Summary

The proposed Cloud and AI Development Act (CADA) does not replace the European Cybersecurity Certification Scheme for Cloud Services (EUCS); instead, it elevates EUCS to a mandatory technical benchmark within its new Union cloud computing sovereignty framework. As proposed, CADA would require cloud providers seeking Union assurance Levels 2, 3, and 4 to hold a valid EUCS certificate at specific assurance levels: "substantial" for Levels 2 and 3, and "high" for Level 4. Because EUCS is not yet formally adopted, the proposal includes transitional provisions allowing providers to use existing national cybersecurity certifications or demonstrate adherence to the highest available standards until the scheme is finalized. Crucially, an EUCS certificate alone is insufficient for CADA compliance; it serves only as evidence of the technical cybersecurity pillar, which must be combined with sovereignty criteria like data localization, personnel citizenship, and third-country control assessments.

Detail

To understand the operational relationship between the proposed Cloud and AI Development Act (CADA) and the European Cybersecurity Certification Scheme for Cloud Services (EUCS), one must distinguish between the distinct but complementary objectives of the two instruments. The EUCS, developed under the Cybersecurity Act (Regulation (EU) 2019/881), is designed to address technical cybersecurity risks, ensuring the integrity, confidentiality, and availability of cloud services. In contrast, CADA establishes a broader "Union cloud computing sovereignty framework" that addresses not only cybersecurity but also data sovereignty, operational autonomy, and protection against extraterritorial legal access and geopolitical disruption.

CADA introduces four "Union assurance levels" (Levels 1 through 4) in Article 16. These levels represent a graduated set of cumulative criteria that cloud computing service providers must meet to be recognized as offering a specific level of trust to public sector bodies. The relationship between CADA and EUCS is most prominent in the criteria for Union assurance levels 2, 3, and 4, which are detailed in Annex II of the proposal.

EUCS as a Core Criterion for Higher Assurance Levels

Under CADA, achieving Union assurance level 1 relies primarily on a conformity self-assessment by the provider, as outlined in Article 19. This level requires the provider to demonstrate compliance with state-of-the-art cybersecurity standards but does not mandate a specific third-party certification scheme. However, for the more stringent levels (2, 3, and 4), the proposal mandates independent third-party audits and specific cybersecurity benchmarks that directly reference EUCS.

According to Annex II, Section 2.1(e), to qualify for Union assurance level 2, an audited service must obtain a European cybersecurity certificate of at least assurance level 'substantial' under a European cybersecurity certification scheme covering cloud computing services to be established under Regulation (EU) 2019/881. This is a direct reference to EUCS. The text explicitly states that the certificate must be issued under a scheme covering cloud computing services, ensuring that the technical security posture matches the specific risks of cloud environments.

Similarly, Annex II, Section 3.1(e) requires the same 'substantial' EUCS certification for Union assurance level 3. This indicates that for the mid-tier sovereignty requirements, the technical cybersecurity bar remains at the "substantial" level, while other sovereignty criteria (such as personnel citizenship and stricter third-country control measures) are elevated.

For the highest tier, Union assurance level 4, Annex II, Section 4.1(e) raises the bar significantly. It requires a European cybersecurity certificate of at least assurance level 'high' under the same scheme. This distinction is critical: while Levels 2 and 3 require "substantial" assurance, Level 4 (which is intended for the most critical public order activities) demands the highest level of technical cybersecurity certification available under the EUCS framework.

This structure means that EUCS is not merely a voluntary best practice under CADA; for any provider aiming to serve high-risk public sector use cases (which typically require levels 2, 3, or 4 based on risk assessments mandated by Article 29), obtaining the relevant EUCS certification would be a de facto prerequisite. The proposal effectively hardcodes EUCS assurance levels into the CADA sovereignty tiers.

Transitional Provisions: What Happens Before EUCS Is Finalized?

A critical nuance in the proposal is that EUCS has not yet been formally adopted. The explanatory memorandum notes that work will resume on EUCS, but its finalization is pending. CADA acknowledges this timeline gap through specific transitional language in Annex II.

