Summary

To obtain recognition for Union assurance level 1 under the proposed Cloud and AI Development Act (CADA), cloud computing service providers must conduct a self-assessment against the cumulative criteria in Annex II, Section 1. As proposed, Article 19(1) mandates this self-assessment, while Article 19(2) requires the provider to issue an EU statement of conformity assuming full responsibility for compliance. Unlike higher assurance levels, this process does not require independent third-party audits. However, the provider must document evidence for every criterion (including EU establishment, infrastructure location, and data residency) and make the statement publicly available. Small and medium-sized enterprises (SMEs) benefit from a streamlined path: their statements are automatically recognized across the Union without prior validation by a national competent authority.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a four-tier sovereignty framework to address risks associated with dependence on third-country cloud providers. Union assurance level 1 serves as the baseline entry point for public sector procurement. While levels 2, 3, and 4 require rigorous independent third-party audits, level 1 relies on a conformity self-assessment mechanism. This approach lowers the barrier to entry for providers while maintaining a harmonized standard for the internal market.

The Legal Framework: Article 19 and Annex II

The procedural requirements for level 1 are explicitly defined in Article 19 of the CADA proposal.

Article 19(1) states that cloud computing service providers seeking recognition as offering Union assurance level 1 "shall carry out a conformity self-assessment of compliance with the criteria for Union assurance level 1 set out in Annex II."

Following this assessment, Article 19(2) mandates that the provider "shall issue an EU statement of conformity stating that compliance with the criteria for Union assurance level 1 have been demonstrated." Crucially, by issuing this statement, the provider "shall assume responsibility for the compliance of the cloud computing service with the criteria for Union assurance level 1 set out in Annex II." This shifts the legal burden of proof entirely onto the provider.

Furthermore, Article 19(3) requires that the provider "shall make the EU statement of conformity publicly available," ensuring transparency for contracting authorities and the public.

The Cumulative Criteria: What You Must Document

To successfully complete the self-assessment, you must verify compliance with every criterion listed in Annex II, Section 1. These criteria are cumulative; failure to meet even one disqualifies the service from level 1 recognition. Your self-assessment report must serve as an evidentiary dossier, documenting proof for each of the following seven areas:

1. Union Establishment (Criterion 1.1(a))

The cloud computing service provider must be established in the Union.

  • Documentation Required: Articles of incorporation, tax residency certificates, and business registration extracts proving the entity is constituted under the law of a Member State. You must also demonstrate a "genuine and stable" presence, such as a registered office or central administration within the EU.

2. Infrastructure and Asset Location (Criterion 1.1(b))

The infrastructure and assets of the provider, including those of its subcontractors involved in the service provision, must be located in the Union.

  • Exception: This requirement applies "unless the public sector body explicitly requires otherwise."
  • Documentation Required: A comprehensive asset register and data center location maps. Lease agreements, property deeds, and facility access logs must confirm that all physical infrastructure (servers, cooling, network) resides within EU borders. You must also map the locations of any subcontractor assets.

3. Data Residency (Criterion 1.1(c))

Customer data, including metadata and telemetry data, processed, stored, and transferred by the provider and its subcontractors, must remain exclusively within the Union.

  • Scope: This applies at any time, including "before, during or after the configuration or use of the service."
  • Exception: As with infrastructure, this applies "unless the public sector body explicitly requires otherwise."
  • Documentation Required: Data flow diagrams showing end-to-end data paths. Contracts with subcontractors must explicitly prohibit data transfer outside the Union. Logs and monitoring records should demonstrate that no data leaves the EU.

4. Subcontracting Controls (Criterion 1.1(d))

If technical and operational support (including sub-outsourcing) is outsourced to third parties outside the Union, specific safeguards are mandatory.

  • Requirement: You must implement necessary legal, technical, and organizational measures to ensure traceability, security, and governance. Crucially, these operations must not "in any way, compromise the operational autonomy of the cloud computing service provider."
  • Documentation Required: Contracts with non-EU support providers detailing security protocols and governance structures. Evidence of technical controls (e.g., geofencing, access logs) proving that operational autonomy is maintained.

5. Cybersecurity Standards (Criterion 1.1(e))

The provider must demonstrate that the service complies with "state-of-the-art cybersecurity standards."

  • Documentation Required: While no specific certification is mandated for level 1 (unlike the "substantial" or "high" levels required for L2-L4), you must provide evidence of compliance. This could include internal audit reports, ISO 27001 certifications, or alignment with recognized national cybersecurity frameworks that meet the "state-of-the-art" threshold.

