How do I respond to a CADA request for further information during recognition?

Summary If a national competent authority requests further information during your CADA recognition application, you must submit the requested evidence within the specified time limit to avoid a rejected application. Under Article 17(5)(b) of the proposed Cloud and AI Development Act (CADA), the standard 60-day evaluation clock is suspended from the date the request is issued until the date the information is received. This suspension is generally capped at 30 days in total, unless the nature of the information requested or exceptional circumstances justify a longer delay.

Detail

The recognition process for Union assurance levels under the proposed Cloud and AI Development Act (CADA) is designed to be efficient, yet it includes robust procedural safeguards to ensure that only compliant cloud computing service providers achieve recognition. As a provider seeking recognition for Union assurance level 1, 2, 3, or 4, navigating the "request for further information" stage is critical. This step is not a rejection but a remedial mechanism allowing authorities to clarify gaps in your application.

The Legal Basis: Article 17(5)(b)

The primary provision governing this interaction is Article 17(5)(b) of the CADA proposal. This article outlines the specific actions an evaluating national competent authority may take within the initial 60-day period following the acceptance of your application.

If the authority determines that the evidence submitted is insufficient to allow them to recognize your cloud computing service as offering a specific Union assurance level, they are empowered to pause the evaluation and request additional data. The regulation explicitly states that the authority may "request further information from the applicant and request that the applicant submit such information within a specified time limit."

This provision shifts the burden of proof back to the applicant. While the authority cannot reject the application immediately upon finding gaps, the applicant must act swiftly to provide the necessary documentation, data, or explanations. Failure to comply with the specified time limit can lead to the authority concluding that the evidence remains insufficient, triggering a rejection under Article 17(5)(c).

How the 60-Day Clock Is Suspended

Understanding the mechanics of the timeline is essential for managing your internal compliance resources and legal strategy. The CADA proposal introduces a specific "stop-clock" mechanism to handle these requests fairly.

According to Article 17(5)(b), "The period of 60 days referred to in this paragraph shall be suspended from the date of issue of the request until the date the information is received."

This means:

1. The Pause: The statutory deadline for the authority to make a final decision (recognize, request more info, or reject) stops ticking the moment they issue the request.
2. The Restart: The clock does not resume until the authority physically or electronically receives your submission.
3. The Calculation: The remaining days of the original 60-day period are preserved. For example, if the authority requests information on Day 45, and you submit the response 10 days later, the authority has the remaining 15 days (plus the time taken for the suspension) to finalize their assessment.

This mechanism prevents authorities from rushing through complex evaluations due to administrative pressure while ensuring that applicants cannot indefinitely delay the process by withholding information. It creates a controlled "pause button" on the administrative procedure, allowing for a thorough review of new evidence without penalizing the authority for missing the initial 60-day target.

The 30-Day Suspension Cap and Justifications

While the clock is suspended, the CADA proposal places strict limits on how long this pause can last to prevent administrative stagnation and ensure market certainty. The same paragraph in Article 17(5)(b) states: "The suspension shall not exceed 30 days in total unless it is justified by the nature of the information requested or by exceptional circumstances."

This cap serves two distinct purposes:

1. Protection for the Applicant: It prevents authorities from issuing vague, overly broad, or repetitive requests for information that could delay your market entry for months. If the authority needs more than 30 days to wait for your response, they must have a valid, documented reason.
2. Flexibility for Complex Cases: The exception for "exceptional circumstances" or the "nature of the information" acknowledges that some sovereignty assessments are technically complex. For example, if the authority requests a deep-dive audit report on your software supply chain (relevant for Union assurance levels 2–4) or evidence of legal separation from third-country entities, preparing this evidence may legitimately take longer than 30 days.

If the suspension exceeds 30 days, the authority must justify this extension. As an applicant, if you believe a request is disproportionately broad and will inevitably breach the 30-day cap without clear justification, you should engage in dialogue with the authority to narrow the scope of the request or seek clarification on the "nature of the information" required.

What Constitutes "Further Information"?

