Summary

Holding a European Cybersecurity Certification Scheme for Cloud Services (EUCS) certificate provides a significant advantage for Cloud and AI Development Act (CADA) recognition, but it is not an automatic pass. Under the proposed CADA, an EUCS certificate at the "substantial" assurance level satisfies the specific cybersecurity criterion for Union Assurance Levels 2 and 3, while a "high" assurance level is required for Level 4. However, CADA recognition demands compliance with a broader set of sovereignty criteria, including data localisation, personnel nationality, and the absence of third-country control, that EUCS does not cover. Providers must submit their EUCS certificate as part of the audit evidence to an independent auditing organisation, which will verify compliance with the remaining Annex II criteria before the provider can apply for formal recognition by a national competent authority under Article 17.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a new Union cloud computing sovereignty framework comprising four assurance levels. This framework is explicitly designed to mitigate risks related to operational autonomy, data sovereignty, and public order, addressing a gap that existing technical regimes like EUCS do not fill. For cloud service providers already certified under EUCS, the pathway to CADA recognition leverages this existing compliance as a foundational element but requires rigorous additional verification of sovereignty-specific criteria.

The Specific Role of EUCS in CADA Assurance Levels

CADA explicitly integrates EUCS as the primary mechanism for demonstrating compliance with the cybersecurity requirements for higher assurance levels. The text of Annex II sets out precise mapping rules:

  • Union Assurance Level 2: Under Annex II, Section 2.1(e), a provider must obtain a European cybersecurity certificate of at least assurance level "substantial" under a European cybersecurity certification scheme covering cloud computing services (i.e., EUCS), provided such a scheme has been established and is available. Until EUCS is fully operational, national cybersecurity certification schemes apply where they exist.
  • Union Assurance Level 3: Similarly, Annex II, Section 3.1(e) requires a certificate of at least assurance level "substantial". It is a common misconception that Level 3 requires a "high" certificate; the text explicitly aligns Level 3 with the "substantial" tier, reserving "high" for Level 4.
  • Union Assurance Level 4: Annex II, Section 4.1(e) raises the bar, requiring a European cybersecurity certificate of at least assurance level "high".

If EUCS is not yet fully established or available for a specific service scope, CADA provides a fallback: providers may demonstrate compliance through valid national cybersecurity certification schemes or by demonstrating that the service complies with the highest cybersecurity standards under applicable Union law. However, once EUCS is operational, it becomes the definitive benchmark for the cybersecurity component of CADA recognition.

Crucially, Union Assurance Level 1 does not require an independent audit or an EUCS certificate. Instead, providers must carry out a conformity self-assessment and issue an EU statement of conformity under Article 19. Therefore, an EUCS certificate is not a prerequisite for Level 1, though it may serve as a market signal of technical robustness.

Mapping EUCS to CADA: The Two-Step Audit Process

Holding an EUCS certificate does not automatically grant CADA recognition. The CADA framework mandates a two-step process involving independent third-party audits and formal recognition by national competent authorities.

1. Independent Third-Party Audit (Article 20)

For Union Assurance Levels 2, 3, and 4, providers must undergo independent third-party audits to obtain an audit report and a "positive" audit opinion from an auditing organisation. This is a mandatory requirement under Article 20. The auditing organisation assesses compliance with the cumulative criteria set out in Annex II.

In this phase, the EUCS certificate serves as key audit evidence for the cybersecurity criterion (Annex II, Sections 2.1(e), 3.1(e), or 4.1(e)). The auditing organisation can rely on the existing EUCS assessment to verify the technical security posture. However, the auditor must also verify compliance with other critical sovereignty criteria that EUCS does not assess. These include:

  • Data Localisation: Customer data, including metadata and telemetry, must remain exclusively within the Union, unless the public sector body explicitly requires otherwise (Annex II, Section 2.1(c)).
  • Personnel Requirements:
    • Level 2: Personnel screening and Union citizenship requirements are conditional. If the public sector body determines they are necessary, the provider must ensure such personnel are available (Annex II, Section 2.1(d)).
    • Levels 3 & 4: All personnel involved in service provision must be Union citizens, and where appropriate, must hold national security clearance when handling classified information (Annex II, Sections 3.1(d) and 4.1(d)).
  • Absence of Third-Country Control: Providers and subcontractors must demonstrate they are not subject to the control of a third country or a legal entity established in a third country. A derogation exists for Level 3 if the Commission has adopted an implementing act identifying a third country as providing sufficient assurances (Article 18 and Annex II, Section 3.1(g)).
  • Software Supply Chain: Providers must maintain a complete Software Bill of Materials (SBOM) and demonstrate controls against remote tampering or disruption (Annex II, Sections 2.1(i), 3.1(i), and 4.1(i)).

