How does cross-border review of a CADA recognition work?

Summary Under the proposed Cloud and AI Development Act (CADA), the recognition of a cloud computing service provider (CCSP) as offering a specific Union assurance level is a centralized procedure led by the national competent authority of the provider's establishment. However, to ensure uniform sovereignty standards across the single market, Article 17 mandates a rigorous cross-border review mechanism. Once the evaluating authority prepares a draft recognition decision, it must notify all other Member States, triggering a mandatory 60-day review period. During this window, other national competent authorities may submit reasoned objections or requests for clarification if they believe the draft decision does not comply with the assurance level criteria in Annex II. If an objection is raised and the evaluating authority intends to maintain its draft decision despite the objection, the matter may be referred to the European Commission. The Commission then adopts a binding decision determining whether the recognition can proceed. This ensures that a recognition granted in one Member State is valid across the entire Union only if no valid cross-border objections are sustained.

Detail

The CADA proposal aims to create a harmonised Union cloud computing sovereignty framework. A core challenge in such a framework is preventing regulatory arbitrage, where a provider might seek recognition in a Member State with laxer enforcement while operating across the Union. To address this, Article 17 of the CADA proposal establishes a "one-stop-shop" application process that is nevertheless subject to a robust peer-review mechanism involving all Member States.

The Role of the Evaluating Authority

The process is initiated when a cloud computing service provider submits an application for recognition to the national competent authority of its establishment. Under Article 17(2), this authority becomes the "evaluating national competent authority." While the evaluating authority may request collaboration from other Member States' authorities within 15 days of receiving such a request (Article 17(2)), the primary responsibility for assessing the evidence lies with the evaluating authority.

The evaluating authority has 60 days from the acceptance of the application to assess the evidence submitted. As outlined in Article 17(5), this assessment leads to one of three outcomes:

1. Draft Recognition: The authority prepares a draft recognition decision and notifies other Member States.
2. Request for Information: If evidence is insufficient, the authority may request further information, suspending the 60-day clock (for up to 30 days, unless justified by exceptional circumstances).
3. Rejection: The authority rejects the request, granting the provider 30 days to provide written comments before the final decision.

If the evaluating authority proceeds to a draft recognition, it must immediately notify the competent authorities of all other Member States. This notification is the trigger for the critical cross-border review phase.

The 60-Day Cross-Border Review Period

Article 17(5)(a) explicitly mandates that the evaluating authority notifies the competent authorities of other Member States and opens a 60-day review period. The text states that this notification includes the evidence submitted by the provider. The purpose of this period is to allow other Member States to verify that the draft recognition decision complies with the applicable Union assurance levels set out in Annex II of the CADA proposal.

During this 60-day window, a national competent authority of another Member State has two primary tools to challenge or scrutinize the draft decision:

1. Request for Clarification: Under Article 17(6) and Article 17(8), another Member State may submit a request for clarification if it considers the draft decision non-compliant. Upon receiving this request, the evaluating authority must take it into account. It may confirm its original draft, modify it, or request new information from the applicant (suspending the timeline again if necessary). If the requesting authority remains unsatisfied after the evaluating authority's response, it may escalate to a reasoned objection.
2. Reasoned Objection: Also under Article 17(6), a Member State may submit a reasoned objection directly if it believes the draft recognition decision does not comply with the assurance level criteria. This is a formal challenge that requires the evaluating authority to assess the objection's merits.

Resolving Objections and Commission Referral

The mechanism for resolving disputes is designed to balance national sovereignty concerns with the need for a unified single market. If a reasoned objection is submitted within the review period (or following a clarification request under Article 17(8)), the evaluating authority must assess the objection. Under Article 17(9), the evaluating authority has two options:

• Maintain the draft decision: If the evaluating authority disagrees with the objecting Member State, it maintains its original draft.
• Revoke the draft decision: If the evaluating authority agrees with the objection, it revokes the draft, and the recognition process effectively fails at this stage.

Crucially, if the evaluating authority intends to maintain its draft decision despite a reasoned objection, the objecting Member State has the right to escalate the dispute to the European Commission. Article 17(10) states: "In case the evaluating national competent authority intends to maintain its draft decision, the concerned national competent authority may refer the matter to the Commission."

Once referred, the Commission assesses the referral and may request additional information from the national authorities involved. The Commission then adopts a binding decision determining whether the evaluating national competent authority may adopt the recognition decision. This Commission decision is final in the context of the administrative procedure, ensuring that disputes over sovereignty standards do not stall indefinitely and that a uniform interpretation of the assurance levels is applied across the Union. This step is vital for preventing a single Member State from blocking a recognition that is compliant with Union law, or conversely, for preventing a "race to the bottom" where a provider is recognized in one state despite failing to meet Union-wide criteria.

