Summary

As proposed in the Cloud and AI Development Act (CADA), if national competent authorities cannot resolve a disagreement over a cloud service's Union assurance level recognition, the matter may be referred to the European Commission. Under Article 17(13) and (14), the Commission has the power to require national competent authorities to provide any relevant information relating to the cloud computing service provider and the application for recognition. While the legal request is directed at the authority, the provider holds the underlying evidence and must respond within the "reasonable period" specified by the Commission to facilitate a binding decision on the recognition status.

Detail

The Cloud and AI Development Act (CADA) establishes a rigorous, harmonised framework for the recognition of cloud computing services at specific "Union assurance levels" (levels 1 through 4). This recognition is a prerequisite for cloud providers wishing to serve Union entities and public sector bodies. While the primary evaluation is conducted by the national competent authority of the provider's establishment (the "evaluating national competent authority"), the process includes a robust cross-border review mechanism to ensure consistent application across the EU.

Disagreements can arise during this process. Under Article 17(5), the evaluating authority prepares a draft recognition decision and notifies other Member States for a 60-day review period. If another Member State's competent authority submits a reasoned objection or request for clarification (Article 17(6) and (8)), and the evaluating authority maintains its draft decision despite the objection (Article 17(9)), the objecting authority may refer the matter to the European Commission (Article 17(10)).

It is at this referral stage that the Commission's investigative powers become directly relevant to the cloud service provider. The Commission's role is to adopt a binding decision determining whether the evaluating national competent authority may adopt the recognition decision. To do so, the Commission must have access to all pertinent facts, which often reside with the provider.

The Commission's Power to Request Information

Article 17(13) explicitly grants the Commission the authority to require information to carry out its tasks under the referral mechanism. The text states:

"The Commission may, in order to carry out the tasks assigned to it under paragraph 10, require that national competent authorities of establishment provide, as soon as possible and within a reasonable period, any relevant information relating to the concerned cloud computing service provider and the application for recognition."

While this clause formally addresses the "national competent authorities of establishment," the practical reality is that the information required (technical architecture, audit reports, data flow diagrams, and evidence of sovereignty compliance) originates from and is held by the cloud computing service provider. The Commission needs to assess the factual basis of the recognition application and the specific grounds of the objection to make an informed decision.

Article 17(14) further clarifies the procedural safeguards and requirements for these requests. When the Commission sends a request for information, it must strictly adhere to three conditions:

  1. State the purpose of the request: The Commission must explain why the information is needed for the referral assessment.
  2. Specify what information is required: The request must be precise, detailing the specific data or documents needed.
  3. Set the period within which the information is to be provided: The Commission must define a specific timeframe for the response.

This procedural clarity ensures that providers are not faced with vague or open-ended inquiries. The request will be targeted at the specific points of contention raised during the cross-border review. For example, if an objection relates to the location of data storage (Annex II, Section 2(c) or 3(c)) or the control mechanisms of third-country subsidiaries (Annex II, Section 2(g) or 3(g)), the Commission's request will likely focus on the evidence submitted to demonstrate compliance with those specific criteria.

The Obligation to Respond and the "Reasonable Period"

Although Article 17(13) formally directs the request to the national competent authority, the provider has a critical, albeit indirect, obligation to cooperate fully and promptly. The evaluating national competent authority cannot fulfill the Commission's request without the provider's cooperation, as the authority relies on the provider to supply the underlying technical documentation, audit reports (for Levels 2-4 under Article 20), or the EU statement of conformity (for Level 1 under Article 19).

The phrase "within a reasonable period" in Article 17(13) is critical. The Commission will define this period in the request as per Article 17(14). Failure to provide this information, or providing it late, can hinder the Commission's ability to issue a timely binding decision. Given that the recognition process is the gateway to public sector contracts under Article 30, delays can have significant commercial consequences. Therefore, providers should treat Commission requests with the same urgency as direct regulatory inquiries.

