Summary As proposed in the Cloud and AI Development Act (CADA), small and medium-sized enterprises (SMEs) benefit from a unique "fast track" for Union assurance level 1: their EU statement of conformity is automatically recognised across all Member States without prior evaluation by a national competent authority. In contrast, large providers (non-SMEs) and any provider seeking levels 2, 3, or 4 must undergo a rigorous process involving independent third-party audits and a formal 60-day evaluation plus a 60-day cross-border review period. This distinction aims to lower market entry barriers for smaller European innovators while maintaining strict sovereignty controls for higher-risk services.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised "Union cloud computing sovereignty framework" comprising four assurance levels. The pathway to recognition under Article 17 diverges sharply based on two variables: the legal status of the provider (SME vs. large) and the assurance level sought.

The SME Fast Track: Automatic Recognition at Level 1

For providers qualifying as SMEs under Commission Recommendation 2003/361/EC, the proposal introduces a specific derogation designed to accelerate the uptake of sovereign cloud services from smaller European entities.

Under Article 17(3), an SME seeking recognition for Union assurance level 1 must still submit an EU statement of conformity and the necessary evidence to the evaluating national competent authority. However, the text explicitly states: "By way of derogation from the first subpragraph, the EU statement of conformity issued under Article 19(2) by cloud computing service providers that are SMEs shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority."

This mechanism fundamentally alters the compliance timeline for SMEs at the baseline level:

  • No Prior Evaluation: The national competent authority does not need to assess the evidence or issue a formal recognition decision before the service is valid Union-wide.
  • Immediate Effect: Once the SME issues the statement of conformity (following the self-assessment requirements of Article 19), the service is recognised across the Union.
  • Administrative Relief: This removes the 60-day evaluation clock and the subsequent 60-day cross-border review period that applies to all other applicants.

The policy intent, as reflected in the proposal's structure, is to reduce administrative burdens and foster competition by allowing smaller providers to enter the public procurement market for baseline sovereign services rapidly.

The Standard Path: Full Evaluation for Large Providers and Higher Levels

Large providers (entities exceeding SME thresholds) and all providersβ€”regardless of sizeβ€”seeking Union assurance levels 2, 3, or 4 are excluded from the automatic recognition derogation. They must navigate the full procedural framework outlined in Article 17.

1. Application and Evidence Requirements

The provider must submit an application to the national competent authority of establishment.

  • For Level 1 (Large Providers): While they also rely on self-assessment under Article 19, they must submit their EU statement of conformity to the authority for processing. They do not receive the "automatic" status granted to SMEs.
  • For Levels 2–4: The application must include an audit report and a "positive" audit opinion from an independent auditing organisation, as mandated by Article 17(4) and Article 20.

2. The 60-Day Evaluation Period

Once the evaluating national competent authority accepts the application, it has 60 days to assess the evidence.

  • If the evidence is insufficient, the authority may request further information, suspending the 60-day clock for up to 30 days.
  • If the evidence is sufficient, the authority prepares a draft recognition decision.

3. The 60-Day Cross-Border Review

Before the recognition becomes final, the evaluating authority must notify the competent authorities of all other Member States.

  • Review Period: Other Member States have 60 days to submit reasoned objections or requests for clarification if they believe the draft decision does not comply with the Union assurance level criteria set out in Annex II.
  • Dispute Resolution: If an objection is raised, the evaluating authority must assess it. If the objection is maintained and not resolved, the matter may be referred to the Commission, which adopts a binding decision under Article 17(10).

4. Final Recognition

Only if no reasoned objection is submitted within the review period does the evaluating authority adopt the recognition decision, rendering the service recognised throughout the Union.

Key Differences in Assessment Mechanisms

The divergence in treatment is rooted in the assessment methodology required for each level and the policy goal of balancing market entry with sovereignty assurance.

