Summary
The CADA central repository and the European Cybersecurity Certification Scheme for Cloud Services (EUCS) serve distinct, complementary functions within the EU's digital sovereignty framework. The repository, established under Article 22 of the proposed Cloud and AI Development Act (CADA), is a public register of cloud services formally recognised for meeting specific "Union assurance levels" regarding sovereignty, third-country control, and operational autonomy. In contrast, EUCS is a technical cybersecurity certification that addresses security controls but does not cover broader sovereignty risks. CADA explicitly positions EUCS as a technical baseline that can be leveraged within its sovereignty assessment for higher assurance levels, but the two instruments are not interchangeable. A service can be EUCS-certified yet absent from the CADA repository if it fails sovereignty criteria, while CADA recognition for levels 2–4 generally requires a cybersecurity certificate of at least "substantial" assurance.
Detail
To understand the relationship between the CADA repository and the EUCS, it is necessary to distinguish between the sovereignty assurance framework established by the Cloud and AI Development Act (CADA) and the cybersecurity certification developed under the Cybersecurity Act (Regulation (EU) 2019/881). While both aim to build trust in European cloud infrastructure, they address different dimensions of risk and operate through different legal mechanisms.
The CADA Central Repository: A Register of Sovereign Assurance
Under CADA, the European Commission is required to establish and maintain a dedicated central repository of cloud computing services that have been recognised as offering specific "Union assurance levels." Article 22(1) of the proposed Regulation states: "The Commission shall establish and maintain a dedicated repository of cloud computing services that have been recognised in accordance with Article 17 ('central repository')."
This repository is not merely a list of compliant vendors; it is the operational output of CADA's sovereignty framework. To appear in the repository, a cloud service provider must undergo a rigorous recognition process defined in Article 17. This process involves national competent authorities assessing whether a provider meets the cumulative criteria for one of four Union assurance levels (Level 1 to Level 4), which are detailed in Annex II of the proposal. These criteria extend far beyond technical security to include:
- Establishment: The provider must be established in the Union.
- Location: Infrastructure, assets, and personnel must be located in the Union (with specific nuances for levels 3 and 4).
- Data Localisation: Customer data must remain exclusively within the Union unless explicitly required otherwise by the public sector body.
- Third-Country Control: The provider must not be subject to control by a third country or legal entity established in a third country, unless specific derogations under Article 18 apply.
The repository serves as a single source of truth for public sector bodies and other entities. According to Article 22(4), the central repository "shall be publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website." Its primary function is to enable contracting authorities to verify that a cloud service meets the specific sovereignty and autonomy requirements determined by their own risk assessments (as required under Article 29).
EUCS: The Cybersecurity Baseline
In contrast, the European Cybersecurity Certification Scheme for Cloud Services (EUCS) is a certification scheme being developed under the Cybersecurity Act. Its scope is strictly limited to cybersecurity. It evaluates whether a cloud service meets specific technical and organisational security controls to protect data and systems from cyber threats.
CADA explicitly acknowledges that cybersecurity is a necessary but insufficient condition for sovereignty. The explanatory memorandum notes that "certification under the Cybersecurity Act can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements." Sovereignty, in the CADA context, encompasses additional risks such as:
- Third-country control: Whether a provider is subject to laws that could compel data access or service disruption (e.g., extraterritorial laws like the US CLOUD Act).
- Operational autonomy: The ability of the provider to continue services without interference from third-country actors.
- Data localisation and residency: Strict requirements on where data is stored and processed, which may exceed EUCS requirements.
Complementary Roles: How They Interact
CADA does not replace EUCS; rather, it leverages it. The proposal is designed to work in conjunction with the Cybersecurity Act revision. As stated in the explanatory memorandum, "When finalised, [EUCS] could be leveraged in the framework for sovereign cloud computing services as a way of ensuring that an audited service meets the highest cybersecurity standards."
This complementary relationship is codified in the criteria for the higher Union assurance levels in Annex II:
- Union assurance level 2: Providers must obtain a European cybersecurity certificate of at least assurance level 'substantial' under a scheme established under Regulation (EU) 2019/881 (i.e., EUCS), "provided that such a scheme has been established... and is available." Until such a scheme is established, national cybersecurity certification schemes shall apply.
- Union assurance level 3: Similarly requires a certificate of at least assurance level 'substantial'.
- Union assurance level 4: Requires a certificate of at least assurance level 'high'.
Therefore, the relationship can be summarised as follows:
- EUCS provides the technical cybersecurity validation (the "security" layer).
- CADA adds layers of sovereignty, autonomy, and legal compliance checks on top of that cybersecurity baseline (the "sovereignty" layer).
