Summary

Under the proposed Cloud and AI Development Act (CADA, COM(2026) 502 final — a proposal, not yet in force), a cloud computing service provider would reach Union assurance level 1 through a self-assessment route rather than an independent audit. As proposed, the provider would (1) carry out a conformity self-assessment against the Level 1 criteria in Annex II, (2) issue a public "EU statement of conformity" assuming responsibility for that compliance (Article 19), and (3) apply for recognition to the national competent authority of its place of establishment — the "evaluating national competent authority" — submitting that statement plus all necessary evidence (Article 17(3)). The authority would then run a 60-day assessment followed by a 60-day cross-Member-State review before recognition takes effect across the Union. As a derogation, statements issued by providers that are SMEs would be recognised directly and automatically in every Member State, without that prior authority recognition.

Detail

CADA would establish a Union cloud computing sovereignty framework built on four "Union assurance levels," with the criteria set out in Annex II (Article 16(1)). Level 1 is the baseline tier, and it is the only level recognised through provider self-assessment; Levels 2, 3 and 4 would instead require independent third-party audits (Article 20). The Level 1 route is governed mainly by Article 19 (the self-assessment and statement of conformity) and Article 17 (the recognition procedure carried out by national authorities).

Step 1 — Conformity self-assessment (Article 19)

Under Article 19(1), a provider seeking recognition under Article 17 as offering Level 1 would carry out a conformity self-assessment of its compliance with the Level 1 criteria set out in Annex II. The self-assessment is an internal exercise: the provider, not an auditor, examines whether its service meets each criterion.

The Level 1 criteria in Annex II are cumulative and include, as proposed, that the provider is established in the Union; that the provider's infrastructure and assets (including those of subcontractors involved in the service) are located in the Union unless the public sector body explicitly requires otherwise; that customer data — including metadata and telemetry — processed, stored or transferred by the provider and its subcontractors remains exclusively within the Union (subject to the same explicit-requirement carve-out) at any time; that the service complies with state-of-the-art cybersecurity standards; and that there is full transparency on the use of subcontractors, who are subject to due diligence, contractual obligations and ongoing oversight. As the explanatory material accompanying the proposal indicates, self-assessments would be expected to rest on documented evidence, internal control procedures and continuous monitoring.

Step 2 — Issuing the EU statement of conformity (Article 19(2)-(3))

Following the self-assessment, Article 19(2) provides that the provider would issue an "EU statement of conformity" stating that compliance with the Level 1 criteria has been demonstrated. The proposal is explicit about what this entails: by issuing such a statement, the provider would "assume responsibility for the compliance of the cloud computing service" with the Level 1 criteria in Annex II. The statement is therefore a substantive legal attestation, not a mere formality.

Article 19(3) then requires the provider to make the EU statement of conformity publicly available, so that public sector buyers and others can see the claimed status.

Step 3 — Application to the evaluating national competent authority (Article 17)

Recognition itself runs through Article 17. Under Article 17(1), a provider aiming to be recognised submits an application for recognition to the national competent authority of establishment, including all relevant evidence. Under Article 17(2), that authority of establishment is designated the "evaluating national competent authority," and it may where necessary ask competent authorities of other Member States to collaborate; an authority that receives such a request replies within 15 days.

For Level 1 specifically, Article 17(3) sets out what the candidate provider submits: the EU statement of conformity referred to in Article 19(2), plus "all the necessary evidence." This is where the self-assessment route plugs into the recognition machinery — there is no audit report or audit opinion at this level (those belong to Levels 2 to 4 under Article 17(4)).

The assessment timeline is set by Article 17(5). Within 60 days of accepting an application, the evaluating authority would either (a) prepare a draft recognition decision and notify the other Member States' authorities for a 60-day review period; (b) request further information, which suspends the 60-day clock (the suspension not to exceed 30 days in total unless justified by the nature of the information or exceptional circumstances); or (c) reject the application, after first giving the provider 30 days to comment on the conclusions.

During the review period, another Member State's authority may submit a reasoned objection or a request for clarification (Article 17(6)). If none is submitted, the evaluating authority's conclusions are deemed accepted, it adopts the recognition decision, and the service is recognised throughout the Union at Level 1 (Article 17(7)). If a reasoned objection is maintained and the dispute persists, the matter may be referred to the Commission, which adopts a binding decision (Article 17(10)).