The information requested may include:

  • Detailed evidence submitted during the initial application for recognition (Article 17(3) for Level 1; Article 17(4) for Levels 2-4).
  • Clarifications on the technical architecture, data flow diagrams, or subcontractor arrangements.
  • Explanations regarding any discrepancies identified by the objecting Member State.
  • Updated evidence if the provider has made material changes to the service since the initial application (Article 23).

The Commission's assessment under Article 17(10) is the final arbiter in these disputes. Its decision determines whether the service is recognized throughout the Union at the applicable assurance level. Consequently, the quality, completeness, and timeliness of the information provided in response to the Commission's request are decisive factors in the outcome.

What this means for you

For cloud service providers and data centre operators seeking Union assurance level recognition, understanding the Commission's role is essential for risk management. While most recognition applications are resolved at the national level, the possibility of a referral to the Commission introduces a higher-stakes layer of scrutiny.

Prepare for Scrutiny at All Levels

When submitting your application to the national competent authority under Article 17(1), assume that the evidence you provide may eventually be reviewed by the Commission. Ensure that your documentation (whether it is the EU statement of conformity for Level 1 or the independent audit report for Levels 2, 3, or 4) is robust, verifiable, and easily accessible. Ambiguous evidence is more likely to trigger objections from other Member States, which can lead to a referral.

Monitor the Cross-Border Review Period

During the 60-day review period mentioned in Article 17(5), you should remain in close contact with the evaluating national competent authority. If another Member State raises a reasoned objection, your authority may seek additional information from you before deciding whether to maintain its draft decision. Being proactive in providing clarifications at this stage can sometimes resolve the issue before it escalates to the Commission.

Respond Promptly to Commission Requests

If the matter is referred to the Commission, and a request for information is issued under Article 17(14), treat the deadline as strict. The Commission will specify the period for response. Delaying your response to the national competent authority, which must then forward it to the Commission, can delay the entire recognition process. Establish internal protocols to ensure that legal, technical, and compliance teams can rapidly assemble the requested information.

Ensure Information Accuracy

The information you provide to the Commission must be accurate and consistent with your initial application and any subsequent audits. Inconsistencies can undermine your credibility and may lead the Commission to conclude that the evaluating authority's decision was unfounded. The Commission's binding decision under Article 17(10) will rely heavily on the factual record you help establish.

Legal and Technical Coordination

Given the technical nature of many sovereignty criteria (e.g., data localization, personnel citizenship, absence of third-country control), ensure that your legal and technical teams are aligned. The Commission's request may bridge legal compliance and technical architecture. A coordinated response demonstrates that your organization has the necessary governance structures to maintain the claimed Union assurance level.

Common misconceptions

Misconception 1: The Commission only talks to national authorities. While Article 17(13) formally directs the request to the national competent authority, the information required is often held exclusively by the cloud service provider. Providers cannot assume they are excluded from the process. The national authority will likely rely on the provider to supply the detailed technical and operational evidence. Ignoring a request because it was not addressed directly to you can cause critical delays.

Misconception 2: The Commission's request is informal. The request for information under Article 17(14) is a formal part of the regulatory enforcement and recognition framework. It requires a specific statement of purpose, a detailed specification of required information, and a set deadline. Treating it as an informal inquiry can lead to non-compliance with the stated period, which may negatively impact the Commission's assessment.

Misconception 3: Only Level 1 applications are at risk. The recognition mechanism applies to all Union assurance levels (1-4). While Level 1 relies on a self-assessment (Article 19), Levels 2, 3, and 4 require independent third-party audits (Article 20). Objections can arise at any level, particularly regarding complex criteria such as third-country control (Annex II, Section 3(g)) or data localization (Annex II, Section 3(c)). The Commission's power to request information is not limited by the assurance level; it applies to any referral under Article 17(10).

Misconception 4: The Commission's decision is advisory. Article 17(10) states that the Commission shall adopt a "binding decision." This is not a recommendation. If the Commission determines that the evaluating authority may not adopt the recognition decision, the recognition is effectively blocked at the EU level. The information you provide in response to the Commission's request is a key input into this binding decision.

This is general information about a draft EU regulation, not legal advice.