Feature SMEs at Level 1 Large Providers at Level 1 All Providers at Levels 2–4
Assessment Method Conformity self-assessment (Article 19) Conformity self-assessment (Article 19) Independent third-party audit (Article 20)
Authority Role None prior to recognition (Automatic) Evaluation and notification required Evaluation and notification required
Cross-Border Review None Yes (60-day period) Yes (60-day period)
Time to Recognition Immediate upon statement issuance Minimum ~120 days (60 eval + 60 review) Minimum ~120 days + audit time
Legal Basis Article 17(3) derogation Article 17(3) first subparagraph Article 17(4)

Note on Level 1 for Large Providers: While large providers use the same self-assessment mechanism as SMEs for Level 1, they do not benefit from the "automatic" recognition clause. They must submit their statement to the authority, triggering the standard evaluation and notification procedures. This ensures that larger market players, even at the baseline level, undergo a degree of supervisory scrutiny that SMEs are exempted from to foster agility.

What this means for you

For cloud service providers (CSPs), data centre operators, and their legal/compliance teams, correctly classifying your entity and selecting the appropriate assurance level is critical for resource planning.

For SMEs

  • Speed to Market: You can launch sovereign cloud services for public procurement (Level 1) almost immediately after completing your self-assessment. You bypass the 120-day minimum timeline that applies to others.
  • Cost Efficiency: You avoid the direct costs of independent audits for Level 1 and the administrative costs of managing a cross-border review process.
  • Strategic Limitation: The automatic recognition is strictly limited to Level 1. If your growth strategy targets public-sector activities requiring higher assurance (e.g., law enforcement, defence, or critical infrastructure under Article 29), you must prepare for the full audit and evaluation regime.
  • Compliance Responsibility: "Automatic" does not mean "unregulated." You remain fully liable for the accuracy of your self-assessment under Article 19. If you supply incorrect information, the authority can revoke recognition under Article 17(11).

For Large Providers

  • Timeline Management: You must budget for a minimum of 120 days (60 days evaluation + 60 days review) for Level 1 recognition, excluding the time required to prepare the application. For Levels 2–4, add the time required for the independent audit (which can take months depending on complexity).
  • Audit Preparation (Levels 2–4): Engage independent auditing organisations early. Article 20 imposes strict independence rules: auditors cannot have provided non-audit services to you in the 12 months prior or after the audit, and must rotate every 10 years.
  • Cross-Border Readiness: Be prepared to respond to queries from other Member States during the review period. Under Article 17(5)(b), failure to provide requested information can suspend the evaluation clock, delaying your market entry.
  • Level 1 Strategy: Even for Level 1, do not assume a "self-service" approach. You must formally submit your statement to the national authority and wait for the notification process to conclude before claiming Union-wide recognition.

Common misconceptions

Misconception 1: "SMEs are exempt from all audits and oversight." Correction: The exemption applies only to the recognition procedure for Level 1. SMEs must still perform a conformity self-assessment under Article 19. Furthermore, if an SME seeks Level 2, 3, or 4, it is subject to the exact same independent audit requirements (Article 20) and full evaluation process as a large provider. The automatic recognition derogation in Article 17(3) does not extend to higher levels.

Misconception 2: "Automatic recognition means SMEs don't need to submit anything." Correction: SMEs must still submit their EU statement of conformity and all necessary evidence to the evaluating national competent authority under Article 17(3). The "automatic" nature refers to the legal effect of that submission (immediate recognition) rather than the submission process itself. The authority receives the data for monitoring purposes, even if it does not issue a prior decision.

Misconception 3: "Large providers can skip the cross-border review for Level 1." Correction: No. The derogation in Article 17(3) is explicitly limited to "cloud computing service providers that are SMEs." Large providers must follow the standard procedure in Article 17(3) (first subparagraph), which includes the 60-day evaluation and the 60-day cross-border review period.

Misconception 4: "The audit for Level 2 is optional if you are a small provider." Correction: Article 20(1) states that "Cloud computing service providers seeking recognition... as offering Union assurance level 2, 3, or 4, shall undergo... independent third-party audits." This obligation applies to all providers seeking these levels, regardless of size.

Official sources

Related

This is general information about a draft EU regulation, not legal advice.