The SME derogation (Article 17(3))

Article 17(3) contains a derogation for smaller providers. As proposed, an EU statement of conformity issued under Article 19(2) by a provider that is an SME "shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." In other words, a qualifying SME would still carry out the self-assessment and issue the public statement, but would not need to go through the Article 17(5) assessment-and-review process before being recognised Union-wide. CADA's SME definition derives from Article 2(8), which points to Annex I of Commission Recommendation 2003/361/EC. This is a deliberate simplification to lower the administrative burden for smaller players, not a relaxation of the underlying Level 1 criteria.

Accuracy and ongoing obligations

The statement of conformity carries real exposure. Under Article 17(11), the evaluating authority may revoke recognition where it finds that a provider intentionally or negligently supplied incorrect or misleading information. Separately, Article 24 requires Member States to lay down penalties for infringements of this Chapter that are "effective, proportionate and dissuasive," with a non-exhaustive list of factors (including the nature, gravity and duration of the infringement and the provider's annual Union turnover).

Recognition is not a one-off. Under Article 23, on becoming aware of a material change that may affect the recognition under Article 17, the recognised provider would, as soon as possible, notify the national competent authority of establishment, which then assesses whether to amend or revoke the recognition.

What this means for you

For providers targeting the public-sector baseline, Level 1 is the lightest-touch route — but "self-assessment" does not mean "low stakes."

1. Build the evidence file before you declare. You will not just claim compliance; under Article 17(3) you must submit "all the necessary evidence" alongside the statement. Make sure your data-residency records, subcontractor agreements and cybersecurity documentation can substantiate every Annex II Level 1 criterion on request.

2. Treat the statement as a liability instrument. By issuing the EU statement of conformity you assume responsibility for the service's compliance (Article 19(2)). Inaccurate or misleading information can lead to revoked recognition (Article 17(11)) and penalties (Article 24) — so align it with what you can actually demonstrate.

3. Check your SME status early. If you qualify as an SME (Article 2(8), via Annex I of Commission Recommendation 2003/361/EC), the derogation in Article 17(3) gives you direct, automatic Union-wide recognition without the authority's prior assessment. That changes your go-to-market timeline materially — but the public statement and its accuracy obligations still apply in full.

4. Manage subcontractors as part of your own compliance. The Level 1 criteria reach subcontractors' infrastructure, assets and data handling (Annex II §1.1(b)-(c), (f)). Your recognition depends on their conduct, so due diligence and ongoing oversight are not optional.

5. Expect public scrutiny. Your statement of conformity is published (Article 19(3)). Buyers, competitors and regulators can read it — keep your technical and marketing claims consistent with it.

Common misconceptions

Misconception: Level 1 requires an independent third-party audit. Correction: As proposed, it does not. Level 1 uses the self-assessment and statement-of-conformity route (Article 19). Independent third-party audits are required only for Levels 2, 3 and 4 (Article 20). There is no "accredited auditor" step at Level 1.

Misconception: Issuing the statement automatically grants recognition for everyone. Correction: Automatic, prior-recognition-free Union-wide recognition is the SME derogation under Article 17(3). Other providers must apply to the evaluating national competent authority, which runs the 60-day assessment and notifies other Member States for a 60-day review before recognition takes effect (Article 17(5)-(7)).

Misconception: Level 1 is optional for public-sector contracts. Correction: As proposed, Article 30(2) provides that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order "shall use" services recognised under Article 17 as having Union assurance level 1. For activities identified as contributing to public order in the relevant sectors, Article 30(3) requires Levels 2, 3 or 4. Level 1 is the procurement floor, not a nice-to-have.

Misconception: The authority re-runs a full technical audit of your infrastructure. Correction: Under Article 17(3) and (5), the evaluating authority assesses the statement of conformity and the necessary evidence you submit. The Level 1 model places the substantive compliance burden on the provider's self-assessment; there is no statutory third-party audit at this level.

This is general information about a draft EU regulation, not legal advice.