Summary

As proposed, the Cloud and AI Development Act (CADA) establishes a specific, low-cost compliance pathway for small and medium-sized enterprises (SMEs) seeking Union assurance level 1. Under Article 17(3), SMEs are granted a derogation from the standard national competent authority (NCA) recognition process. Instead of undergoing a formal evaluation, their self-issued EU statement of conformity under Article 19 is "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." This mechanism allows SMEs to bypass the costs of independent third-party audits (mandatory for levels 2–4) and administrative delays, achieving immediate EU-wide market access for non-critical public sector procurement through a streamlined self-assessment.

Detail

The proposed Cloud and AI Development Act (CADA) creates a four-tier sovereignty framework for cloud computing services, known as Union assurance levels. While the framework is designed to ensure resilience and strategic autonomy, the proposal explicitly acknowledges the administrative burden this could place on smaller market participants. Consequently, it carves out a simplified, cost-efficient procedure for SMEs aiming for Union assurance level 1, the baseline level of trust required for standard public sector procurement.

The SME Fast-Track: Article 17(3) Derogation

The core mechanism for cost-efficient compliance for SMEs is found in Article 17(3) of the CADA proposal. The standard procedure outlined in Article 17 requires any cloud computing service provider to submit an application for recognition to the national competent authority of their establishment. This authority then assesses the evidence, potentially requests further information, and issues a recognition decision. This process, while rigorous, involves administrative fees, legal review, and a mandatory 60-day review period by other Member States (Article 17(5)), creating significant time and cost barriers.

However, Article 17(3) introduces a specific derogation for SMEs. The text states:

"By way of derogation from the first subparagraph, the EU statement of conformity issued under Article 19(2) by cloud computing service providers that are SMEs shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority."

This provision is the cornerstone of the "cheapest" compliance strategy. It fundamentally alters the market entry process for SMEs by removing three major cost drivers:

  1. Formal Application Fees: SMEs are exempt from paying for the NCA's administrative processing of a recognition application.
  2. Third-Party Audits: Unlike levels 2, 3, and 4, which require independent third-party audits under Article 20, Union assurance level 1 relies solely on the provider's self-assessment.
  3. Administrative Lag: The automatic recognition means the provider can market their service as compliant immediately upon issuing the statement, rather than waiting for the 60-day evaluation period and potential cross-border objections.

The Role of the EU Statement of Conformity (Article 19)

To utilize this fast-track, an SME must issue an EU statement of conformity. Article 19 governs this entire process, shifting the burden of proof from an external auditor to the provider's internal governance.

Article 19(1) requires providers seeking recognition for Union assurance level 1 to carry out a conformity self-assessment of compliance with the criteria for that level set out in Annex II. This is not a superficial check; it requires the provider to verify that they meet every cumulative criterion.

Following this self-assessment, Article 19(2) mandates that the provider issues the EU statement of conformity. The text is explicit about the legal weight of this document:

"By issuing such a statement, the cloud computing service provider shall assume responsibility for the compliance of the cloud computing service with the criteria for Union assurance level 1 set out in Annex II."

Crucially, Article 19(3) requires that this statement be made publicly available. This transparency allows public sector buyers to verify the provider's compliance status without requiring an intermediary certification body. The statement serves as the sole evidence of compliance for the purpose of market access under the fast-track.

Meeting the Criteria: Annex II Requirements

While the process is simplified, the substance of compliance remains strict. The SME must meet the cumulative criteria for Union assurance level 1 as defined in Annex II of the CADA proposal. Failure to meet these criteria, even with a self-assessment, constitutes an infringement. The key criteria include:

  • Establishment: The provider must be established in the Union.
  • Infrastructure Location: The infrastructure and assets of the provider, including those of subcontractors involved in the service, must be located in the Union, unless the public sector body explicitly requires otherwise.
  • Data Residency: Customer data, including metadata and telemetry, must remain exclusively within the Union, unless the public sector body explicitly requires otherwise.
  • Cybersecurity: The provider must demonstrate that the service complies with state-of-the-art cybersecurity standards.
  • Subcontractor Transparency: The provider must provide full transparency around the use of subcontractors, subjecting them to due diligence, contractual obligations, and ongoing oversight.
  • Third-Country Control: If the provider is subject to the control of a third country, they must guarantee that no laws in that country require reporting software vulnerabilities to foreign authorities prior to exploitation.

For an SME, the cost-efficiency comes from managing these internal controls rather than paying for external verification. The provider must maintain documented evidence, internal control procedures, and continuous monitoring to substantiate their self-assessment. While they do not pay an auditing organization, they must invest in the internal capacity to generate the evidence that would otherwise be scrutinized by an auditor.

Procurement Implications

The value of this low-cost compliance path is realized in public procurement. Under Article 30(2) of CADA, Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order (i.e., non-critical activities) shall use cloud computing services that have been recognised under Article 17 as having a Union assurance level 1.

By leveraging the Article 17(3) derogation, SMEs can access this significant segment of the public market without the heavy financial burden of higher-level assurance certifications. This is particularly relevant for general administrative services, non-sensitive data processing, and other standard public sector functions where the risk assessment under Article 29 does not mandate levels 2, 3, or 4.

What this means for you

If you are an SME cloud provider, you can significantly reduce your compliance costs by targeting Union assurance level 1 and utilizing the automatic recognition mechanism. However, this "cheap" path requires rigorous internal discipline.

  1. Prioritize Internal Controls: Invest in robust internal documentation and monitoring systems. Since there is no external auditor to catch gaps, your internal processes must be rigorous enough to withstand scrutiny from national competent authorities if a complaint is lodged or a random check is performed.
  2. Document Everything: Your self-assessment under Article 19 must be based on documented evidence. Maintain clear records of data residency, subcontractor agreements, and cybersecurity measures. This documentation is your proof of compliance and your defense against potential penalties.
  3. Publish Your Statement: Ensure your EU statement of conformity is publicly accessible as required by Article 19(3). This transparency builds trust with potential public sector clients and proves your eligibility for level 1 procurement.
  4. Monitor Subcontractors: A common pitfall for SMEs is overlooking subcontractors. Annex II requires that subcontractors involved in service provision also meet location and data residency criteria. Ensure your contracts with subcontractors explicitly mandate these requirements and that you have ongoing oversight mechanisms in place.
  5. Stay Informed on Updates: The criteria for assurance levels are subject to review by the Commission every 18 months (Article 16(3)). Keep your internal controls updated to reflect any changes in the delegated acts or Annex II criteria.

Common misconceptions

  • "Level 1 is 'no compliance'": Union assurance level 1 is not a free pass. It requires strict adherence to data residency, infrastructure location, and cybersecurity standards. The difference is that you verify this compliance, not an external auditor.
  • "SMEs can skip documentation": While SMEs skip the audit, they do not skip the evidence. National competent authorities retain investigative powers under Article 26. If a provider's statement is challenged, the NCA can inspect premises and demand information. Poor documentation will lead to revocation of recognition and potential penalties under Article 24.
  • "Automatic recognition means no oversight": The national competent authority of establishment still has supervisory powers. They can investigate suspected infringements and impose penalties. The derogation only removes the pre-market recognition step, not the post-market oversight.
  • "All public contracts require Level 1": Only non-critical public sector activities require Level 1. Critical activities (e.g., defense, justice, law enforcement) require Levels 2–4, which do require independent audits and do not benefit from the SME fast-track. SMEs must carefully assess which procurement opportunities they are eligible for based on the risk assessment under Article 29.

This is general information about a draft EU regulation, not legal advice.