Summary
Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers seeking recognition at Union assurance level 1 must carry out a conformity self-assessment against the specific criteria set out in Annex II. As mandated by Article 19, you must document this assessment, issue a publicly available "EU statement of conformity," and assume full legal responsibility for your compliance. This self-declaration mechanism serves as the foundational entry point for offering sovereign cloud services to EU public sector bodies, distinct from the independent third-party audits required for higher assurance levels (2, 3, and 4).
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a harmonized framework for cloud sovereignty designed to reduce the EU's dependence on third-country providers and ensure operational autonomy for public sector entities. Central to this framework is the concept of "Union assurance levels," which categorize cloud computing services based on their trustworthiness, data localization, and independence from foreign control.
For providers aiming to serve the broadest range of public sector customers, Union assurance level 1 represents the entry point of this sovereignty framework. Unlike levels 2, 3, and 4, which require rigorous independent third-party audits by accredited bodies, level 1 relies on a conformity self-assessment. This mechanism is designed to be accessible, in order to foster market entry, while still imposing strict technical, legal, and governance requirements that ensure a baseline of sovereignty.
The Legal Basis: Article 19
The primary legal provision governing this process is Article 19 of the CADA proposal. This article explicitly outlines the obligations for providers seeking recognition at Union assurance level 1. It establishes a three-step process that shifts the burden of proof to the provider:
- Conducting the Self-Assessment: Providers must assess their compliance with the criteria listed in Annex II of the Regulation.
- Issuing the Statement: Providers must issue an "EU statement of conformity."
- Public Disclosure and Responsibility: Providers must make this statement publicly available and assume responsibility for the compliance of their service.
Article 19(1) states that cloud computing service providers seeking recognition under Article 17 as offering Union assurance level 1 "shall carry out a conformity self-assessment of compliance with the criteria for Union assurance level 1 set out in Annex II."
This self-assessment is not a mere formality or a simple checklist. It requires a systematic, evidence-based review of your infrastructure, data flows, subcontracting chains, and corporate governance to ensure they meet the cumulative criteria defined in Annex II, Section 1. The provider acts as its own conformity assessment body for this level, a privilege that comes with significant liability.
Understanding the Criteria: Annex II, Section 1
To successfully self-assess, you must demonstrate compliance with every criterion listed in Annex II for Union assurance level 1. These criteria are cumulative; failure to meet even one results in non-compliance and disqualification from the level 1 recognition. Key areas of focus include:
- Establishment in the Union: The cloud computing service provider must be established in the EU.
- Location of Infrastructure and Assets: The infrastructure and assets of the provider, including those of any subcontractors involved in the service provision, must be located in the Union.
- Data Residency: Customer data, including metadata and telemetry data, processed, stored, or transferred by the provider and its subcontractors, must remain exclusively within the Union. This applies at all times (before, during, and after the configuration or use of the service) unless the public sector body explicitly requires otherwise.
- Subcontractor Management: If technical or operational support is outsourced to third parties outside the Union, the provider must implement legal, technical, and organizational measures to ensure traceability, security, and governance. Crucially, these operations must not compromise the operational autonomy of the cloud provider.
- Cybersecurity Standards: The provider must demonstrate that the service complies with state-of-the-art cybersecurity standards. Unlike higher levels, there is no mandatory requirement for a specific European cybersecurity certificate at level 1, but the standard must be demonstrably high.
- Transparency and Due Diligence: Providers must offer full transparency regarding the use of subcontractors. This includes subjecting subcontractors to due diligence, contractual obligations, and ongoing oversight to meet Union legal obligations.
- Vulnerability Reporting: If the provider is subject to the control of a third country or a legal entity established in a third country, it must guarantee that no existing laws or practices in that third country require the provider to report software vulnerabilities to third-country authorities prior to those vulnerabilities being known to have been exploited.
Issuing and Publishing the EU Statement of Conformity
Once the self-assessment is complete and compliance is confirmed, Article 19(2) mandates that the provider "shall issue an EU statement of conformity stating that compliance with the criteria for Union assurance level 1 have been demonstrated."
By issuing this statement, the provider assumes responsibility for the compliance of the cloud computing service with the criteria set out in Annex II. This is a critical legal distinction: unlike higher assurance levels where an independent auditor issues a "positive opinion" based on third-party verification, at level 1, the provider is the sole guarantor of its own compliance. The statement serves as a legal declaration that the provider accepts liability for any inaccuracies.
