Summary
As proposed, the Cloud and AI Development Act (CADA) establishes a single, publicly accessible central repository to help public-sector buyers compare sovereign cloud providers. Mandated by Article 22, this digital register lists only those cloud services formally recognised at specific Union assurance levels (1 through 4). It serves as the definitive source for verifying a provider's sovereignty status, allowing procurement officers to instantly filter providers based on audited criteria rather than marketing claims. By consolidating audit results and recognition decisions, the framework removes the need for fragmented, manual due diligence across different national jurisdictions, ensuring that buyers can compare providers against a uniform EU-wide standard.
Detail
The Cloud and AI Development Act addresses a critical pain point for European public-sector buyers: the difficulty of verifying and comparing the sovereignty guarantees of different cloud computing services. Currently, sovereignty claims are often marketing-driven, opaque, or defined by divergent national standards, making cross-border procurement risky and inefficient. As proposed, CADA resolves this by creating a harmonised, auditable framework centred on a centralised digital repository.
The Central Repository as a Comparison Tool
The cornerstone of this comparison mechanism is the central repository of cloud computing services, established under Article 22. This repository is not merely a list of providers; it is a legally binding register of services that have successfully undergone the rigorous assessment procedures defined in Title IV of the regulation.
Article 22(1) mandates that the European Commission shall establish and maintain this dedicated repository. It serves as the authoritative source for identifying which cloud computing services have been officially recognised as offering Union assurance levels 1, 2, 3, or 4. The national competent authority of establishment that recognised a service is responsible for registering it in this central repository.
Crucially for procurement officers, Article 22(4) states that the central repository "shall be publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website." This provision ensures transparency. Buyers do not need special credentials, internal Commission access, or legal clearance to view the status of a provider. They can visit the website, search for a specific service or provider, and see exactly which assurance level it holds. This public accessibility is the key enabler for market comparison, allowing any contracting authority to verify a vendor's status before launching a tender.
How the Comparison Works
The repository enables comparison by standardising the data points available for every recognised service. Instead of comparing vague marketing claims, buyers compare concrete, audited statuses:
- Assurance Level Verification: The repository explicitly states whether a service is recognised at Union assurance level 1, 2, 3, or 4. This allows buyers to quickly filter providers based on the minimum assurance level required by their risk assessment (as determined under Article 29). For example, a ministry of defence requiring Level 4 can instantly filter out providers only recognised at Level 1 or 2. This filtering capability transforms the procurement process from a manual review of hundreds of documents into a targeted search for compliant solutions.
- Recognition Status and History: The repository indicates whether a service's recognition is active, suspended, or revoked. Article 22(3) specifies that any revocation of an audit report or recognition by a competent authority "shall be published in the central repository and shall remain available there for five years." This historical transparency allows buyers to assess the stability and reliability of a provider over time. A provider with a history of revocations, even if currently re-recognised, presents a different risk profile than one with a clean record.
- Competent Authority Oversight: The repository identifies the national competent authority of establishment that granted the recognition. This provides a clear line of accountability and regulatory oversight, which is a key factor in sovereignty evaluations. It ensures that the recognition is not a self-declared status but one backed by a designated public authority.
The Underlying Assurance Framework
The comparison is only meaningful because of the strict criteria behind each assurance level, detailed in Annex II of CADA. The repository reflects the outcome of these complex audits, acting as a summary of the provider's compliance with sovereignty requirements:
- Union Assurance Level 1: Requires a conformity self-assessment and an EU statement of conformity. It ensures basic establishment in the Union and data residency, unless the public sector body explicitly requires otherwise.
- Union Assurance Levels 2, 3, and 4: Require independent third-party audits. These levels impose progressively stricter criteria regarding personnel citizenship, infrastructure location, absence of third-country control, and cybersecurity certifications.
By listing the assurance level, the repository effectively communicates the depth of the sovereignty guarantees. A provider at Level 3, for instance, has been audited to ensure that its subcontractors are established in the Union, its personnel are Union citizens (conditional on public body requirements for Level 2, mandatory for Level 3), and it is not subject to the control of a third country (with limited exceptions for associated third countries under Article 18). A Level 4 provider further requires a "high" assurance cybersecurity certificate and stricter controls on third-country influence.
