Summary
Under the proposed Cloud and AI Development Act (CADA), the pathway to recognition is strictly determined by the Union assurance level you target. Article 19 mandates that providers seeking Union assurance level 1 must perform a conformity self-assessment and issue an EU statement of conformity. In contrast, Article 20 requires that providers targeting Union assurance levels 2, 3, or 4 undergo independent third-party audits to obtain a formal audit report and a "positive" audit opinion. This bifurcation balances administrative efficiency for baseline services against the rigorous verification needed for high-stakes public-order activities. Choosing the right path involves weighing the lower cost of self-assessment against the market access provided by audited higher tiers.
Detail
The CADA proposal establishes a four-tier Union cloud computing sovereignty framework. The mechanism for demonstrating compliance is not a matter of provider preference but a regulatory requirement tied directly to the assurance level. The regulation explicitly separates the entry-level assurance (Level 1) from the higher tiers (Levels 2–4), assigning distinct evidentiary burdens and verification processes to each.
Self-Assessment for Union Assurance Level 1 (Article 19)
For providers aiming for Union assurance level 1, CADA proposes a self-declaration regime designed to lower barriers to entry while establishing a baseline of sovereignty. According to Article 19(1), cloud computing service providers seeking recognition must "carry out a conformity self-assessment of compliance with the criteria for Union assurance level 1 set out in Annex II."
This process places the primary responsibility for compliance on the provider. After completing the self-assessment, the provider must issue an EU statement of conformity as per Article 19(2). By issuing this statement, the provider assumes full legal responsibility for demonstrating that their service meets the specific criteria for Level 1. These criteria generally include being established in the Union, ensuring infrastructure is located in the Union, and guaranteeing that customer data remains exclusively within the Union unless the public sector body explicitly requires otherwise.
Key procedural elements of the self-assessment include:
- Documentation and Internal Control: The provider must maintain documented evidence and internal control procedures sufficient to demonstrate compliance. This is not a mere formality; the provider must be prepared to substantiate their claims if challenged.
- Public Availability: Under Article 19(3), the provider must make the EU statement of conformity publicly available, ensuring transparency for potential customers.
- Automatic Recognition for SMEs: A significant procedural advantage exists for small and medium-sized enterprises (SMEs). Article 17(3) states that EU statements of conformity issued by SMEs are "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." For non-SMEs, the statement is submitted to the national competent authority of establishment for a formal recognition decision.
Independent Third-Party Audits for Levels 2, 3, and 4 (Article 20)
For providers targeting Union assurance levels 2, 3, or 4, the proposal mandates a significantly more rigorous verification process involving external oversight. Article 20(1) states that these providers "shall undergo at their own expense, independent third-party audits to obtain an audit report and an audit opinion from an auditing organisation."
This shift from self-declaration to third-party verification reflects the higher stakes associated with these levels. Levels 2–4 involve stricter cumulative criteria regarding data residency, personnel citizenship (Union citizens), cybersecurity certification (at least "substantial" for L2/L3, "high" for L4), and the absence of third-country control.
Key requirements for the audit process include:
- Auditing Organisation Independence: The auditing organisation must be independent from the provider and free from conflicts of interest. Article 20(4) specifies strict independence rules: auditors must not have provided non-audit services to the provider in the 12 months before or after the audit, and must not have audited the provider in the preceding 10 years. They must also avoid contingent fees.
- Audit Scope and Evidence: The audit is based on the criteria in Annex II and the evidence listed in Annex III. The provider must cooperate fully, providing access to relevant data, premises, and personnel, as outlined in Article 20(2). Failure to cooperate or hampering the audit is prohibited.
- Audit Opinion: The auditing organisation issues a "positive" or "negative" opinion. A positive opinion confirms compliance with the applicable level's criteria. Article 20(5) requires the audit report to be substantiated in writing, detailing findings, methodology, and the final opinion. If the opinion is negative, the report must include operational recommendations.
- Annual Review: Compliance is not a one-time event. Under Article 20(8), the audited provider must submit the audit report and opinion for annual review to ensure continued compliance. The auditing organisation may confirm, update, or revoke the opinion based on this review.