Automatic Recognition if No Objections

If the 60-day review period expires without any reasoned objection or request for clarification being submitted, Article 17(7) provides that the conclusions by the evaluating national competent authority are deemed accepted by all Member States. The evaluating authority then adopts the recognition decision, and the audited service is recognized throughout the Union at the appropriate Union assurance level. This "silence equals consent" mechanism is vital for ensuring legal certainty and speed in the market, allowing providers to scale across borders without needing separate national approvals.

Transparency and Central Repository

Once recognized, the service is registered in the central repository established by the Commission under Article 22. This repository is publicly available and ensures that public sector bodies across the EU can easily identify which services have been recognized for which assurance levels. If a recognition is later revoked due to non-compliance or incorrect information supplied by the provider (Article 17(11)), this revocation is also published in the central repository for five years (Article 22(3)). This transparency ensures that the cross-border review process has lasting visibility and that the market can react to changes in a provider's status.

What this means for you

For in-house counsel, compliance officers, and legal teams at cloud computing service providers, the cross-border review mechanism under the proposed CADA introduces specific strategic and operational considerations that go beyond standard national compliance.

1. Prepare for Scrutiny from Multiple Jurisdictions Even though you apply in one Member State (your establishment), your application will be visible to and reviewable by competent authorities in all other 26 Member States. Your compliance evidence must be robust enough to withstand scrutiny from authorities that may have different cultural, political, or security sensitivities regarding data sovereignty. Ensure your documentation clearly maps to the cumulative criteria in Annex II of the CADA proposal, as any ambiguity could be exploited by an objecting Member State.

2. Manage the 60-Day Clocks Carefully The timeline is tight and rigid. You have 60 days for the initial assessment, followed by a 60-day cross-border review. If the evaluating authority requests more information, the clock pauses, but the total delay can extend your time-to-market significantly. Proactively provide complete, high-quality evidence in the initial application to avoid "requests for further information" under Article 17(5)(b), which can suspend the timeline and delay your market entry.

3. Engage Early with Potential Objectors If your service operates in sensitive sectors (e.g., health, defense, or critical infrastructure) in specific Member States, consider pre-engaging with those national competent authorities before submitting your application. While not formally required before the 60-day review, informal dialogue may help identify and resolve potential concerns before they become formal "reasoned objections" that could trigger a Commission referral. A referral to the Commission can be a lengthy and resource-intensive process.

4. Monitor the Central Repository Once recognized, monitor the central repository under Article 22. If a competitor's recognition is revoked or if there are changes to your own status, the public nature of this repository means market participants will see these changes immediately. Ensure your internal processes for notifying material changes (Article 23) are agile to avoid automatic revocation risks, which could be triggered if you fail to report changes that affect your compliance status.

5. Understand the Commission's Role as Arbitrator If a Member State objects to your recognition, the evaluating authority in your home state is the first line of defense. However, if they maintain the decision, the Commission becomes the arbiter. Prepare for the possibility that the Commission may request additional information or conduct its own assessment. Your legal team should be ready to defend the technical and legal merits of your sovereignty controls before EU-level authorities if a dispute escalates. The Commission's binding decision under Article 17(10) is the final administrative step, and its outcome will set a precedent for your service's status across the Union.

Common misconceptions

Misconception 1: "If I am recognized in my home country, I am automatically safe everywhere." Correction: Recognition in your home country is only the start of the cross-border validity. Other Member States have a statutory right to object during the 60-day review period. If a reasoned objection is sustained (either by the evaluating authority or the Commission), your recognition can be blocked or revoked. It is not an automatic passport until the review period closes without valid objections.

Misconception 2: "Only the home country's competent authority matters." Correction: While the home country's authority is the "evaluating" authority, the CADA framework is designed to be collaborative. Other Member States' authorities have the power to request clarification, submit objections, and refer disputes to the Commission. Ignoring the perspectives of other Member States, especially those where you have significant customer bases, is a strategic risk.

Misconception 3: "Objections are just formalities and rarely lead to rejection." Correction: Given the high stakes of data sovereignty and national security, reasoned objections are likely to be taken seriously. The CADA proposal explicitly provides for a Commission binding decision in case of disputes (Article 17(10)), indicating that the EU legislature anticipated significant disagreements. Providers should treat objections as substantive legal challenges, not mere procedural hurdles.

Misconception 4: "The 60-day review period is fixed and cannot be extended." Correction: While the initial 60-day review period is fixed, the overall timeline can be extended if the evaluating authority requests further information from the applicant (Article 17(5)(b)) or if clarification requests are made by other Member States (Article 17(8)). These interactions can suspend or prolong the process, so providers should budget for potential delays.

Related

• Which National Competent Authority Do I Apply to for CADA Recognition?
• What is the timeline and deadlines for getting CADA recognition?
• CADA Compliance Checklist for Cloud Providers: Steps to Recognition
• What happens if another Member State objects to my CADA recognition?
• What evidence do I submit for CADA recognition?

This is general information about a draft EU regulation, not legal advice.