Ensuring Accuracy and Updates
For the repository to be a reliable comparison tool, the data must be current. CADA imposes transparency obligations on providers to ensure this. Article 23 requires recognised cloud computing service providers to notify their auditing organisation and the national competent authority of any material changes that could affect their assurance level.
If a provider's circumstances change such that they no longer meet the criteria for their recognised level, the auditing organisation may amend or revoke the audit report. Consequently, the competent authority may amend or revoke the recognition. These changes are then reflected in the central repository. This dynamic updating mechanism ensures that buyers are comparing against the most recent, verified status of a provider, rather than outdated information. The repository thus acts as a living document of the market's sovereignty landscape.
What this means for you
For public-sector procurement officers and legal teams, the CADA central repository transforms the due diligence process from a manual, high-risk activity into a streamlined, verifiable step.
1. Streamlined Procurement Processes: Previously, verifying a provider's sovereignty status might have required engaging legal experts to review complex contractual clauses, auditing reports, or national certifications. With the repository, you can perform an initial check in minutes. If a provider claims to offer "sovereign cloud services," you can verify this claim by checking if they are listed in the repository with the appropriate assurance level. This reduces the time and cost associated with pre-qualification phases of procurement, allowing teams to focus on technical and functional requirements.
2. Risk-Based Decision Making: CADA requires Member States and Union entities to conduct risk assessments to determine the necessary assurance level for specific activities (Article 29). The repository allows you to directly map these risk-based requirements to available market options. If your risk assessment dictates that a service must be at least Level 2, you can confidently exclude any provider not listed at Level 2, 3, or 4 in the repository. This alignment between risk assessment and procurement criteria strengthens the legal defensibility of your purchasing decisions, ensuring compliance with Article 30 procurement obligations.
3. Enhanced Market Transparency: The public nature of the repository levels the playing field. It prevents providers from making unsubstantiated sovereignty claims. If a provider is not in the repository, they have not been formally recognised under the CADA framework. This clarity helps you avoid vendors who may be "sovereign-washing" — using the term loosely without meeting the strict, audited criteria of the regulation. It creates a clear distinction between recognised sovereign offers and standard commercial cloud services.
4. Ongoing Monitoring: Procurement is not a one-time event. The repository serves as a monitoring tool for existing contracts. If a provider's recognition is revoked or downgraded, this change will be published in the repository. This allows you to proactively manage risks and trigger contract review clauses if a provider's sovereignty status deteriorates during the contract term. It provides a mechanism for continuous compliance monitoring without requiring constant re-audits by the buyer.
5. Cross-Border Procurement Confidence: The repository facilitates cross-border procurement by providing a single, EU-wide standard. A provider recognised in one Member State is recognised across the Union. This means a procurement officer in Germany can trust the recognition granted by a competent authority in France, as both feed into the same central repository. This harmonisation is essential for the development of a true European cloud market, reducing fragmentation and enabling the EuroCloud Federation.
Common misconceptions
Misconception 1: The repository lists all cloud providers.
The repository does not list every cloud provider operating in the EU. It only lists those that have applied for and received formal recognition under the CADA framework. If a provider is not listed, it does not necessarily mean they are non-compliant with all EU laws (such as GDPR or NIS2), but it does mean they have not been formally recognised as offering a specific Union assurance level under CADA. Buyers should not assume a provider is "sovereign" simply because they are not listed; they should verify their status explicitly.
Misconception 2: Being in the repository guarantees suitability for all use cases.
Inclusion in the repository confirms that a service meets the technical and legal criteria for a specific assurance level. It does not automatically mean the service is suitable for every public-sector use case. Buyers must still conduct their own risk assessments (Article 29) to determine which assurance level is appropriate for their specific data sensitivity and operational requirements. A Level 1 service might be perfectly suitable for a low-risk administrative task, but inappropriate for a high-security defence application.
Misconception 3: The repository replaces the need for contractual due diligence.
While the repository provides a verified starting point, it does not replace the need for robust contractual agreements. Buyers should still include specific clauses in their contracts regarding data protection, security incident response, and audit rights. The repository confirms the provider's baseline status, but the contract governs the ongoing relationship and specific service-level agreements.
Misconception 4: Recognition is permanent.
Recognition is not a one-time stamp of approval. Providers must maintain their compliance with the assurance level criteria. As noted in Article 22(3), revocations are published and remain visible for five years. Buyers should periodically check the repository to ensure that a provider's status has not changed during the contract term.
This is general information about a draft EU regulation, not legal advice.