Summary

Under the proposed Cloud and AI Development Act (CADA), you would check a cloud service's sovereignty tier in the central repository of cloud computing services that the Commission would establish under Article 22. The repository is publicly available (Article 22(4)) and lists services recognised under Article 17 at one of four Union assurance levels (1 to 4). To verify a service, you would look it up by name, confirm the recognised level it holds, and check that no revocation has been published against it (Article 22(3)). CADA is a draft proposal, so the repository does not yet exist.

Detail

CADA proposes a sovereignty framework for cloud services used by the public sector, and the central repository is the mechanism that makes a service's tier verifiable. For a buyer, it is the reference point for confirming that a service holds the Union assurance level its activity requires.

The repository under Article 22

Article 22(1) requires the Commission to "establish and maintain a dedicated repository of cloud computing services that have been recognised in accordance with Article 17." Recital 57 describes its purpose as facilitating secure and efficient access to relevant information for public-sector customers, auditing organisations, competent authorities and the Commission. Each entry corresponds to a recognised service and states the Union assurance level it offers.

The four levels, in outline

The criteria for each level are set out in Annex II and are cumulative — a higher level must satisfy all the lower-level criteria too (Article 20(1)). In outline:

  • Level 1 — the baseline. Annex II requires, among other things, that the provider is established in the Union; that infrastructure, assets and customer data (including metadata and telemetry) stay in the Union unless the public-sector body explicitly requires otherwise; that the service meets state-of-the-art cybersecurity standards; and that the provider is fully transparent about its subcontractors.
  • Level 2 — adds independent third-party audit (Article 20) and further Annex II criteria, including obtaining a European cybersecurity certificate at least at the "substantial" assurance level under a future cloud certification scheme (once such a scheme exists under Regulation (EU) 2019/881).
  • Level 3 — adds further criteria; this is the level against which providers under the control of an "associated third country" may be audited, where the Commission has recognised that country under Article 18.
  • Level 4 — the highest tier, with the strictest cumulative criteria.

Because the criteria are cumulative, a single repository entry showing, say, "level 3" tells you the service has met all the level 1, 2 and 3 criteria. Rely on the level numbers and the Annex II criteria themselves rather than on secondary summaries: the proposal does not assign every individual control to a single named tier in the way some summaries suggest, so match the listed level to your own risk assessment instead of to assumptions about what each tier "must" contain.

How to verify current status

A service's status can change, so checking the tier is an ongoing task, not a one-off:

  1. Look the service up. On the Commission's dedicated website (Article 22(4)), search for the service or provider. The repository is publicly available and regularly updated.
  2. Confirm the recognised level. Check that the service is listed at the level your risk assessment requires (for example level 2, 3 or 4 for a public-order-relevant activity under Article 30).
  3. Check for a revocation. Under Article 22(3), the revocation of an audit report and opinion by an auditing organisation, or of a recognition by a competent authority, is published and remains available for five years. A revocation that is still in force means the service no longer holds the recognised status and cannot be relied on for activities requiring that level; because notices stay visible for five years, read the revocation's date alongside the level currently listed rather than treating any notice as disqualifying.
  4. Bear transparency duties in mind. Providers must report material changes under Article 23, which can lead to amendment or revocation that is then reflected in the repository. A service that is not listed at the required level cannot be procured for exclusive public-sector use under Article 30, save for the narrow Article 30(4) derogations.

Who registers the data

The Commission maintains the repository, but the national competent authority of establishment that recognised the service registers it (Article 22(2)). A recognition granted in one Member State is valid Union-wide, which is what lets the repository serve as a single check across borders.

Reading a revocation entry correctly

A revocation notice in the repository carries specific meaning. Under Article 22(3) it reflects either an auditing organisation revoking its audit report and opinion, or a competent authority revoking a recognition. The underlying causes differ: an authority may revoke where a provider supplied incorrect or misleading information (Article 17(11)); an auditing organisation may revoke for incorrect or misleading audit evidence (Article 20(7)) or after the annual review (Article 20(8)). For your purposes the practical effect is the same: the service no longer holds the recognised status for the period the revocation indicates. Because the entry is published and kept visible for five years, however, a historical revocation does not by itself mean the service lacks any current recognition. Read the dates and the current recognised level together, not in isolation.

Distinguishing the level from the controlling jurisdiction

The repository records the recognised assurance level, not a simple "EU vs non-EU" label. Because level 1 permits third-country-controlled providers on conditions, and because Article 18 allows providers controlled by an "associated third country" to be audited against the level 3 criteria, you should treat the level as the operative fact. If your activity requires level 3 or 4, the listing tells you whether the service meets those cumulative criteria — which is what your risk assessment needs — regardless of the provider's nationality.

What this means for you

For a public-sector procurement officer, the repository turns sovereignty verification from manual due diligence into a database lookup.

  • Streamlined checks. If a service is listed at the required level, it has satisfied the Annex II criteria for that level; you do not need to re-derive its legal structure, data location or audit status from scratch.
  • Risk-based alignment. Align your check with the Article 29 risk assessment: a public-order-relevant activity requires level 2, 3 or 4 (Article 30(3)); other activities require at least level 1 (Article 30(2)).
  • Ongoing monitoring. Because revocations stay visible for five years (Article 22(3)), build periodic repository checks into the contract life-cycle, and address what happens if a service loses its level in your contract terms. The proposal text does not set a fixed migration period for that scenario.
  • No substitute for the repository. A provider's self-declaration is not a substitute for verifying recognised status in the repository.

Common misconceptions

  • "Self-assessment is enough at every level." Only level 1 uses a conformity self-assessment (Article 19). Levels 2, 3 and 4 require an independent third-party audit (Article 20) and recognition by a national competent authority before listing.

  • "The repository updates in real time." It is regularly updated, but updates are not necessarily instantaneous: a provider notifies a material change (Article 23), and the authority then updates the record. Note the date of the latest update and, if you suspect a recent change, confirm with the provider.

  • "A third-country provider can never be listed." Level 1 in Annex II expressly contemplates providers under third-country control, subject to conditions. And under Article 18, providers controlled by a recognised "associated third country" may be audited against the level 3 criteria. Check the listed level rather than assuming exclusion by origin.

  • "A revocation means the listing vanishes." A revocation is published and kept visible for five years (Article 22(3)). The service is marked as revoked rather than simply removed, so its recent history stays transparent.

This is general information about a draft EU regulation, not legal advice.