Summary
The proposed Cloud and AI Development Act (CADA) establishes a central repository of recognised cloud computing services to operationalise the EU's digital sovereignty framework. As proposed in Article 22, this publicly available register allows public-sector bodies to easily identify providers that have met specific Union assurance levels through rigorous self-assessment or independent audit. By making sovereignty credentials transparent and verifiable, the repository steers public procurement toward trusted, sovereign-aligned services, thereby reducing critical dependencies on third-country providers and ensuring the protection of public order.
Detail
The Cloud and AI Development Act (CADA) is designed to strengthen Europe's cloud and AI ecosystem by addressing the Union's heavy reliance on a limited number of third-country cloud providers. A core mechanism for achieving this strategic autonomy is the Union cloud computing sovereignty framework, detailed in Title IV of the proposal. This framework defines four "Union assurance levels" (Level 1 to Level 4) that categorise cloud services based on their compliance with strict criteria regarding data localisation, personnel citizenship, cybersecurity certification, and freedom from third-country control.
However, a sovereignty framework is only effective if buyers can easily identify which services comply with it. Without a centralised source of truth, verifying a provider's status would be fragmented, inconsistent, and prone to error across the single market. This is where the central repository becomes critical.
The Role of Article 22: A Single Source of Truth
Article 22 of the CADA proposal mandates the establishment and maintenance of a dedicated repository of cloud computing services that have been formally recognised as offering Union assurance levels 1 through 4. This repository serves as the single source of truth for the EU's sovereign cloud market, ensuring that the "sovereign" label is not merely a marketing claim but a verified legal status.
Key features of the repository, as outlined in Article 22, include:
- Centralised Maintenance: The European Commission is responsible for establishing and maintaining the repository. This ensures a uniform, EU-wide view of the market rather than a patchwork of national lists.
- Mandatory Registration: National competent authorities (NCAs) that recognise a cloud service under Article 17 must register that service in the central repository. This ensures that once a service is recognised in one Member State, its status is immediately visible and valid across the entire Union.
- Public Accessibility: The repository must be publicly available and regularly updated on a dedicated, easily accessible website. This transparency is crucial for building trust among public and private sector users and enabling market transparency.
- Revocation Visibility: If a recognition is revoked, whether by an auditing organisation or a competent authority, this revocation must be published in the repository and remain available there for five years. This ensures that past non-compliance or loss of status is transparent to potential buyers, preventing "zombie" recognitions from misleading procurement officers.
Supporting Procurement and Trust Objectives
The repository is not merely an informational tool; it is a functional enabler for the demand-side measures in CADA. Title IV, Chapter II, sets out strict procurement rules for public-sector bodies that rely directly on the data in this register:
- Minimum Baseline (Level 1): All contracting authorities must procure, at a minimum, services recognised as Union assurance level 1 (Article 30(2)).
- Higher Assurance for Critical Functions: Where a risk assessment determines that public sector activities contribute to the preservation of public order (e.g., in defence, justice, or critical infrastructure), authorities must only procure services recognised at Union assurance levels 2, 3, or 4 (Article 30(3)).
Without the repository, verifying whether a provider meets these mandatory assurance levels would be administratively burdensome and prone to error. The repository allows procurement officers to:
- Verify Compliance Instantly: Confirm that a vendor holds a valid recognition for the required assurance level without needing to request and validate complex audit reports manually.
- Ensure Cross-Border Recognition: Rely on the fact that a service recognised in one Member State is recognised across the Union, facilitating a true single market for sovereign cloud services.
- Mitigate Risk: Access up-to-date information on any revocations or changes in status, ensuring that public bodies do not inadvertently contract with services that no longer meet sovereignty criteria.
Steering Demand Toward Sovereign Services
By linking procurement obligations directly to the repository, CADA creates a powerful market signal. Providers who invest in meeting the stringent criteria for Union assurance levels gain visibility and access to the lucrative public-sector market. Conversely, providers who do not meet these standards, or whose status is revoked, are effectively excluded from public procurement for activities related to public order.
