Summary

Public buyers will locate CADA-recognised cloud services through a single, centralised online repository established and maintained by the European Commission. Created under Article 22 of the proposed Cloud and AI Development Act (CADA), this database lists all cloud computing services formally recognised as meeting specific Union assurance levels. Crucially, providers cannot self-register; only the national competent authority that granted the recognition can register the service in the central repository, ensuring data integrity and official validation.

Detail

Under the proposed Cloud and AI Development Act (CADA), the European Commission is mandated to create a unified mechanism for transparency. This mechanism is the central repository, a dedicated digital platform designed to eliminate market fragmentation and provide public authorities with a single source of truth for sovereign cloud services.

The Legal Basis: Article 22

The repository is not merely a suggestion but a statutory requirement. Article 22(1) of the CADA proposal explicitly states:

"The Commission shall establish and maintain a dedicated repository of cloud computing services that have been recognised in accordance with Article 17 ('central repository')."

This provision establishes the repository as the definitive EU-wide catalogue. Its primary purpose is to facilitate the secure and efficient storage, access, and exchange of information between public sector customers, auditing organisations, competent authorities, and the Commission. By centralising this data, the proposal aims to prevent public buyers from relying on unverified marketing claims or navigating inconsistent national databases.

The Registration Process: Who Lists What?

A critical feature of the Article 22 framework is the strict control over who can list a service. The proposal prevents "self-certification" or direct provider uploads to the repository. The workflow is strictly hierarchical:

  1. Application and Assessment: A cloud computing service provider applies for recognition to the national competent authority of establishment (the authority in the Member State where the provider is established). This authority assesses the service against the criteria for Union assurance levels 1, 2, 3, or 4, as defined in Annex II.
  2. Recognition Decision: If the authority is satisfied, it adopts a recognition decision.
  3. Mandatory Registration: Once recognition is granted, the responsibility shifts to the authority, not the provider. Article 22(2) mandates:

    "The national competent authority of establishment that recognised a cloud computing service under Article 17 shall register the cloud computing service in the central repository."

This ensures that every entry in the repository is backed by an official act of a national authority. The Commission maintains the technical platform, but the Member States are the gatekeepers of the data.

What Information Is Visible?

The repository serves as a verification tool for procurement officers. While the specific technical fields are subject to implementing acts, the core function is to display:

  • The identity of the cloud computing service provider.
  • The specific Union assurance level (1, 2, 3, or 4) for which the service is recognised.
  • The status of the recognition (active, suspended, or revoked).

This allows a public buyer to immediately filter services based on their specific risk profile. For example, if a contracting authority has conducted a risk assessment under Article 29 and determined that their activity contributes to the preservation of public order (e.g., law enforcement or defence), Article 30(3) requires them to procure only services recognised at level 2, 3, or 4. The repository enables them to instantly identify which providers meet this threshold.

Handling Revocations and Historical Data

The repository is a dynamic record, not a static list. It must reflect the current compliance status of providers. Article 22(3) addresses the transparency of negative outcomes:

"The revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years."

This "five-year look-back" period is a significant due diligence feature. If a provider loses its recognition due to non-compliance, that history remains publicly visible for five years after the revocation. A provider therefore cannot simply rebrand or reapply immediately without a visible record of past failures, and public buyers retain a historical audit trail.

Accessibility and Updates

The repository is designed for broad public access. Article 22(4) requires that:

"The central repository shall be publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website."

This ensures that the tool is not restricted to government insiders but is available to any stakeholder, including private sector entities and civil society, fostering market transparency. The obligation to "regularly update" ensures that the data remains current, reflecting any changes in assurance levels or new recognitions as they occur.

What this means for you

For public-sector procurement officers and contracting authorities, the Article 22 repository fundamentally changes the sourcing landscape for cloud services.

  • Single Source of Truth: You no longer need to verify sovereignty claims individually or rely on national lists that may not be interoperable. The repository provides a harmonised, EU-wide view of recognised services.
  • Risk-Based Filtering: By cross-referencing the repository with your Article 29 risk assessment, you can efficiently narrow your tender to only those services that meet your required assurance level. If your risk assessment dictates a need for Level 3, you can filter the repository to exclude Level 1 and 2 services, ensuring compliance with Article 30.
  • Enhanced Due Diligence: The five-year publication of revocations allows you to assess the long-term reliability of a provider. A service currently listed at Level 4 might have a history of revocation visible in the repository, prompting further scrutiny.
  • Reduced Administrative Burden: Since the national competent authority handles the registration, the burden of proof shifts from the buyer to the authority. If a service is listed, it has already passed the rigorous conformity assessment or independent audit required by the proposal.

Common misconceptions

"Providers can upload their own services to the repository." No. This is a critical distinction. Under Article 22(2), only the national competent authority of establishment that granted the recognition is authorised to register the service. Providers cannot self-list, ensuring that the repository contains only officially validated data.

"The repository guarantees compliance with the GDPR or the AI Act." The repository confirms recognition under the CADA sovereignty framework (Article 17). It does not certify compliance with other regulations. A service listed at Level 4 is recognised for its sovereignty criteria (e.g., location of infrastructure, personnel, and control), but it must still independently comply with the GDPR, the AI Act, and other sector-specific laws.

"Revocation means a provider is permanently banned." Revocation is published for five years to ensure transparency, but it does not constitute a permanent ban. A provider may rectify the issues that led to revocation and apply for recognition again. However, the record of the revocation will remain visible in the repository for the five-year period, serving as a historical record of the non-compliance.

"Only EU-based providers will appear in the repository." While the criteria heavily favour EU establishment, the proposal includes mechanisms for third-country services. Under Article 18, the Commission may identify third countries where services subject to their control can be audited for Union assurance level 3. If such a service meets the criteria and is recognised by a national authority, it will be registered in the central repository.

This is general information about a draft EU regulation, not legal advice.