Summary
As proposed in the Cloud and AI Development Act (CADA), a public buyer verifies a cloud provider's assurance level by consulting the central repository established by the Commission, where services are registered only after national competent authorities grant recognition. The buyer must then ensure the service's recognised level matches the minimum requirement determined by their mandatory risk assessment: Union assurance level 1 for standard activities, and levels 2, 3, or 4 for activities contributing to the preservation of public order. Verification is a mandatory pass/fail criterion; reliance on vendor self-declarations without repository confirmation is non-compliant.
Detail
Under the proposed Cloud and AI Development Act (CADA), public procurement of cloud computing services is strictly tied to a harmonised sovereignty framework. This framework is designed to mitigate risks associated with third-country control, data access, and service disruption. For public-sector procurement officers, verifying a provider's compliance is not a matter of trusting self-declared marketing materials or internal audit reports; it is a procedural obligation grounded in specific articles of the regulation. The verification process relies on two pillars: the central repository (Article 22) and the risk-based procurement mandate (Article 30).
The Verification Mechanism: The Central Repository
The primary tool for verification is the central repository of cloud computing services. Article 22 of the CADA proposal mandates that the Commission establish and maintain this dedicated repository. It serves as the single source of truth for the EU market, ensuring that recognition is transparent and uniform across Member States.
The recognition and registration process, which underpins the verification step, operates as follows:
- Application and Recognition: A cloud computing service provider must apply to the national competent authority of its establishment to be recognised as offering a specific Union assurance level (1, 2, 3, or 4). This involves either a conformity self-assessment (for Level 1) or an independent third-party audit (for Levels 2 to 4).
- Mandatory Registration: Once the national competent authority adopts a recognition decision, it is legally required to register the service in the central repository. Article 22(2) explicitly states: "The national competent authority of establishment that recognised a cloud computing service under Article 17 shall register the cloud computing service in the central repository."
- Public Accessibility: The repository is designed for public access. Article 22(4) requires that it be "regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website."
Therefore, before awarding a contract, a procurement officer must query this repository to confirm that the tenderer's specific cloud service holds a valid, current recognition for the required assurance level. If a service is not listed, or if its listed level is lower than required, it cannot be awarded the contract under the mandatory provisions of CADA. The repository also serves as a monitoring tool; Article 22(3) notes that "The revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years."
Matching Assurance Levels to Risk Assessments
Verification is not merely a technical check; it requires matching the provider's certified level to the buyer's specific operational needs. This linkage is defined in Article 30, which sets out the public procurement obligations based on the outcome of a mandatory risk assessment.
Article 30 distinguishes between two categories of public sector activities:
- Standard Public Sector Activities (Union Assurance Level 1): For contracting authorities whose activities have not been identified as contributing to the preservation of public order, the minimum requirement is Union assurance level 1.
  - Article 30(2) states: "Union entities and public sectors bodies whose public sector activities have not been identified as contributing to the preservation of public order under the risk assessment referred to in Article 29(1) shall use cloud computing services that have been recognised under Article 17 as having a Union assurance level 1."
- Public Order-Relevant Activities (Union Assurance Levels 2, 3, or 4): For activities identified as contributing to the preservation of public order, specifically in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2) and areas such as national security, internal security, external border management, defence, justice, or law enforcement, the requirements are stricter.
  - Article 30(3) states: "Contracting authorities... whose activities have been identified as contributing to the preservation of public order... shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."
The Procurement Workflow
To comply with these provisions, a public buyer's verification process should follow these steps:
- Consult the National Risk Assessment: Before launching the procurement, the buyer must determine the classification of the specific activity they are supporting. This classification is derived from the Member State's risk assessment conducted under Article 29. This assessment identifies which activities require protection of public order and assigns the necessary Union assurance level (2, 3, or 4) or defaults to Level 1.
- Define the Minimum Requirement in the Tender: The procurement documents must explicitly state the minimum Union assurance level required, based on the risk assessment outcome.
