Summary Under the proposed Cloud and AI Development Act (CADA), the standard recognition process for a cloud computing service provider takes approximately 120 days (roughly four months). This timeline is split into two distinct phases: a 60-day assessment by the evaluating national competent authority, followed by a 60-day cross-border review by other Member States. Crucially, the initial 60-day clock can be suspended if the authority requests additional information; this suspension "shall not exceed 30 days in total unless it is justified by the nature of the information requested or by exceptional circumstances" (Article 17(5)). While SMEs seeking only Union assurance level 1 benefit from an automatic recognition derogation, providers seeking levels 2, 3, or 4 must navigate this full timeline, which can extend if objections are raised or the Commission is involved.

Detail

The proposed CADA establishes a harmonised, Union-wide mechanism for recognising cloud computing services that meet specific sovereignty criteria. Article 17 of the proposal sets out the procedural timeline and the roles of national competent authorities. The process is designed to be predictable but includes safeguards to ensure the quality of evidence submitted.

Phase 1: The Initial Assessment (60 Days)

The clock starts when a cloud computing service provider submits an application for recognition to the national competent authority of establishment (the authority in the Member State where the provider has its main establishment).

According to Article 17(5), the evaluating national competent authority has 60 days from the acceptance of the application to assess the evidence submitted. During this period, the authority must verify whether the provider meets the cumulative criteria for the requested Union assurance level (Level 1, 2, 3, or 4) as set out in Annex II.

At the conclusion of this 60-day window, the authority must take one of three actions:

  1. Prepare a draft recognition decision: If the evidence is sufficient, the authority prepares a draft decision to recognise the service. It must then notify the competent authorities of all other Member States, triggering the cross-border review phase.
  2. Request further information: If the evidence is insufficient, the authority may request additional details. This action suspends the 60-day assessment clock.
  3. Reject the request: If the evidence remains insufficient or the criteria are not met, the authority may reject the request. However, Article 17(5)(c) mandates that prior to rejection, the authority must give the provider an opportunity to provide written comments on the conclusions of the evaluation within 30 days.

The Suspension Mechanism: Pausing the Clock

A critical aspect of the timeline is the suspension clause found in Article 17(5)(b). If the authority requests further information, the 60-day assessment period is suspended "from the date of issue of the request until the date the information is received."

The regulation places a strict limit on this pause:

"The suspension shall not exceed 30 days in total unless it is justified by the nature of the information requested or by exceptional circumstances."

This means that in a standard scenario where a provider needs to supply missing documentation, the initial assessment phase can extend to 90 days (60 days initial + 30 days suspension). The text explicitly allows for the suspension to exceed 30 days, but only if justified by the complexity of the information or exceptional circumstances. This is not a routine extension but a specific exception to the general rule.

Phase 2: The Cross-Border Review (60 Days)

Once the evaluating authority is satisfied with the evidence and issues a draft recognition decision, the process moves to the Union-wide review stage. Under Article 17(5)(a), the authority notifies the competent authorities of other Member States, initiating a 60-day review period.

During this 60-day window, other Member States have the right to:

  • Submit a reasoned objection if they believe the draft decision does not comply with the applicable Union assurance level criteria.
  • Request clarification from the evaluating authority.

If no reasoned objection or request for clarification is submitted within this 60-day period, the conclusions of the evaluating authority are deemed accepted by all Member States. The evaluating authority then adopts the final recognition decision, and the service is recognised throughout the Union (Article 17(7)).

Handling Objections and Commission Referrals

If an objection or clarification request is raised, the timeline becomes more complex:

  • Clarification: The evaluating authority must take due account of the request. It may ask the applicant for new information (potentially triggering another suspension) or modify its draft decision.
  • Objection: If a reasoned objection is submitted, the evaluating authority must assess it and decide whether to maintain or revoke its draft decision. It must inform other authorities within 15 days of the end of the review period or 15 days after receiving the objection (Article 17(9)).
  • Commission Referral: If the evaluating authority intends to maintain its decision despite an objection, the concerned national competent authority may refer the matter to the European Commission. The Commission will then adopt a binding decision determining whether the recognition may proceed (Article 17(10)). This referral process introduces an indeterminate variable to the timeline, as the duration of Commission assessment is not fixed in the same way as the national phases.

