Summary Under the proposed Cloud and AI Development Act (CADA), the 60-day assessment period for recognizing a cloud computing service as meeting a Union assurance level is subject to a strict suspension mechanism. As set out in Article 17(5)(b), if a national competent authority requests further information due to insufficient evidence, the clock stops from the date of the request until the information is received. This suspension is capped at 30 days in total, unless the nature of the information requested or exceptional circumstances justify a longer period. This rule prevents indefinite delays while ensuring authorities can obtain necessary data for complex sovereignty assessments.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised framework for recognizing cloud computing services that offer specific levels of "Union assurance." For providers seeking recognition at levels 2, 3, or 4, the process is rigorous, requiring independent third-party audits and a formal assessment by the national competent authority of establishment. The predictability of this timeline is critical for market access, particularly for public sector bodies that must procure services meeting specific assurance levels under Article 30.

The Baseline: The 60-Day Assessment Window

Article 17(5) of the CADA proposal establishes the standard timeline for the evaluating national competent authority. Once an application for recognition is accepted, the authority has 60 days to assess the evidence submitted. This evidence must include the audit report, the "positive" audit opinion, and all underlying evidence provided during the audit procedure (as referenced in Article 17(4)).

Within this 60-day window, the authority must take one of three actions:

  1. Prepare a draft recognition decision and notify other Member States for a 60-day review period (Article 17(5)(a));
  2. Request further information from the applicant if the evidence is insufficient (Article 17(5)(b)); or
  3. Reject the request for recognition (Article 17(5)(c)).

The Suspension Mechanism: Article 17(5)(b)

The most critical procedural safeguard for applicants regarding timeline predictability is found in Article 17(5)(b). If the evaluating competent authority determines that the submitted evidence is insufficient to allow for recognition, it may request further information. The applicant is then required to submit this information within a specified time limit.

Crucially, the regulation explicitly states that the 60-day period "shall be suspended from the date of issue of the request until the date the information is received." This suspension ensures that the authority is not penalized for delays caused by the applicant's inability to immediately produce complex technical or legal documentation, such as detailed software bills of materials (SBOMs), proof of legal separation from third-country subsidiaries, or evidence of personnel citizenship.

The 30-Day Cap and Exceptions

To prevent the recognition process from being stalled indefinitely through repeated, broad, or strategic information requests, the CADA imposes a strict limit on this suspension. Article 17(5)(b) specifies the following constraint:

"The suspension shall not exceed 30 days in total unless it is justified by the nature of the information requested or by exceptional circumstances."

This provision creates a two-tiered framework for handling delays:

  1. Standard Suspension (The 30-Day Cap): In the vast majority of cases, the clock stops for a maximum of 30 days. This provides a reasonable window for applicants to retrieve logs, clarify contractual arrangements with subcontractors, or provide additional evidence regarding infrastructure location. The cap applies to the total duration of the suspension, meaning multiple requests within the same assessment phase cannot cumulatively exceed this limit without justification.
  2. Exceptional Extensions: The regulation allows for the suspension to exceed 30 days only under two specific conditions:
    • Nature of the Information: If the requested data is inherently complex, voluminous, or technically intricate (e.g., a full forensic audit of a global software supply chain), the authority may justify a longer suspension.
    • Exceptional Circumstances: Unforeseen events or unique situations that prevent a timely response may also justify an extension.

The text does not define a hard upper limit for these exceptions, implying that any extension must be proportionate to the justification provided. However, the burden of proof lies with the authority to demonstrate that the delay is necessary and not arbitrary. This ensures that the suspension mechanism serves its purpose of ensuring thorough assessment without becoming a tool for administrative stalling.

Interaction with Cross-Border Review

It is important to distinguish the suspension under Article 17(5)(b) from the subsequent cross-border review process. The suspension applies specifically to the initial 60-day assessment period of the evaluating authority. It does not directly pause the subsequent 60-day review period by other Member States (under Article 17(5)(a)) or the procedures for reasoned objections and clarifications under Articles 17(6)–10.

However, if a reasoned objection from another Member State leads to a need for new information from the applicant, the evaluating authority may again invoke Article 17(5)(b) to suspend the clock, subject to the same 30-day default cap and the requirement for justification if an extension is needed. This ensures that the entire recognition process remains time-bound and efficient, even in complex cross-border scenarios.

What this means for you

For in-house counsel, compliance officers, and cloud service providers managing sovereignty certifications, understanding the suspension mechanics is vital for project planning and risk management.

1. Proactive Evidence Preparation Since the 60-day clock pauses only upon the issue of a request, the most effective strategy is to ensure the initial submission is comprehensive. The audit evidence required for Union assurance levels 2–4 (detailed in Annex III of CADA) is extensive, covering infrastructure location, personnel citizenship, software supply chain transparency, and third-country control assessments. Gaps in this initial submission will trigger an information request, starting the suspension clock. Aim to pre-empt likely questions from competent authorities to avoid triggering Article 17(5)(b) altogether.

2. Managing the 30-Day Window If a request for further information is received, you have a limited window before the suspension cap is reached. If the authority requests complex data (e.g., detailed lineage of training data for AI models or proof of legal separation from third-country subsidiaries), begin gathering this immediately. If you anticipate needing more than 30 days, communicate early with the authority to document why the "nature of the information" justifies an extension beyond the standard cap. Documenting these exceptional circumstances is crucial for defending against potential allegations of procedural delay or inefficiency.

3. Impact on Public Procurement Timelines Public sector bodies are required to conduct risk assessments (Article 29) and procure services meeting specific assurance levels (Article 30). Delays in your recognition can bottleneck these procurement processes. Use the suspension period to engage with prospective public sector clients, providing interim assurances or updates on the status of your application to maintain commercial momentum.

4. Strategic Use of Clarifications If another Member State raises a reasoned objection during the 60-day review period (Article 17(6)), the evaluating authority may need to request new information from you (Article 17(8)). This can trigger another suspension under Article 17(5)(b). Be prepared for multiple suspension cycles if cross-border objections arise, particularly regarding nuanced interpretations of "third-country control" or "data localization."

Common misconceptions

Misconception 1: The suspension is unlimited. Some providers assume that if an authority requests more information, the 60-day clock stops indefinitely until the information is provided. This is incorrect. The default cap is 30 days. Only in justified cases of complex information or exceptional circumstances can this extend. Authorities cannot use information requests to stall the process without cause.

Misconception 2: The suspension applies to the entire recognition process. The suspension under Article 17(5)(b) applies specifically to the evaluating authority's initial 60-day assessment. It does not suspend the subsequent 60-day review period by other Member States, nor does it pause the clock for the applicant's own internal delays in responding. The clock resumes only when the information is received by the authority.

Misconception 3: "Exceptional circumstances" is a free pass. While the text allows for extensions beyond 30 days, "exceptional circumstances" is a high threshold. It is not intended for routine administrative delays or minor data gaps. It likely refers to situations involving significant legal complexity, national security sensitivities, or unforeseen technical hurdles that genuinely prevent a timely response. Providers should not rely on this exception for standard delays.

Related

This is general information about a draft EU regulation, not legal advice.