Summary

Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers seeking recognition at Union assurance level 1 must conduct a conformity self-assessment against the specific criteria in Annex II. As proposed in Article 19, providers are solely responsible for this assessment, which culminates in the issuance and public publication of an EU statement of conformity. This self-declaration assumes full legal responsibility for the service's compliance with Union legal obligations. Unlike higher assurance levels, this process does not require independent third-party audits, serving as the mandatory baseline for general public sector procurement.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a harmonised Union cloud computing sovereignty framework designed to mitigate risks associated with dependence on third-country providers. Central to this framework is the classification of cloud services into four "Union assurance levels." Level 1 serves as the baseline for public sector procurement, requiring a streamlined but rigorous self-assessment process that distinguishes it from the independent audit requirements for levels 2, 3, and 4.

The Legal Basis for Self-Assessment

The mechanism for demonstrating compliance with Union assurance level 1 is explicitly defined in Article 19 of the CADA proposal. This article establishes that providers are not subject to third-party audits for this lowest tier of assurance. This distinction is critical: while higher levels demand independent verification under Article 20, Level 1 relies on the provider's own internal controls and documentation.

According to Article 19(1), a cloud computing service provider seeking recognition as offering Union assurance level 1 "shall carry out a conformity self-assessment of compliance with the criteria for Union assurance level 1 set out in Annex II." This provision places the onus entirely on the provider to verify that their service meets the cumulative technical, legal, and operational requirements defined in the Regulation. The self-assessment is not a formality; it is a substantive exercise requiring the provider to gather documented evidence, implement internal control procedures, and ensure continuous monitoring to demonstrate that the applicable criteria have been fulfilled.

Assessing Compliance with Annex II Criteria

The self-assessment is a verification against the objective criteria listed in Annex II, Section 1 of the CADA proposal. Providers must ensure their service meets all the following cumulative criteria before issuing their statement:

  1. Establishment in the Union: The cloud computing service provider must be established in the Union. This is the foundational requirement for any level of Union assurance.
  2. Infrastructure and Asset Location: The infrastructure and assets of the provider, including those of its subcontractors involved in the provision of the service, must be located in the Union. An exception applies only if the public sector body explicitly requires otherwise.
  3. Data Localisation: Customer data, including metadata and telemetry data, that is processed, stored, and transferred by the provider and its subcontractors, must remain exclusively within the Union. Similar to infrastructure, exceptions are permitted only if the public sector body explicitly requires otherwise, and this must hold true at any time, including before, during, or after the configuration or use of the service.
  4. Subcontracting Controls: Where the provider outsources technical or operational support to third-party service providers outside the Union, necessary legal, technical, and organisational measures must be implemented to ensure traceability, security, and governance. Crucially, these operations must not, in any way, compromise the operational autonomy of the cloud computing service provider.
  5. Cybersecurity Standards: The provider must demonstrate that the service complies with state-of-the-art cybersecurity standards. Unlike Levels 2–4, Level 1 does not yet mandate a specific European cybersecurity certificate (pending the establishment of such a scheme), but the burden of proof for "state-of-the-art" compliance remains.
  6. Transparency and Due Diligence: The provider must provide full transparency around the use of subcontractors. This includes subjecting subcontractors to due diligence, contractual obligations, and ongoing oversight to ensure they meet Union legal obligations.
  7. Vulnerability Reporting: If the provider is subject to the control of a third country or a legal entity established in a third country, it must guarantee that there are no existing laws and practices in that third country, demonstrated by independent sources, that require the provider to report information on software vulnerabilities to authorities of that third country prior to those vulnerabilities being known to have been exploited. This criterion directly addresses the risks associated with extraterritorial data access laws, such as those exemplified by the US CLOUD Act.

Issuing the EU Statement of Conformity

Once the self-assessment confirms compliance, Article 19(2) mandates the next step: "Following the self-assessment referred to in paragraph 1, the cloud computing service provider shall issue an EU statement of conformity stating that compliance with the criteria for Union assurance level 1 have been demonstrated."