- The CADA Repository lists the services that have successfully passed both the cybersecurity (via EUCS or equivalent) and the broader sovereignty assessments.
Practical Distinctions for Evaluation
For CTOs and architects, the distinction is critical when evaluating vendors:
- EUCS certification attests that a service meets the scheme's technical and organisational security controls against cyber threats. It does not guarantee that the provider is free from foreign laws that could compromise data sovereignty.
- CADA repository listing attests that a service is both secure (often via EUCS) and sovereign, meeting the specific criteria on establishment, personnel, data localisation, and third-country control for its recognised assurance level.
A service can be EUCS-certified but not listed in the CADA repository if it fails the sovereignty criteria (e.g., if it is controlled by a third-country entity without the necessary safeguards under Article 18). Conversely, a service in the CADA repository for levels 2–4 will almost certainly have a strong cybersecurity posture, likely validated by EUCS or an equivalent national scheme, as this is a prerequisite.
What this means for you
For CTOs, architects, and SMEs evaluating cloud providers, the interplay between the CADA repository and EUCS changes how you assess compliance and risk.
1. Procurement and Compliance Strategy: If you are a public sector body or a private entity in a high-criticality sector (as defined in Annex I of the NIS2 Directive), you will be required to conduct risk assessments under Article 29. If your risk assessment determines that your activities contribute to the preservation of public order, you may be mandated to procure only services recognised at Union assurance levels 2, 3, or 4 (Article 30(3)). In this scenario, you cannot simply rely on an EUCS certificate. You must verify that the service is listed in the CADA central repository with the appropriate assurance level. The repository becomes your primary due diligence tool.
2. Vendor Evaluation for SMEs: For SMEs looking to offer cloud services in the EU, the path to market involves two parallel tracks:
- Cybersecurity: You must pursue EUCS certification (or an equivalent national scheme) to demonstrate technical robustness.
- Sovereignty: You must engage with your national competent authority to seek recognition under CADA (Article 17). This involves submitting evidence of your establishment, data localisation practices, and independence from third-country control.
Understanding that EUCS is a component of the CADA assessment (for levels 2–4) allows you to streamline your compliance efforts. You can use your EUCS audit evidence to satisfy the cybersecurity portion of the CADA audit, avoiding duplication of effort.
3. Risk Management and Autonomy: If you are an enterprise architect designing a multi-cloud strategy, the CADA repository offers a clearer signal of operational autonomy than EUCS alone. EUCS ensures your data is encrypted and access-controlled, but CADA's higher assurance levels (particularly Level 3 and 4) ensure that the provider cannot be forced by a third country to decrypt your data or disrupt your service. For critical infrastructure or sensitive data, this distinction is vital. You should map your data sensitivity to the CADA assurance levels and use the repository to select providers that meet those specific sovereignty thresholds.
4. Monitoring Changes: Because the repository is dynamic (Article 22(4)), you must monitor it for changes. Article 23 imposes transparency obligations on providers to report material changes that could affect their assurance level. If a provider's status in the repository changes (e.g., due to a change in ownership or a failed audit), it may trigger a need for migration. Your architecture should include contingency plans for such scenarios, as Article 29(6) allows for a reasonable transition period (not exceeding 12 months) if a risk assessment requires migration to a different service.
Common misconceptions
Misconception 1: EUCS certification is sufficient for CADA compliance. Reality: EUCS addresses cybersecurity, not sovereignty. A service can be highly secure (EUCS-certified) but still fail CADA's sovereignty criteria if, for example, it is controlled by a third-country entity that does not meet the strict safeguards of Article 18. CADA requires additional checks on legal jurisdiction, personnel nationality (for levels 3–4), and operational autonomy.
Misconception 2: The CADA repository replaces national certification lists. Reality: The repository complements national efforts. While it provides a harmonised EU-wide list, national competent authorities remain responsible for the initial recognition and ongoing supervision (Article 25). The repository aggregates these national recognitions into a single, accessible format, but it does not eliminate the need for national oversight.
Misconception 3: Only EU-based providers can be in the repository. Reality: While CADA strongly favours EU establishment, Article 18 provides a mechanism for third-country providers to be audited for Union assurance level 3 if the Commission determines that the third country provides sufficient safeguards (e.g., adequacy decisions, absence of conflicting laws). These services would also appear in the repository if recognised.
Misconception 4: The repository lists all cloud providers in the EU. Reality: The repository only lists services that have actively applied for and received recognition under Article 17. It is not a comprehensive directory of all cloud services. If a provider is not in the repository, it does not necessarily mean it is non-compliant with cybersecurity standards; it may simply not have sought CADA sovereignty recognition.
This is general information about a draft EU regulation, not legal advice.