Summary
Under the proposed Cloud and AI Development Act (CADA), compliance costs are not uniform but depend entirely on the targeted Union assurance level and the provider's size. For Union assurance level 1, costs are minimal, relying on a self-assessment under Article 19. Crucially, Article 17(3) grants Small and Medium-sized Enterprises (SMEs) automatic recognition across the EU, bypassing national authority fees and administrative delays. In contrast, Union assurance levels 2, 3, and 4 mandate paid independent third-party audits under Article 20(1), incurring significant upfront fees and recurring annual review costs. Providers must budget for these audits, the preparation of extensive evidence, and potential operational changes to meet stricter sovereignty criteria.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a tiered sovereignty framework that creates a distinct cost structure for cloud computing service providers. The financial burden is not a flat regulatory fee but a function of the assurance level sought, the complexity of the provider's infrastructure, and whether the entity qualifies as an SME. The regulation explicitly differentiates between the low-barrier entry for Level 1 and the rigorous, paid verification required for Levels 2 through 4.
The Low-Cost Path: Level 1 Self-Assessment and SME Exemptions
For providers targeting Union assurance level 1, the compliance pathway is designed to be accessible, minimizing direct financial outlays. The core mechanism is the conformity self-assessment mandated by Article 19. Under Article 19(1), providers must internally verify compliance with the criteria set out in Annex II, such as being established in the Union and ensuring infrastructure remains within the Union unless explicitly required otherwise by a public sector body.
Following this internal verification, the provider issues an EU statement of conformity. Article 19(2) clarifies that by issuing this statement, the provider "shall assume responsibility for the compliance of the cloud computing service with the criteria." While this statement must generally be submitted to the national competent authority of establishment for recognition, the proposal introduces a critical cost-saving derogation for smaller entities.
Article 17(3) states that for SMEs, the EU statement of conformity "shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." This provision effectively eliminates the administrative processing costs and potential fees associated with national authority reviews for SMEs. It removes the barrier of waiting for a formal decision, allowing SMEs to compete for standard public sector contracts immediately upon issuing their statement. For these providers, the primary cost is internal: the man-hours required to conduct the self-assessment and document the evidence, rather than external audit fees or authority charges.
The High-Cost Path: Independent Audits for Levels 2, 3, and 4
The financial landscape shifts dramatically for providers seeking Union assurance levels 2, 3, or 4. These levels are reserved for public sector activities contributing to the preservation of public order and require rigorous, independent verification.
Under Article 20(1), providers seeking these levels "shall undergo at their own expense, independent third-party audits to obtain an audit report and an audit opinion from an auditing organisation." This is a mandatory financial obligation. The provider bears the full cost of hiring an external entity that meets the strict independence and competence requirements outlined in Article 20(4). These auditors must be free from conflicts of interest, possess proven technical competence in auditing cloud services, and adhere to high professional ethics.
The cost structure for these levels includes several distinct components:
- Initial Audit Fees: The provider must pay for a comprehensive assessment of its infrastructure, data flows, personnel, and governance against the cumulative criteria of the target assurance level. The scope is extensive, requiring the auditor to verify evidence of data localisation, the absence of third-country control, and the possession of appropriate cybersecurity certifications. The complexity of verifying these conditions, particularly for global providers with intricate supply chains, drives the initial fee.
- Recurring Annual Review Costs: Compliance under CADA is not a one-time event. Article 20(8) mandates that "the audited provider shall annually submit for review the audit report and the associated 'positive' audit opinion to the same or a different auditing organisation." This annual review assesses continued compliance with the applicable criteria. This creates a recurring operational cost, ensuring that sovereignty standards are maintained over time. Providers must budget for this expense indefinitely to maintain their recognised status.
- Evidence Preparation Costs: While not a direct fee paid to an auditor, the preparation of necessary documentation represents a significant indirect cost. Article 21 outlines the content and quality of audit evidence, requiring providers to supply "relevant and sufficient" and "reliable" information. This includes compiling Software Bills of Materials (SBOMs), detailed data flow diagrams, proof of personnel citizenship, and evidence of legal separation from third-country subsidiaries. The internal resources required to gather, validate, and present this evidence can be substantial.
