Summary
Under the proposed Cloud and AI Development Act (CADA), existing national sovereignty certifications, such as France's SecNumCloud, Germany's C5 or Spain's ENS, do not automatically grant EU-wide recognition for public sector cloud procurement. Instead, CADA establishes a harmonised Union cloud computing sovereignty framework with four assurance levels that providers must meet to serve Union entities and public sector bodies. Evidence from national schemes may support a provider's application for CADA recognition, but it cannot replace the mandatory EU-wide recognition procedure administered by national competent authorities. Providers holding national certificates must complete the CADA recognition procedure to access the broader EU public market.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, represents a fundamental shift from a fragmented landscape of national sovereignty schemes to a single, harmonised Union framework. Currently, Member States have developed distinct national approaches to assess cloud trustworthiness. CADA aims to replace this patchwork with a unified legal framework to ensure the functioning of the internal market and safeguard the Union's public order.
The Union Cloud Computing Sovereignty Framework
As established in Article 16, CADA creates a framework comprising four distinct "Union assurance levels." These levels define the cumulative criteria that cloud computing service providers must meet to offer services to Union entities and public sector bodies. The specific criteria are detailed in Annex II of the proposal:
- Union Assurance Level 1: Focuses on basic establishment in the Union, data residency within the Union, and compliance with state-of-the-art cybersecurity standards. It relies on a self-assessment.
- Union Assurance Level 2: Adds requirements for independent third-party audits, strict data localisation, and conditional personnel screening. It requires a European cybersecurity certificate of at least assurance level 'substantial'.
- Union Assurance Level 3: Raises the bar to mandatory Union citizenship for personnel (unless the public body waives this), requires a 'substantial' cybersecurity certificate, and generally prohibits third-country control. Crucially, Article 18 provides a derogation mechanism: the Commission may adopt implementing acts identifying specific third countries where providers subject to that country's control may still be audited for Level 3, provided strict safeguards are met.
- Union Assurance Level 4: The highest tier, requiring a 'high' assurance cybersecurity certificate, mandatory Union citizenship for all personnel, and a strict prohibition on third-country control with no derogation possible under Article 18.
This framework is designed to preserve public order by ensuring public-sector bodies maintain control and agency. The proposal notes that while most public services would not require the highest levels, specific cases involving national security, defence, or critical infrastructure may necessitate Union assurance levels 3 or 4.
Recognition, Not Automatic Equivalence
A critical distinction in CADA is that national certifications do not automatically equate to Union assurance levels. Article 17 sets out the exclusive mechanism for cloud computing service providers to be recognised as offering a specific Union assurance level. To achieve this, a provider must submit an application for recognition to the national competent authority of establishment.
The process differs by level:
- For Level 1: Providers must submit an EU statement of conformity based on a self-assessment. Notably, for Small and Medium-sized Enterprises (SMEs), this statement is directly and automatically recognised in all Member States without prior review by the competent authority.
- For Levels 2, 3, and 4: Providers must undergo independent third-party audits and submit an audit report with a 'positive' audit opinion to the evaluating national competent authority.
Once the national competent authority concludes the recognition procedure positively, the cloud computing service is recognised across the Union as offering the applicable Union assurance level. This creates a "single passport" effect: a service recognised in one Member State is recognised in all. However, this recognition is contingent on meeting the specific CADA criteria in Annex II, not merely on holding a national certificate.
The Role of National Schemes (SecNumCloud, C5, ENS)
National schemes like SecNumCloud, C5, and ENS predate CADA and have played a crucial role in building trust in sovereign cloud services within their respective jurisdictions. Under CADA, these schemes do not disappear, but their legal function changes. They become evidence-based tools rather than regulatory endpoints for EU-wide procurement.
When a cloud provider applies for CADA recognition under Article 17, it must provide all relevant evidence required to demonstrate compliance with the Union assurance level criteria. Evidence derived from existing national certifications can be used to substantiate parts of this application. For example:
- A SecNumCloud certificate might provide robust evidence regarding data residency, operational autonomy, and cybersecurity controls, which are key components of CADA's higher assurance levels.
- Germany's C5 or Spain's ENS could similarly serve as proof of compliance with specific technical or organisational measures.
However, the final determination of CADA recognition rests with the national competent authority assessing compliance against the harmonised Union criteria, not the issuing body of the national scheme. The national scheme acts as a supporting document, not a substitute for the CADA recognition decision.
