Summary

As proposed, the Cloud and AI Development Act (CADA) would establish a central repository of cloud computing services to fundamentally improve the EU cloud market by reducing information asymmetry and enhancing transparency. Under Article 22, this publicly available register allows public-sector buyers to easily identify and verify which providers have been formally recognised for specific Union assurance levels. By centralising this data, the repository drives procurement demand toward trusted, sovereign-compliant services, thereby strengthening the EU's digital sovereignty and supporting the autonomy objectives of the regulation.

Detail

The proposed Cloud and AI Development Act (CADA) aims to address the EU's critical dependence on a limited number of non-European cloud providers by creating a harmonised framework for sovereign cloud services. A cornerstone of this framework is the establishment of a central repository, which serves as a single source of truth for the trustworthiness and sovereignty status of cloud computing services available in the Union. This mechanism is designed to solve a fundamental market failure: the lack of transparent, comparable information regarding the sovereignty and security guarantees of cloud providers.

The Legal Basis: Article 22 and the Autonomy Framework

The creation and maintenance of this repository are explicitly mandated by Article 22 of the CADA proposal. The Article outlines the Commission's role in establishing and maintaining a "dedicated repository of cloud computing services that have been recognised in accordance with Article 17." This recognition process is the result of rigorous conformity assessments, ranging from self-assessments for Union assurance level 1 to independent third-party audits for levels 2, 3, and 4.

Under Article 22(1), the Commission is responsible for setting up this infrastructure. The registration process is decentralised in its initial phase but centralised in its presentation: the national competent authority that recognises a cloud service under Article 17 is obligated to register that service in the central repository, as stated in Article 22(2). This ensures that the data feeding the repository is authoritative and verified by the relevant national bodies, rather than being self-declared by providers.

Crucially, Article 22(4) stipulates that the central repository "shall be publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website." This public accessibility is key to its market-improving function. It transforms sovereignty compliance from a hidden, contractual due diligence exercise into a visible, market-wide standard.

Furthermore, the repository is designed to handle negative outcomes transparently. Article 22(3) requires that any revocation of an audit report or a recognition by a competent authority be published in the repository and remain available there for five years. This ensures that the market has a complete historical record of a provider's compliance status, preventing providers with lapsed or revoked certifications from misleading buyers.

This mechanism directly supports the autonomy objectives set out in Article 1(3), which aims to "improve the functioning of the single market by laying down a uniform Union legal framework for increasing the Union's resilience and strategic autonomy in cloud and AI technologies." By making the sovereignty status of services transparent, the repository facilitates the functioning of the internal market and reduces the fragmentation caused by divergent national trust standards.

Reducing Information Asymmetry

In the current cloud market, public-sector buyers often face significant information asymmetry. Providers may claim to offer "sovereign" or "trusted" services, but verifying these claims requires expensive, time-consuming legal and technical audits. Buyers lack the resources to independently verify the complex criteria set out in CADA's Annex II, such as data localisation, personnel citizenship requirements, and freedom from third-country control.

The central repository mitigates this asymmetry by providing a pre-verified list of services. Instead of conducting duplicate due diligence for every procurement, public authorities can consult the repository to see which services have already been assessed and recognised by national competent authorities. This reduces transaction costs and accelerates procurement timelines. By making the sovereignty status of a service a matter of public record, the repository levels the playing field, allowing buyers to make informed decisions based on verified data rather than marketing claims.

This transparency is particularly vital for smaller public bodies that may lack the technical expertise to assess complex cloud architectures. The repository acts as a trusted intermediary, ensuring that the "Union assurance" label carries a consistent, verified meaning across all Member States.

Driving Demand Toward Recognised Services

The repository acts as a powerful demand-side driver for the CADA sovereignty framework. Article 30 of CADA mandates that contracting authorities must procure cloud services that have been recognised as offering at least Union assurance level 1, and higher levels (2, 3, or 4) for activities contributing to public order. However, these procurement obligations are only effective if buyers can easily identify which providers meet these criteria.

By listing only recognised services, the repository creates a clear "shortlist" for compliant procurement. This visibility incentivises cloud providers to seek recognition, as listing in the repository becomes a prerequisite for accessing the lucrative public-sector market. Providers that fail to achieve recognition are effectively excluded from the centralised view of compliant services, creating a strong market signal. This dynamic encourages providers to invest in the necessary technical and organisational measures to meet the sovereignty criteria, thereby increasing the overall supply of trusted European cloud services.

