provide employment contracts, payroll records, and timesheets proving that staff involved in the service are located in the Union.
- Data Localisation (Criterion C): Evidence that customer data (including metadata and telemetry) remains exclusively within the Union. This includes access logs, data flow diagrams, and contractual agreements with subcontractors. For Levels 2–4, you must demonstrate that no data is transferred outside the Union without explicit public sector body approval.
- Union Citizenship (Criterion D): For Levels 2, 3, and 4, you must prove that personnel involved in the service are Union citizens. This requires valid government-issued documents (passports or national ID cards) and access control policies showing that only authorised Union citizens have access to the service's operation and data. Note: For Level 2, this requirement is conditional; it applies only if the public sector body explicitly requires it. For Levels 3 and 4, it is mandatory.
- Cybersecurity Certification (Criterion E): A valid European cybersecurity certificate (or national equivalent if the EU scheme is not yet established) demonstrating compliance with the required assurance level. Annex II specifies that Levels 2 and 3 require a certificate of at least 'substantial' assurance, while Level 4 requires 'high' assurance.
- Absence of Third-Country Control (Criterion G): A comprehensive analysis of ownership and control. This includes cap tables, shareholder agreements, and governance documents proving that no third country or legal entity established in a third country exercises control that could compromise service continuity or data access. Note: Annex II 3.1(g) contains a drafting slip referencing "Article 19" for the third-country derogation mechanism; the correct cross-reference is Article 18 (Associated third countries), which allows the Commission to identify third countries with sufficient safeguards.
- No Technical Support Outside the Union (Criterion H): Contractual clauses and technical evidence (e.g., geographically restricted network controls) proving that all support, administration, and maintenance are initiated and performed exclusively within the Union by Union residents.
- Software Supply Chain Transparency (Criterion I): A complete and up-to-date Software Bill of Materials (SBOM), a list of dependencies, and evidence of risk-based processes for mitigating dependencies on external manufacturers. This includes migration plans for alternative solutions in case of vendor failure or third-country restrictions.
- Open-Source Software (Criterion J): Evidence of controls to prevent the use of remote features in open-source components that could tamper with or disrupt the service.
- Global Services and Subsidiaries (Criterion K): Evidence that any third-country subsidiaries are legally and operationally independent, with no access to Union customer data or privileged accounts.
3. The 60-Day Clock and the Risk of Suspension
Article 17(5) establishes a strict timeline for the evaluating national competent authority: it has 60 days to assess the evidence and either prepare a draft recognition decision, request further information, or reject the request.
However, this timeline is conditional on the completeness of your submission. Article 17(5)(b) states that if the evidence submitted is insufficient, the authority may request further information. Crucially, "the period of 60 days... shall be suspended from the date of issue of the request until the date the information is received."
The suspension is not indefinite. The text limits the suspension to 30 days in total, unless a longer period is justified by the nature of the information or exceptional circumstances. Nevertheless, a suspension triggers a "stop-start" process that can significantly delay your market entry. If the authority cannot verify your compliance because a piece of evidence (e.g., a particular lease contract or a signed shareholder agreement) is missing, the clock stops. Therefore, assembling a complete, verified evidence pack that anticipates the auditor's and authority's needs is a strategic necessity to ensure the 60-day clock runs uninterrupted.
4. Submission and Competence
Your application must be submitted to the national competent authority of establishment. Article 25(4) clarifies that the Member State where the provider has its main establishment (head office or registered office where principal financial functions and operational control are exercised) has exclusive competence for enforcing this chapter.
Once submitted, the evaluating authority may notify other Member States' competent authorities for a 60-day review period (Article 17(5)(a)). If no reasoned objection is raised, the recognition is deemed accepted across the Union. This cross-border review underscores the importance of the evidence pack being robust enough to withstand scrutiny from multiple national authorities.
What this means for you
For cloud service providers, the CADA evidence pack represents a shift from general compliance to granular, auditable proof.
- Audit Readiness is Non-Negotiable: If you are targeting Levels 2, 3, or 4, you cannot simply "declare" compliance. You must engage an independent auditor early and use Annex III as a pre-audit checklist. Ensure your auditor collects every piece of evidence listed in Article 21 and Annex III before the audit concludes.
- Documentation Hygiene: Maintain real-time updates on your SBOM, asset registers, personnel records, and lease agreements. The evidence must reflect the exact state of your service at the time of the audit. Retroactive documentation is unlikely to be accepted as "reliable" under Article 21.
- Strategic Timing: Do not assume a 60-day turnaround. While the suspension is capped at 30 days, the time taken to gather missing evidence and the subsequent re-evaluation can extend your timeline significantly. Plan your market entry strategy with this buffer in mind.
- Main Establishment Focus: Ensure your main establishment is well-prepared, as it is the sole point of contact for the entire Union recognition process. If your main establishment is in a Member State with limited experience in CADA, consider engaging local legal and technical experts to guide the competent authority through your evidence pack.
Common misconceptions
- "Self-assessment is enough for all levels." Incorrect. Only Level 1 allows for a self-assessment and an EU statement of conformity. Levels 2, 3, and 4 strictly require an independent third-party audit and a 'positive' audit opinion under Article 17(4).
- "Annex III is optional." While Annex III is labelled "indicative," Article 21 requires evidence to be "relevant and sufficient." In practice, auditors and competent authorities will expect you to meet the specific evidence points in Annex III to demonstrate compliance with the strict criteria in Annex II. Missing a key piece of evidence listed in Annex III is a primary cause for suspension of the 60-day clock.
- "The 60-day clock is fixed." It is not. Article 17(5)(b) explicitly allows the authority to suspend the clock if evidence is insufficient. An incomplete submission is the fastest way to delay your recognition.
- "US CLOUD Act compliance is sufficient." No. The US CLOUD Act addresses extraterritorial data access requests but does not address the specific sovereignty requirements of CADA, such as the mandatory location of infrastructure, personnel citizenship, and the absence of third-country control. CADA requires specific technical and organisational measures to prevent third-country interference, regardless of international agreements.
- "Article 19 handles third-country derogations." This is a common error. Annex II 3.1(g) references Article 19, but Article 19 in the text refers to "Conformity self-assessment." The correct mechanism for third-country derogations (allowing services controlled by a third country to qualify for Level 3) is found in Article 18 (Associated third countries).
This is general information about a draft EU regulation, not legal advice.