Summary

Under the proposed Cloud and AI Development Act (CADA), the central repository would be the place public-sector buyers check to confirm a cloud service's recognised sovereignty status before procuring it. As proposed in Article 22(4), the repository is publicly available and maintained by the Commission and national authorities, listing services recognised at Union assurance levels 1 to 4. Article 30 would then require contracting authorities and Union entities to procure only recognised services, with the required level set by the risk assessment under Article 29. CADA is a draft proposal, so neither the repository nor these procurement duties are in force yet.

Detail

CADA proposes a mandatory sovereignty framework for the public sector's use of cloud services. The central repository is the operational link between recognition and procurement: it is where a buyer verifies that a service has been recognised and at what level.

The repository: access and contents

Article 22 establishes the central repository of cloud computing services. Recital 57 describes its purpose as facilitating the secure and efficient storage, access and exchange of relevant information among public-sector customers, auditing organisations, competent authorities and the Commission.

The repository is populated by national authorities: when a service is recognised at a Union assurance level, the national competent authority of establishment registers it (Article 22(2)). Article 22(4) requires that "The central repository shall be publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website." It lists recognised services and their level, and — under Article 22(3) — also publishes revoked audit reports and opinions and revoked recognitions, which remain visible for five years.

How the repository connects to procurement (Article 30)

The repository matters because of Article 30, which ties procurement to recognised status:

  • Article 30(2) — Union entities and public-sector bodies whose activities have not been identified as contributing to the preservation of public order (under the Article 29 risk assessment) must use cloud computing services recognised under Article 17 as having Union assurance level 1.
  • Article 30(3) — contracting authorities whose activities have been identified as contributing to the preservation of public order (sectors under Annex I or II of the NIS2 Directive, and the areas of national security, internal security, external border management, defence, justice or law enforcement) must procure only services recognised at Union assurance level 2, 3 or 4.

A typical workflow would therefore be:

  1. Risk assessment (Article 29). Determine whether the activity contributes to the preservation of public order.
  2. Identify the required level. Level 1 for general activities; level 2, 3 or 4 for public-order-relevant activities.
  3. Check the repository. Find the services recognised at the required level.
  4. Procure. Restrict or evaluate the tender on the basis of recognised services at that level.

The role of the risk assessment

The repository is not a simple "approved/banned" list; it works together with the national risk assessment. Article 29 requires Member States and Union entities to identify which public-sector activities use cloud services that contribute to the preservation of public order. The outcome dictates which level must be sourced. A municipality handling routine administrative data may need only level 1; a national security or justice function would need a higher level. The repository lets the buyer filter by the verified level the activity requires.

A worked sequence

Consider a national authority procuring a cloud platform for a justice-sector workload. Its Article 29 risk assessment identifies the activity as contributing to the preservation of public order. Under Article 30(3), the area of justice falls within the activities that must procure only services recognised at level 2, 3 or 4. The procurement officer therefore consults the central repository, filters for services recognised at the required level, confirms none of the candidate services carries a revocation notice (Article 22(3)), and frames the tender so that recognition at the required level is an eligibility condition. By contrast, a municipality procuring a routine document-management service whose activity is not identified as public-order-relevant would, under Article 30(2), need a service recognised at level 1, and would run the same repository check at that level.

This illustrates the central point: the repository does not tell a buyer which level it needs — the Article 29 risk assessment does that — but it tells the buyer which services actually hold that level.

Interaction with wider procurement duties

The repository check is one part of CADA's procurement architecture. Article 32, for example, would require contracting authorities to apply "Union added value" non-price award criteria in procurement of innovative cloud services and AI systems (such as contribution to the EU technology supply chain), and Article 33 sets monitoring duties and an aspiration that at least 25% of cloud and AI procurement go to innovative SMEs. The repository does not replace these; it sits underneath them, ensuring that whichever recognised service is chosen meets the sovereignty level the activity requires.

Exceptions

Article 30(4) allows a contracting authority, exceptionally and where duly justified, not to procure a recognised service where, for example: the subject matter cannot be supplied by any recognised service available in the repository and no adequate alternative exists (and that absence is not the result of artificially narrowing the procurement); a similar procurement in the previous year drew no suitable tenders or participants; or applying the requirement would mean procuring at disproportionate cost. These are narrow exceptions; the default is to source from the repository.

What this means for you

For a public-sector procurement officer, the repository would become a routine compliance step.

  • Build the check into your tenders. Specify that bidders' services must be recognised at the required assurance level in the central repository. This is likely to function as an eligibility condition, not merely an award criterion.
  • Know your risk tier. Work out, from the Article 29 risk assessment, whether your activity is public-order-relevant — that is what decides whether you look for level 1 or for levels 2-4.
  • Monitor through the contract. Recognitions can be amended or revoked, and revocations appear in the repository (Article 22(3)). If a service loses the required level, you may need to act. CADA's proposal text does not set a fixed migration deadline for that situation, so address transition in your contract terms.
  • Document any derogation. If you rely on Article 30(4), keep a clear, justified record of why a recognised service was not procured. The grounds are limited — no adequate recognised alternative in the repository (and not because the procurement was artificially narrowed), a prior similar procurement that drew no suitable tenders, or disproportionate cost — and the derogation is exceptional, so the documentation needs to stand up to scrutiny.
  • Mind the scope of Article 30. It applies to contracting authorities (and Union entities) procuring cloud services for their exclusive use (Article 30(1)). Confirm that the procurement falls within that scope before treating the recognised-service requirement as engaged, and align the required level with the outcome of the Article 29 risk assessment rather than defaulting to the highest level available.

Used this way, the repository turns a complex sovereignty judgement into two checks: the risk assessment fixes the level, and the repository confirms which services hold it. Both are needed; neither substitutes for the other.

Common misconceptions

  • "The repository lists every EU cloud provider." No. It lists only services recognised at a Union assurance level after self-assessment (level 1) or independent audit (levels 2-4). Providers that have not sought or obtained recognition — including large non-EU providers — would not appear.

  • "Level 1 is the highest standard." Level 1 is the baseline for general public-sector use. Levels 2, 3 and 4 add cumulative criteria; level 4 is the highest. Note that level 1 does not exclude third-country-controlled providers — Annex II level 1 sets conditions for them rather than barring them.

  • "Private companies must procure from the repository." The mandatory rules in Article 30 bind contracting authorities and Union entities. Private entities in NIS2 critical sectors may run similar assessments under Article 31, but are not, under the proposal, required to procure only from the repository unless later delegated acts impose it.

  • "Once listed, a provider stays listed forever." Audited levels are reviewed annually (Article 20(8)) and recognition can be revoked. Article 23 requires providers to report material changes, and Article 22(3) ensures revocations are published — so verify current status before and during procurement.

This is general information about a draft EU regulation, not legal advice.