Summary

As proposed, the Cloud and AI Development Act (CADA) establishes a single, publicly accessible central repository of cloud computing services recognised at Union assurance levels, so that public buyers anywhere in the EU can verify a provider's sovereignty status in one step. National competent authorities (NCAs) must register the services they recognise in this repository and notify every other Member State and the Commission, as soon as possible, of any amendment or revocation, so that a service's recognition status is consistent and visible across borders. This transparency mechanism spares buyers from navigating fragmented national verification processes and supports efficient, legally sound cross-border procurement of recognised cloud services.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, addresses a critical bottleneck in the European cloud market: the lack of a harmonised, transparent mechanism for verifying the sovereignty and trustworthiness of cloud computing services. For public-sector procurement officers, the inability to easily verify whether a cloud provider meets specific sovereignty criteria (such as data localisation, personnel citizenship, or the absence of third-country control) has historically forced reliance on complex, jurisdiction-specific due diligence. CADA resolves this by creating a unified transparency framework centred on a central repository and strict notification obligations for national competent authorities.

The Central Repository as a Single Source of Truth

At the heart of CADA's transparency regime is the establishment of a central repository. Under Article 22, the European Commission is required to establish and maintain a dedicated repository of cloud computing services that have been recognised under the Union cloud computing sovereignty framework. This repository serves as the definitive public record for which services meet the criteria for Union assurance levels 1 through 4.

The regulation ensures this repository is not merely an internal administrative tool but a functional instrument for the market. Article 22(4) explicitly states that "the central repository shall be publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website." This provision guarantees that any public-sector body, regardless of its location within the EU, can access the same, up-to-date information regarding a cloud provider's recognised assurance level.

The repository contains critical data points, including the identity of the provider, the specific Union assurance level achieved, and the status of the recognition. Crucially, it also records revocations. Article 22(3) mandates that "the revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years." This ensures that transparency extends to negative outcomes, preventing buyers from inadvertently procuring services that have lost their sovereign status.

National Competent Authorities and Cross-Border Notification

The integrity of the central repository relies on the rigorous obligations placed on national competent authorities (NCAs). Under CADA, the recognition of a cloud service is granted by the NCA of the Member State where the provider has its main establishment. However, this recognition is not confined to that single Member State; it is valid across the entire Union. To ensure this cross-border validity is transparent, CADA imposes strict notification duties.

Article 22(2) requires the national competent authority of establishment that recognised a cloud computing service to register that service in the central repository. This creates a direct link between the national assessment and the EU-wide public record.

Furthermore, Article 23 outlines the transparency obligations for cloud computing service providers and the subsequent notification duties of the NCAs. Providers must notify their auditing organisation and the NCA of establishment of any material change in circumstances that may affect their audit report or recognition status. Upon receiving such a notification, the NCA must assess whether its recognition needs to be amended or revoked.

Article 23(3) is pivotal for cross-border procurement. It stipulates that "where the national competent authority of establishment amends or revokes its recognition of a cloud computing service, it shall, as soon as possible, notify the national competent authorities of the other Member States and the Commission." If a provider's recognition changes in its Member State of establishment, every other Member State is therefore informed as soon as possible, and the change is reflected in the single public record. This synchronisation closes the window in which a service could be treated as recognised in one jurisdiction but not in another purely because of information lag.

Consistent Recognition and Procurement Efficiency

The combination of the central repository and the NCA notification framework creates a system of consistent recognition. As proposed, once a cloud service is recognised at a specific Union assurance level, that recognition is deemed accepted by all Member States unless a reasoned objection is raised during the specific review period outlined in Article 17. Once final, the recognition remains in force as registered until the NCA of establishment amends or revokes it, and any such change is broadcast to the other NCAs and the Commission via the mechanisms in Article 23.