Moreover, the repository supports the objective of reducing dependencies on critical technologies, as outlined in Article 1(1)(d). By making it easier for buyers to find and select EU-based or EU-compliant providers, the repository helps shift market share away from non-European incumbents, fostering a more competitive and resilient European cloud ecosystem.

Supporting Autonomy and Sovereignty Objectives

The broader goal of CADA is to strengthen the Union's technological sovereignty and reduce strategic dependencies on third-country providers. The central repository supports this by enabling the EU to monitor and steer the market toward services that align with Union values and security requirements. By aggregating data on recognised services, the Commission and Member States can gain insights into the availability and distribution of sovereign cloud capacity across the Union. This data can inform further policy measures, such as targeted support for domestic providers or initiatives to address capacity gaps in specific regions.

Moreover, the repository fosters trust in the European cloud ecosystem. When public authorities see a transparent, auditable list of trusted providers, it reinforces confidence in the security and resilience of European digital infrastructure. This trust is essential for the widespread adoption of cloud services in critical sectors such as healthcare, defence, and justice, where data confidentiality and operational autonomy are paramount.

The repository also aligns with the broader EU strategy of digital sovereignty, complementing other initiatives like the Data Act and the Cybersecurity Act. While the Data Act focuses on switching and interoperability, and the Cybersecurity Act on technical standards, CADA's repository specifically addresses the sovereignty dimension, ensuring that the cloud infrastructure underpinning the EU's digital economy is under Union control.

What this means for you

For public-sector procurement officers, the CADA central repository will become an essential tool for compliant and efficient cloud procurement. Once the regulation is in force, your due diligence process will shift from verifying sovereignty claims from scratch to checking the repository for recognised status.

  • Simplified Due Diligence: You will no longer need to conduct exhaustive technical audits to verify a provider's sovereignty claims. Instead, you can rely on the repository's listing, which confirms that the service has been assessed by a national competent authority against the CADA criteria.
  • Compliance Assurance: The repository will help you ensure that your procurement meets the mandatory requirements of Article 30. By selecting services listed in the repository with the appropriate Union assurance level, you can demonstrate compliance with the regulation's autonomy and public order requirements.
  • Market Transparency: The repository will provide you with a clear overview of the available sovereign cloud options in the EU. This transparency will help you compare providers, negotiate better terms, and avoid vendor lock-in by identifying multiple compliant alternatives.
  • Risk Management: The public availability of revocation data (as per Article 22(3)) allows you to monitor the ongoing compliance of your providers. If a provider's recognition is revoked, you will be alerted through the repository, enabling you to take timely action to mitigate risks.

For cloud service providers, the repository represents a strategic opportunity. Gaining recognition and being listed in the repository will become a key competitive advantage, opening access to the public-sector market. Providers should prepare for the recognition process under Article 17 and ensure they can meet the rigorous criteria for the desired Union assurance level.

Procurement officers and providers alike should prepare for this transition by familiarising themselves with the Union assurance levels and the criteria for recognition. Engaging with national competent authorities early on will help ensure that your procurement strategies and service offerings are aligned with the upcoming repository framework.

Common misconceptions

  • Misconception: The repository lists all cloud providers in the EU.
    • Reality: The repository only lists cloud computing services that have been formally recognised under Article 17. It does not include providers that have not applied for recognition or have been rejected. It is a register of compliance, not a general market directory.
  • Misconception: Listing in the repository guarantees absolute security.
    • Reality: Recognition indicates compliance with the specific sovereignty and security criteria of the relevant Union assurance level. It does not guarantee immunity from all cyber threats. Buyers should still conduct their own risk assessments, particularly for high-assurance levels, as required by Article 29.
  • Misconception: The repository is managed by cloud providers.
    • Reality: The repository is established and maintained by the European Commission, with data entered by national competent authorities. Providers do not self-list; they are listed only after a successful recognition process by a national authority. This ensures the integrity and authority of the information.
  • Misconception: The repository replaces the need for contractual agreements.
    • Reality: While the repository confirms a provider's recognised status, buyers still need to enter into contracts that specify the service level agreements, data processing terms, and other commercial conditions. The repository is a tool for identification and verification, not a substitute for legal contracts.
  • Misconception: The repository is a static list.
    • Reality: Under Article 22(4), the repository is "regularly updated." It reflects the dynamic nature of compliance, including new recognitions, changes in status, and revocations, ensuring that buyers always have access to the most current information.

This is general information about a draft EU regulation, not legal advice.