- Verify via the Central Repository: During the evaluation of tenders, the buyer must check the central repository (per Article 22) to verify that the tenderer's specific cloud service is registered with the required level.
- Crucial Note: The verification must be service-specific. A provider may be recognised at Level 3 for one service but only at Level 1 for another; a provider-wide recognition does not exist. The repository lists each specific service and its recognised level, so the check must be made against the exact service offered in the tender, not the provider's name or its best-rated product.
- Check for Validity and Revocations: The repository tracks revocations. Buyers must ensure the recognition is current and has not been revoked, as per Article 22(3).
Exceptions and Derogations
Article 30(4) provides limited derogations where a contracting authority may decide not to procure a recognised service. This applies only on an exceptional basis and where duly justified, such as:
- The subject matter cannot be supplied by recognised services available in the central repository, and no adequate alternative exists.
- A similar procurement launched in the previous year received no suitable tenders.
- Applying the requirements would result in disproportionate costs.
Even in these cases, the buyer must document the justification meticulously, as these exceptions are narrow and intended to prevent market failure rather than bypass sovereignty requirements.
What this means for you
For public-sector procurement officers, CADA introduces a rigid, evidence-based verification step that replaces subjective vendor claims with an auditable, EU-wide register.
- Pre-procurement Preparation: You cannot simply ask vendors for their "sovereignty status." You must first know the output of your national risk assessment (Article 29) to know which level (1, 2, 3, or 4) you are legally required to procure under Article 30.
- Evaluation Criteria: Your evaluation matrix must include a mandatory pass/fail criterion: "Is the proposed cloud service registered in the CADA central repository with at least Union Assurance Level X?" Failure to verify this via the repository constitutes a breach of the procurement rules.
- Due Diligence: Relying solely on a vendor's certificate or audit report is insufficient. The definitive proof is the entry in the central repository maintained by the Commission. Ensure your contract templates include clauses that allow for termination if the provider's recognition in the repository is revoked or downgraded during the contract term.
- Multi-Cloud Strategies: Article 29(9) encourages buyers to consider whether a multi-vendor or multi-cloud strategy is appropriate to enhance resilience. When verifying multiple providers, you must check the repository for each distinct service component to ensure the entire stack meets the required assurance level.
Common misconceptions
- Misconception: "If a provider is EU-based, they automatically qualify for Level 1."
- Reality: While Union establishment is a criterion for Level 1, the provider must still undergo the conformity self-assessment and submit an EU statement of conformity. For SMEs, this is automatically recognised across the Union, but for larger providers, national competent authorities must still process the application. The service must be explicitly registered in the central repository to be valid for procurement.
- Misconception: "I can accept a provider's internal audit report as proof of Level 2, 3, or 4."
- Reality: No. Levels 2 to 4 require independent third-party audits. The procurement officer's role is not to audit the auditor but to verify that the service has been officially recognised and registered in the central repository by a national competent authority.
- Misconception: "Level 1 is sufficient for all government services."
- Reality: Only for non-critical activities. If your activity falls under national security, defence, justice, or critical infrastructure (as defined in the risk assessment), Article 30(3) mandates Levels 2, 3, or 4. Using a Level 1 service for these activities would be a breach of the regulation.
- Misconception: "The central repository lists all cloud providers in the EU."
- Reality: The repository only lists services that have successfully applied for and received recognition. Many providers may not be listed because they have not sought recognition or have not yet completed the process. If a preferred vendor is not listed, they cannot be awarded the contract unless a derogation under Article 30(4) applies.
Related
- When can a public buyer use a derogation from CADA's assurance-level procurement rules?
- How does a public buyer justify procuring above the minimum CADA assurance level?
- How does a non-EU cloud provider qualify under CADA assurance level 3?
- How to determine the required CADA Union assurance level for public workloads
- How do I decide which CADA assurance level to target as a cloud provider?
This is general information about a draft EU regulation, not legal advice.