Summary
Under the proposed Cloud and AI Development Act (CADA), a managed service reseller cannot independently obtain a "Union assurance level" recognition for a cloud computing service it does not technically provide. Recognition under Article 17 attaches strictly to the legal entity defined as the "cloud computing service provider" and the specific service it offers. Consequently, a reseller's ability to offer sovereign cloud services to public sector bodies depends entirely on its contractual relationship with the underlying infrastructure provider and its status as a compliant subcontractor under Annex II criteria. The reseller must ensure its activities do not compromise the operational autonomy, data sovereignty, or personnel requirements of the recognised service it resells.
Detail
The CADA proposal establishes a rigorous sovereignty framework designed to mitigate risks associated with dependence on third-country providers. To understand how a managed service reseller positions itself, one must first distinguish between the "cloud computing service provider" and other actors in the value chain, such as resellers or subcontractors.
Recognition Attaches to the Provider, Not the Reseller
Article 17(1) of the CADA proposal explicitly states that "a cloud computing service provider that aims to be recognised as offering a Union assurance level, shall submit an application for recognition to the national competent authority of establishment." The definition of a "cloud computing service provider" in Article 2(2) is a "legal entity which provides a cloud computing service."
In the context of managed services, the "provider" is typically the entity that controls the infrastructure, manages the software stack, and holds primary responsibility for the service's security and sovereignty attributes. A reseller, which primarily markets, bills, and potentially manages access to services provided by another entity, is generally not the "provider" of the underlying cloud computing service in the technical and legal sense required for Article 17 recognition. Therefore, a reseller cannot submit an application for Union assurance level 1, 2, 3, or 4 for a service it does not technically operate or control.
The recognition decision is specific to the service and the provider. Article 22 establishes a central repository of recognised services, where the national competent authority registers the "cloud computing service provider" and the service. A reseller will not appear in this repository as a recognised provider unless it is the legal entity that submitted the application and met the criteria. Public sector buyers, under Article 30, are obligated to procure services that have been recognised in this repository; they will verify the provider's status, not the reseller's.
The Critical Role of Subcontractors and Annex II Criteria
If a reseller is not the primary provider, it often falls under the category of a "subcontractor" or a third-party service provider involved in the delivery of the cloud computing service. The CADA proposal explicitly regulates subcontractors through the criteria in Annex II.
For Union assurance levels 2, 3, and 4, the criteria in Annex II impose strict cumulative requirements on the audited provider and its subcontractors. The text of Annex II is clear:
- Annex II, Section 2.1(a) and (b) (Level 2): Require that "the audited provider and the subcontractors which are involved in the provision of the audited service are established in the Union" and that their "infrastructure, assets, and personnel... are located in the Union."
- Annex II, Section 2.1(c): Mandates that customer data "remain exclusively within the Union" when processed by subcontractors.
- Annex II, Section 2.1(g): Requires that if the provider or subcontractors are subject to the control of a third country, specific legal, technical, and organisational measures must be implemented to prevent third-country access to data or disruption of service.
Similar cumulative requirements apply to Level 3 (Annex II, Section 3.1) and Level 4 (Annex II, Section 4.1). For Level 4, the requirement for personnel to be Union citizens is mandatory (Annex II, Section 4.1(d)), whereas for Level 2 it is conditional ("if the public sector body determines...").
Consequently, a managed service reseller acting as a subcontractor must ensure it meets these location, establishment, and control criteria. If the reseller is established outside the Union, or if its personnel access the service from outside the Union, it may render the underlying service non-compliant with Union assurance levels 2–4, regardless of the primary provider's compliance. The "subcontractor" definition in Annex II (Sections 1.2, 2.2, 3.2, 4.2) clarifies that these are third parties with a direct contractual relationship contributing to the provision and delivery of the service. If a reseller performs technical support, data handling, or access management, it is a subcontractor for the purposes of the proposal.
Reseller Responsibilities and Transparency Obligations
Even if the reseller does not hold the recognition, it has critical obligations flowing from the primary provider's compliance. Article 16(1) requires providers to meet the criteria in Annex II. Annex II, Section 1.1(f) (for Level 1) and Section 2.1(f) (for Level 2) require the provider to "provide full transparency around the use of subcontractors" and subject them to "due diligence, contractual obligations and ongoing oversight."
This means the primary cloud provider must formally contract with the reseller, ensuring the reseller's operational practices align with the recognised assurance level. The reseller must cooperate with the auditing process. Article 20(2) requires audited providers to cooperate with auditing organisations, providing access to relevant data and premises. If the reseller handles customer data or manages access controls, it must provide evidence to the auditor that its activities comply with the Annex II criteria (e.g., data remains in the Union, no third-country control).