6. Subcontractor Transparency (Criterion 1.1(f))

The provider must provide "full transparency around the use of subcontractors."

  • Requirement: Subcontractors must be subject to due diligence, contractual obligations, and ongoing oversight to meet Union legal obligations.
  • Documentation Required: A complete list of all subcontractors. Due diligence reports, signed contracts with specific compliance clauses, and records of ongoing oversight activities (e.g., audit logs, performance reviews).

7. Vulnerability Reporting (Criterion 1.1(g))

This criterion applies specifically if the provider is subject to the control of a third country or a legal entity established in a third country.

  • Requirement: The provider must guarantee that "there are no existing laws and practices in that third country, demonstrated by independent sources, that require the cloud computing service provider to report information on software vulnerabilities to authorities of that third country prior to those vulnerabilities being known to have been exploited."
  • Documentation Required: A legal opinion or independent analysis verifying the absence of such conflicting laws in the relevant third country. This is a critical "control" check to prevent forced disclosure of vulnerabilities before they are publicly known.

The EU Statement of Conformity

Once the self-assessment is complete and evidence is gathered, you must draft the EU statement of conformity. This is not a generic template; it is a specific legal declaration.

  • Content: The statement must explicitly declare that the service meets all cumulative criteria in Annex II, Section 1.
  • Liability: By signing, the provider assumes full legal responsibility for the accuracy of the claims. False declarations can trigger penalties under Article 24.
  • Publication: Per Article 19(3), this statement must be made publicly available, typically on the provider's website or a dedicated transparency portal.

The Recognition Process and SME Exception

After issuing the statement, the provider submits it to the national competent authority of establishment for recognition under Article 17.

  • Standard Procedure: The authority reviews the evidence to ensure the self-assessment is robust.
  • The SME Advantage: Article 17(3) introduces a significant simplification for small and medium-sized enterprises. For SMEs, the EU statement of conformity "shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." This automatic recognition accelerates market access for smaller European providers, allowing them to serve public sector bodies immediately upon issuing their statement.

What this means for you

As a cloud service provider targeting the European public sector, preparing for CADA level 1 recognition is a strategic commercial imperative. Under Article 30(2), contracting authorities are required to procure cloud computing services recognized at Union assurance level 1 as a minimum requirement for activities that do not contribute to the preservation of public order. Without this recognition, you are effectively barred from a vast segment of the EU public market.

Your immediate action plan should include:

  1. Conduct a Gap Analysis: Audit your current infrastructure, data flows, and subcontractor chains against the seven criteria in Annex II. Identify any assets or data residing outside the EU that lack explicit public sector consent.
  2. Gather Evidence: Begin collecting the legal and technical documentation required for each criterion. Pay special attention to Criterion (g) if you have non-EU shareholders or parent companies; securing independent legal verification on vulnerability reporting laws is often the most complex step.
  3. Draft the Statement: Prepare a precise EU statement of conformity that mirrors the language of Annex II. Ensure it is ready for immediate public disclosure.
  4. Verify SME Status: If you qualify as an SME under the EU definition, ensure your status is clearly documented to leverage the automatic recognition pathway under Article 17(3), bypassing the need for a national authority review.

Common misconceptions

  • "Level 1 is optional for public sector contracts." No. As proposed, Article 30(2) makes Union assurance level 1 the mandatory minimum baseline for public sector procurement of cloud services for activities not identified as contributing to the preservation of public order. Without this recognition, you cannot bid for the majority of standard public cloud contracts.

  • "I can keep data in the US if I have an adequacy decision." Not necessarily. Annex II, Criterion (c) requires data to remain exclusively within the Union unless the public sector body explicitly requires otherwise. The CADA sovereignty framework focuses on data location and operational autonomy, which is distinct from and goes beyond the data protection safeguards of the EU-US Data Privacy Framework. Adequacy does not override the data residency requirement.

  • "Self-assessment means no scrutiny." While there is no third-party audit for level 1, the process is subject to regulatory enforcement. Article 23 imposes transparency obligations, requiring you to notify the competent authority of any material changes that could affect compliance. Furthermore, Article 24 outlines penalties for infringements, including providing incorrect or misleading information. The self-assessment is a legally binding declaration subject to fines and compensation claims.

  • "Subcontractors are exempt from location rules." Annex II, Criterion (b) explicitly includes "those of its subcontractors which are involved in the provision of the service." If your subcontractors host assets or process data outside the EU without explicit public sector consent, your service fails the level 1 criteria. You are responsible for the entire supply chain.

This is general information about a draft EU regulation, not legal advice.