CADA and eIDAS

Summary As proposed, the Cloud and AI Development Act (CADA) does not create a new, standalone digital identity scheme for its digital infrastructures. Instead, the proposal explicitly states that key solutions—including the central repository of recognised cloud services, the EuroCloud Federation platform, and the EU Open Source Solutions Catalogue—will "re-use, in so far as relevant, the eIDAS framework." While the EuroCloud platform's specific identity mechanisms may be detailed by the Commission at a later stage, the legislative intent is clear: CADA would leverage existing EU identity standards rather than fragmenting the digital landscape with bespoke authentication mechanisms. No new "CADA ID" would be created.

Detail

The CADA proposal establishes a suite of critical digital infrastructures to support the EU's cloud and AI ecosystem. These include a central repository for sovereign cloud services (Article 22), a European public sector cloud federation platform (Article 34), and an EU Open Source Solutions Catalogue (Article 43). A recurring theme in the proposal's impact assessment and digital dimensions analysis is the principle of interoperability and the avoidance of duplicate technical solutions. Consequently, the relationship between CADA and the eIDAS Regulation (Regulation (EU) No 910/2014) is one of technical reliance and future integration, not legislative overlap.

The Central Repository of Recognised Cloud Services

Article 22 of CADA mandates the Commission to establish and maintain a "central repository" of cloud computing services recognised as offering Union assurance levels 1 through 4. This repository serves as a public-facing, machine-readable database allowing public sector bodies to identify compliant providers and ensuring transparency in the sovereignty framework.

While the enacting text of Article 22 does not explicitly cite eIDAS, the accompanying impact assessment and the "Digital Dimensions" section of the legislative financial statement clarify the technical architecture. Under the specific analysis of the "Union repository of recognised sovereign services," the document states that the repository will "re-use, in so far as relevant, the eIDAS framework." This indicates that the repository would likely leverage eIDAS nodes, qualified trust services, or electronic identification means for secure data exchange, user authentication, and digital signatures where necessary.

For instance, when national competent authorities register services, or when public procurers access detailed assurance data, they would likely use eIDAS-qualified electronic signatures or identification means to verify their identity and ensure the integrity of the data flow. This approach avoids the need to build a separate, parallel identity infrastructure for repository access, ensuring that the repository integrates seamlessly with the broader EU digital identity ecosystem.

The EuroCloud Federation Platform

Article 34 establishes the EuroCloud Federation, a mechanism for public sector bodies to share idle cloud and data centre capacity. To facilitate this, the Commission is required to establish a platform providing a catalogue of available services and a service platform for the exchange and orchestration of computing, storage, and network resources.

The proposal acknowledges the critical need for secure access to this platform. The impact assessment notes that the EuroCloud platform should include mechanisms for secure access and incident management, such as "shared identity management" and "mutual authentication tools." Regarding the specific integration with eIDAS, the digital dimensions section states that this integration "will be specified by the Commission at a later stage."

This phrasing suggests that while the platform is designed with identity federation in mind, the precise technical reliance on eIDAS—such as using eIDAS nodes for cross-border authentication of public servants managing shared capacity—would be defined through implementing acts or technical specifications post-adoption. The goal is to ensure that public sector actors can seamlessly authenticate across borders using their national eIDAS-compliant credentials, rather than creating new CADA-specific accounts. The platform would not generate a new identity layer but would act as a federation point for existing national identities.

The EU Open Source Solutions Catalogue

Article 43 requires the Commission to provide and maintain an EU Open Source Solutions Catalogue (EU OSS Catalogue), hosted on the Interoperable Europe portal. Similar to the central repository, the impact assessment confirms that this catalogue will "re-use, in so far as relevant, the eIDAS framework."

This ensures that when public sector bodies upload open-source software, verify contributions, or manage intellectual property rights within the catalogue, they can rely on existing qualified trust services for electronic signatures and seals. This maintains consistency with the broader EU digital identity ecosystem and ensures that the provenance of software contributions can be cryptographically verified using established standards.

No New Identity Scheme

Crucially, CADA does not introduce a new regulatory regime for electronic identification. The proposal relies entirely on the existing eIDAS framework for any necessary identity verification, digital signatures, or secure electronic communications related to its platforms. This is consistent with the broader EU policy of promoting a single, cohesive digital identity framework. By re-using eIDAS, CADA ensures that its technical implementations are compatible with the forthcoming European Digital Identity Wallet (EUDI Wallet) and other eIDAS 2.0 developments, provided those developments are aligned with the current eIDAS trust services. The legislative text and impact assessment make it clear that the Act would not duplicate the identity infrastructure already established by the EU.

What this means for you

For CTOs, architects, and compliance officers evaluating CADA's impact, the reliance on eIDAS significantly simplifies integration efforts. You do not need to design bespoke identity solutions for interacting with CADA's repositories or platforms.

• For Cloud Providers: When submitting applications for Union assurance level recognition to national competent authorities, or when registering services in the central repository, expect that digital signatures and secure submissions may rely on eIDAS-qualified trust services. Ensure your internal processes support eIDAS-compliant electronic signatures if you are submitting official documentation digitally. There is no need to prepare for a proprietary "CADA login."
• For Public Sector Integrators: If your organisation plans to join the EuroCloud Federation to share or consume idle capacity, anticipate that the platform will support eIDAS-based authentication. This means your staff may use their national eIDAS-compliant credentials to access the federation platform, facilitating cross-border cooperation without new credential management overhead. The platform would act as a bridge between national identity providers.
• For Open Source Contributors: When publishing software to the EU OSS Catalogue, the platform will likely support eIDAS-based verification for publishers. This ensures the integrity of the published software and the identity of the contributing public body, leveraging the same trust services used for other EU digital public services.
• Architectural Planning: Design your systems to be eIDAS-agnostic in terms of identity provider selection. Since CADA platforms would re-use eIDAS, your systems should be able to accept standard eIDAS attributes or signatures. Avoid hard-coding assumptions about a "CADA-specific" identity scheme, as the proposal explicitly rules one out.

Common misconceptions

• Misconception: CADA creates a new "sovereign ID" scheme for cloud services.
  • Reality: CADA creates assurance levels for cloud services, not a new identity scheme. Identity verification for platform access relies on existing eIDAS infrastructure, as confirmed in the impact assessment.
• Misconception: The central repository is a closed system with proprietary authentication.
  • Reality: The repository is publicly available, but interactions requiring authority (e.g., registration by competent authorities) would leverage eIDAS trust services for security and integrity, as stated in the impact assessment.
• Misconception: EuroCloud Federation requires a new set of credentials for all members.
  • Reality: The platform is designed to integrate with existing identity frameworks. The proposal explicitly states that eIDAS integration will be specified later, implying a federation model rather than a siloed credential system.
• Misconception: CADA ignores the Interoperable Europe Act.
  • Reality: CADA is deeply aligned with the Interoperable Europe Act. The EU OSS Catalogue is hosted on the Interoperable Europe portal, and the repository's design considers the need for interoperability assessments under that Act.

Official sources

• Data Act (Regulation (EU) 2023/2854)

Related

• CADA and eIDAS 2.0: How the Cloud Act Reuses the EU Digital Identity Wallet
• CADA vs the Digital Networks Act: Connectivity vs. Compute
• CADA and the Chips Act 2.0: How the EU's Digital Stack Laws Interact
• Why is CADA part of the EU tech sovereignty package with the Chips Act 2.0?
• Why does CADA call the Data Act an 'enabler'?

This is general information about a draft EU regulation, not legal advice.