Summary
To obtain the cybersecurity certification required for CADA assurance levels, cloud providers must align with the European Cybersecurity Certification Scheme for Cloud Services (EUCS) under the EU Cybersecurity Act. As proposed, Annex II of the Cloud and AI Development Act (CADA) mandates a certificate of at least "substantial" assurance for Union Assurance Levels 2 and 3, and "high" assurance for Level 4. Until the EUCS is fully established and available, providers may rely on valid national cybersecurity certification schemes or demonstrate compliance with the highest cybersecurity standards under applicable Union law. Crucially, Level 1 does not require a formal certificate, only a demonstration of state-of-the-art standards.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a sovereignty framework built on four distinct "Union assurance levels." While the framework covers establishment, data localization, and personnel requirements, a critical gatekeeper for accessing Levels 2, 3, and 4 is the requirement for independent third-party auditing, which heavily relies on formal cybersecurity certification. CADA does not create a new certification body; instead, it anchors its technical security requirements to the existing EU Cybersecurity Act framework.
The Certification Mandate in Annex II
The specific cybersecurity certification requirements are detailed in Annex II of the CADA proposal. The criteria are cumulative, meaning a provider seeking a higher assurance level must satisfy all criteria of the lower levels, including the specific cybersecurity certification tier.
- Union Assurance Level 1: This baseline level requires providers to demonstrate that their service complies with "state-of-the-art cybersecurity standards" (Annex II, Section 1.1(e)). However, it does not mandate a formal certificate issued by a conformity assessment body. Compliance is typically demonstrated through self-assessment and internal controls, as outlined in Article 19.
- Union Assurance Level 2: The bar rises significantly. Annex II, Section 2.1(e) states that the audited service must obtain a "European cybersecurity certificate of at least assurance level 'substantial' under a European cybersecurity certification scheme covering cloud computing services to be established under Regulation (EU) 2019/881."
- Union Assurance Level 3: The requirement mirrors Level 2 regarding the cybersecurity certificate. Annex II, Section 3.1(e) mandates the same "European cybersecurity certificate of at least assurance level 'substantial'." While Level 3 adds stricter requirements regarding personnel (Union citizenship) and the absence of third-country control, the cybersecurity baseline remains "substantial."
- Union Assurance Level 4: This highest tier requires greater rigor. Annex II, Section 4.1(e) requires a "European cybersecurity certificate of at least assurance level 'high' under a European cybersecurity certification scheme covering cloud computing services to be established under Regulation (EU) 2019/881." This is the only level where the "high" assurance tier is mandatory.
Mapping to the EU Cybersecurity Framework
The CADA proposal explicitly references Regulation (EU) 2019/881 (the Cybersecurity Act). This regulation empowers the European Union Agency for Cybersecurity (ENISA) to develop European Cybersecurity Certification Schemes (ECS). The relevant scheme for this provision is the European Cybersecurity Certification Scheme for Cloud Services (EUCS).
The EUCS defines three assurance levels that map directly to CADA's sovereignty tiers:
- Basic: Sufficient for non-critical data and general use cases.
- Substantial: Required for sensitive data and critical infrastructure.
- High: Required for high-security environments, such as defense, intelligence, or critical government data.
By referencing "substantial" and "high" in Annex II, CADA directly maps its sovereignty tiers to the EUCS assurance levels. A provider seeking CADA Level 2 or 3 must achieve EUCS Substantial assurance. A provider seeking CADA Level 4 must achieve EUCS High assurance. This mapping ensures that the technical security posture of the cloud service matches the sensitivity of the public-order activities it supports.
The Transition Period: National Schemes and Standards
The CADA proposal acknowledges that the EUCS may not be immediately available to all providers upon the regulation's application. Therefore, Annex II, Sections 2.1(e), 3.1(e), and 4.1(e) include a critical transitional provision:
"Until the establishment of such a scheme, national cybersecurity certification schemes shall apply, where they exist. Where no Union or national cybersecurity certification schemes exist, the audited provider is to demonstrate that the service complies with the highest cybersecurity standards under applicable Union law."
This creates a three-tiered compliance path during the transition:
- Priority 1: Obtain a valid EUCS certificate (once the scheme is established and available).
- Priority 2: If EUCS is unavailable, obtain a valid certificate from a recognized national cybersecurity certification scheme in an EU Member State.
- Priority 3: If neither EUCS nor a national scheme is available, the provider must demonstrate compliance with the highest cybersecurity standards under applicable Union law. This likely involves aligning with standards such as ISO/IEC 27001, ENISA guidelines, or other recognized best practices, verified through the independent audit process outlined in Article 20 of CADA.
