Summary
Under the proposed Cloud and AI Development Act (CADA), the choice between self-assessed Union Assurance Level 1 and independently audited Levels 2–4 is not a matter of vendor preference but a legal mandate driven by risk. Article 19 establishes a conformity self-assessment for Level 1, where providers issue an EU statement of conformity. In contrast, Article 20 mandates independent third-party audits for Levels 2, 3, and 4, requiring a "positive" audit opinion and annual re-evaluation. Legal teams must rely on the mandatory risk assessments under Article 29 to determine if their activities contribute to "public order." If they do, Article 30(3) legally compels the procurement of audited tiers (2–4); if not, Level 1 is the baseline. The decision is binary: risk dictates the tier, and the tier dictates the compliance mechanism.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a "Union cloud computing sovereignty framework" comprising four assurance levels. For legal counsel, the critical operational distinction lies in the divergent conformity assessment procedures for the baseline level versus the higher tiers. This bifurcation is designed to balance administrative efficiency for low-risk public sector activities with rigorous oversight for those impacting public order.
The Legal Mechanism: Self-Assessment (Level 1)
Article 19 of the proposal explicitly defines the procedure for Union Assurance Level 1. It states that cloud computing service providers seeking recognition at this level "shall carry out a conformity self-assessment of compliance with the criteria for Union assurance level 1 set out in Annex II."
Following this internal assessment, the provider must issue an "EU statement of conformity stating that compliance with the criteria for Union assurance level 1 have been demonstrated." Crucially, Article 19(2) imposes a direct legal liability on the provider: "By issuing such a statement, the cloud computing service provider shall assume responsibility for the compliance of the cloud computing service with the criteria for Union assurance level 1 set out in Annex II."
For legal teams, this mechanism implies:
- No Third-Party Validation: There is no requirement for an external auditor to verify the provider's claims at Level 1.
- Public Transparency: The statement must be made publicly available, allowing contracting authorities to verify its existence.
- Baseline Criteria: While self-assessed, Level 1 still requires the provider to be established in the Union, keep infrastructure and data within the Union (unless explicitly required otherwise), and ensure no third-country control compromises operational autonomy.
This tier is the default for public sector activities that do not trigger the "public order" threshold. Under Article 30(2), Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order "shall use cloud computing services that have been recognised under Article 17 as having a Union assurance level 1."
The Legal Mechanism: Independent Audits (Levels 2–4)
For activities deemed critical, the regulatory burden shifts from self-declaration to independent verification. Article 20 mandates that providers seeking recognition for Union Assurance Levels 2, 3, or 4 "shall undergo at their own expense, independent third-party audits to obtain an audit report and an audit opinion from an auditing organisation."
The requirements for these tiers are significantly more rigorous:
- Mandatory Audit Opinion: The provider must secure a "positive" audit opinion. A "negative" opinion precludes recognition.
- Annual Review: Compliance is not static. Article 20(8) requires the audited provider to "annually submit for review the audit report and the associated 'positive' audit opinion." The auditing organisation must then assess continued compliance and may confirm, update, or revoke the opinion.
- Cumulative Criteria: Higher levels build upon lower ones. For example, Level 2 requires infrastructure and personnel in the Union and prohibits using service data to train third-country AI systems. Level 3 adds a requirement for personnel to be Union citizens (conditional on public body requirements) and introduces stricter controls on third-country influence. Level 4, the highest tier, requires a "high" assurance cybersecurity certificate and mandates that personnel handling classified information possess national security clearance.
The criteria for these levels are detailed in Annex II, which specifies cumulative requirements for establishment, data localisation, personnel citizenship, cybersecurity certification, and the absence of third-country control.
The Decision Driver: Article 29 Risk Assessments
The choice between the self-assessed Level 1 and the audited Levels 2–4 is not discretionary for the contracting authority; it is dictated by a mandatory risk assessment. Article 29 obliges Member States and Union entities to carry out risk assessments "by [date of entry into force plus 1 year], and thereafter every two years."
These assessments must:
- Identify Public Order Activities: Determine which public sector activities "contribute to the preservation of public order" in sectors such as national security, internal security, external border management, defence, justice, or law enforcement.
- Determine the Appropriate Level: Based on the sensitivity, criticality, and magnitude of the data processed, the assessment must determine whether Union Assurance Level 2, 3, or 4 is appropriate.
