Summary
The proposed Cloud and AI Development Act (CADA) does not create a new digital identity scheme, nor does it establish a standalone authentication system for cloud services. Instead, the proposal explicitly mandates that its key digital platforms, specifically the central repository of recognised sovereign cloud services (Article 22) and the EuroCloud Federation (Article 34), must "re-use, in so far as relevant, the eIDAS framework." This architectural decision ensures that the identity mechanisms used to access CADA's infrastructure align with the EU's existing Digital Identity Wallet standards, preventing fragmentation and allowing public sector bodies and providers to leverage their existing eIDAS 2.0 credentials for sovereignty-related tasks.
Detail
No New Identity Scheme, But Mandatory Interoperability
A frequent point of confusion for technical leaders and architects is whether CADA introduces a bespoke identity management system to manage access to sovereign cloud services. The answer is a definitive no. The proposal is designed to integrate with, rather than duplicate, the EU's digital identity infrastructure.
The proposal's "Digital Dimensions" section explicitly states that for the Union repository of recognised sovereign services, the implementation "will re-use, in so far as relevant, the eIDAS framework." This is a critical architectural constraint. It means CADA's platforms are not intended to be standalone silos requiring new credentials. Instead, they are designed to plug directly into the broader EU digital identity ecosystem established by Regulation (EU) No 910/2014 (eIDAS) and its successor, eIDAS 2.0, which introduces the European Digital Identity Wallet.
This approach aligns with the EU's "once-only" principle and the goal of a seamless digital single market. By re-using eIDAS, CADA ensures that the authentication of entities (whether they are cloud providers applying for recognition, auditors verifying compliance, or public sector bodies accessing the federation) relies on the same qualified trust services and digital wallets already being deployed across the Union.
Article 22: The Central Repository and Authentication
The core mechanism for this integration is found in Article 22, which establishes the "Central repository of cloud computing services." This repository is a publicly available, regularly updated database maintained by the Commission and national competent authorities. Its primary function is to list cloud services that have been recognised as offering specific Union assurance levels (the sovereignty certifications defined in Annex II).
While Article 22 itself focuses on the registration, maintenance, and public availability of these service listings, the technical implementation of how users access, submit data to, or verify information within this repository is inextricably linked to eIDAS. The CADA proposal's digital dimensions section clarifies that for the central repository, "The repository will re-use, in so far as relevant, the eIDAS framework."
For system architects, this implies that authentication to the repository will likely leverage qualified electronic signatures or advanced electronic signatures as defined under the eIDAS Regulation. This ensures that:
- Integrity: Entities submitting recognition applications or audit reports are properly identified and authenticated according to EU standards.
- Non-Repudiation: Actions taken within the repository (such as a national competent authority registering a service) are legally binding and traceable to a verified identity.
- Security: The repository benefits from the high-security standards of the eIDAS framework, reducing the risk of spoofing or unauthorised access to sensitive sovereignty data.
The EuroCloud Federation and eIDAS
The second major digital platform under CADA is the EuroCloud Federation, established under Article 34. This federation facilitates the sharing of data centre services and cloud computing services between Union entities and public sector bodies. It is designed to allow Member States to share idle capacity and interconnect their infrastructures securely.
Similar to the central repository, the CADA proposal specifies that for the EuroCloud platform, the integration with eIDAS is a foundational requirement. The digital dimensions section notes that for the EuroCloud platform, "This will be specified by the Commission at a later stage" regarding the precise technical implementation, but the overarching principle remains: the platform "will re-use, in so far as relevant, the eIDAS framework."
This means that when public sector bodies interconnect their cloud infrastructures through the EuroCloud Federation, the identity verification of the participating entities will not rely on a bespoke CADA login system or a new set of credentials. Instead, it will leverage the eIDAS 2.0 digital identity wallets or existing qualified trust services. This significantly reduces the administrative burden on public sector IT departments, as they can use the same identity credentials for accessing sovereign cloud resources and sharing capacity as they do for other EU digital services, such as cross-border public services or tax filings.
Specification of Authentication Details by the Commission
While the principle of re-using eIDAS is clear in the proposal, the specific technical details of how authentication will be implemented are not fully defined in the current text. The CADA proposal acknowledges this by noting that for both the central repository and the EuroCloud platform, the need for further interoperability assessments under the Interoperable Europe Act (Regulation (EU) 2024/903) will be evaluated once operational details become available.
