Summary
Under the proposed Cloud and AI Development Act (CADA), cloud service providers (CSPs) must obtain formal recognition to sell sovereign cloud services to EU public sector bodies. This recognition grants a "Union assurance level" (1 to 4) and is governed by Article 17 of the proposal. The process is centralised at the national level: the national competent authority of establishment (where the provider has its main establishment) evaluates the application. Level 1 is achieved via a self-assessment and an EU statement of conformity (with an automatic recognition derogation for SMEs), while Levels 2, 3, and 4 require an independent third-party audit and a "positive" audit opinion. Once granted, recognition is valid across the entire EU, preventing market fragmentation.
Detail
The recognition mechanism is the operational heart of CADA's sovereignty framework. It transforms the abstract criteria for "trusted" cloud services into a legally enforceable status that public sector buyers are mandated to procure. The entire procedure is codified in Article 17 of the proposal, which establishes a harmonised, one-stop-shop approach to avoid providers navigating divergent national regimes.
1. The Competent Authority: Who Assesses the Provider?
CADA eliminates the need for providers to seek separate approvals in every Member State where they wish to operate. Instead, it designates a single evaluating authority: the national competent authority of establishment.
This authority is located in the Member State where the cloud computing service provider has its main establishment. The proposal defines this as the location of the provider's head office or registered office from which the principal financial functions and operational control are exercised. This authority holds exclusive competence for enforcing the sovereignty chapter regarding that provider.
While the evaluation is centralised, the process includes a built-in cooperation mechanism. If the evaluating authority requires information or evidence located in another Member State, it may request collaboration from the competent authority of that other state. The requested authority must respond within 15 days, either agreeing to collaborate or refusing the request. This ensures that cross-border operational realities are accounted for without fragmenting the decision-making power.
2. The Application Process: Evidence by Level
To initiate recognition, a cloud service provider must submit a formal application to the national competent authority of establishment. Crucially, the evidence required depends entirely on the Union assurance level sought. The proposal creates a distinct bifurcation between the baseline level and the higher sovereignty tiers.
Union Assurance Level 1: Self-Assessment
For providers seeking Level 1 recognition, the process is administrative and self-declaratory. The provider must submit:
- An EU statement of conformity.
- All necessary evidence supporting that statement.
The EU statement of conformity is issued following a conformity self-assessment by the provider, as detailed in Article 19. By issuing this statement, the provider assumes full responsibility for demonstrating compliance with the Level 1 criteria set out in Annex II (e.g., establishment in the Union, data localisation, and transparency on subcontractors).
The SME Derogation: A significant simplification exists for small and medium-sized enterprises (SMEs). Under Article 17(3), the EU statement of conformity issued by an SME is directly and automatically recognised in all Member States. SMEs do not need to wait for prior recognition by the evaluating national competent authority. This "automatic recognition" mechanism is designed to lower barriers to entry for smaller European providers.
Union Assurance Levels 2, 3, and 4: Independent Audit
For providers seeking the higher assurance levels (2, 3, or 4), the process is rigorous and requires third-party validation. The application must include a comprehensive package:
- The full audit report.
- A 'positive' audit opinion issued by an independent auditing organisation (as defined in Article 20).
- All evidence that was provided to the auditing organisation during the audit procedure.
Providers seeking Level 2, 3, or 4 must satisfy all cumulative criteria of the lower levels as well. For instance, a Level 4 provider must meet all Level 1, 2, and 3 criteria. The audit must be performed by an organisation that is independent, technically competent, and free from conflicts of interest. The audit report must substantiate the provider's compliance with the specific criteria in Annex II, such as the location of personnel, the absence of third-country control, and the implementation of software supply chain measures.
3. The Evaluation Timeline and Procedures
Once the evaluating national competent authority accepts the application, a strict timeline governs the assessment.
The 60-Day Assessment Window: The authority has 60 days from the acceptance of the application to assess the submitted evidence. During this period, three outcomes are possible:
- Draft Recognition Decision: If the evidence is sufficient, the authority prepares a draft recognition decision. It must immediately notify the competent authorities of all other Member States. This notification triggers a 60-day review period for the rest of the Union. The notification must include the evidence submitted by the provider to allow for peer review.
- Request for Information: If the evidence is insufficient, the authority may request further information. The 60-day clock is suspended from the date of the request until the information is received. This suspension is capped at 30 days in total, unless the nature of the information or exceptional circumstances justify a longer period.
- Rejection: If the authority intends to reject the application, it must give the provider an opportunity to submit written comments on its conclusions within 30 days. The authority must take these comments into account before finalising its decision.
4. Cross-Border Review and Objections
The 60-day review period is a critical safeguard to ensure consistent application of the criteria across the EU. During this window, other Member States can scrutinise the draft decision.