For all three higher assurance levels (2, 3, and 4), the text states: "Until the establishment of such a scheme, national cybersecurity certification schemes shall apply, where they exist. Where no Union or national cybersecurity certification schemes exist, the audited provider is to demonstrate that the service complies with the highest cybersecurity standards under applicable Union law."

This provision ensures that the CADA sovereignty framework can begin functioning even if EUCS adoption is delayed. It allows providers to use existing national certifications (such as those from Germany's BSI or France's ANSSI) as interim evidence of compliance. However, once EUCS is established, it would become the harmonized standard, replacing the patchwork of national schemes for the purpose of CADA compliance. The proposal explicitly frames EUCS as the future "single point of truth" for technical cybersecurity within the sovereign cloud ecosystem.

The Role of Auditing Organizations and Evidence

CADA places significant emphasis on the verification process. Under Article 20, cloud computing service providers seeking recognition for levels 2, 3, or 4 must undergo independent third-party audits. The auditing organization is responsible for verifying that the provider meets the cumulative criteria in Annex II, including the cybersecurity certification requirement.

The proposal specifies that auditing organizations must have proven expertise and technical competence in auditing cloud computing services (Article 20(4)(b)). When assessing the cybersecurity criterion, the auditor would examine the validity of the EUCS certificate (or the interim national certificate) and ensure it covers the specific service being audited. This creates a clear chain of evidence: the EUCS certificate proves the technical security posture, while the CADA audit confirms that this security posture, combined with sovereignty criteria (like data localization, personnel citizenship, and third-country control), meets the broader Union assurance level.

Annex III, which details the audit evidence required, reinforces this. Under "Audit criterion E – European cybersecurity certification scheme," auditors are instructed to request a valid certificate demonstrating compliance with the 'basic', 'substantial', or 'high' assurance levels. Until the EUCS scheme is established, the auditor may accept valid certificates issued under national schemes or evidence demonstrating adherence to the highest level of cybersecurity standards available on the market.

Distinction from the Cybersecurity Act and Sovereignty Scope

It is important to clarify that CADA does not amend the Cybersecurity Act or the EUCS scheme itself. Instead, it leverages the output of the Cybersecurity Act. The Cybersecurity Act focuses on mitigating cybersecurity risks to ensure the integrity, confidentiality, and availability of cloud services. CADA uses this technical assurance as a foundation upon which to build additional layers of sovereignty protection, such as restrictions on third-country control and guarantees against service disruption due to geopolitical factors.

As stated in the explanatory memorandum, "Certification under the Cybersecurity Act can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements." Therefore, having an EUCS certificate does not automatically grant a CADA Union assurance level; it is only one component of a broader assessment that includes legal, operational, and data governance criteria. A provider could theoretically hold a "high" EUCS certificate but fail to meet CADA Level 4 requirements if, for example, their personnel are not Union citizens or if their infrastructure is subject to third-country control.

The proposal explicitly notes that the EUCS scheme is intended to be "leveraged in the framework for sovereign cloud computing services as a way of ensuring that an audited service meets the highest cybersecurity standards." This confirms that EUCS is the technical engine, while CADA is the sovereign chassis.

What this means for you

For CTOs, architects, compliance officers, and SMEs evaluating the practical impact of CADA, the relationship with EUCS presents both a compliance roadmap and a strategic planning opportunity.

1. EUCS Certification Becomes a Market Access Requirement for Public Sector Contracts

If your organization aims to provide cloud services to EU public sector bodies, particularly those handling sensitive data or critical functions, you will likely need to target Union assurance levels 2, 3, or 4. Consequently, obtaining an EUCS certificate (or its national interim equivalent) will become a mandatory step in your compliance journey. You should begin aligning your security controls with the EUCS specification now, as the audit processes are rigorous and resource-intensive. The "substantial" level will be the entry point for most critical public services, while "high" will be reserved for the most sensitive national security and law enforcement use cases.

