Summary

To prove state-of-the-art cybersecurity for the proposed Cloud and AI Development Act (CADA) Union Assurance Level 1, providers must conduct a rigorous conformity self-assessment and issue an EU statement of conformity. As proposed in Article 19, this is a self-declaration process where the provider assumes sole responsibility for demonstrating compliance with Annex II, Section 1.1(e), which mandates that the service complies with "state-of-the-art cybersecurity standards." Unlike Levels 2, 3, and 4, Level 1 does not require a formal European cybersecurity certificate or third-party audit. However, the documentation must be robust enough to withstand scrutiny by national competent authorities, as the provider must be able to substantiate their claim if challenged.

Detail

The CADA proposal establishes a four-tier sovereignty framework to mitigate risks associated with dependence on non-European cloud providers. Union Assurance Level 1 serves as the mandatory baseline for all public sector procurement under Article 30(2). Proving cybersecurity compliance at this level is fundamentally a self-certification process governed by Article 19 of the proposed Regulation.

The Self-Assessment Obligation

Under Article 19(1), cloud computing service providers seeking recognition for Level 1 must carry out a conformity self-assessment. This assessment verifies compliance with the criteria set out in Annex II, Section 1. Specifically, criterion 1.1(e) states that the cloud computing service provider must "demonstrate that the service complies with the state-of-the-art cybersecurity standards."

Unlike Levels 2, 3, and 4, which require independent third-party audits and formal certificates (as detailed in Article 20 and Annex II Sections 2.1(e), 3.1(e), and 4.1(e)), Level 1 places the burden of proof directly on the provider. You are not required to obtain a certificate from a notified body, but you must be able to substantiate your claim of compliance if challenged by a national competent authority. The self-assessment is not a mere formality; it is the primary evidence of compliance.

What Constitutes "State-of-the-Art"?

The term "state-of-the-art" is not static; it refers to the current best practices and technologies available in the industry at the time of assessment. While CADA does not prescribe a single specific standard (such as ISO 27001 or NIST SP 800-53) as the exclusive benchmark in the text of Annex II, providers should look to recognized European cybersecurity certification schemes, such as the European Cybersecurity Certification Scheme for Cloud Services (EUCS), or established international standards that are widely accepted in the EU market.

To demonstrate compliance, your self-assessment should document:

  1. Technical Measures: Implementation of encryption, access controls, intrusion detection systems, and secure configuration management.
  2. Organizational Measures: Policies for incident response, data breach notification, employee training, and vendor risk management.
  3. Continuous Monitoring: Evidence that security controls are regularly tested and updated to address emerging threats.

The proposal notes in the explanatory memorandum that while the Cybersecurity Act (CSA2) addresses technical cybersecurity, CADA addresses sovereignty. However, for Level 1, the technical baseline remains critical. Providers should align their controls with the highest cybersecurity standards under applicable Union law, as referenced in the higher assurance levels, to ensure a defensible "state-of-the-art" claim.

The EU Statement of Conformity

Upon completing the self-assessment, Article 19(2) requires the provider to issue an EU statement of conformity. This document is a formal declaration that the service meets the Level 1 criteria, including the cybersecurity requirement. By issuing this statement, the provider assumes full legal responsibility for the accuracy of the claim.

Article 19(3) mandates that this statement must be made publicly available. This transparency allows public sector bodies to verify that a provider meets the minimum baseline for procurement. The statement serves as the key entry ticket for providers to be listed in the central repository of recognized services, as established under Article 22.

Role of National Competent Authorities

While the assessment is self-led, national competent authorities retain supervisory powers. Article 26 grants these authorities investigative powers, including the right to request information and conduct inspections. If an authority suspects that a provider's claim of "state-of-the-art" compliance is unfounded, they can initiate investigations. Therefore, the documentation supporting your self-assessment must be thorough, auditable, and readily accessible.

Furthermore, Article 23 imposes transparency obligations. If a provider becomes aware of any material change in circumstances that may affect the self-assessment or the recognition, it must notify the national competent authority. This ensures that the "state-of-the-art" claim remains valid over time.