Furthermore, Article 19(3) requires that "the cloud computing service provider shall make the EU statement of conformity publicly available." This transparency measure ensures that public sector bodies, contracting authorities, and other stakeholders can verify the provider's claim to sovereignty. The statement should be easily accessible, typically via the provider's website, a dedicated compliance portal, or the central repository once established.
The Path to Recognition and the SME Derogation
While the self-assessment and statement of conformity are the core tasks under Article 19, they are part of a broader recognition process outlined in Article 17. Generally, a provider must submit an application for recognition to the national competent authority of establishment, including the EU statement of conformity and all necessary evidence. The authority then evaluates the evidence to decide on recognition.
However, CADA includes a significant simplification for smaller players to foster competition. Article 17(3) provides a derogation for small and medium-sized enterprises (SMEs). For SMEs, the EU statement of conformity issued under Article 19(2) "shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority."
This means that if you are an SME, once you have completed your self-assessment and published your EU statement of conformity, you are automatically recognized as offering Union assurance level 1 across the entire EU. You do not need to wait for a national authority to approve your application. For larger providers, the statement of conformity is submitted as part of the application to the national competent authority, which then evaluates the evidence. If satisfied, the authority recognizes the service as offering Union assurance level 1 across the EU.
What this means for you
For cloud service providers and data centre operators, the self-assessment for Union assurance level 1 is the first critical step in positioning your services for the EU public sector market. As CADA is a proposal, these steps represent the intended compliance path. Here is how to prepare:
- Audit Your Supply Chain: Map your entire subcontractor chain. Ensure that any third-party providers involved in service delivery are either EU-based or, if non-EU, are governed by strict contracts that guarantee data residency and operational autonomy. Document these relationships thoroughly, as you must be able to prove traceability and governance.
- Verify Data Flows: Conduct a technical audit of your data flows. Confirm that all customer data, metadata, and telemetry remain within the EU borders. Implement technical controls to prevent accidental exfiltration to non-EU servers, especially in cases of disaster recovery or backup. Remember, the criteria apply "at any time."
- Document Your Cybersecurity Posture: Gather evidence that your service meets state-of-the-art cybersecurity standards. This may include existing certifications (such as ISO 27001, SOC 2, or national schemes) or internal security policies, provided they align with the specific requirements of Annex II. You must be able to demonstrate this compliance if challenged.
- Draft the EU Statement of Conformity: Create a formal document that explicitly declares your compliance with each criterion in Annex II, Section 1. Ensure this document is clear, unambiguous, and ready for public publication. It must state that you have carried out the self-assessment and that you assume responsibility.
- Prepare for Submission or Publication:
  - If you are an SME: Ensure your statement is published and easily accessible. You are automatically recognized across the EU upon publication.
  - If you are a larger provider: Prepare to submit this statement along with supporting evidence to your national competent authority. Be ready for a review period where the authority may request further information or collaborate with other Member States' authorities.
Common misconceptions
- "Level 1 is 'low' security." Union assurance level 1 is not a low-security tier; it is a sovereignty tier. It still requires strict data localization, EU establishment, and state-of-the-art cybersecurity. It is simply the level that does not require an independent audit, making it more accessible while maintaining high baseline trust. The criteria in Annex II are cumulative and rigorous.
- "I can use non-EU subcontractors freely." You can use non-EU subcontractors for technical support, but only if you can prove that their access does not compromise operational autonomy or data sovereignty. You must implement robust legal and technical safeguards, and document them extensively. The burden of proof lies entirely with you.
- "The self-assessment is optional." No. Article 19 makes it mandatory for any provider seeking recognition at level 1. Without the self-assessment and the subsequent EU statement of conformity, you cannot be recognized as offering a sovereign service under CADA.
- "Once I issue the statement, I'm done." Compliance is ongoing. Article 23 imposes transparency obligations, requiring you to notify authorities of any material changes that might affect your compliance. If your infrastructure, subcontracting arrangements, or control structures change, you must reassess and potentially update your statement. Failure to do so could lead to penalties under Article 24.
- "SMEs don't need to do anything." While SMEs benefit from automatic recognition, they must still perform the self-assessment and issue the statement. The "automatic" part only refers to the waiver of the national authority's prior approval step. The legal responsibility remains with the SME.
Related
- How to prepare a CADA self-assessment report for Union assurance level 1
- When can a public buyer use a derogation from CADA's assurance-level procurement rules?
- How does a public buyer verify a provider's CADA assurance level before awarding?
- How does a public buyer justify procuring above the minimum CADA assurance level?
- How does a non-EU cloud provider qualify under CADA assurance level 3?
This is general information about a draft EU regulation, not legal advice.