The legal consequence is explicit in Article 30(3): "Contracting authorities... whose activities have been identified as contributing to the preservation of public order... shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3, or 4."
Conversely, if the risk assessment concludes that an activity does not contribute to public order, the authority is legally bound to the baseline: Article 30(2) mandates the use of Level 1 services. This creates a strict legal corridor:
- Public Order Relevance: Mandatory procurement of Audited Tiers (2, 3, or 4).
- No Public Order Relevance: Mandatory procurement of Self-Assessed Tier (1).
Attempting to procure Level 1 for a public-order-relevant activity would constitute a breach of Article 30, while procuring Level 4 for a low-risk administrative task would likely violate the principle of proportionality and impose unnecessary costs, though the Regulation primarily focuses on the minimum requirement.
Penalties and Liability
The stakes for non-compliance are significant. Article 24 requires Member States to lay down rules on penalties for infringements by cloud computing service providers. These penalties must be "effective, proportionate and dissuasive." The article lists criteria for imposing penalties, including the nature, gravity, and duration of the infringement, as well as the financial benefits gained.
Furthermore, Article 24(3) grants a specific right of action to public sector bodies: "Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."
For legal teams, this means that relying on a provider's self-assessment for a high-risk activity (where an audit was required) exposes the public body to potential liability if the provider fails to meet the actual criteria. Similarly, procuring a Level 1 service for a public-order activity creates a direct breach of the procurement mandate, potentially invalidating the contract and exposing the authority to regulatory sanctions.
What this means for you
For in-house counsel and compliance officers, the implementation of CADA requires a disciplined, three-step approach to align procurement with the sovereignty framework:
- Execute the Article 29 Risk Assessment: Before any procurement begins, your organisation must participate in or conduct the mandatory risk assessment. You must clearly categorize whether your cloud usage contributes to "public order" (e.g., law enforcement, defence, critical infrastructure). This categorization is the legal trigger. If the answer is "yes," you are legally barred from Level 1 and must proceed to Levels 2, 3, or 4.
- Verify the Conformity Mechanism:
  - For Level 1: Request the provider's "EU statement of conformity" issued under Article 19. Verify it is publicly available and that the provider has assumed responsibility for compliance. Do not expect an audit report.
  - For Levels 2–4: Demand the "positive" audit opinion and the full audit report from an independent auditing organisation as required by Article 20. Verify that the audit is current (not older than one year) and that the auditing organisation meets the independence criteria (e.g., no conflicts of interest, no non-audit services in the preceding 12 months).
- Embed Continuous Monitoring: Compliance is not a one-time event. Article 20(8) requires annual re-auditing for Levels 2–4. Your contracts must include clauses requiring the provider to notify you immediately of any material changes that could affect their recognition (as per Article 23) and to provide updated audit opinions annually. Monitor the central repository established under Article 22 for any revocations of recognition.
Common misconceptions
"Self-assessment means Level 1 is unregulated." Incorrect. Article 19 requires a formal self-assessment against the criteria in Annex II, and the provider assumes full legal responsibility for the statement. Level 1 still mandates Union establishment, data localisation, and the absence of third-country control that compromises autonomy. It is a proportionate mechanism for low-risk activities, not a loophole.
"I can choose Level 4 for everything to be extra safe." While technically possible, this is legally inefficient and potentially non-compliant with the principle of proportionality. Article 29 is designed to ensure that the highest assurance levels are reserved for activities where public order is at stake. Using Level 4 for low-risk administrative tasks imposes unnecessary costs and administrative burdens on the supply chain without a corresponding legal requirement. The risk assessment determines the minimum required level; exceeding it is permitted but not mandated.
"A one-time audit is enough for Levels 2–4." No. Article 20(8) explicitly requires the audited provider to "annually submit for review the audit report and the associated 'positive' audit opinion." Compliance is a continuous obligation. Legal teams must ensure their vendors have processes for annual re-auditing and that they monitor the central repository for any revocations.
"Article 19 and Article 20 are optional choices for the provider." They are not optional for the procuring authority. The provider's choice of mechanism is dictated by the level they seek, but the authority's choice of level is dictated by the Article 29 risk assessment. If the risk assessment mandates Level 2, the authority cannot accept a Level 1 self-assessment, regardless of the provider's willingness to offer it.
This is general information about a draft EU regulation, not legal advice.