This mechanism supports the broader EU goal of technological sovereignty. It reduces the risk of operational discontinuity, unauthorised data access by third-country authorities, and dependency on vendors subject to extraterritorial laws. By creating a transparent, auditable, and EU-wide list of trusted providers, the repository helps build a resilient cloud infrastructure that is under the effective control of EU law and authorities.
Integration with the Broader Autonomy Framework
The repository works in tandem with other CADA provisions to create a cohesive autonomy strategy:
- Risk Assessments (Article 29): Member States and Union entities must conduct risk assessments to determine the appropriate assurance level for their activities. The repository provides the data needed to match these risk profiles with compliant services.
- Independent Audits (Article 20): For levels 2–4, services must undergo independent third-party audits. The repository reflects the outcome of these audits, ensuring that the "sovereign" label is backed by rigorous verification.
- Transparency Obligations (Article 23): Providers must report material changes that could affect their recognition status. The repository ensures these changes are publicly visible, maintaining the integrity of the assurance levels.
What this means for you
For public-sector procurement officers and legal teams, the introduction of the CADA repository will fundamentally change how cloud services are sourced and managed.
1. Simplified Vendor Due Diligence
Instead of manually verifying complex technical and legal criteria for every potential cloud provider, you will be able to consult the central repository. If a service is listed with the appropriate Union assurance level, it has already undergone the necessary conformity self-assessment (for Level 1) or independent audit (for Levels 2–4). This significantly reduces the administrative burden and legal risk associated with cloud procurement.
2. Mandatory Compliance Checks
Once CADA is in force, you will be legally required to ensure that your cloud contracts align with the Union assurance levels dictated by your risk assessment. For standard administrative tasks, Level 1 recognition will be the minimum requirement. For sensitive or critical functions, you must procure services recognised at Levels 2, 3, or 4. The repository will be your primary tool for verifying this compliance.
3. Monitoring for Changes
Recognitions are not permanent. Providers must report material changes, and auditing organisations or competent authorities can revoke recognitions. As a procurement officer, you must monitor the repository for any changes to the status of your current providers. A revocation published in the repository may trigger a need to reassess your contract or migrate services to maintain compliance with CADA.
4. Supporting European Providers
By prioritising services listed in the repository, you are actively supporting the growth of European cloud providers who have invested in meeting EU sovereignty standards. This aligns with the CADA objective of fostering a competitive and resilient EU cloud market, reducing dependence on non-European incumbents.
5. Preparation for Implementation
While the repository is not yet live, you can begin preparing by:
- Reviewing your current cloud contracts to identify services used for public order activities.
- Assessing whether your current providers are likely to meet the Union assurance level criteria.
- Engaging with potential providers to understand their roadmap for achieving recognition under CADA.
Common misconceptions
Misconception 1: The repository is a certification body. The repository itself does not certify or audit providers. It is a passive register that reflects decisions made by national competent authorities and auditing organisations. The actual assessment and recognition process is governed by Articles 17–21 of CADA.
Misconception 2: Only EU-based providers can be listed. While the criteria heavily favour EU-established providers with data and personnel located in the Union, the framework does allow for third-country providers to be audited against Union assurance level 3 under specific conditions (Article 18). If a third-country provider meets the strict criteria and is recognised by a national competent authority, their service will be listed in the repository. However, the criteria for Levels 2–4 are so stringent that EU-established providers will dominate the register.
Misconception 3: Listing in the repository guarantees unlimited use. Being listed in the repository means a service meets the technical and legal criteria for a specific assurance level. It does not automatically qualify a service for all use cases. Procurement officers must still conduct risk assessments (Article 29) to determine the appropriate assurance level for their specific activities. A Level 1 service, while listed, cannot be used for activities requiring Level 3 assurance.
Misconception 4: The repository replaces national procurement rules. The repository supports and complements national and EU procurement rules; it does not replace them. Contracting authorities must still follow standard public procurement procedures. However, the repository provides the technical evidence needed to justify award criteria and mandatory requirements related to sovereignty.
This is general information about a draft EU regulation, not legal advice.