Summary
Under the proposed Cloud and AI Development Act (CADA), public buyers cannot rely on vendor marketing to verify sovereignty. Instead, they must consult the central repository of cloud computing services established under Article 22(1). As proposed in Article 22(4), this repository is "publicly available and regularly updated" on a dedicated website, serving as the single source of truth for services formally recognised by national competent authorities. Buyers must cross-check every vendor claim against this register to confirm the specific Union assurance level (1 to 4) assigned to a service. Procuring a service not listed, or listed at a lower level than required by the buyer's risk assessment under Article 29, would violate Article 30 procurement obligations. This mechanism is designed to eliminate "sovereignty washing" and ensure that public order protections are grounded in audited, legally recognised status rather than self-declared assertions.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a rigorous, four-tiered sovereignty framework to address the EU's dependence on non-European cloud providers and to safeguard public order. For public-sector procurement officers, the critical challenge is distinguishing between providers who genuinely meet these stringent sovereignty standards and those who merely market themselves as "sovereign," "trusted," or "EU-compliant" without undergoing the necessary legal verification. CADA resolves this ambiguity by shifting the burden of verification from individual procurement officers to a centralized, authoritative data source: the central repository.
The Central Repository as the Source of Truth
Article 22 of the CADA proposal establishes the "central repository of cloud computing services." This is not a voluntary directory or a simple list of vendors; it is a legally significant register maintained by the European Commission. Its primary function is to record cloud computing services that have successfully undergone the formal recognition process outlined in Article 17.
The process begins when a cloud computing service provider seeks to serve Union entities or public sector bodies. The provider must submit an application for recognition to the national competent authority of establishment.
- For Union assurance level 1, the provider must submit an EU statement of conformity (Article 19) demonstrating compliance with baseline criteria.
- For Union assurance levels 2, 3, and 4, the provider must undergo an independent third-party audit resulting in a "positive" audit opinion (Article 20).
Once the evaluating national competent authority assesses the evidence and no other Member State raises a reasoned objection within the statutory review period, the service is recognised throughout the Union. It is at this precise moment that the repository becomes critical. Article 22(2) mandates that the national competent authority which recognised the service "shall register the cloud computing service in the central repository." Consequently, the repository serves as the definitive proof that a service has met the cumulative criteria for a specific assurance level as defined in Annex II of the regulation.
Public Accessibility and Transparency
A cornerstone of the CADA framework is radical transparency to facilitate market access and compliance. Article 22(4) explicitly states: "The central repository shall be publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website."
This provision ensures that public buyers do not need special access credentials, legal privileges, or paid subscriptions to verify a provider's status. The requirement for an "easily accessible website" implies a user-friendly interface where procurement officers can search for specific services, providers, or assurance levels. The "regularly updated" clause is equally vital; it ensures that the data remains current, reflecting any recent recognitions, amendments, or, crucially, revocations. This dynamic nature prevents the repository from becoming a static list of historical data, ensuring that buyers are always viewing the live compliance status of the market.
The Verification Workflow for Public Buyers
For a procurement officer, the verification process under CADA is a systematic cross-check that must occur before contract award. The workflow involves four distinct steps:
- Identify the Required Assurance Level: Before initiating procurement, the contracting authority must have completed the risk assessment required under Article 29. This assessment determines whether the public sector activity requires Union assurance level 1 (the baseline for all public procurement) or levels 2, 3, or 4 (for activities contributing to the preservation of public order, such as national security, justice, law enforcement, or critical infrastructure).
- Locate the Service in the Repository: When evaluating tenders, the officer must verify that the proposed cloud computing service is explicitly listed in the central repository. The listing must state the specific Union assurance level (1, 2, 3, or 4) for which the service is recognised.
- Cross-Check Vendor Claims: If a vendor claims to be "sovereign" or "EU-compliant" but does not appear in the repository with the required assurance level, the claim is unverified under CADA. The repository is the only mechanism that confers legal recognition of sovereignty status across the Union. A marketing brochure, a self-declaration, or a third-party certification not linked to the CADA recognition process is insufficient.
- Check for Revocations: Article 22(3) notes that "The revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years." Buyers must ensure that the service they are procuring has not had its status revoked due to non-compliance, the supply of incorrect information, or a failure to maintain standards.
Guarding Against Unverified Sovereignty Marketing
One of the most significant risks for public buyers is "sovereignty washing", where providers use vague marketing language to imply compliance with EU sovereignty standards without having undergone the rigorous audit and recognition process. CADA mitigates this by legally tying procurement eligibility directly to the repository.
Article 30 sets out strict procurement obligations that leave no room for subjective interpretation of marketing materials.
- Article 30(2) mandates that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order "shall use cloud computing services that have been recognised under Article 17 as having a Union assurance level 1."
