Summary

As proposed, the Cloud and AI Development Act (CADA) would transform trust in the EU cloud market by replacing vague marketing claims with a standardized, auditable sovereignty framework. Under Article 17, cloud providers must undergo a formal recognition process to prove they meet specific "Union assurance levels," while Article 22 mandates a central public repository where buyers can verify these credentials. This system allows procurement officers to confidently compare services based on verified, independent audits rather than unverified vendor promises, ensuring that critical public data is protected against external dependencies and operational disruptions.

Detail

The current European cloud market is characterized by a significant information asymmetry. While many providers claim their services are "sovereign" or "trusted," there has historically been no harmonized EU-wide definition of what this means. This lack of standardization creates uncertainty for public-sector buyers who need to ensure that their digital infrastructure is resilient, secure, and free from undue third-country control. CADA addresses this by introducing a structured trust mechanism centered on formal recognition and transparency, turning "sovereignty" from a buzzword into a verifiable legal status.

The Recognition Mechanism: Article 17

At the heart of CADA's trust framework is the recognition process outlined in Article 17. This article establishes a clear, legal pathway for cloud computing service providers to demonstrate that their services meet one of the four Union assurance levels (Level 1 through Level 4). These levels represent increasing degrees of sovereignty, with Level 4 offering the highest protection for critical public order activities.

For a provider to be recognized, they cannot simply self-declare compliance for the higher levels. For Union assurance levels 2, 3, and 4, providers must undergo independent third-party audits. Article 17(4) requires the candidate provider to submit an audit report and a "positive" audit opinion to the national competent authority of their establishment. This opinion must confirm that the provider complies with the strict criteria set out in Annex II of the regulation, such as data localization, personnel citizenship, and the absence of third-country control over the infrastructure.

The recognition process is designed to be rigorous and cooperative. Once a national competent authority receives an application, it has 60 days to assess the evidence. Crucially, Article 17(5) introduces a cross-border review period. The evaluating authority must notify other Member States, which have 60 days to raise reasoned objections. This mutual recognition mechanism ensures that a service recognized in one Member State is valid across the entire Union, provided no other Member State raises valid compliance concerns. If no objections are raised, the service is recognized throughout the Union at the appropriate assurance level.

This process transforms "trust" from a subjective marketing concept into an objective legal status. A recognized service is one that has been verified by national authorities and independent auditors to meet specific, harmonized criteria. For procurement officers, this means that the "trust" in a provider is backed by a formal EU legal procedure, significantly reducing the risk of relying on unverified claims.

Transparency and Comparison: Article 22

Recognition alone is not enough if buyers cannot easily find and verify it. This is where Article 22 plays a pivotal role. This article mandates the establishment of a central repository of cloud computing services that have been recognized under Article 17.

Article 22(1) tasks the European Commission with establishing and maintaining this dedicated repository. The national competent authority that grants recognition is responsible for registering the service in this central database. This creates a single source of truth for the entire EU market.

The repository is not just an internal administrative tool; it is designed for public access. Article 22(4) states that the central repository shall be publicly available and regularly updated by the Commission and national competent authorities on a dedicated and easily accessible website. This transparency is a powerful tool for building market trust. It allows procurement officers to:

  1. Verify Claims: Buyers can check if a provider's claim to offer a specific Union assurance level is officially recognized.
  2. Compare Providers: By listing recognized services side-by-side, the repository enables objective comparison based on verified sovereignty levels rather than marketing brochures.
  3. Monitor Changes: Article 22(3) ensures that if a recognition is revoked (due to a provider failing to maintain compliance or an auditor revoking their opinion), this change is published in the repository and remains visible for five years. This historical transparency helps buyers assess the long-term reliability of a provider.

By making this information publicly available, CADA reduces the "imperfect information" problem that currently hampers the EU cloud market. Buyers no longer need to conduct exhaustive due diligence to verify basic sovereignty claims; they can rely on the central repository as a primary source of verified data.

Building Buyer Confidence

The combination of Article 17's rigorous recognition process and Article 22's transparent repository creates a robust foundation for trust. For public-sector bodies, particularly those in critical sectors like healthcare, justice, or defense, the risk of using non-compliant or insecure cloud services is high. CADA mitigates this risk by:

  • Standardizing Criteria: All providers are assessed against the same Annex II criteria, ensuring a level playing field.
  • Ensuring Independence: The requirement for independent third-party audits for levels 2-4 ensures that compliance is verified by experts, not just the provider itself.
  • Facilitating Procurement: With a clear list of recognized services, procurement officers can confidently specify Union assurance levels in their tender documents, knowing that only verified providers can meet these requirements.

This structured approach helps shift the EU market away from dependence on a few non-EU hyperscalers by creating a credible, transparent market for European cloud providers. It gives public buyers the confidence that the services they procure are genuinely sovereign, secure, and resilient, thereby strengthening the overall trust in the EU cloud ecosystem.

What this means for you

As a public-sector procurement officer, CADA's recognition framework would change how you evaluate and select cloud providers. Instead of relying on vendor self-assessments or ambiguous "sovereign" labels, you would have access to a legally verified standard.

  • Use the Central Repository: Before issuing a tender, consult the central repository established under Article 22. Use it to identify providers who have already achieved recognition for the specific Union assurance level required by your risk assessment. This saves time and ensures you are only considering compliant providers.
  • Specify Assurance Levels in Tenders: Your procurement documents should explicitly require services recognized at a specific Union assurance level (e.g., Level 2, 3, or 4) based on your organization's risk assessment. This ensures that only providers who have passed the Article 17 recognition process can bid.
  • Monitor for Changes: Keep an eye on the repository for any revocations or changes in recognition status. If a provider's recognition is withdrawn, you may need to reassess your contract or migration plans, as the service no longer meets the verified sovereignty criteria.
  • Leverage Mutual Recognition: You can confidently accept services recognized in other Member States. The mutual recognition process in Article 17 ensures that a service verified in one country is valid across the EU, expanding your pool of trusted providers without compromising on standards.

Common misconceptions

  • "All cloud providers will be automatically recognized." Recognition is not automatic. Providers must actively apply and undergo the assessment process described in Article 17. Only those that submit the necessary evidence and, for levels 2-4, obtain a positive independent audit opinion, will be recognized.

  • "The central repository includes all cloud services." No. Article 22 specifies that the repository contains only those services that have been formally recognized under Article 17. Unrecognized services, or those that have not applied for recognition, will not appear in this central list.

  • "Recognition means the service is 100% risk-free." Recognition means the service meets specific sovereignty and security criteria defined in Annex II. It does not eliminate all risks, but it significantly mitigates risks related to third-country control, data access, and operational disruption. Procurement officers should still conduct their own risk assessments to determine the appropriate assurance level for their specific use case.

  • "Self-assessment is enough for high-security needs." For Union assurance level 1, providers can self-assess and issue an EU statement of conformity. However, for levels 2, 3, and 4, which are required for activities contributing to public order, independent third-party audits are mandatory. Self-assessment is not sufficient for these higher levels.

This is general information about a draft EU regulation, not legal advice.