How does a cloud service get listed in the CADA central repository?

Summary A cloud computing service is not listed in the CADA central repository by applying to the European Commission. Listing follows recognition: once a service is recognised as offering a Union assurance level (1, 2, 3 or 4) under Article 17, the national competent authority of establishment that granted the recognition registers it in the repository. As proposed in Article 22(2), registration is the final administrative step, performed by the authority rather than by the provider. CADA is a draft proposal, so this process is not yet operational.

Detail

CADA proposes a Union cloud computing sovereignty framework, and the central repository of cloud computing services is the public-facing record of which services have been recognised under it. Getting into the repository means separating two distinct steps: recognition (where the provider proves compliance) and registration (where the authority enters the recognised service into the public record). They are sequential, and only an authority performs the second.

Step 1: recognition under Article 17

Listing is the outcome of the recognition procedure in Article 17, not an entry point of its own.

A provider applies to its national competent authority of establishment for recognition at a chosen Union assurance level, submitting the evidence required for that level:

• For level 1: the EU statement of conformity issued after a conformity self-assessment under Article 19, plus the necessary evidence (Article 17(3)). For an SME, the level 1 EU statement of conformity is, by derogation, directly and automatically recognised in all Member States without prior recognition by the evaluating authority (Article 17(3)).
• For levels 2, 3 and 4: the audit report and the "positive" audit opinion from an independent auditing organisation, plus all the evidence provided during the audit (Article 17(4), Article 20).

The procedure then runs broadly as follows (Article 17(5)-(10)):

• Evaluation — within 60 days of accepting the application, the evaluating national competent authority assesses the evidence and either prepares a draft recognition decision, requests further information, or rejects the application.
• Cross-border review — where it intends to recognise the service, it notifies the other Member States' authorities for a 60-day review period in which they may raise a reasoned objection or request clarification.
• Decision — if no reasoned objection is raised, the conclusions are deemed accepted, the evaluating authority adopts the recognition decision, and the service is recognised throughout the Union at the relevant level. Unresolved objections can be referred to the Commission for a binding decision.

Only once a recognition decision is adopted is the service eligible for the repository.

Step 2: registration under Article 22(2)

The provider does not register its own service. Article 22(2) is explicit:

"The national competent authority of establishment that recognised a cloud computing service under Article 17 shall register the cloud computing service in the central repository."

The administrative burden therefore sits with the authority that conducted the evaluation and issued the recognition. The Commission, under Article 22(1), establishes and maintains the repository itself, but the data entry for each recognised service is the authority's duty. By registering the service, the authority records that it met the cumulative Annex II criteria for its assurance level.

Public availability and ongoing status

Article 22(4) requires the repository to be publicly available and regularly updated on a dedicated, easily accessible website maintained by the Commission and the national authorities. The aim, reflected in Recital 57, is to give public-sector customers, auditing organisations and authorities efficient, shared access to recognised-status information.

Listing is not a one-off event. For levels 2 to 4, the audit report and positive opinion are submitted annually for review, and the auditing organisation may confirm, update or revoke them (Article 20(8)). If a recognition is revoked — for example because the provider supplied incorrect or misleading information (Article 17(11)), or because an audit opinion was revoked (Article 20(7)) — that revocation is published in the repository and remains available for five years (Article 22(3)).

The cross-border dimension

One feature that distinguishes the CADA model from a purely national register is that recognition has Union-wide effect. The evaluating authority notifies the other Member States' authorities of its draft recognition decision for a 60-day review period; if no reasoned objection is raised, the conclusions are deemed accepted across the Union and the service is recognised throughout it (Article 17(5)-(7)). Where an objection is maintained, the matter can be referred to the Commission, which adopts a binding decision on whether the recognition may proceed (Article 17(10)). Only after a recognition decision survives that process and is adopted does the authority register the service. The single entry in the central repository therefore reflects a decision that all Member States have, in effect, had the chance to scrutinise — which is what allows a buyer in any Member State to rely on it.

A note on associated third countries

A provider need not be EU-controlled to be listed. Level 1 in Annex II sets conditions for providers under third-country control rather than excluding them. Separately, under Article 18 the Commission may, by implementing act, identify "associated third countries" whose controlled providers may be audited against the level 3 criteria, where that country meets cumulative conditions (including a relevant GDPR adequacy decision and the absence of measures that would conflict with lawful-access, continuity and open-market requirements). A provider relying on that route still reaches the repository through the same Article 17 recognition and Article 22(2) registration steps. The Commission publishes, on its website, the list of third countries that meet the Article 18 conditions and those that no longer do (Article 18(3)), and may repeal, amend or suspend an associated-country decision where the country ceases to qualify (Article 18(2)) — so the eligibility underpinning such a listing can itself change over time.

What this means for you

If you are a cloud service provider or data centre operator aiming at the EU public sector, the route into the repository is indirect but decisive for market access.

1. Focus on recognition, not registration. Do not try to register directly with the Commission. Your engagement is with your national competent authority of establishment. Make the Article 17 application complete and well-evidenced (self-assessment for level 1; independent audit for levels 2-4).
2. Plan for the timeline. Build in the 60-day evaluation window and the subsequent 60-day cross-border review period, and allow for possible suspension if the authority requests further information.
3. Maintain audited levels. For levels 2 to 4, the annual review of the audit report and opinion is what keeps your recognition — and therefore your listing — current.
4. Aim at the right level. A higher recognised level widens your addressable market, because public-order-relevant activities must procure level 2, 3 or 4 services under Article 30. Match your target level to the risk assessments your prospective public-sector customers run under Article 29.

Common misconceptions

"Providers apply directly to the Commission to be listed." No. There is no provider-facing listing portal. You apply to your national competent authority for recognition; the authority registers the recognised service (Article 22(2)).

"Listing guarantees you are compliant forever." Listing records recognition at a point in time. It does not remove ongoing duties — annual audit review for levels 2-4 (Article 20(8)), transparency reporting (Article 23) — and recognition can be revoked.

"The repository holds all your technical details." It records recognised services and their assurance level (and revocations). Sensitive audit evidence stays with the auditing organisation and competent authorities under confidentiality (Article 20(3)).

"Level 1 recognition is just paperwork." For SMEs the level 1 statement of conformity is automatically recognised (Article 17(3)), but it must rest on a genuine conformity self-assessment under Article 19, for which the provider assumes responsibility. If a competent authority later finds the information was incorrect or misleading, it can revoke recognition (Article 17(11)), and the revocation is published for five years.

Official sources

• GDPR (Regulation (EU) 2016/679)

Related

• How does a cloud provider get listed in the CADA central repository?
• Who registers a cloud service in the CADA central repository?
• CADA Central Repository: What it means for a cloud provider to be listed
• CADA Central Repository Fee: Is there a cost to be listed?
• CADA Procurement: Can a buyer rely on the repository when a service is not listed?

This is general information about a draft EU regulation, not legal advice.