The SME Exception for Level 1

It is important to note that the 120-day timeline does not apply to all providers. Article 17(3) provides a specific derogation for Small and Medium-sized Enterprises (SMEs) seeking Union assurance level 1.

For SMEs, the EU statement of conformity is "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." This means SMEs at Level 1 bypass both the 60-day assessment and the 60-day review entirely. However, this exception is strictly limited to Level 1; SMEs seeking Levels 2, 3, or 4 must undergo the full audit and recognition process.

What this means for you

For cloud service providers (CSPs) and data centre operators, the proposed CADA timeline dictates your market entry strategy and sales cycles.

Plan for a 4-to-5-month horizon While the statutory minimum is 120 days, you should build a buffer into your project plans. The possibility of a 30-day suspension for information requests means a realistic baseline is 5 months. If your application is incomplete or your evidence does not align perfectly with Annex II and Annex III, the clock stops, and your timeline extends.

Prepare your evidence upfront to avoid suspension The most significant risk to your timeline is the suspension clause in Article 17(5). To avoid the 30-day pause (or the potential for a longer suspension), ensure your application package is comprehensive from day one.

  • For Level 1: Ensure your EU statement of conformity is robust and covers all criteria.
  • For Levels 2, 3, and 4: Secure a "positive" audit opinion from an independent auditing organisation before submission. Work closely with your auditor to ensure all evidence listed in Annex III is gathered and documented.

Engage with the evaluating authority early While the text does not explicitly mandate pre-submission consultations, engaging in preliminary discussions with the national competent authority of your establishment can help clarify expectations. This proactive step can help you avoid a formal request for further information later, which would pause your 60-day clock.

Monitor the cross-border review Once your draft decision is issued, the 60-day review period begins. While you cannot directly influence other Member States' assessments, you should remain responsive. If another authority requests clarification, your evaluating authority may ask you for new information. Responding promptly to these secondary requests is vital to keeping the process moving.

Factor in the risk of objections If another Member State raises a reasoned objection, the timeline becomes less predictable. The evaluating authority has 15 days to respond, but if the matter is referred to the Commission, the process could extend significantly. Ensure your documentation is robust enough to withstand scrutiny from any Member State, not just your home authority.

Common misconceptions

"Recognition is automatic after 60 days." Many providers assume that once they submit their application, they will have a decision within 60 days. In reality, the 60-day clock is for the initial assessment by the home authority. The final recognition only occurs after the subsequent 60-day review period by other Member States concludes without objection. The total minimum timeline is 120 days, not 60.

"The 30-day suspension is a hard cap." Article 17(5) states that the suspension for further information "shall not exceed 30 days in total unless it is justified by the nature of the information requested or by exceptional circumstances." Some providers interpret this as a strict 30-day limit. However, the "unless" clause allows for extensions. While rare, complex technical audits or exceptional circumstances could justify a longer suspension. Do not treat the 30-day mark as an absolute guarantee of progress.

"SMEs are exempt from the timeline entirely." Article 17(3) provides a derogation for SMEs seeking Union assurance level 1. Their EU statement of conformity is "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." This means SMEs at Level 1 bypass the 60-day assessment and 60-day review entirely. However, this exception only applies to Level 1. SMEs seeking Levels 2, 3, or 4 must undergo the full audit and recognition process, including the 120-day timeline.

"The Commission decides most recognitions." The Commission is only involved if a Member State objects to a draft decision and the matter is referred to it (Article 17(10)). In the vast majority of cases, the process is resolved between the national competent authorities. The Commission does not review every application; it acts as a tie-breaker in disputes.

Related

This is general information about a draft EU regulation, not legal advice.