Furthermore, the Commission is empowered to adopt implementing acts to specify the procedures and technical measures. For instance, Article 34(4) empowers the Commission to adopt implementing acts to specify the procedure to participate in the EuroCloud Federation. Similarly, Article 40 and Article 41 empower the Commission to adopt acts specifying technical and operational measures for the federation and procurement platforms.
This means that while the framework is eIDAS, the protocols (e.g., specific API standards for wallet integration, the exact trust service providers to be used, or the specific attributes required from the digital wallet) will be detailed in secondary legislation. This allows the Commission to adapt the technical implementation to the evolving state of eIDAS 2.0 deployment without needing to amend the primary regulation.
Alignment with the Interoperable Europe Act
CADA's reliance on eIDAS is consistent with the broader EU digital strategy and the Interoperable Europe Act. The proposal mentions that the EU Open Source Solutions Catalogue (another CADA platform under Article 43) will be hosted on the Interoperable Europe portal, which itself is designed to work with eIDAS.
This creates a unified "digital public infrastructure" layer where CADA's sovereignty tools sit on top of eIDAS's identity layer and the Interoperable Europe Act's interoperability standards. The digital dimensions section explicitly states that for the EU Open Source Solutions Catalogue, "The catalogue will re-use, in so far as relevant, the eIDAS framework." This ensures a consistent user experience across all CADA digital tools: a public sector body or provider logs in once using their eIDAS wallet and can access the central repository, the EuroCloud Federation, and the Open Source Catalogue without needing separate accounts.
What this means for you
For CTOs and Architects
- Plan for eIDAS Integration: If your organisation is building a cloud service that seeks Union assurance level certification, you must ensure your customer-facing portals and administrative interfaces can integrate with eIDAS-compliant identity providers. You do not need to build a new identity system from scratch, but you must support the authentication methods that will be mandated for accessing the CADA central repository and the EuroCloud Federation.
- Monitor Implementing Acts: The exact technical specifications for how CADA platforms will interface with eIDAS wallets are "to be defined in secondary legislation." Keep a close watch on Commission implementing acts related to Article 22, Article 34, and Article 43 for specific API specifications, security protocols, and trust service requirements.
- Leverage Existing Investments: If you have already integrated eIDAS 2.0 digital identity wallets for other EU services (e.g., for cross-border public services), those investments will directly apply to CADA compliance. There is no need for parallel identity infrastructure, which reduces development costs and time-to-market.
For SMEs and Cloud Providers
- Reduced Complexity: You do not need to worry about a new, complex identity scheme unique to CADA. The reliance on eIDAS means you can use established, widely supported identity solutions. This lowers the barrier to entry for smaller providers who may not have the resources to develop a custom identity management system.
- Access to Sovereign Clouds: As an SME providing cloud services, gaining recognition in the Article 22 central repository will require you to interact with national competent authorities. Understanding how eIDAS authentication will be used in this process will help you prepare your onboarding workflows. You will likely need to demonstrate that your organisation can authenticate its representatives using qualified eIDAS credentials.
For Public Sector Bodies
- Unified Access: When participating in the EuroCloud Federation or accessing the central repository, your IT teams can utilise the same digital identity wallets used for other EU digital services. This simplifies the user experience for public servants and reduces the risk of credential fatigue.
- Security and Trust: By re-using eIDAS, CADA ensures that access to sensitive sovereignty data and shared cloud capacity is protected by the highest standards of EU digital identity, including qualified electronic signatures and advanced electronic signatures.
Common misconceptions
- Misconception: "CADA creates a new EU-wide digital ID for cloud users."
- Reality: CADA creates no new identity scheme. It mandates the re-use of the existing eIDAS framework. The identity layer remains separate from the sovereignty layer, with eIDAS serving as the trusted foundation.
- Misconception: "I need to wait for eIDAS 2.0 to be fully operational before I can comply with CADA."
- Reality: While eIDAS 2.0 will be the future standard, the proposal states that platforms will re-use the eIDAS framework "in so far as relevant." This allows for flexibility during the transition period, potentially supporting existing qualified trust services alongside new wallet capabilities. The Commission will specify the exact transition path in implementing acts.
- Misconception: "CADA's central repository is a public-facing directory with no access controls."
- Reality: While the repository is publicly available for viewing, the authentication mechanisms for submitting data, managing listings, and accessing certain sensitive information (such as audit reports or detailed compliance data) will likely leverage eIDAS to ensure the integrity, security, and non-repudiation of the sovereignty framework.
This is general information about a draft EU regulation, not legal advice.