Summary Under the proposed Cloud and AI Development Act (CADA), small and medium-sized enterprises (SMEs) benefit from a streamlined, "fast-track" pathway to EU-wide market access for Union Assurance Level 1 cloud services. As explicitly provided in Article 17(3), second subparagraph, an EU statement of conformity issued by an SME is directly and automatically recognised in all Member States. This means qualifying SMEs do not need to undergo prior recognition by a national competent authority (NCA) to offer their services across the Union. This mechanism significantly reduces administrative barriers, eliminates the 60-day assessment and review periods required for larger providers, and accelerates time-to-market for smaller entities while maintaining a baseline of trust.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised sovereignty framework for cloud computing services, structured around four Union Assurance Levels. For many SMEs, Union Assurance Level 1 represents the foundational requirement for accessing the public sector market, particularly for non-critical activities where the highest levels of sovereignty (Levels 2–4) are not mandated by risk assessments. The legislative design recognises that smaller entities often lack the resources to navigate complex, multi-stage administrative procedures. Consequently, CADA introduces a proportionate mechanism for achieving and leveraging recognition that balances market access with regulatory oversight.

The Automatic Recognition Mechanism

The core provision governing this process is found in Article 17 of the CADA proposal, which outlines the general procedure for the recognition of cloud computing service providers. Under the standard procedure, providers seeking recognition for Union Assurance Level 1 must submit an application to the national competent authority (NCA) of their establishment, accompanied by an EU statement of conformity and all necessary evidence (Article 17(1) and Article 17(3), first subparagraph). The NCA then assesses this evidence. If satisfied, it prepares a draft recognition decision and notifies other Member States for a 60-day review period (Article 17(5)). Only after this review period, if no reasoned objections are raised, is the service recognised across the Union (Article 17(7)).

However, CADA introduces a specific derogation for SMEs to accelerate their market entry and reduce administrative burdens. Article 17(3), second subparagraph states:

"By way of derogation from the first subparagraph, the EU statement of conformity issued under Article 19(2) by cloud computing service providers that are SMEs shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority."

This provision creates a "passporting" effect for SMEs. Once an SME has conducted its conformity self-assessment and issued a valid EU statement of conformity in accordance with Article 19, that statement serves as sufficient proof of compliance with Union Assurance Level 1 criteria across the entire European Union. The SME does not need to wait for an NCA to review its application, nor does it need to navigate the 60-day assessment and 60-day review periods that apply to other providers. The recognition is immediate upon the issuance of the statement, provided the provider correctly qualifies as an SME.

The Role of the EU Statement of Conformity

To leverage this automatic recognition, the SME must first produce a compliant EU statement of conformity. Article 19 outlines the conformity self-assessment process specifically for Union Assurance Level 1. The provider must:

  1. Carry out a conformity self-assessment against the criteria set out in Annex II of CADA (Article 19(1)).
  2. Issue an EU statement of conformity stating that compliance with the criteria for Union Assurance Level 1 has been demonstrated (Article 19(2)).
  3. Assume full responsibility for the compliance of the cloud computing service with the Level 1 criteria by issuing this statement (Article 19(2)).
  4. Make the EU statement of conformity publicly available (Article 19(3)).

The definition of an SME for this purpose is aligned with Commission Recommendation 2003/361/EC, as referenced in Article 2(8) of CADA. It is crucial that the provider correctly categorises itself as an SME to qualify for this automatic recognition. If a provider exceeds the SME thresholds (typically fewer than 250 employees and a turnover or balance sheet total not exceeding specified limits), they must follow the standard NCA recognition procedure under Article 17(3), first subparagraph. The automatic recognition is a privilege tied strictly to the size and status of the entity.

