Summary
Under the proposed Cloud and AI Development Act (CADA), startup cloud providers classified as small and medium-sized enterprises (SMEs) gain a decisive market advantage through a streamlined "fast-track" to market access. As proposed in Article 17(3), the second subparagraph explicitly states that an SME's "EU statement of conformity" for Union assurance level 1 is "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." This mechanism eliminates the administrative lag and costs of national-level assessments, allowing startups to compete for public sector contracts across the EU immediately upon self-certification, effectively lowering the barrier to entry for the sovereign cloud market.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive "Union cloud computing sovereignty framework" designed to reduce the EU's dependence on third-country providers while fostering a competitive, secure internal market. For cloud service providers, particularly startups and SMEs, the proposal includes specific provisions to ease the burden of compliance and facilitate cross-border expansion. The core of this benefit lies in the distinction between self-assessment for lower assurance levels and third-party auditing for higher levels, coupled with a unique fast-track recognition mechanism for SMEs at the entry level.
The Four-Tier Sovereignty Framework
CADA establishes a framework comprising four Union assurance levels (Article 16). These levels dictate the criteria a cloud computing service must meet to be considered trustworthy for public sector use. The levels range from Level 1, which requires basic establishment in the Union and data localisation, to Level 4, which imposes strict requirements on personnel citizenship, absence of third-country control, and "high" assurance cybersecurity certification.
For most providers, achieving recognition involves submitting an application to the national competent authority of their establishment (Article 17). For Levels 2, 3, and 4, this requires undergoing independent third-party audits (Article 20) to obtain a "positive" audit opinion. These audits are rigorous, costly, and time-consuming, posing a significant barrier to entry for smaller players who lack the resources for extensive external verification.
The SME Advantage at Level 1
Union assurance Level 1 serves as the baseline for cloud services used by public sector bodies whose activities have not been identified as contributing to the preservation of public order (Article 30(2)). It is the most accessible tier, relying on a conformity self-assessment rather than a full external audit.
Article 19 outlines the process for this self-assessment. Providers seeking Level 1 recognition must assess their compliance with the criteria in Annex II, issue an "EU statement of conformity," and make it publicly available. By issuing this statement, the provider assumes responsibility for compliance.
The critical benefit for startups emerges in Article 17(3). The first subparagraph generally requires a candidate provider to submit their EU statement of conformity to the evaluating national competent authority for formal recognition. However, the second subparagraph of Article 17(3) introduces a vital derogation specifically for SMEs:
"By way of derogation from the first subparagraph, the EU statement of conformity issued under Article 19(2) by cloud computing service providers that are SMEs shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority."
This provision means that an SME startup does not need to wait for a national authority to review and approve its Level 1 status. Once the SME issues its EU statement of conformity in accordance with Article 19, it is immediately recognised across the entire European Union. This eliminates the administrative lag and potential friction points associated with national-level evaluations, allowing startups to market their services as "Union assurance level 1" compliant immediately upon self-certification.
Lowering Barriers to Public Sector Markets
The primary commercial value of CADA's sovereignty framework is access to public procurement. Article 30 mandates that contracting authorities procure cloud computing services that meet specific Union assurance levels. For non-critical public sector activities, Level 1 is the minimum requirement.
By granting automatic recognition, CADA effectively removes the "first hurdle" for SMEs. Without this provision, an SME would need to navigate the administrative processes of each Member State or rely on a single point of recognition that might involve delays. The automatic recognition ensures that a startup in one Member State can immediately bid for tenders in another, fostering a true single market for cloud services. This is particularly crucial for startups that lack the resources to maintain a physical presence or legal teams in multiple jurisdictions.
Furthermore, the criteria for Level 1, while mandatory, are designed to be achievable for smaller entities. They focus on fundamental aspects such as establishment in the Union, data localisation (unless the public sector body explicitly requires otherwise), and basic cybersecurity standards. They do not require the extensive supply chain transparency, personnel screening, or separation from third-country control measures that are mandatory for Levels 2, 3, and 4.
Strategic Implications for Startups
For a startup cloud provider, the SME route under CADA offers a strategic entry point. It allows the company to:
- Reduce Time-to-Market: By bypassing the national competent authority's review for Level 1, startups can launch their sovereign cloud offerings faster.
- Lower Compliance Costs: Avoiding the initial administrative burden of national recognition reduces legal and operational costs, preserving capital for product development.
- Build Credibility: Achieving Level 1 recognition, even via self-assessment, provides a verified credential that can be used in marketing and tender documents, distinguishing the startup from non-compliant providers.
- Scale Gradually: Startups can establish a foothold in the public sector with Level 1 services and later invest in the audits required for higher assurance levels as they grow and target more sensitive use cases.
What this means for you
If you are a startup cloud provider or a data centre operator classified as an SME, CADA's provisions offer a clear, low-friction path to participating in the EU's public cloud market.
- Focus on Level 1 Compliance: Prioritize meeting the criteria for Union assurance level 1 as set out in Annex II of the proposal. These include ensuring your infrastructure and assets are located in the Union, keeping customer data within the Union, and demonstrating compliance with state-of-the-art cybersecurity standards.
- Prepare Your EU Statement of Conformity: Develop a robust internal process for self-assessment. Your EU statement of conformity must be accurate, as you assume full responsibility for its contents. Ensure you have documented evidence to support your claims, as you may still be subject to market surveillance and enforcement actions by national competent authorities.
- Leverage Automatic Recognition: Market your Level 1 status aggressively. You can state that your service is recognised across the Union without needing to wait for national approvals. This is a unique selling point against larger incumbents that may be bogged down in more complex compliance procedures for higher levels.
- Plan for Growth: While Level 1 is your entry ticket, be aware that certain public sector activities will require Levels 2, 3, or 4. Use the revenue and experience gained from Level 1 contracts to fund the independent audits required for higher assurance levels.
Common misconceptions
"Automatic recognition means no oversight." This is incorrect. While SMEs are exempt from prior recognition by the national competent authority for Level 1, they are still subject to the supervision and enforcement powers of the competent authority in their Member State of establishment (Article 25). Authorities can investigate infringements and impose penalties if a provider is found to be non-compliant.
"SMEs can only offer Level 1 services." No. SMEs can choose to undergo independent audits and seek recognition for Levels 2, 3, or 4 if they wish to serve more critical public sector needs. The automatic recognition applies specifically to the Level 1 self-assessment route.
"Level 1 is too basic to be useful." Level 1 is the mandatory baseline for a vast portion of public sector cloud procurement. Many public administration tasks do not involve high-risk data or critical infrastructure, making Level 1 the appropriate and legally required standard. It is a significant market segment, not a negligible one.
"The definition of SME is flexible." The proposal refers to the definition in Commission Recommendation 2003/361/EC (Article 2(8)). This is a strict legal definition based on staff headcount, turnover, and balance sheet total. Startups must ensure they fall within these limits to qualify for the automatic recognition derogation.
This is general information about a draft EU regulation, not legal advice.