By issuing this statement, the provider formally "shall assume responsibility for the compliance of the cloud computing service with the criteria for Union assurance level 1 set out in Annex II." This is a legally binding act of self-declaration. It is not merely an internal document; it is the primary evidence required for recognition. The statement serves as the provider's formal assertion that they have met the rigorous standards of the sovereignty framework.

Public Publication and Recognition

Article 19(3) adds a transparency layer to the process: "The cloud computing service provider shall make the EU statement of conformity publicly available." This publication serves two purposes. First, it allows public sector buyers and potential auditing organisations to verify the provider's claimed status. Second, it feeds into the broader recognition mechanism under Article 17.

Under Article 17(3), for Union assurance level 1, the candidate provider must submit this EU statement of conformity, along with all necessary evidence, to the evaluating national competent authority. However, the proposal includes a significant simplification for smaller providers. Article 17(3), second subparagraph, states that by way of derogation, the EU statement of conformity issued by providers that are small and medium-sized enterprises (SMEs) "shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." This reduces administrative friction for SMEs, allowing them to immediately offer their services as Level 1 compliant across the EU single market.

For non-SME providers, the submission triggers a review process where the national competent authority assesses the evidence. If sufficient, the service is recognised across the Union as offering Union assurance level 1. This recognition is then registered in the central repository established under Article 22, making it visible to all contracting authorities.

What this means for you

For cloud service providers and data centre operators, the CADA proposal shifts the burden of proof for baseline sovereignty onto the provider through self-assessment. To prepare for implementation, providers should take the following steps:

  • Audit Your Supply Chain: You must map your entire subcontractor chain. For Level 1, you need documented due diligence and contractual clauses that ensure subcontractors adhere to Union legal obligations and do not compromise your operational autonomy. If you outsource support outside the Union, you must prove that your operational autonomy remains intact.
  • Verify Data Flows: Conduct a thorough technical audit of your data flows. Ensure that metadata, telemetry, and customer data remain within the Union unless a specific client contract explicitly permits otherwise. Document these flows clearly to support your self-assessment, as the default position is exclusive Union location.
  • Review Cybersecurity Posture: Align your security practices with "state-of-the-art" standards. While Level 1 does not yet require a specific European cybersecurity certificate (unlike Levels 2–4), you must be able to demonstrate compliance with high standards through internal documentation and evidence.
  • Prepare the Statement: Draft a template for the EU statement of conformity. Ensure it clearly references Annex II criteria and includes all necessary evidence. If you are an SME, remember that your statement will be automatically recognised, so accuracy is paramount to avoid future enforcement actions or revocation of recognition.
  • Monitor Control Structures: If you are part of a multinational group, ensure that no third-country parent entity can compel you to disclose vulnerabilities prematurely or access customer data. Document the legal and technical separation between your EU entity and any third-country affiliates to satisfy the vulnerability reporting criterion.

Common misconceptions

  • "Level 1 is voluntary or optional." Incorrect. Under Article 30(2), public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognised as having Union assurance level 1. It is the mandatory baseline for general public procurement.
  • "Self-assessment means no oversight." Incorrect. While there is no third-party audit for Level 1, the provider is subject to the investigative and enforcement powers of the national competent authority under Article 26. Authorities can request information, conduct inspections, and impose fines for non-compliance or misleading statements.
  • "SMEs do not need to submit evidence." Incorrect. While SMEs benefit from automatic recognition without prior approval, they still must carry out the conformity self-assessment and issue the EU statement of conformity. They must be prepared to provide evidence to competent authorities if challenged.
  • "Level 1 allows data to leave the EU freely." Incorrect. The default position under Annex II is that data must remain exclusively within the Union. Export is only permitted if the public sector body explicitly requires it. Providers cannot unilaterally decide to route data outside the EU for processing.
  • "Level 1 requires a cybersecurity certificate." Incorrect. Unlike Levels 2, 3, and 4, which require a European cybersecurity certificate of at least "substantial" assurance, Level 1 only requires a demonstration of compliance with state-of-the-art cybersecurity standards.

This is general information about a draft EU regulation, not legal advice.