The regulation does not strictly define what "further information" entails, but it must be directly related to the evidence required for recognition under Annex II. The nature of the request often depends on the assurance level sought:

• For Union Assurance Level 1: Requests may involve clarifying your EU statement of conformity, providing additional evidence regarding the location of your infrastructure, or demonstrating compliance with cybersecurity standards.
• For Union Assurance Levels 2, 3, and 4: Requests are likely tied to the audit report and the "positive" audit opinion required under Article 17(4). Common requests include:
  • Clarification on subcontractor due diligence processes.
  • Additional documentation proving that customer data remains exclusively within the Union.
  • Evidence of legal, technical, and organizational measures to prevent third-country control.
  • Details on your cybersecurity certification status (e.g., "substantial" or "high" assurance levels).
  • Proof of Union citizenship for personnel, if required by the public sector body.

You must ensure that the information you provide is complete, accurate, and directly addresses the points raised by the authority. Providing partial or ambiguous information may lead the authority to issue a second request (if permitted by national implementation) or, more likely, lead to a rejection under Article 17(5)(c).

Strategic Response to Requests

When you receive a request for further information, treat it as a formal part of your compliance dossier.

1. Document the Date: Record the exact date of receipt, as this marks the start of the suspension period.
2. Coordinate Teams: Engage your legal, technical, and audit teams immediately to ensure the response is robust.
3. Proactive Communication: If the requested information is not immediately available, communicate proactively with the authority. While the regulation allows for a suspension, it is good practice to inform the authority of your timeline for gathering the data, especially if you anticipate approaching the 30-day limit.
4. Quality Over Speed: Ensure your response is comprehensive. Incomplete responses increase the risk of a negative outcome, as the authority may deem the evidence still insufficient.

What this means for you

For cloud service providers and data centre operators, the request for further information is not necessarily a negative signal; it is a standard part of the due diligence process for sovereignty recognition. However, it requires immediate and precise attention.

1. Monitor Communications Closely: Ensure your designated point of contact with the national competent authority is responsive. Missing a request or failing to submit within the specified limit can result in the authority concluding that your evidence is insufficient, leading to a rejection.
2. Track the Suspension Period: Keep a detailed log of the 60-day evaluation clock. Note the exact date the request was issued and the date your response was received. If the suspension approaches 30 days, be prepared to discuss extensions if the complexity of the request warrants it.
3. Prepare Comprehensive Responses: Do not provide minimal answers. The authority is assessing your compliance with strict sovereignty criteria. Incomplete responses increase the risk of a negative outcome. For higher assurance levels, ensure your audit evidence aligns precisely with the criteria in Annex II of the CADA proposal.
4. Engage Early if Issues Arise: If you encounter difficulties in providing the requested information due to technical or legal constraints, engage with the authority early. Explaining the "exceptional circumstances" that might justify a longer suspension period can help manage expectations and prevent a rushed rejection.

Common misconceptions

Misconception 1: The 60-day deadline is absolute. Many providers assume the authority must decide within 60 days regardless of circumstances. In reality, Article 17(5)(b) explicitly allows for the suspension of this period. The deadline is flexible if the authority requests further information, provided the suspension itself is capped at 30 days unless justified.

Misconception 2: A request for information means rejection is imminent. A request for further information is a procedural step to clarify ambiguities, not a prelude to rejection. It indicates the authority is still engaged in the evaluation process and sees potential in your application, provided the gaps can be filled. Rejection under Article 17(5)(c) is a distinct outcome that occurs when evidence remains insufficient after requests for information or if the initial application is fundamentally flawed.

Misconception 3: You can take as long as you need to respond. The authority specifies a time limit for your response. While the evaluation clock is suspended, you are not exempt from responding promptly. Failing to meet the specified deadline may be interpreted as a failure to provide sufficient evidence, leading to a rejection. The 30-day cap on suspension applies to the authority's waiting period, not an unlimited grace period for you.

Related

• How to handle a Commission information request during CADA recognition
• How does a data centre operator request single-information-point assistance as an SME?
• Which National Competent Authority Do I Apply to for CADA Recognition?
• What is the timeline and deadlines for getting CADA recognition?
• CADA Compliance Checklist for Cloud Providers: Steps to Recognition

This is general information about a draft EU regulation, not legal advice.