The Cost and Customer-Demand Trade-Offs
Deciding between these pathways involves a strategic analysis of financial costs versus market access opportunities.
Cost Implications:
- Self-Assessment (Level 1): This route is significantly less expensive in terms of direct compliance costs. Providers bear the internal cost of developing processes, documentation, and internal controls but avoid the substantial fees associated with hiring independent auditing organisations. This makes Level 1 attractive for smaller providers, startups, or those entering the EU market with standardised, lower-risk offerings where the "automatic recognition" for SMEs further reduces administrative friction.
- Independent Audit (Levels 2–4): Audits are resource-intensive and costly. Providers must pay for the auditing organisation's fees, which vary based on the complexity of the service, the assurance level sought, and the depth of the evidence required. Additionally, providers must invest heavily in internal readiness to facilitate the audit, including preparing extensive documentation, ensuring operational transparency, and potentially upgrading infrastructure to meet stricter criteria. Article 20(1) explicitly notes that these audits are conducted "at their own expense," meaning the provider bears the full financial burden.
Customer Demand and Market Access:
- Level 1 Access: Public sector bodies whose activities have not been identified as contributing to the preservation of public order under risk assessments (per Article 29) are required to use services with Union assurance level 1. This provides a baseline market for compliant providers, covering general administrative functions and non-sensitive data processing.
- Levels 2–4 Access: Contracting authorities in sectors critical to public order (e.g., national security, defence, justice, law enforcement) are restricted to procuring services with Union assurance levels 2, 3, or 4, as mandated by Article 30(3). These contracts are often higher value, strategically significant, and essential for national security. Therefore, while the audit process is costlier, it unlocks access to the most sensitive and lucrative public sector workloads.
Providers must therefore assess their target customer base. If a provider serves only general public administration functions, Level 1 self-assessment may suffice. However, to compete for contracts in defence, law enforcement, or critical infrastructure, the investment in independent audits for higher assurance levels is a mandatory prerequisite.
What this means for you
As a cloud service provider, your first step is to determine which Union assurance level aligns with your service architecture, risk profile, and target market.
- If you target Level 1: Focus on building robust internal governance. Ensure your infrastructure and data flows strictly adhere to the Union-only requirements of Annex II for Level 1. Develop a clear, defensible EU statement of conformity. If you are an SME, leverage the automatic recognition provision to accelerate your market entry across the EU without waiting for national authority approval.
- If you target Levels 2–4: Begin preparing for audit readiness early. Engage with potential auditing organisations to understand their specific evidence requirements and timelines. Ensure your supply chain, personnel policies (including Union citizenship requirements), and cybersecurity measures meet the stricter cumulative criteria of Annex II. Budget for annual audit renewals and factor these costs into your service pricing for public sector tenders.
- Strategic Positioning: Consider offering tiered services. You might maintain a Level 1 offering for general public sector use while pursuing Level 3 or 4 recognition for a subset of services designed for high-security clients. This allows you to capture a broader market while managing compliance costs effectively.
Common misconceptions
- "Self-assessment is optional for Level 1." No, Article 19 makes the conformity self-assessment and the issuance of an EU statement of conformity mandatory for any provider seeking Level 1 recognition. It is not a voluntary best practice but a regulatory requirement.
- "Audits are one-time events." Article 20(8) requires annual reviews. Compliance is continuous, and auditing organisations may revoke their positive opinion if a provider fails to maintain standards or if material changes occur that are not properly reported under Article 23.
- "Level 1 is the only option for SMEs." While SMEs benefit from streamlined recognition for Level 1, they are not prohibited from seeking higher assurance levels. An SME can undergo independent audits for Levels 2–4 if their service capabilities and market strategy justify the investment.
- "The auditing organisation chooses the assurance level." No, the provider selects the level they wish to target. The auditing organisation's role is to verify whether the provider meets the cumulative criteria for that specific level. A provider cannot be audited for Level 3 if they fail to meet the criteria for Levels 1 and 2, as compliance is cumulative.
This is general information about a draft EU regulation, not legal advice.