2. Formal Recognition (Article 17)

Once the auditing organisation issues a positive audit opinion, the provider submits an application for recognition to the national competent authority of establishment under Article 17. The competent authority assesses the evidence, including the audit report and the EUCS certificate.

If satisfied, the authority prepares a draft recognition decision and notifies other Member States' competent authorities for a 60-day review period. If no reasoned objections are raised, the service is recognised across the Union at the appropriate assurance level. If objections are raised, the matter may be referred to the Commission for a binding decision.

Sovereignty vs. Cybersecurity: The Critical Distinction

A fundamental distinction in CADA is the separation of cybersecurity from sovereignty. EUCS focuses on technical security controls, risk management, and incident response. CADA adds a layer of political and operational sovereignty designed to protect the Union's public order.

For example, a provider might have excellent cybersecurity controls (EUCS compliant) but still fail CADA Level 3 if their parent company is subject to the laws of a third country that could compel data access or service disruption. CADA requires legal, technical, and organisational measures to ensure such third-country control is effectively neutralised (Annex II, Section 3.1(g)). This includes demonstrating that the third country has no measures to compel the provider to degrade service continuity or comply with restrictive measures like sanctions, unless legitimate under Union law.

Therefore, while EUCS certification is a strong indicator of technical robustness, it does not address the geopolitical risks that CADA aims to mitigate. Providers must conduct a gap analysis to identify where their current EUCS compliance falls short of the broader CADA Annex II criteria.

What this means for you

If you are a cloud service provider already certified under EUCS, you should view this as a foundational step rather than the final destination for CADA compliance. The following actions are essential to bridge the gap between your current status and CADA recognition.

1. Leverage Your Existing Audit Evidence

Use your EUCS certificate as the primary evidence for the cybersecurity criterion in your CADA audit. This can significantly streamline the audit process for that specific criterion, as the auditing organisation can rely on the existing EUCS assessment rather than duplicating technical security tests. Ensure your EUCS certificate is valid and covers the specific scope of the cloud service you intend to recognise.

2. Conduct a Sovereignty Gap Analysis

Review Annex II thoroughly to identify gaps in areas EUCS does not cover. Key areas to address include:

  • Data Localisation: Verify that your data flows, backup strategies, and disaster recovery plans ensure customer data remains exclusively within the Union.
  • Personnel Nationality: For Levels 3 and 4, audit your workforce to ensure all personnel involved in service provision are Union citizens. For Level 2, prepare to demonstrate the ability to provide Union citizens if requested by a public sector body.
  • Third-Country Control: Review your corporate structure, shareholder agreements, and board composition to ensure you are not subject to third-country control. If you are, assess whether you qualify for the derogation under Article 18 (for Level 3) or if you need to restructure to meet the "no control" requirement.
  • Software Supply Chain: Ensure you have a complete SBOM and documented migration plans for third-country software components.

3. Prepare for Independent Audit

Engage an auditing organisation early to discuss how your EUCS certificate will be integrated into the broader CADA audit. Ensure you have all necessary documentation ready, including:

  • Data flow diagrams proving data stays in the Union.
  • Employment contracts and payroll records proving personnel location and nationality.
  • Corporate governance documents proving the absence of third-country control.
  • SBOMs and source code audit rights documentation.

4. Plan for Recognition

Once you have a positive audit opinion, prepare your application for recognition under Article 17. Be ready to engage with national competent authorities and address any potential objections from other Member States during the 60-day review period. Remember that recognition is a Union-wide status, but the application is processed by the authority of your main establishment.

Common misconceptions

"EUCS certification equals CADA recognition." This is incorrect. EUCS only covers the cybersecurity aspect. CADA recognition requires compliance with all cumulative criteria in Annex II, including sovereignty, data localisation, personnel requirements, and third-country control. An EUCS certificate is merely one piece of evidence within the broader audit.

"I don't need an audit if I have EUCS." For Union Assurance Levels 2, 3, and 4, CADA mandates an independent third-party audit under Article 20. EUCS certification is evidence within that audit, not a substitute for it. Only Level 1 relies on a self-assessment.

"Level 3 requires a 'high' EUCS certificate." No. Annex II, Section 3.1(e) explicitly requires a certificate of at least assurance level "substantial" for Level 3. The "high" assurance level is reserved for Level 4 (Annex II, Section 4.1(e)).

"Third-country control is irrelevant if I have EUCS." EUCS does not assess political or legal control by third countries. CADA explicitly requires measures to prevent third-country control from undermining service continuity or data confidentiality (Annex II). This is a critical gap for many global providers who may be EUCS certified but subject to extraterritorial laws.

"CADA replaces the AI Act." CADA does not replace the AI Act. The AI Act regulates AI systems for safety and fundamental rights, while CADA regulates the cloud infrastructure and sovereignty beneath it. They are complementary.

This is general information about a draft EU regulation, not legal advice.