For procurement officers, this means that the legal status of a cloud service is portable. A public body in Germany can rely on the same assurance level data for a French provider as a public body in France can. This removes the legal uncertainty that previously plagued cross-border cloud contracts, where buyers feared that a provider's compliance in their home state might not be recognised or verified in the buyer's state.

The transparency framework also supports the risk assessment obligations outlined in Article 29. Member States and Union entities must conduct risk assessments to determine the appropriate Union assurance level for their activities. The central repository allows these entities to quickly identify which providers meet the required assurance levels (Level 1 for general public sector use, and Levels 2, 3, or 4 for activities contributing to the preservation of public order). This streamlines the tender process, as buyers can pre-qualify providers based on their registered status in the central repository, reducing the administrative burden of individual due diligence.

Integration with Public Procurement Rules

The transparency measures in CADA are designed to work in tandem with public procurement directives. Article 30 mandates that contracting authorities procure cloud computing services that have been recognised under Article 17. For activities identified as contributing to the preservation of public order, authorities must procure services recognised at Union assurance levels 2, 3, or 4. The central repository provides the evidentiary basis for these procurement decisions. By referencing the repository, contracting authorities can demonstrate that they have met their legal obligations to procure sovereign services, as the repository serves as the official record of compliance.

Moreover, the transparency obligations support the principle of equal treatment in procurement. Because the repository is public and accessible to all, all potential bidders have equal access to information about the sovereignty status of competing providers. This prevents market distortion where large incumbents might have better resources to navigate opaque national verification systems, thereby fostering a more competitive market for European cloud providers.

What this means for you

For public-sector procurement officers and legal teams, the CADA transparency framework fundamentally changes how you verify and select cloud providers.

  1. Simplified Due Diligence: You no longer need to conduct independent, jurisdiction-specific audits to verify a provider's sovereignty status. Instead, you can check the central repository to confirm that a provider holds the required Union assurance level. This reduces procurement timelines and legal costs.
  2. Cross-Border Confidence: When procuring from a provider established in another Member State, you can rely on its recognition status with the same confidence as you would for a domestic provider. Under Article 23(3), any amendment or revocation by the NCA of establishment is notified to your national competent authority and the Commission as soon as possible, so the status you read in the central repository is the same status every other Member State sees.
  3. Dynamic Monitoring: A recognition is not permanent, so you should check the central repository for changes to your contracted providers' status for the life of the contract, not only at award. If a recognition is amended or revoked, the repository will reflect this, and under Article 22(3) a revocation stays visible there for five years. Your contracts should include clauses that trigger review or termination if a provider's registered assurance level drops below the threshold your Article 29 risk assessment identified for that use case.
  4. Standardised Tendering: In your tender documents, you can reference the central repository as the definitive source for verifying compliance with Union assurance levels. This standardises your evaluation criteria and ensures that all bidders are assessed against the same, transparent benchmarks.

Common misconceptions

  • Misconception: The central repository replaces the need for national risk assessments.
    • Reality: The repository provides data on provider compliance, but it does not determine which assurance level your organisation needs. Article 29 requires Member States and Union entities to conduct their own risk assessments to determine the appropriate assurance level based on the sensitivity of their data and the criticality of their operations. The repository only confirms if a provider meets the level you have identified as necessary.
  • Misconception: Only EU-based providers can be listed in the repository.
    • Reality: Providers must be established in the Union to be recognised, but Article 18 permits, under specific conditions (for example, where the third country has implemented sufficient safeguards), the recognition at Union assurance level 3 of cloud computing services controlled by third-country legal entities. A service recognised on that basis is listed in the repository like any other recognised service.
  • Misconception: The repository is only for public-sector use.
    • Reality: Article 22(4) makes the repository publicly available. Private-sector entities, particularly those in high-criticality sectors listed in Annex I to the NIS2 Directive, can use the repository to verify the sovereignty status of their cloud providers, although they are not legally mandated to procure from recognised services unless specific delegated acts require it under Article 31.

This is general information about a draft EU regulation, not legal advice.