Summary
Under the proposed Cloud and AI Development Act (CADA), compliance officers must construct a readiness programme anchored in the four-tier Union assurance framework (Article 16) and mandatory risk assessments for public-order-relevant activities (Article 29). The programme requires mapping data flows to specific assurance levels, securing independent third-party audits for levels 2–4 (Article 20), and implementing rigorous transparency duties to report material changes to competent authorities (Article 23). Crucially, compliance is not static; it demands annual reviews and continuous monitoring to avoid the revocation of recognition and the imposition of effective, proportionate, and dissuasive penalties (Article 24).
Detail
Building a CADA readiness programme requires a fundamental shift from traditional data privacy compliance to a sovereignty-centric model. As a draft regulation, CADA would establish a harmonised Union cloud computing sovereignty framework, mandating that public sector bodies and certain private entities procure services based on strict assurance levels. For in-house counsel and compliance officers, the programme must be structured around four interlocking pillars: governance and risk assessment, gap analysis and evidence collection, audit scheduling and recognition, and ongoing monitoring with transparency duties.
1. Governance and Risk Assessment (Articles 29–30)
The cornerstone of any CADA readiness programme is the risk assessment. Article 29(1) mandates that Member States and Union entities carry out risk assessments to identify public sector activities that contribute to the preservation of public order. These assessments must determine which Union assurance level (2, 3, or 4) is appropriate for specific activities, particularly in sectors falling under Annex I or II of the NIS2 Directive, or in areas such as national security, internal security, external border management, defence, justice, or law enforcement.
Compliance officers must establish a governance framework that:
- Identifies Critical Activities: Map all cloud computing services used by the organisation to determine if they support activities contributing to public order. This involves a granular analysis of data sensitivity, criticality, and magnitude, as required by Article 29(2).
- Determines Assurance Levels: Use the methodology specified by the Commission (to be defined in implementing acts under Article 29(3)) to assign the correct assurance level. If an activity is deemed to contribute to public order, Article 30(3) restricts procurement to services recognised as offering Union assurance levels 2, 3, or 4. Conversely, Article 30(2) mandates that activities not identified as contributing to public order must use services recognised at Union assurance level 1.
- Considers Multi-Cloud Strategies: Article 29(9) explicitly requires entities to consider whether a multi-vendor or multi-cloud strategy is appropriate to enhance resilience and limit dependency on a single provider.
For private sector entities referred to in Annex I of the NIS2 Directive, Article 31 allows for similar impact assessments. Although these assessments are not mandatory for all private entities, the Commission may require them for entities in sectors of high criticality through delegated acts (Article 31(3)).
2. Gap Analysis and Evidence Collection (Articles 16–21)
Once the required assurance level is identified, the compliance programme must conduct a rigorous gap analysis against the criteria set out in Annex II of the proposal. The requirements escalate significantly between levels, demanding distinct evidence portfolios.
- Union Assurance Level 1: Requires a conformity self-assessment (Article 19). The provider must issue an EU statement of conformity. For SMEs, this statement is automatically recognised across the Union without prior recognition by a national competent authority (Article 17(3)). The evidence required is primarily internal documentation demonstrating compliance with criteria such as Union establishment and data localisation.
- Union Assurance Levels 2, 3, and 4: Require independent third-party audits (Article 20). The compliance officer must ensure the organisation can produce the audit evidence listed in Annex III. Key areas include:
  - Union Establishment: Proof of incorporation and stable presence in the Union, including verification of physical offices and banking functions (Annex III, Criterion A).
  - Data Localisation: Evidence that customer data remains exclusively within the Union, supported by access logs, network diagrams, and data flow maps (Annex III, Criterion C).
  - Personnel: For levels 3 and 4, evidence that personnel are Union citizens and, where appropriate, hold national security clearances (Annex II, Section 3.1(d) and 4.1(d)). Note that for Level 2, Union citizenship is conditional: it is required only if the public sector body explicitly demands it (Annex II, Section 2.1(d)).
  - Third-Country Control: Demonstrating that no third country exercises control over the provider that could compromise service continuity or data access. For Level 3, a derogation exists if the Commission has adopted an implementing act under Article 18 (often mis-cited as Article 19 in drafts) identifying the third country as providing sufficient assurances (Annex II, Section 3.1(g)).
  - Cybersecurity Certification: For levels 2 and 3, the service must obtain a European cybersecurity certificate of at least assurance level 'substantial' (Annex II, Section 2.1(e) and 3.1(e)). For Level 4, the requirement escalates to a 'high' assurance level (Annex II, Section 4.1(e)).
The gap analysis must also address software supply chain transparency. Article 20 requires providers to demonstrate that software components do not contain remote features that could tamper with the service. Annex III (Criterion I) requires a complete Software Bill of Materials (SBOM) and evidence of risk-based processes to mitigate dependencies on external manufacturers, including migration plans for third-country vendors.
3. Audit Scheduling and Recognition (Articles 17, 20, 22)
For services targeting assurance levels 2–4, the compliance programme must manage the independent audit process. Article 20(1) states that providers shall undergo these audits at their own expense. The audit must result in a 'positive' audit opinion.
- Selecting Auditing Organisations: The provider is free to select an auditing organisation, but it must be independent and meet strict criteria under Article 20(4). This includes having no conflicts of interest (e.g., no non-audit services in the preceding 12 months), proven expertise, and no contingent fees.
- Submission for Recognition: Upon receiving a positive audit opinion, the provider submits an application for recognition to the national competent authority of establishment (Article 17(1)). The authority has 60 days to assess the evidence (Article 17(5)). If the authority finds the evidence insufficient, it may request further information, suspending the 60-day clock.
- Central Repository: Once recognised, the service is registered in the central repository maintained by the Commission (Article 22). This recognition is valid across the Union. The repository is publicly available and updated regularly.
Compliance officers must schedule these audits well in advance of procurement deadlines, as the process involves significant evidence gathering, potential requests for additional information, and a review period where other Member States may raise reasoned objections (Article 17(6)).
4. Ongoing Monitoring and Transparency Duties (Article 23)
CADA compliance is not a one-time event; it is a continuous obligation. Article 23 imposes strict transparency obligations on recognised providers.
- Reporting Material Changes: Providers must notify the auditing organisation and the national competent authority as soon as they become aware of any material change in circumstances that may affect the audit report or recognition (Article 23(1)). This includes changes in data flows, personnel, subcontractors, or third-country control structures.
- Annual Reviews: For levels 2–4, the audited provider must annually submit the audit report and positive opinion for review by the same or a different auditing organisation (Article 20(8)). This annual review assesses continued compliance with the criteria in Annex II.
- Revocation Risks: If a provider fails to maintain compliance, the auditing organisation may revoke the audit report, and the competent authority may revoke the recognition (Article 23(2)–(3)). Such revocations are published in the central repository for five years (Article 22(3)).
The compliance programme must include continuous monitoring mechanisms to detect changes that could trigger a reporting obligation under Article 23. This includes automated monitoring of data flows, regular reviews of subcontractor contracts, and periodic checks on the citizenship and clearance status of personnel.
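Two of the duties described above lend themselves to partial automation: the data-localisation evidence (access logs and data flow maps under Annex III, Criterion C) and the continuous monitoring for material changes that may trigger an Article 23(1) notification. The script below is an added illustration written for this page; it is not code from the page, from CADA, or from any implementing act. It assumes that "Union" means the EU-27 (the ISO country codes listed in the script), and the component inventory, the inventory fields and the access-log format are all constructed samples, not any real provider's data.

```python
"""Data-localisation and material-change checks for a CADA readiness programme.

Added illustration only. Assumptions: "Union" is the EU-27 (ISO 3166-1
alpha-2 codes below); the inventory format and the access-log format are
made up for this example.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: Union = EU-27 member states (adjust if the final text differs).
UNION = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
}


@dataclass(frozen=True)
class Component:
    """One element of the service architecture as recorded in the inventory."""
    name: str            # service component, e.g. object storage
    operator: str        # provider or subcontractor running it
    country: str         # ISO code of the hosting jurisdiction
    subcontractor: bool  # True if operated by a subcontractor


# Constructed baseline inventory, as it stood at the last audit.
BASELINE = [
    Component("object-storage", "Example Cloud SE", "DE", False),
    Component("backup-vault", "Example Cloud SE", "FR", False),
    Component("cdn-edge", "EdgeCo GmbH", "NL", True),
]

# Constructed current inventory: a subcontractor change, a region move,
# and a newly added component.
CURRENT = [
    Component("object-storage", "Example Cloud SE", "DE", False),
    Component("backup-vault", "Example Cloud SE", "IE", False),
    Component("cdn-edge", "EdgeCo Inc.", "US", True),
    Component("log-analytics", "Example Cloud SE", "SE", False),
]

# Constructed access-log lines in a made-up format:
# <ISO timestamp> <dataset> <action> principal=<id> src_country=<ISO code>
ACCESS_LOG = """\
2025-01-02T10:00:00Z customer-data READ principal=svc-backup src_country=DE
2025-01-02T10:05:12Z customer-data READ principal=ops-alice src_country=FR
2025-01-02T11:42:30Z customer-data WRITE principal=svc-cdn src_country=US
""".splitlines()


def localisation_findings(inventory: List[Component]) -> List[str]:
    """Names of components hosted outside the Union (Criterion C evidence gap)."""
    return [c.name for c in inventory if c.country not in UNION]


def material_changes(baseline: List[Component],
                     current: List[Component]) -> List[str]:
    """Diff two inventories; every entry is a change that a compliance officer
    should assess for an Article 23(1) notification (operator, location,
    added or removed components)."""
    before = {c.name: c for c in baseline}
    after = {c.name: c for c in current}
    changes = []
    for name in sorted(set(before) | set(after)):
        b, a = before.get(name), after.get(name)
        if b is None:
            changes.append(f"{name}: added ({a.operator}, {a.country})")
        elif a is None:
            changes.append(f"{name}: removed")
        else:
            if b.operator != a.operator:
                changes.append(f"{name}: operator {b.operator} -> {a.operator}")
            if b.country != a.country:
                changes.append(f"{name}: country {b.country} -> {a.country}")
    return changes


def non_union_access(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Access events whose source country lies outside the Union."""
    hits = []
    for line in lines:
        parts = line.split()
        fields = dict(kv.split("=", 1) for kv in parts if "=" in kv)
        if fields.get("src_country") not in UNION:
            hits.append((parts[0], fields.get("principal", "?"),
                         fields.get("src_country", "?")))
    return hits


if __name__ == "__main__":
    print("Outside Union:", localisation_findings(CURRENT))
    for change in material_changes(BASELINE, CURRENT):
        print("Material change:", change)
    for ts, who, country in non_union_access(ACCESS_LOG):
        print(f"Non-Union access at {ts} by {who} from {country}")
```

Note that the move of `backup-vault` from FR to IE is still inside the Union, so it raises no localisation finding, yet it is reported as a change in data flows; whether it is "material" under Article 23(1) is a judgement for the compliance officer, which is why the script lists every change rather than filtering them.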
5. Penalties and Enforcement (Article 24)
Non-compliance carries significant risks. Article 24(1) requires Member States to lay down rules on penalties that are effective, proportionate and dissuasive. When determining penalties, authorities will consider the nature, gravity, scale, and duration of the infringement, as well as any financial benefits gained (Article 24(2)). Furthermore, recipients of cloud services have the right to seek compensation for damages suffered due to a provider's infringement of their obligations under this Chapter (Article 24(3)).
What this means for you
For in-house counsel and compliance officers, building a CADA readiness programme means integrating sovereignty checks into your existing procurement and risk management workflows.
- Map Your Services: Create an inventory of all cloud computing services used by your organisation. For public sector bodies, this is mandatory. For private entities in critical sectors (NIS2 Annex I), this is a strong best practice.
- Assess Public Order Relevance: Work with legal and security teams to determine if your activities contribute to the preservation of public order. If yes, you cannot use Level 1 services; you must procure from providers with Level 2, 3, or 4 recognition.
- Prepare for Audits: If you are a provider, begin collecting evidence for Annex III criteria now. Focus on data localisation logs, SBOMs, and third-country control analyses. Ensure your contract management systems can track subcontractor locations and citizenship where required.
- Establish Monitoring Protocols: Implement tools to monitor for material changes in your service architecture or data flows. Assign responsibility for notifying the auditing organisation and competent authority under Article 23.
- Plan for Annual Reviews: Budget for annual independent audits for Level 2–4 services. Ensure your internal compliance team is prepared to facilitate these audits annually.
Common misconceptions
- "CADA is just the GDPR for cloud." While CADA complements the GDPR, it focuses on sovereignty and operational autonomy, not just data protection. The assurance levels require physical and legal separation from third-country control, which goes beyond GDPR's adequacy decisions.
- "Level 1 is enough for all public sector work." No. Article 30(3) mandates that if a risk assessment identifies an activity as contributing to public order, the contracting authority must procure services with Level 2, 3, or 4 recognition. Level 1 is only for activities not identified as contributing to public order.
- "Open source software is automatically compliant." While open source is encouraged (Article 41), it must still meet the assurance criteria. Providers must demonstrate controls to prevent remote tampering and ensure the software supply chain is transparent (Annex II, Section 2.1(j) and Annex III, Criterion J).
- "Recognition is permanent." Recognition is subject to annual review (Article 20(8)) and can be revoked if material changes occur (Article 23). Continuous compliance is required.
- "L3 cybersecurity certification is 'high'." No. Under Annex II, Level 3 requires a 'substantial' assurance level certificate, while only Level 4 requires a 'high' assurance level certificate (Annex II, Section 4.1(e)).
This is general information about a draft EU regulation, not legal advice.