- Article 30(3) restricts procurement for activities that do contribute to public order to services "recognised as having a Union assurance level 2, 3, or 4."
These articles do not allow for the procurement of services based on a provider's self-declaration or a "sovereign-by-design" marketing campaign. They require a formal recognition under Article 17, which is recorded in the Article 22 repository. Therefore, if a provider is not in the repository, or is in the repository with a lower assurance level than required by the risk assessment, the public buyer cannot legally procure that service under the CADA framework. The only exceptions are the specific derogations in Article 30(4), which apply only in exceptional circumstances, such as the absence of any adequate alternative in the central repository, provided the absence is not the result of an artificial narrowing of the procurement parameters.
The Role of National Competent Authorities
While the Commission maintains the repository, the data originates from national competent authorities. Article 25 requires Member States to designate one or more national competent authorities responsible for enforcing the sovereignty framework. These authorities possess investigative and enforcement powers to verify compliance. If a national competent authority revokes a recognition (e.g., because a provider supplied misleading information or failed an annual review), this revocation is immediately reflected in the central repository. This dynamic updating ensures that public buyers are protected from providers whose sovereignty status has lapsed or been invalidated, ensuring that the "publicly available" status of the repository is always reliable.
What this means for you
For public-sector procurement officers, the CADA repository transforms sovereignty verification from a complex, resource-intensive legal analysis into a concrete, data-driven check. Here is how this impacts your daily operations and compliance strategy:
- Standardize Your Evaluation Criteria: Update your tender documents to explicitly require that bidders provide the reference ID or confirmation of their listing in the CADA central repository at the specific Union assurance level required by your risk assessment. Make this a mandatory eligibility criterion, not just a weighted evaluation factor. If a bidder cannot produce a valid entry in the repository, they should be excluded from the procedure.
- Simplify Due Diligence: You no longer need to independently audit a provider's legal structure, data residency, or cybersecurity certifications to verify sovereignty. The repository confirms that a national competent authority has already performed this verification. Your role shifts from auditor to verifier of the registry entry, significantly reducing administrative burden and legal risk.
- Monitor for Changes: Because the repository is regularly updated, you should establish a process to check the status of your current cloud providers periodically. If a provider's status is downgraded or revoked, you may need to initiate migration plans. Article 29(6) notes that if a risk assessment requires migration, it should occur within a reasonable transition period not exceeding 12 months.
- Align Risk Assessments with Repository Tiers: Ensure your Article 29 risk assessments are precise. If you incorrectly classify a non-critical service as requiring Level 3, you may find fewer vendors in the repository, limiting competition and potentially driving up costs. Conversely, if you classify a critical service as Level 1, you may violate public order protections. The repository helps you see the market reality of how many providers meet each tier, allowing for more realistic procurement planning.
Common misconceptions
Misconception 1: "If a provider has an EU subsidiary, they are automatically sovereign under CADA." Correction: No. Having an EU establishment is a baseline criterion for Union assurance level 1 (Annex II, Section 1.1(a)), but it is not sufficient on its own. The provider must also meet criteria regarding data residency, subcontractor oversight, cybersecurity standards, and, for higher levels, personnel citizenship and third-country control. Only services that pass the full audit and are registered in the Article 22 repository hold a valid sovereignty claim.
Misconception 2: "I can accept a provider's self-declaration of sovereignty as proof." Correction: While providers issue an "EU statement of conformity" for Level 1, this self-declaration must still be part of the recognition process submitted to the national competent authority. For Levels 2 to 4, independent third-party audits are mandatory. Public buyers must rely on the central repository, which confirms that the national authority has accepted this evidence. A self-declaration without repository recognition does not satisfy Article 30 procurement obligations.
Misconception 3: "The repository only lists EU-based providers." Correction: Not necessarily. Article 18 allows for the recognition of third countries as providing sufficient assurances for Union assurance level 3, provided they meet strict criteria (e.g., adequacy decisions, no measures compelling data access or service disruption). If a third-country provider meets these criteria and passes the audit, their service can be listed in the repository. However, the vast majority of listed services will likely be EU-established entities due to the stringent control requirements for Levels 2 and 4.
Misconception 4: "Once listed, a provider's status is permanent." Correction: The repository is dynamic. Article 22(3) ensures that revocations are published. Providers must also report material changes under Article 23. If a provider fails to maintain compliance, their status can be amended or revoked, and this will be reflected in the public register. Buyers must treat the repository as a live status check, not a one-time verification.
Related
- CADA Procurement & Central Repository: How Public Buyers Must Verify Sovereign Cloud
- How do public-sector buyers use the CADA central repository?
- CADA Central Repository: Who can access it and is it public?
- Does the CADA central repository list all four sovereignty tiers?
- Why list in the CADA repository? Public procurement access & market advantage
This is general information about a draft EU regulation, not legal advice.