Comparison with Higher Levels

It is crucial to distinguish Level 1 from the higher tiers to avoid compliance errors:

  • Level 1: Self-assessment only. No formal certificate required. Criterion 1.1(e) requires demonstrating compliance with state-of-the-art standards.
  • Level 2: Requires independent third-party audit and a European cybersecurity certificate of at least assurance level 'substantial' under a scheme established under Regulation (EU) 2019/881 (Annex II, 2.1(e)).
  • Level 3: Requires independent third-party audit and a European cybersecurity certificate of at least assurance level 'substantial' (Annex II, 3.1(e)).
  • Level 4: Requires independent third-party audit and a European cybersecurity certificate of at least assurance level 'high' (Annex II, 4.1(e)).

Note that for Levels 2 and 3, the cybersecurity requirement is "substantial," while Level 4 requires "high." Level 1 does not use these specific certification labels but demands a demonstration of "state-of-the-art" standards.

What this means for you

For cloud service providers and data centre operators aiming to serve the EU public sector, proving Level 1 cybersecurity compliance is a strategic imperative. It is the lowest barrier to entry for sovereign cloud recognition, but it is not a trivial compliance checkbox.

Document Rigorously: You cannot simply assert that you are secure. You must maintain detailed records of your security architecture, policies, and testing results. Treat your internal security audits with the same rigor as an external one, because national authorities may request this evidence under Article 26.

Align with Recognized Standards: To reduce ambiguity, align your security controls with established frameworks such as ISO/IEC 27001, ISO/IEC 27017 (cloud security), or the EUCS requirements. Referencing these standards in your self-assessment provides a clear, defensible basis for claiming "state-of-the-art" compliance. While not explicitly mandated for Level 1, these standards are the most reliable way to demonstrate the "state-of-the-art" requirement.

Prepare for Transparency: Your EU statement of conformity will be public. Ensure that your marketing and technical documentation accurately reflect the security measures described in your self-assessment. Discrepancies between public claims and internal documentation can lead to regulatory penalties under Article 24, which requires Member States to lay down rules on penalties that are "effective, proportionate and dissuasive."

Plan for Future Escalation: If you aim to offer services for higher-risk public sector activities (Levels 2–4), you will eventually need formal certification. Building your Level 1 compliance on a foundation of recognized standards will ease the transition to third-party audits later. The criteria for Level 1 are cumulative with higher levels in terms of technical rigor, even if the certification mechanism differs.

Common misconceptions

Misconception: Level 1 requires no proof of security. Some providers assume that because Level 1 does not require a third-party audit, it requires no evidence. This is incorrect. Article 19 requires a documented self-assessment. You must be able to prove to a competent authority that your measures meet state-of-the-art standards. Lack of documentation can lead to rejection of your recognition application or penalties.

Misconception: Any security certificate suffices. While a certificate (e.g., ISO 27001) is strong evidence, it is not explicitly mandated for Level 1. However, relying solely on a certificate without a comprehensive self-assessment that maps your controls to the specific criteria in Annex II may be insufficient. The self-assessment must explicitly address the "state-of-the-art" requirement in the context of CADA's sovereignty goals.

Misconception: Level 1 cybersecurity is the same as Levels 2–4. Levels 2, 3, and 4 require a European cybersecurity certificate of at least "substantial" or "high" assurance level (see Annex II, Sections 2.1(e), 3.1(e), and 4.1(e)). Level 1 does not have this specific certification mandate. However, the "state-of-the-art" requirement still demands a high level of security. Providers should not underestimate the rigor expected for Level 1, especially as the EUCS scheme matures.

Misconception: Self-assessment is a one-time event. Cybersecurity is dynamic. Your self-assessment and EU statement of conformity must reflect your current security posture. Article 23 requires providers to notify authorities of material changes that could affect their recognition. If your security measures degrade or become outdated, you must update your assessment and statement.

This is general information about a draft EU regulation, not legal advice.