Summary
As proposed in the Cloud and AI Development Act (CADA), the European Commission is legally required to review the criteria for Union assurance levels at least every 18 months. This mandatory review, explicitly mandated by Article 16(3), covers both the substantive criteria in Annex II and the audit evidence requirements in Annex III to ensure they remain current with legal and technical developments. Furthermore, Article 16(2) empowers the Commission to amend these annexes via delegated acts at any time, allowing for agile updates without waiting for the full legislative cycle.
Detail
The proposed CADA establishes a "Union cloud computing sovereignty framework" comprising four assurance levels (1 through 4) to classify cloud computing services based on their resilience against third-country interference and their alignment with Union public order. Given the rapid evolution of cloud technologies, cybersecurity threats, and geopolitical risks, the proposal incorporates specific mechanisms to prevent these criteria from becoming obsolete.
The Mandatory 18-Month Review Cycle
Article 16(3) of the CADA proposal sets a clear, non-negotiable timeline for regulatory maintenance. The text states: "To ensure Annex II and Annex III remain up to date with new legal or technical developments, the Commission shall review them at least every 18 months."
This provision creates a standing obligation for the Commission to actively monitor the regulatory and technological environment. The review is not merely a procedural formality; it is a substantive assessment of whether the existing criteria still effectively safeguard the Union's strategic autonomy. The review focuses on two critical annexes:
- Annex II (Criteria for Union Assurance Levels): This annex defines the cumulative criteria cloud computing service providers must meet to be recognized at levels 1, 2, 3, and 4. These criteria encompass establishment location, infrastructure and asset location, data residency, personnel citizenship, cybersecurity certification levels, and software supply chain controls.
- Annex III (Audit Evidence for the Audit Procedure): This annex details the specific evidence auditing organisations must request to verify compliance with the criteria in Annex II. It covers everything from proof of Union incorporation and infrastructure location to software bill of materials (SBOM) and data flow diagrams.
The 18-month interval is designed to strike a balance between regulatory stability (giving providers time to adapt) and necessary agility. It ensures that changes in cybersecurity standards (such as the maturation of the European Cybersecurity Certification Scheme for Cloud Services), data protection laws, or emerging geopolitical risks can be reflected in the assurance criteria before they significantly impact the market or undermine public order.
Delegated Acts Power for Agile Updates
In addition to the periodic review, the proposal grants the Commission the power to make direct amendments to the criteria without waiting for the 18-month cycle to conclude. Article 16(2) states: "The Commission is empowered to adopt delegated acts in accordance with Article 45 to amend the Union assurance levels set out in Annex II and the evidence set out in Annex III."
Delegated acts are a legislative tool that allows the Commission to update technical details or clarify requirements without going through the full ordinary legislative procedure (which involves the European Parliament and the Council). This mechanism is crucial for addressing urgent technical vulnerabilities, incorporating newly established cybersecurity certification schemes, or responding to sudden shifts in the threat landscape.
However, this power is not unchecked. Under Article 45, the delegation of power is subject to control by the European Parliament and the Council. Either body can revoke the delegation of power or object to a specific delegated act within a period of two months of its notification (extendable by three months). This ensures that while the Commission can act swiftly to maintain the integrity of the sovereignty framework, it remains accountable to the co-legislators.
Scope of Potential Updates
The reviews and potential amendments under Article 16 may affect various aspects of the assurance levels, including:
- Cybersecurity Standards: As the European Cybersecurity Certification Scheme for Cloud Services (EUCS) is established and evolves, the criteria for assurance levels 2, 3, and 4 may be updated to require specific EUCS assurance levels (e.g., "substantial" or "high") rather than relying on national schemes or general standards.
- Data Residency and Sovereignty: Changes in international data transfer agreements or new risks related to third-country access laws could lead to stricter or more nuanced data localization requirements in Annex II.
- Audit Evidence: As auditing methodologies for cloud services evolve, the types of evidence required to prove compliance (e.g., specific log retention periods, penetration testing results, or source code audit protocols) may be updated in Annex III to ensure audits remain effective.
What this means for you
For in-house counsel, compliance officers, and cloud service providers, the 18-month review cycle and the delegated acts power mean that compliance with CADA assurance levels is not a "set and forget" exercise.
- Continuous Monitoring: You must establish a process to monitor Commission publications for any delegated acts amending Annex II or Annex III. Failure to comply with updated criteria could result in the loss of your recognized assurance level status, potentially disqualifying you from public sector contracts.
- Audit Preparedness: Since Annex III defines the audit evidence, changes here directly impact your audit readiness. Ensure your internal controls and documentation practices are flexible enough to adapt to new evidence requirements without significant re-engineering. For example, if the Commission updates the required SBOM format or data flow diagram standards, your audit trail must be ready to reflect this immediately.
- Contractual Implications: If your organization procures cloud services, review your contracts to include clauses that allow for adjustments in service specifications if the underlying assurance criteria change. Conversely, if you are a provider, ensure your service level agreements (SLAs) with customers allow for necessary technical updates to maintain compliance with evolving delegated acts.
- Transition Planning: While the proposal does not specify automatic transition periods for every delegated act, best practice suggests engaging with the Commission and national competent authorities early if significant changes are anticipated. Understanding any grace periods for compliance is essential to avoid service disruptions.
Common misconceptions
- "The criteria are fixed for the life of the regulation." This is incorrect. Article 16(3) mandates regular reviews, and Article 16(2) allows for amendments via delegated acts. The criteria are dynamic by design.
- "Only the Commission can change the criteria." While the Commission adopts the delegated acts, the European Parliament and the Council retain oversight and can block changes through objection or revocation of the delegation. Additionally, Member States play a role in the broader implementation and risk assessment processes that inform these updates.
- "Updates will only happen every 18 months." The 18-month period is a maximum interval for a formal review. The Commission can adopt delegated acts at any time if urgent legal or technical developments require immediate action, meaning the criteria could change more frequently than the review cycle suggests.
- "Annex II and Annex III are the only things reviewed." While Article 16(3) specifically mentions Annex II and III for the assurance criteria, the broader CADA framework includes other review clauses (e.g., Article 47 for the overall regulation). However, for the specific assurance level criteria, Annexes II and III are the exclusive focus of the 18-month mandate.
This is general information about a draft EU regulation, not legal advice.