Public Procurement Implications
The drive for harmonised recognition is closely tied to public procurement rules. Article 30 mandates that Union entities and public sector bodies whose activities contribute to the preservation of public order must procure cloud computing services that have been recognised as having a Union assurance level 2, 3, or 4. Conversely, contracting authorities whose activities have not been identified as contributing to public order must use services recognised at Union assurance level 1.
This means that a cloud provider holding only a national sovereignty certification (e.g., SecNumCloud), without formal CADA recognition, would not be eligible to bid for these specific public sector contracts across the EU. The harmonised framework ensures that public authorities across the Union can rely on a consistent baseline of sovereignty and security, reducing the complexity of assessing providers from different Member States.
Transition and Oversight
The proposal acknowledges the transition from national to Union-level frameworks. Member States are required to designate national competent authorities responsible for enforcing the cloud sovereignty framework (Article 25). These authorities will have the power to investigate and enforce compliance, including the power to order the cessation of infringements and impose fines (Article 26).
The Commission will also establish and maintain a central repository of cloud computing services that have been recognised under the Union assurance levels (Article 22). This repository will be publicly available, allowing public sector buyers to easily identify which providers have met the required sovereignty standards. This transparency is intended to reduce information asymmetry and foster a more competitive market for European cloud providers.
What this means for you
For cloud service providers and data centre operators, particularly those already certified under national schemes like SecNumCloud, C5 or ENS, CADA introduces both challenges and opportunities.
1. Recertification is likely necessary: Holding a national sovereignty certificate will not automatically qualify you for EU-wide public sector procurement. You will need to undergo the CADA recognition process under Article 17. This involves submitting your evidence to the national competent authority of your establishment and, for levels 2 to 4, undergoing an independent audit against the specific CADA criteria in Annex II.
2. Leverage existing evidence: While you must meet CADA's specific criteria, you can use your existing national certifications as part of your evidence package. If your SecNumCloud or C5 certification already demonstrates compliance with data residency, personnel screening, or supply chain controls, document this clearly. This can streamline the audit process, as auditors and competent authorities will already have verified some of your controls.
3. Prepare for harmonised audits: The CADA framework requires independent third-party audits for levels 2, 3, and 4. Ensure your internal processes and documentation are aligned with the CADA criteria, not just your national scheme's requirements. The audit criteria in Annex II are cumulative; for example, to achieve Level 3, you must also meet all Level 1 and Level 2 criteria.
4. Monitor national competent authority designations: Each Member State will designate one or more national competent authorities to handle CADA recognition and enforcement. Identify your relevant authority early and engage with them to understand their specific procedural requirements for submitting applications for recognition.
5. Update procurement strategies: If you target the public sector, update your marketing and sales materials to highlight your CADA assurance level once recognised. Public sector buyers will rely on the central repository and the recognised assurance levels when making procurement decisions under Article 30.
Common misconceptions
Misconception 1: National sovereignty certifications are obsolete. While CADA provides the EU-wide legal framework for public procurement, national schemes like SecNumCloud and C5 still hold value. They may be required by specific national public bodies for non-EU-harmonised reasons, or they may serve as valuable evidence in the CADA recognition process. They are not "replaced" in terms of their technical rigor, but they are superseded in terms of EU-wide regulatory recognition for public sector contracts.
Misconception 2: CADA recognition is automatic for nationally certified providers. CADA does not provide for automatic mutual recognition of national schemes. Each provider must undergo the specific CADA recognition process outlined in Article 17. The national competent authority makes the final decision based on evidence submitted against the Union assurance level criteria, not on the existence of a national certificate alone.
Misconception 3: Only EU-based providers can achieve recognition. While CADA emphasises reducing dependence on third-country providers, it does not explicitly ban non-EU providers from achieving recognition. However, the criteria for higher assurance levels (particularly Levels 3 and 4) include strict requirements regarding third-country control, data residency, and personnel citizenship. Article 18 provides a mechanism for the Commission to identify third countries that offer sufficient assurances, but this is subject to strict cumulative criteria, including adequacy decisions and the absence of measures that could compel service disruption or data access.
Misconception 4: CADA replaces the GDPR or Cybersecurity Act. CADA is complementary to existing EU laws. It does not replace the GDPR's data protection requirements or the Cybersecurity Act's certification schemes. In fact, CADA's criteria for Union assurance levels explicitly reference compliance with state-of-the-art cybersecurity standards and, where applicable, European cybersecurity certificates. Providers must comply with all applicable EU regulations simultaneously.
This is general information about a draft EU regulation, not legal advice.