Summary As proposed in the Cloud and AI Development Act (CADA), a cloud computing service provider (CSP) gets recognised at a sovereignty tier by applying to the national competent authority of its establishment under Article 17. The evidence route depends on the tier: Level 1 rests on a conformity self-assessment and an EU statement of conformity (Article 19); Levels 2, 3 and 4 require an independent third-party audit yielding a "positive" audit opinion (Article 20). The evaluating authority then has 60 days to assess the evidence and, if satisfied, prepares a draft recognition decision that is notified to other Member States for a 60-day cross-border review. If no sustained objection arises, recognition takes effect across the Union. SMEs seeking Level 1 are recognised automatically without that procedure.
Detail
The recognition mechanism in Article 17 is built to function as a single-evaluation, Union-wide-effect system: a service recognised through one Member State's authority is recognised across the Union, subject to a cross-border review. The procedure begins with the CSP submitting an application to the national competent authority of establishment, which Article 17(1)–(2) designates as the "evaluating national competent authority." What you must include depends entirely on the Union assurance level you seek.
Two routes diverge after Level 1
1. The self-assessment route (Union assurance level 1). Under Article 17(3), a candidate for Level 1 submits to the evaluating authority the EU statement of conformity referred to in Article 19(2), together with all the necessary evidence. The statement is issued after a conformity self-assessment against the Level 1 criteria in Annex II, and by issuing it the provider assumes responsibility for compliance.
A derogation applies to SMEs: under the second subparagraph of Article 17(3), an EU statement of conformity issued by an SME is directly and automatically recognised in all Member States without prior recognition by the evaluating authority. Non-SMEs at Level 1 still go through the authority, but the evidentiary route is lighter than for the audited tiers.
2. The independent audit route (Union assurance levels 2, 3 and 4). Under Article 17(4), a candidate for these levels submits the audit report, the "positive" audit opinion referred to in Article 20, and all the evidence provided to the auditing organisation during the audit. The audit must confirm that the service meets the cumulative Annex II criteria for the level sought — and, because the criteria are cumulative, a provider audited at a higher level must also satisfy every criterion applicable to the lower levels (Article 20(1)). The auditing organisation must meet the independence and competence conditions in Article 20(4).
Evaluation and cross-border review
Once the evaluating authority accepts the application, Article 17(5) gives it 60 days to assess the evidence. It may:
- Prepare a draft recognition decision and notify the competent authorities of the other Member States, triggering a 60-day review period during which they can confirm the intended Union-wide recognition (Article 17(5)(a)). The notification must include the evidence under paragraphs 3 or 4.
- Request further information where the evidence is insufficient. The 60-day period is suspended from the date of the request until the information arrives, and the suspension may not exceed 30 days in total unless justified by the nature of the information or by exceptional circumstances (Article 17(5)(b)).
- Reject the application — but only after giving the candidate 30 days to comment in writing on the conclusions, which the authority must take due account of (Article 17(5)(c)).
Objections and disputes
During the review period, another Member State's authority may submit a reasoned objection or a request for clarification where it considers the draft decision does not comply with the applicable assurance level (Article 17(6)). A request for clarification obliges the evaluating authority to take it into account and either seek new information, confirm, or modify its draft; if the requesting authority remains unsatisfied it may then object (Article 17(8)). Faced with a reasoned objection, the evaluating authority assesses it and either maintains or revokes its draft decision, informing the other authorities within 15 days (Article 17(9)).
If the evaluating authority intends to maintain its draft decision over an objection, the concerned authority may refer the matter to the Commission, which assesses the referral, may request information, and adopts a binding decision on whether recognition may be granted (Article 17(10)). This centralised tie-breaker prevents a single Member State from stalling a compliant service indefinitely.
If no reasoned objection or request for clarification is submitted within the review period, the evaluating authority's conclusions are deemed accepted, it adopts the recognition decision, and the service is recognised throughout the Union at the appropriate level (Article 17(7)).
Registration, revocation and ongoing obligations
Following recognition, the national competent authority of establishment registers the service in the public central repository (Article 22(2)). Recognition is not permanent: under Article 17(11) the evaluating authority may revoke it where the provider intentionally or negligently supplied incorrect or misleading information. For the audited tiers, the audit report and positive opinion must be reviewed annually (Article 20(8)), and under Article 23 the provider must promptly notify the auditing organisation and the authority of any material change that may affect the audit opinion or the recognition.
Why the cross-border review exists
The 60-day review period is the mechanism that turns a single national recognition into Union-wide effect. Because a recognition granted by one Member State's authority is intended to be valid across the whole Union, the other Member States are given a structured window to check that the draft decision genuinely meets the Annex II criteria for the level claimed. This is what prevents "forum shopping" — seeking recognition in the most lenient Member State — while still giving providers a single point of entry. For a provider, the takeaway is that the home authority's view is necessary but not automatically final: the evidence has to convince peers across the Union, and the more consistent and complete it is, the lower the risk that a clarification request or objection extends the timeline.
Recognition attaches to a service, at a level
Recognition is granted to a specific cloud computing service at a specific Union assurance level, not to the provider as an organisation. A provider offering several distinct services may need separate recognitions, each at the level appropriate to that service and to the public-sector activities it will support. And because the Annex II criteria are cumulative (Article 20(1)), a higher-level recognition presupposes compliance with every lower-level criterion too — there is no way to "skip" a level by meeting only the criteria unique to the tier sought.
What this means for you
For CSPs, recognition is a structured route to public-sector market access — demanding for the higher tiers, streamlined for SMEs at Level 1.
- Pick your track early. Decide whether you are pursuing Level 1 (self-assessment) or Levels 2–4 (audit). If you are an SME, the automatic Level 1 recognition is a real advantage; for higher tiers, budget for and schedule the independent audit well ahead.
- Engage your authority of establishment. The process starts and ends with that authority. Build the relationship early — it is your point of contact for the application and any clarifications.
- Document for cumulative criteria. Remember that higher-tier audits also test every lower-tier criterion (Article 20(1)). Make your data-localisation, supply-chain and governance evidence audit-ready.
- Expect cross-border scrutiny. Even after your home authority is satisfied, other Member States have 60 days to object. Clear, unambiguous documentation reduces that risk.
- Maintain compliance. Recognition is conditional: track material changes and report them under Article 23, and keep up the annual audit review for Levels 2–4.
Common misconceptions
"Recognition is granted by the European Commission." No. Recognition is granted by the national competent authority of establishment. The Commission only intervenes to resolve cross-border disputes via a binding decision when a matter is referred to it (Article 17(10)).
"Every provider needs an independent audit." No. Only Levels 2, 3 and 4 require an audit (Article 20). Level 1 rests on self-assessment and an EU statement of conformity, and SMEs at Level 1 are recognised automatically (Article 17(3)).
"Once recognised, you are safe for life." No. Recognition can be revoked for incorrect or misleading information (Article 17(11)), the audit must be reviewed annually (Article 20(8)), and material changes must be reported (Article 23).
"Objections from other Member States are rare and decisive." The 60-day review exists precisely to catch inconsistencies, so do not assume automatic approval. But a single objection is not decisive: the evaluating authority may maintain its decision, and the Commission resolves the dispute by binding decision (Article 17(10)).
Related
- How does a recognised frontier AI project get computing support under CADA?
- How does a cloud provider check whether CADA's sovereignty rules apply to it?
- How do I move my cloud service up a CADA sovereignty tier?
- How do I get recognised at CADA Union assurance level 4?
- How to get recognised at CADA Union assurance level 3: Audit, criteria & third-country rules
This is general information about a draft EU regulation, not legal advice.