Furthermore, Article 23 imposes transparency obligations on recognised providers. If the reseller experiences a material change in circumstances (e.g., a change in ownership, a breach of data locality, or a change in personnel location) that may affect the audit report or recognition, the provider must notify the auditing organisation and the competent authority. The reseller must have mechanisms to trigger this notification.
Union Assurance Level 1 and the SME Derogation
For Union assurance level 1, Article 17(3) introduces a derogation for small and medium-sized enterprises (SMEs). An SME provider's EU statement of conformity "shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority."
If a managed service reseller is an SME and technically qualifies as the "provider" of a distinct cloud service (rather than just reselling another's service), it may benefit from this simplified self-assessment route under Article 19. However, this is rare for pure resellers of infrastructure; it applies more to managed service providers that build their own stack or offer a distinct service layer. If the reseller is merely a channel for another provider's service, it cannot claim this SME derogation for that service.
The Central Repository and Public Procurement
Article 22 establishes a central repository of recognised services. Only the national competent authority of establishment registers a service after a positive recognition decision under Article 17. A reseller will not appear in this repository as a recognised provider unless it is the legal entity that submitted the application and met the criteria.
Public sector buyers, under Article 30, are obligated to procure services that have been recognised. Article 30(2) requires a minimum of Level 1 for activities not identified as contributing to public order, while Article 30(3) mandates Level 2, 3, or 4 for activities contributing to public order. The buyer will verify the provider's recognition in the repository. If the reseller is not the provider, the buyer will look to the underlying provider's status. The reseller's role is to ensure the underlying provider's recognition remains valid by adhering to subcontractor rules.
What this means for you
If you are a managed service reseller or a distributor of cloud services targeting the EU public sector, you must restructure your compliance strategy around the underlying provider's recognition status:
- Verify the Underlying Provider's Recognition: Ensure your supplier holds a valid recognition under Article 17 for the specific Union assurance level your customers require. Check the central repository (Article 22) to confirm their status. Do not rely on marketing claims; verify the official recognition.
- Audit Your Subcontractor Status: Review your contracts with the primary provider. You must be listed as a subcontractor and must comply with the Annex II criteria applicable to that assurance level. This includes ensuring your staff, infrastructure, and data handling processes are located within the Union and free from third-country control if aiming for levels 2–4.
- Implement Strict Data Locality Controls: If you manage access to the cloud environment, ensure no data leaves the Union. Your operational procedures must not compromise the "exclusive" data location requirement in Annex II.
- Cooperate with Audits: Be prepared to provide evidence to the primary provider's auditing organisation. This may include proof of your Union establishment, staff location records, and technical measures preventing third-country access. Article 20(2) mandates this cooperation.
- Contractual Alignment: Ensure your service level agreements (SLAs) with the primary provider include clauses that mandate their ongoing compliance with CADA recognition rules and require them to notify you of any changes to their recognised status. You must also agree to notify them of any material changes in your own operations that could affect their recognition (Article 23).
Common misconceptions
- Misconception: "As a reseller, I can get my own Union assurance level recognition for the services I sell."
- Reality: Recognition is tied to the legal entity providing the technical cloud service (Article 17). Resellers are typically subcontractors. You inherit the provider's recognition status but do not hold it independently.
- Misconception: "If my provider is Level 4, I can access the service from anywhere in the world."
- Reality: Annex II criteria for Level 4 require that personnel and infrastructure involved in the service provision are located in the Union (Annex II, Section 4.1(b) and (d)). If your reseller staff accesses the service from outside the Union, you may be violating the criteria, jeopardising the provider's recognition.
- Misconception: "I don't need to worry about CADA if I'm just billing and marketing."
- Reality: If you provide any technical support, access management, or data handling, you are a subcontractor involved in the provision of the service. You must comply with Annex II subcontractor criteria, or the primary provider cannot maintain its recognition.
- Misconception: "The SME derogation applies to all small resellers."
- Reality: The SME derogation in Article 17(3) applies only to the "cloud computing service provider" submitting the statement of conformity. If you are reselling another entity's service, you are not the provider for that service and cannot use this derogation.
Related
- Which National Competent Authority Do I Apply to for CADA Recognition?
- When can a public buyer use a derogation from CADA's assurance-level procurement rules?
- What is the timeline and deadlines for getting CADA recognition?
- CADA Compliance Checklist for Cloud Providers: Steps to Recognition
- What happens if another Member State objects to my CADA recognition?
This is general information about a draft EU regulation, not legal advice.