Summary
The proposed Cloud and AI Development Act (CADA) ensures the integrity of its central repository through a strict, multi-layered notification chain rather than manual daily checks. As proposed, cloud computing service providers must notify their auditing organisation and national competent authority (NCA) "as soon as possible" of any material change affecting their Union assurance level. This triggers a cascade: the auditor assesses and potentially amends or revokes the audit report, the NCA then assesses and potentially amends or revokes the recognition, and finally, the Commission and NCAs update the public repository. Crucially, under Article 22(3), any revocation of an audit report or recognition must remain published in the repository for five years, ensuring that historical non-compliance remains visible to public sector buyers. The repository itself is mandated to be "publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website" (Article 22(4)).
Detail
The CADA proposal establishes a centralised, publicly accessible repository of cloud computing services that have been recognised as offering specific Union assurance levels. This repository, established and maintained by the European Commission, serves as the single source of truth for public sector bodies and private entities seeking sovereign cloud services. Unlike static registries, the CADA framework treats the repository as a dynamic record, dependent on a rigorous, automated update mechanism designed to prevent stale or inaccurate information from misleading procurement decisions.
Registration and Initial Entry
The lifecycle of an entry begins with the initial recognition of a service. Under Article 22(2), the national competent authority of establishment (the authority in the Member State where the cloud provider has its main establishment) is responsible for registering the recognised cloud computing service in the central repository. This registration occurs only after the evaluating national competent authority has successfully concluded the recognition procedure, verifying that the provider meets the cumulative criteria for Union assurance levels 1 through 4 as set out in Annex II. Once the NCA adopts the recognition decision, it must register the service, creating the initial public record.
The Notification Chain for Updates
The repository's accuracy relies on a mandatory transparency obligation for cloud providers, detailed in Article 23, which feeds directly into the update mechanism described in Article 22. The process operates as a sequential chain of responsibility:
- Provider Notification: When a cloud computing service provider becomes aware of any information or material change in circumstances that may affect its audit report, audit opinion, or recognition, it must notify its auditing organisation and the national competent authority of establishment "as soon as possible." This obligation covers critical changes such as shifts in ownership, infrastructure relocation, changes in subcontractor relationships, or cybersecurity incidents that could impact the provider's ability to meet the assurance level criteria.
- Auditor Assessment: Upon receiving this notification, the auditing organisation must assess whether the audit report or the 'positive' audit opinion needs to be amended or revoked. If the auditor determines that the provider no longer complies with the required criteria, it amends or revokes the report and notifies the national competent authority of establishment.
- Authority Action: The national competent authority then assesses whether its initial recognition of the service needs to be amended or revoked. If the authority decides to amend or revoke the recognition, it must notify the national competent authorities of all other Member States and the Commission. This cross-border notification ensures that all Member States are aware of changes to a provider's status, maintaining the mutual recognition principle across the EU.
- Repository Update: The Commission and the national competent authorities of establishment are jointly responsible for the final step. Article 22(4) mandates that the repository be "publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website." This ensures that any revocation or amendment is reflected in the public register promptly, preventing public sector buyers from procuring services that no longer meet the required sovereignty standards.
Handling Revocations and the "Shadow Record"
Transparency regarding non-compliance is a core feature of the CADA framework. Article 22(3) stipulates that the revocation of an audit report and audit opinion by an auditing organisation, or the revocation of a recognition by a competent authority, shall be published in the central repository. Crucially, this information must remain available in the repository for five years.
This "shadow record" serves as a powerful deterrent against bad faith practices and allows public sector bodies to conduct thorough due diligence on a provider's historical compliance. It ensures that a provider cannot simply disappear from the register when revoked and reappear later without a clear history of non-compliance. The five-year retention period provides a significant window for market participants to assess the stability and reliability of potential suppliers.
Commission Oversight and Technical Maintenance
While national competent authorities handle the day-to-day registration and revocation processes, the Commission retains overarching responsibility for the repository's existence and accessibility. The Commission ensures that the technical infrastructure supports the regular updates from national authorities and that the data presented to the public is accurate, machine-readable, and easily navigable. This centralised oversight prevents fragmentation and ensures that a provider recognised in one Member State is either universally recognised or universally flagged as non-compliant across the entire Union. The "regularly updated" requirement in Article 22(4) implies a continuous cycle of data synchronisation rather than periodic batch updates.
What this means for you
For CTOs, procurement officers, and architects evaluating cloud providers for public sector contracts or high-criticality private sector use, the CADA central repository's update mechanism offers both a critical tool and a strategic responsibility.
For Procurement and Due Diligence: You can rely on the central repository as the definitive source for verifying a provider's current Union assurance level. However, you should not treat the initial check as a one-time event. Because the repository is updated based on material changes and revocations, you should implement regular monitoring of the provider's status, especially for long-term contracts. If a provider's recognition is revoked, the entry remains visible for five years, providing you with historical context on their compliance stability. This historical data is vital for risk assessment; a provider with a recent revocation may pose a higher risk than one with a clean, long-standing record.
For Cloud Providers: If you are a cloud computing service provider aiming for Union assurance levels 2 to 4, you must establish robust internal processes to detect and report material changes. The "as soon as possible" notification requirement means that delays in reporting can lead to regulatory penalties and loss of market access. Your relationship with your auditing organisation is critical; you must provide them with timely information to ensure their audit opinions remain accurate. Failure to notify the auditor and the competent authority of material changes is a direct infringement of the proposal's transparency obligations and could trigger a revocation that remains public for five years.
For SMEs: While SMEs have a streamlined path for Union assurance level 1 (automatic recognition of their EU statement of conformity), they are still part of this ecosystem. If an SME's circumstances change such that they no longer meet the criteria for level 1, the national competent authority may revoke their recognition. This revocation will be published in the central repository, potentially impacting their ability to win public sector contracts. Therefore, even SMEs must maintain rigorous compliance monitoring and be prepared to notify authorities of any significant operational changes to avoid being flagged in the public register.
Common misconceptions
Misconception 1: The Commission manually updates the repository daily. The Commission does not manually verify every provider's status every day. Instead, the repository is updated based on the formal notifications from national competent authorities and auditing organisations. The Commission maintains the platform and ensures the data is published, but the trigger for updates is the regulatory action taken by national authorities following provider or auditor notifications. The "regularly updated" language in Article 22(4) refers to the frequency of these automated or semi-automated updates driven by the notification chain, not manual daily audits by Commission staff.
Misconception 2: Revoked recognitions are removed from the repository immediately. No. Article 22(3) explicitly requires that revocations remain published in the central repository for five years. This is a deliberate design choice to ensure transparency and accountability. A provider with a revoked status will still appear in the register, clearly marked as revoked, allowing buyers to see the history of non-compliance. This prevents "rebranding" strategies where a provider might attempt to hide past failures.
Misconception 3: Only the national competent authority of establishment can update the record. While the authority of establishment is the primary actor for registration and initial revocation, the update mechanism is a chain. The auditing organisation plays a crucial role by amending or revoking the audit report, which triggers the authority's action. Furthermore, the Commission is jointly responsible for the regular updating and public availability of the repository. All three entities (auditor, national authority, and Commission) contribute to the accuracy of the final public record.
This is general information about a draft EU regulation, not legal advice.