- Requests for Clarification: If a Member State believes the draft decision does not comply with the assurance level criteria, it may request clarification. The evaluating authority must consider this request and may ask the applicant for new information or modify its draft decision. If the requesting state remains unsatisfied after this exchange, it may escalate to a reasoned objection.
- Reasoned Objections: A Member State may submit a reasoned objection if it considers the draft decision non-compliant with Annex II. Upon receiving an objection, the evaluating authority must assess it and decide to either maintain or revoke its original draft decision. It must inform all other Member States of this outcome within 15 days of the end of the review period (or 15 days after receiving the objection).
5. Dispute Resolution: The Role of the Commission
If the evaluating authority intends to maintain its draft decision despite a reasoned objection from another Member State, the matter can be escalated. The concerned national competent authority may refer the dispute to the European Commission.
The Commission will assess the referral, potentially requesting information from the national authorities involved. The Commission then adopts a binding decision determining whether the evaluating national competent authority may adopt the recognition decision. This mechanism ensures that technical or political disputes between Member States do not indefinitely stall the recognition process or create market barriers.
6. Final Recognition and Revocation
If no reasoned objection is submitted within the review period, the conclusions of the evaluating authority are deemed accepted by all Member States. The authority then adopts the recognition decision, and the service is recognised throughout the Union at the appropriate assurance level.
Recognition is not a permanent status. The evaluating national competent authority may revoke recognition if it finds that the provider intentionally or negligently supplied incorrect or misleading information. Furthermore, under Article 23, providers have a continuous obligation to notify the authority of any material changes in circumstances that could affect their recognised status. If such changes occur, the authority may amend or revoke the recognition, potentially triggering a new audit or self-assessment.
What this means for you
For cloud service providers, the recognition process under Article 17 is not merely a compliance hurdle; it is the primary gateway to the EU public sector market. Public procurement rules under Article 30 mandate that contracting authorities procure only services recognised at the appropriate assurance level.
- Strategic Establishment: Your "main establishment" determines your regulator. Ensure your corporate structure clearly identifies the Member State where principal financial functions and operational control are exercised, as this will be your primary point of contact for the entire EU.
- Audit Readiness for Levels 2-4: If you aim for Levels 2, 3, or 4, your relationship with your auditing organisation is pivotal. The audit report and the "positive" opinion are the core of your application. Ensure your auditor is familiar with the specific criteria in Annex II and the evidence requirements in Annex III. Delays in the audit phase will directly delay your market entry.
- Leverage the SME Advantage: If you are an SME, the Level 1 pathway offers a significant speed advantage. You can issue your EU statement of conformity and achieve automatic recognition across the EU without waiting for national authority approval. This allows for rapid market entry for standard cloud services.
- Prepare for Cross-Border Scrutiny: Even with a single evaluating authority, your application will be reviewed by other Member States. Maintain transparent, auditable records regarding data localisation, third-country control, and personnel location. Be prepared to clarify how your service meets the sovereignty criteria if a Member State raises a reasoned objection.
- Continuous Compliance: Recognition is dynamic. You must monitor your operations for material changes (e.g., changes in ownership, new subcontractors, or shifts in data flows) and notify the authority immediately. Failure to do so can lead to revocation, which would disqualify you from public procurement contracts.
Common misconceptions
"Recognition is granted by the European Commission." Correction: Recognition is granted by the national competent authority of establishment. The Commission's role is limited to resolving disputes between Member States (via binding decisions) and maintaining the central repository of recognised services. It does not issue the initial recognition.
"Level 1 requires an independent audit." Correction: Level 1 is based on a self-assessment and an EU statement of conformity. Independent third-party audits are mandatory only for Levels 2, 3, and 4. This distinction is a key feature of the proposal to reduce administrative burden for lower-risk services.
"Recognition is only valid in my home country." Correction: Once recognised by the authority of establishment, the recognition is valid throughout the Union. The proposal explicitly states that the service is recognised across the EU, and other Member States must accept this recognition unless they successfully raise a reasoned objection that is upheld by the Commission.
"SMEs must go through the same recognition process as large providers." Correction: SMEs seeking Level 1 recognition benefit from a specific derogation. Their EU statement of conformity is directly and automatically recognised in all Member States without the need for prior evaluation or approval by the national competent authority. This is a deliberate policy choice to foster competition from smaller European providers.
"The 60-day evaluation clock is fixed." Correction: The 60-day assessment period can be suspended if the authority requests further information. The suspension lasts until the information is received, up to a maximum of 30 days. Providers should ensure their applications are complete to avoid these delays.
Related
- How does a provider get recognised at CADA assurance level 4?
- How does a provider get recognised at CADA assurance level 3?
- How does a provider get recognised at CADA assurance level 2?
- How does a cloud provider get recognised at CADA assurance level 1?
- Why choose a CADA Level 1 provider? The baseline for public procurement
This is general information about a draft EU regulation, not legal advice.