The Role of the Independent Audit
Cybersecurity certification is not obtained in isolation under CADA. It is a core component of the broader independent audit required for Levels 2, 3, and 4. Article 20 of the CADA proposal sets out the framework for these audits.
- Audit Scope: Auditing organizations must verify compliance with all criteria in Annex II, including the cybersecurity certification. The auditor cannot issue a "positive" audit opinion without valid evidence of the required certificate level.
- Audit Evidence: Under Article 21, auditing organizations assess compliance based on audit evidence listed in Annex III. For cybersecurity, this involves reviewing the certificate, the certification report, and the specific controls implemented to meet the EUCS or national scheme requirements. Annex III, Section 5 explicitly lists the evidence required: a valid European cybersecurity certificate, a certification report describing main components, or, during the transition, valid national certificates or evidence of adherence to the highest standards.
- Continuity: Article 20(8) requires audited providers to submit their audit report and positive opinion for review annually. This ensures that the cybersecurity certification remains valid and that the service continues to meet the required assurance level. If the underlying cybersecurity certificate expires or is revoked, the CADA recognition is at risk.
What this means for you
For cloud service providers and data centre operators aiming to serve the EU public sector, the path to certification is clear but demanding. The proposed regulation creates a direct dependency between your sovereignty tier and your cybersecurity certification status.
- Audit Your Current Posture: If you currently hold ISO 27001 or SOC 2 certifications, these are not sufficient on their own for CADA Levels 2–4. While they may serve as evidence of "highest standards" during the transition, you must map your controls to the EUCS control sets. EUCS is more granular and includes specific sovereignty and resilience controls not found in general IT security standards.
- Plan for EUCS: Begin engaging with ENISA's EUCS working groups and conformity assessment bodies (CABs) early. The gap between ISO 27001 and EUCS Substantial/High assurance is significant. You will need to implement stricter identity management, data localization controls, and supply chain security measures to meet the "substantial" and "high" thresholds.
- Leverage National Schemes: If EUCS is not yet available in your jurisdiction, identify the national cybersecurity certification scheme in your Member State of establishment. Ensure your security architecture aligns with its requirements to avoid rework later. National schemes are the primary valid alternative during the transition.
- Prepare for Annual Reviews: CADA requires annual reassessment of your audit status (Article 20(8)). Your cybersecurity certification must be maintained continuously. Any lapse in your EUCS or national certificate could jeopardize your CADA recognition, as the audit opinion relies on the validity of the underlying certificate.
- Document Everything: Article 21 and Annex III require detailed audit evidence. Maintain comprehensive records of your certification process, including the certificate itself, the certification report, and evidence of how you meet the specific cybersecurity controls required by the scheme. Auditors will specifically look for the "certification report including a description of the main components used for the development and operation of the cloud computing service."
Common misconceptions
- Misconception 1: ISO 27001 is enough. ISO 27001 is a management system standard, not a cybersecurity certification scheme under the EU Cybersecurity Act. While it is a good foundation, CADA Annex II explicitly requires a certificate under a European cybersecurity certification scheme (EUCS) or a national scheme. ISO 27001 alone will not satisfy the requirement for Levels 2, 3, or 4 unless no other scheme exists and you can prove it represents the "highest cybersecurity standards."
- Misconception 2: CADA creates its own certification. CADA does not create a new certification body. It leverages the existing EUCS framework under the Cybersecurity Act. Providers should not expect a "CADA certificate"; they will hold an EUCS certificate (or national equivalent) that satisfies CADA's criteria.
- Misconception 3: Level 1 requires certification. Level 1 only requires demonstrating compliance with "state-of-the-art cybersecurity standards." It does not mandate a formal certificate from a conformity assessment body. Certification becomes mandatory only at Level 2.
- Misconception 4: National schemes are irrelevant. During the transition period before EUCS is fully operational, national cybersecurity certification schemes are the primary valid alternative. Ignoring national schemes could leave providers without a compliant path to Levels 2–4.
- Misconception 5: Level 3 requires "high" assurance. Level 3 requires the same cybersecurity certification as Level 2: "substantial" assurance. The jump to "high" assurance is reserved exclusively for Level 4. Level 3's additional stringency comes from personnel requirements (Union citizenship) and the prohibition of third-country control, not the cybersecurity certificate level.
This is general information about a draft EU regulation, not legal advice.