Implications for Market Access and Enforcement

For contracting authorities and public sector bodies, the presence of a valid EU statement of conformity from an SME is sufficient to treat the service as recognised for Union Assurance Level 1. This simplifies procurement processes, as public buyers do not need to verify a separate recognition decision from an NCA. The central repository of recognised services, established under Article 22, will likely include these SME-provided services, further enhancing visibility and trust. The national competent authority of establishment is responsible for registering the service in the central repository once the statement is issued, ensuring the service is visible to the market.

However, automatic recognition does not exempt SMEs from the substantive requirements of Union Assurance Level 1. The criteria in Annex II still apply in full, including requirements for establishment in the Union, data localisation within the Union (unless explicitly required otherwise by the public sector body), and compliance with state-of-the-art cybersecurity standards. The self-assessment must be robust, as the provider assumes full responsibility for the accuracy of the statement.

Furthermore, the lack of prior NCA approval does not mean a lack of oversight. National competent authorities retain full investigative and enforcement powers under Article 26. If an NCA suspects an infringementβ€”for example, if an SME has issued a false statement of conformityβ€”it can order the cessation of infringements, impose fines, or request the revocation of the recognition. The burden of proof shifts to the provider to demonstrate compliance if challenged.

What this means for you

If you are an SME cloud service provider or data centre operator looking to expand across the EU under the proposed CADA, this provision offers a significant competitive advantage. Here is how you should prepare:

  1. Verify SME Status Rigorously: Ensure your company meets the EU definition of an SME as defined in Article 2(8) and Commission Recommendation 2003/361/EC. Keep documentation ready to prove this status if requested by auditing bodies, contracting authorities, or NCAs. If you grow beyond these limits, you lose the automatic recognition benefit.
  2. Focus on Self-Assessment Quality: Since there is no NCA pre-approval, the onus is entirely on you to conduct a thorough self-assessment against the Annex II criteria for Level 1. Errors in your assessment can lead to liability, loss of trust, and potential penalties under Article 24. The statement is a legal declaration, not a marketing slogan.
  3. Issue a Clear and Public Statement: Follow Article 19(2) and 19(3) strictly. Your EU statement of conformity must be clear, unambiguous, and publicly accessible. Consider linking to it in your marketing materials, tender responses, and on your website.
  4. Monitor Changes and Notify: Be aware that if your company grows and exceeds SME thresholds, you will need to transition to the standard NCA recognition process under Article 17(3), first subparagraph. Plan for this transition to avoid gaps in your recognised status. Additionally, under Article 23, you must notify the relevant authorities of any material changes that affect your compliance.
  5. Engage with Public Buyers: Educate potential public sector clients about the validity of your EU statement of conformity. Emphasise that under the proposed CADA, this document carries the same legal weight as an NCA-issued recognition for Level 1 services across all Member States.

Common misconceptions

  • "Automatic recognition means no compliance checks." Incorrect. While you do not need NCA pre-approval, you must still comply with all Union Assurance Level 1 criteria in Annex II. The self-assessment is not a formality; it is a legal declaration of compliance. National competent authorities retain investigative powers under Article 26 to check for infringements, even for automatically recognised SMEs.

  • "This applies to all assurance levels." Incorrect. The automatic recognition derogation in Article 17(3), second subparagraph applies only to Union Assurance Level 1. For Levels 2, 3, and 4, all providers, including SMEs, must undergo independent third-party audits and obtain recognition from the NCA (Article 17(4) and Article 20).

  • "I don't need to register anywhere." Misleading. While you don't need NCA recognition, the national competent authority of establishment is still responsible for registering the service in the central repository maintained by the Commission under Article 22. Being listed in the repository enhances market visibility and is likely a requirement for public procurement.

  • "My statement is valid forever." Incorrect. The EU statement of conformity reflects your compliance at the time of issue. Under Article 23, you must notify the relevant authorities of any material changes that affect your compliance. If your circumstances change (e.g., you outsource to non-EU subcontractors in a way that violates Level 1 criteria), your statement may no longer be valid, and you risk penalties for non-compliance.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.