2. Prepare for the Transition from National to EU-Wide Standards

If you currently rely on national cybersecurity certifications to demonstrate trustworthiness in specific EU markets, be aware that these may serve as interim compliance evidence under CADA. However, the long-term goal is harmonization under EUCS. Investing in EUCS-aligned controls now will future-proof your infrastructure and reduce the need for redundant audits once the scheme is fully operational. This harmonization will also lower barriers to cross-border expansion within the EU, as a single EUCS certificate will be recognized across all Member States for CADA purposes, replacing the current fragmentation of national schemes.

3. Integrate Cybersecurity and Sovereignty Audits

CADA requires a holistic audit that combines cybersecurity evidence with sovereignty criteria. When engaging with auditing organizations, ensure they have the capability to assess both the technical security aspects (via EUCS or national equivalents) and the legal/operational sovereignty aspects (such as data localization, personnel screening, and third-country control). Your internal documentation should clearly map how your security measures support both the EUCS requirements and the broader CADA assurance levels. The audit report must explicitly link the EUCS certificate to the specific CADA assurance level being sought.

4. SMEs and Startups: Focus on Level 1 First

For smaller providers, Union assurance level 1 may be a more achievable initial target. Level 1 does not require an EUCS certificate or a third-party audit for cybersecurity; instead, it relies on a conformity self-assessment (Article 19). However, even at Level 1, you must demonstrate compliance with state-of-the-art cybersecurity standards. While EUCS is not mandatory for Level 1, aligning your practices with EUCS principles can strengthen your self-assessment and position you for future upgrades to higher assurance levels as your business grows and you seek to serve more critical public sector clients.

5. Monitor the EUCS Adoption Timeline

Since CADA's cybersecurity criterion for levels 2, 3, and 4 ultimately depends on the finalization of EUCS, closely monitor the progress of the European Cybersecurity Certification Scheme for Cloud Services. The proposal indicates that national schemes will apply in the interim. Regulatory updates regarding the exact timeline for EUCS adoption will determine when the mandatory shift from national to EU-wide certification occurs. Staying informed will help you plan your certification roadmap effectively and avoid last-minute scrambles to meet the "substantial" or "high" thresholds once the scheme is live.

Common misconceptions

Misconception 1: EUCS and CADA are the same thing. EUCS is a technical cybersecurity certification scheme under the Cybersecurity Act. CADA is a broader regulatory framework that includes cybersecurity as one component of a multi-layered sovereignty model. EUCS proves your cloud is secure; CADA proves your cloud is secure, sovereign, and resilient against geopolitical risks.

Misconception 2: Having an EUCS certificate automatically grants a CADA Union assurance level. No. An EUCS certificate is only one of several cumulative criteria required for Union assurance levels 2, 3, and 4. You must also meet requirements related to data localization, personnel citizenship, third-country control, and operational support locations. A full audit by an accredited organization is required to confirm compliance with all criteria, not just the cybersecurity aspect.

Misconception 3: CADA replaces EUCS. CADA does not replace EUCS; it leverages it. EUCS remains the primary mechanism for demonstrating technical cybersecurity compliance within the CADA framework. The two schemes are designed to work together, with EUCS providing the technical assurance that CADA incorporates into its broader sovereignty assessment.

Misconception 4: National cybersecurity certifications are obsolete under CADA. Not immediately. Until EUCS is fully established, CADA explicitly allows the use of national cybersecurity certification schemes as interim evidence of compliance for Union assurance levels 2, 3, and 4. However, this is a transitional measure. Once EUCS is adopted, it will become the harmonized standard, and national schemes may no longer suffice for CADA compliance unless they are aligned with or recognized under the EUCS framework.

Misconception 5: Only large hyperscalers need to worry about EUCS and CADA. While large providers will be the first to target higher assurance levels, any cloud provider seeking to serve the EU public sector must comply with CADA's requirements. Even providers targeting Union assurance level 1 must demonstrate state-of-the-art cybersecurity standards. As public sector demand for sovereign cloud services grows, the market pressure to achieve higher assurance levels, and thus EUCS certification, will extend to mid-sized providers and specialized niche players.

This is general information about a draft EU regulation, not legal advice.