Summary
Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers seeking Union assurance level 1 must conduct a conformity self-assessment and issue an EU statement of conformity. As proposed in Article 19(2), this statement formally attests that the service complies with all level 1 criteria, and by issuing it, the provider assumes full legal responsibility for that compliance. Article 19(3) mandates that this statement must be made publicly available. This self-declaration mechanism serves as the primary route for demonstrating baseline sovereignty compliance without the immediate need for a third-party audit, though it carries significant liability for the provider.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a tiered sovereignty framework for cloud computing services. This framework ranges from Union assurance level 1 (the baseline) to level 4 (the highest level of trust). For providers aiming to serve the public sector at this foundational level, CADA proposes a conformity self-assessment route rather than a mandatory third-party audit. This process culminates in the issuance of a specific legal document: the EU statement of conformity.
The Legal Basis: Article 19
The requirements for this statement are codified in Article 19 of the proposal, located within Title IV, Chapter I, Section 2, titled "Conformity self-assessment."
Article 19(1) establishes the prerequisite action: cloud computing service providers seeking recognition under Article 17 for Union assurance level 1 must carry out a conformity self-assessment. This assessment verifies compliance with the detailed criteria for level 1, which are set out in Annex II of the regulation. These criteria generally include requirements for the provider's establishment in the Union, the location of infrastructure and data within the Union, and guarantees against third-country control or extraterritorial data access.
Article 19(2) is the core operative provision governing the issuance and legal effect of the statement. It states:
"Following the self-assessment referred to in paragraph 1, the cloud computing service provider shall issue an EU statement of conformity stating that compliance with the criteria for Union assurance level 1 have been demonstrated. By issuing such a statement, the cloud computing service provider shall assume responsibility for the compliance of the cloud computing service with the criteria for Union assurance level 1 set out in Annex II."
This clause highlights two critical legal effects that distinguish Level 1 from higher assurance levels:
- Attestation: The statement is a formal declaration that the provider has verified its own compliance against the specific level 1 criteria. It serves as the provider's official confirmation that the service meets the baseline sovereignty requirements.
- Assumption of Responsibility: Crucially, the provider legally assumes responsibility for the accuracy of this claim. This shifts the burden of proof and liability entirely onto the provider. Unlike levels 2, 3, and 4, where an independent auditing organisation provides a verified opinion, Level 1 relies on the provider's own integrity and internal controls.
Article 19(3) imposes a strict transparency obligation:
"The cloud computing service provider shall make the EU statement of conformity publicly available."
This requirement ensures market transparency. Public sector bodies and private clients relying on the sovereignty framework need to verify that a provider has formally declared compliance. By making the statement public, CADA aims to reduce information asymmetry in the cloud market, allowing buyers to distinguish between providers who have formally attested to EU sovereignty standards and those who have not.
Relationship to Recognition
While the EU statement of conformity is a public-facing document, it is also a key component of the formal recognition process. Under Article 17(3), a provider seeking formal recognition across the EU for level 1 must submit this EU statement of conformity, along with all necessary evidence, to the evaluating national competent authority.
However, CADA includes a notable derogation for smaller providers to reduce administrative burden. Article 17(3) further states that for small and medium-sized enterprises (SMEs), the EU statement of conformity is "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." For non-SME providers, the statement is submitted to the competent authority, which then follows a streamlined recognition procedure to confirm the service's status across the Union.
Content and Scope
The statement itself must clearly identify the cloud computing service and declare compliance with the criteria for Union assurance level 1 as defined in Annex II. It does not require the detailed audit evidence required for levels 2, 3, or 4 (such as independent audit reports), but the provider must maintain the internal documentation and evidence that supports the self-assessment. This internal evidence must be sufficient to demonstrate that the applicable criteria have been fulfilled, as implied by Recital 54, which notes that self-assessments should be based on "documented evidence, internal control procedures and continuous monitoring."
What this means for you
If you are a cloud service provider or data centre operator targeting the EU public sector market, issuing an EU statement of conformity is a critical step in accessing contracts that require Union assurance level 1. The process is self-driven but carries high liability.
1. Conduct a Rigorous Self-Assessment
Before issuing the statement, you must conduct a thorough internal review against the Annex II criteria for level 1. This includes verifying that:
- Your provider entity is established in the Union.
- Your infrastructure and assets (including those of subcontractors) are located in the Union, unless the public sector body explicitly requires otherwise.
- Customer data, including metadata and telemetry, remains exclusively within the Union.
- You have implemented necessary legal, technical, and organisational measures to ensure traceability and security if you outsource support outside the Union.
- You provide full transparency around subcontractors and subject them to due diligence.
- If subject to third-country control, you guarantee that no laws in that third country require you to report software vulnerabilities to foreign authorities before they are known to be exploited.
2. Draft and Issue the Statement
Once your self-assessment confirms compliance, draft the EU statement of conformity. While CADA does not prescribe a specific template in the primary text, the statement must clearly state that compliance with level 1 criteria has been demonstrated. Ensure it is unambiguous, refers to the specific service offering, and explicitly references Annex II of the regulation.
3. Publish Publicly
Upload the statement to your website or a dedicated compliance portal. Ensure it is easily accessible to potential clients and competent authorities. This public availability is a legal requirement under Article 19(3). Failure to publish the statement means you cannot claim to have issued it, potentially disqualifying you from public procurement.
4. Prepare for Submission (If Not an SME)
If you are not an SME, prepare to submit this statement, along with supporting evidence, to the national competent authority of your establishment when applying for formal EU-wide recognition under Article 17. If you are an SME, your statement serves as automatic recognition, but you should still be prepared to present the underlying evidence to authorities if challenged.
5. Maintain Ongoing Compliance
Issuing the statement is not a one-off event. You must maintain the compliance posture that the statement attests to. Under Article 23, you have transparency obligations to notify the competent authorities of any material changes that might affect your compliance status. For level 1, while there is no ongoing audit, you remain liable for the accuracy of your initial and ongoing self-assessment. If you supply incorrect information, you face penalties under Article 24 and potential revocation of recognition under Article 17(11).
Common misconceptions
Misconception 1: The EU statement of conformity is only for internal use. Correction: No. Article 19(3) explicitly requires the provider to make the statement publicly available. It is a market-facing document intended to build trust with customers and regulators, not just an internal record.
Misconception 2: Issuing the statement guarantees EU-wide recognition for all providers. Correction: Only for SMEs. As per Article 17(3), SME statements are automatically recognised across all Member States. For larger providers, the statement is submitted to the national competent authority, which must then formally recognise the service before it holds EU-wide validity.
Misconception 3: Level 1 self-assessment is a "light touch" with no real scrutiny. Correction: While it lacks a third-party audit, the provider assumes full legal responsibility for the compliance claim. Competent authorities have investigative powers under Article 26 to verify compliance. If a provider issues a statement without genuine compliance, they face penalties under Article 24 and potential revocation of recognition under Article 17(11).
Misconception 4: The statement covers all four assurance levels. Correction: The EU statement of conformity under Article 19 is specific to Union assurance level 1. Providers seeking levels 2, 3, or 4 must undergo independent third-party audits and submit audit reports and opinions, not just a self-declaration.
Related
- Who pays for the independent audit under CADA? Costs for Levels 1–4
- Which National Competent Authority Do I Apply to for CADA Recognition?
- Where do I start with CADA compliance if I am completely new to it?
- CADA Entry into Force and Application: Key Dates Explained
- When can a public buyer use a derogation from CADA's assurance-level procurement rules?
This is general information about a draft EU regulation, not legal advice.