Summary

The trigger is your customer, not your size or origin. As proposed in Article 16(1) of the Cloud and AI Development Act (CADA), the Union cloud computing sovereignty framework sets out criteria that cloud computing service providers (CSPs) "shall meet in order to provide their cloud computing services to Union entities and public sector bodies." So the practical test is simple: do you serve, or want to serve, EU public sector bodies or Union entities? If yes, the framework is relevant to you. Seeking recognition is voluntary, but in effect it is the entry ticket to the public sector market — without it you cannot win the contracts that Article 30 ties to recognised assurance levels.

Detail

CADA, as proposed, introduces a harmonised sovereignty framework aimed at reducing the EU's dependence on third-country cloud providers and protecting public order. For a CSP, the first compliance question is whether that framework bears on its business at all. It does not apply automatically to every cloud provider; it is engaged by the nature of the customer.

The trigger: serving the public sector

Article 16(1) provides that the Union cloud computing sovereignty framework comprises four Union assurance levels, with criteria set out in Annex II, that CSPs "shall meet in order to provide their cloud computing services to Union entities and public sector bodies." The framework therefore bites where a CSP targets, bids for, or contracts with:

  • Union entities (the EU institutions, bodies, offices and agencies — Article 2(7)); or
  • public sector bodies (national, regional or local authorities and bodies governed by public law — Article 2(6)).

A CSP serving only private-sector clients is not directly subject to the assurance-level recognition requirements. But to supply the public sector, a CSP would need its service recognised at one of the four levels.

The recognition mechanism

Recognition is not self-declared market access; it runs through Article 17. A CSP applies to the national competent authority of its establishment, which acts as the evaluating authority.

  • Union assurance level 1 (baseline): the provider carries out a conformity self-assessment and issues an EU statement of conformity (Article 19). Under Article 17(3), an SME's statement of conformity is directly and automatically recognised in all Member States without prior recognition by the evaluating authority; non-SMEs still submit to the evaluating authority for recognition.
  • Union assurance levels 2, 3 and 4: these require independent third-party audits. The provider submits an audit report and a "positive" audit opinion (issued under Article 20), plus all the evidence given to the auditing organisation, to the evaluating authority (Article 17(4)).

Is recognition voluntary?

Both yes and no. Seeking recognition is voluntary in that nothing forces a CSP with no public sector ambitions to be audited. But recognition is, in practice, mandatory for public sector market access. Article 30 sets the procurement rule: public sector bodies and Union entities whose activities are not identified as public-order activities must use services recognised at Level 1 (Article 30(2)); contracting authorities whose activities do contribute to the preservation of public order, in the sectors and domains Article 30 lists, may only procure services recognised at Level 2, 3 or 4 (Article 30(3)). A CSP that ignores the framework effectively excludes itself from these contracts.

The role of the national competent authority

A CSP engages the national competent authority of its main establishment. Article 25(1) requires Member States to designate one or more such authorities by one year after entry into force, and Article 25(4) gives the Member State of main establishment exclusive competence. The CSP submits its evidence — the statement of conformity for Level 1, or the audit report and positive opinion for Levels 2–4 — and, where the authority recognises the service, that recognition takes effect throughout the Union following the cross-border review in Article 17. This single-evaluation, Union-wide-effect design limits market fragmentation.

Third-country providers

The framework also reaches CSPs established or controlled outside the EU that wish to serve EU public bodies. Article 18 lets the Commission identify, by implementing act, "associated third countries" whose providers may be audited against the Level 3 criteria, provided the country meets cumulative conditions (including an adequacy decision under the GDPR and the absence of measures allowing it to compel unlawful data access, service disruption or sanctions enforcement). Without such a decision, a provider controlled by a third country cannot reach Level 3 by that route, and Levels 3 and 4 in Annex II are otherwise reserved for providers not subject to third-country control.

What this means for you

If you are a CSP, audit your customer base and pipeline against the trigger in Article 16(1):

  1. Map your customers. Identify whether you serve, or intend to bid for, EU public authorities or Union entities. If yes, the sovereignty framework is relevant to you.
  2. Work out the level you need. It is your customers' activities, not yours, that set the bar. Critical public-order functions (defence, justice, law enforcement and the NIS2 sectors) will require Levels 2–4, as fixed by Member State risk assessments under Article 29. Non-public-order services need only Level 1.
  3. Prepare for recognition now. Do not wait for entry into force. Run an internal gap analysis against the Annex II criteria. For Level 1, draft your EU statement of conformity; for higher levels, line up an auditing organisation that meets the independence and competence conditions in Article 20(4).
  4. Engage your authority early. Contact the national competent authority in your Member State of establishment about the Article 17 process. Early dialogue helps you scope the evidence and avoid delays to market access.

Common misconceptions

"CADA applies to every cloud provider in the EU." No. As proposed, the sovereignty framework is triggered by serving Union entities and public sector bodies (Article 16(1)). Purely private-to-private cloud contracts are not directly subject to the assurance-level recognition requirements.

"We only need to worry if we are a US hyperscaler." No. The framework applies to any CSP, whatever its origin, that wants to sell to the EU public sector. European providers must also be recognised to compete — the point is a level playing field, not a nationality test.

"We can self-certify for all levels." No. Self-assessment is available only for Level 1 (Article 19). Levels 2, 3 and 4 require an independent third-party audit and a "positive" opinion from a qualifying auditing organisation (Article 20).

"Recognition in one Member State is valid only there." No. The framework is designed for Union-wide effect: once the evaluating authority recognises a service and the cross-border review in Article 17 concludes without sustained objection, the recognition applies across all Member States.

This is general information about a draft EU regulation, not legal advice.