Factors Influencing Audit Costs
The financial burden of the independent audit under Article 20 will vary based on several specific factors:
- Assurance Level Stringency: Union assurance level 4 is the most stringent. It requires that the provider and subcontractors are not subject to third-country control and that all personnel are Union citizens with necessary security clearances. Verifying these conditions, especially for large providers with complex global supply chains, will likely drive audit fees higher than for Level 2, which allows for some conditional third-country control under specific safeguards.
- Provider Size and Complexity: Larger providers with distributed infrastructure, multiple subcontractors, and complex data processing activities will require more extensive auditing efforts. The auditing organisation must verify that all subcontractors involved in the service provision also meet the criteria, expanding the scope of the audit and the associated fees.
- Market Dynamics: As the market for CADA-compliant auditing services develops, competition among auditing organisations may influence pricing. However, the high barrier to entry for auditors (requiring specific technical competence, independence, and adherence to Article 20(4)) may initially limit supply and keep prices elevated.
Indirect Costs and Operational Adjustments
Beyond the direct fees paid to auditing organisations, providers may face significant indirect costs related to operational adjustments required to meet the criteria for higher assurance levels:
- Supply Chain Restructuring: Ensuring that subcontractors are established in the Union and not subject to third-country control may require terminating contracts with non-compliant vendors or investing in new local partnerships. Annex II criteria for Levels 2, 3, and 4 impose strict requirements on the location of infrastructure, assets, and personnel, which may necessitate physical or legal restructuring.
- Cybersecurity Certification: Levels 2, 3, and 4 require obtaining a European cybersecurity certificate of at least assurance level 'substantial' (or 'high' for Level 4) under the European Cybersecurity Certification Scheme for Cloud Services (EUCS), once established. Until such a scheme is available, national schemes or the highest cybersecurity standards apply. Achieving these certifications involves its own set of costs, separate from the CADA sovereignty audit.
- Personnel Screening: For Levels 3 and 4, ensuring that all personnel are Union citizens and have necessary security clearances may require hiring adjustments, investment in clearance processes, or the recruitment of specific talent pools, all of which carry financial implications.
What this means for you
For cloud service providers and data centre operators, the CADA proposal introduces a clear trade-off between market access and compliance costs.
- If you are an SME: You can leverage the automatic recognition mechanism for Union assurance level 1 under Article 17(3). This allows you to compete for standard public sector contracts with minimal upfront compliance costs, as you avoid the need for a formal recognition procedure by national authorities. Focus on ensuring your self-assessment under Article 19 is thorough and your EU statement of conformity is robust, as you assume full responsibility for compliance.
- If you are a larger provider or targeting critical sectors: You must budget for significant recurring costs associated with independent audits under Article 20. Engage with potential auditing organisations early to understand their fee structures and requirements. Consider the long-term cost of annual reviews mandated by Article 20(8) when calculating the total cost of ownership for your sovereign cloud offering.
- Strategic Planning: Evaluate which assurance levels are necessary for your target customer base. If your primary clients are public sector bodies with activities contributing to the preservation of public order, you will need Levels 2, 3, or 4. For less critical services, Level 1 may suffice, keeping costs lower.
Common misconceptions
- "CADA compliance is a flat annual fee." Incorrect. Costs are variable and depend on the assurance level. Level 1 is largely self-managed (especially for SMEs), while Levels 2-4 require paid third-party audits and annual reviews.
- "SMEs are exempt from all compliance costs." Incorrect. SMEs are not exempt from meeting the technical criteria for Union assurance level 1. They still must perform the self-assessment under Article 19 and issue the EU statement of conformity. The exemption is only from the recognition procedure by national authorities, not from the underlying compliance obligations.
- "Audits are a one-time cost." Incorrect. Article 20(8) explicitly requires annual reviews of the audit report and opinion. Providers must budget for this recurring expense to maintain their recognised status.
- "The Commission sets the audit fees." Incorrect. Providers select their auditing organisation and pay them directly. The fees are determined by the market and the complexity of the audit, not by a fixed regulatory tariff.
- "Level 1 requires an audit." Incorrect. Level 1 relies on a conformity self-assessment under Article 19. Independent third-party audits are only mandatory for Levels 2, 3, and 4 under Article 20(1).
This is general information about a draft EU regulation, not legal advice.