Summary
No. Holding a European Cybersecurity Certification Scheme for Cloud Services (EUCS) certificate does not automatically mean you meet the Cloud and AI Development Act (CADA) sovereignty tiers. As proposed, CADA establishes a distinct "Union cloud computing sovereignty framework" with four assurance levels that assess non-technical risks, such as data sovereignty, personnel citizenship, and third-country control, which EUCS does not cover. While EUCS certification would satisfy the specific cybersecurity criterion within CADA's higher tiers (Levels 2, 3, and 4), it cannot replace the mandatory, holistic recognition process under Article 17. Providers must undergo independent audits covering the full set of cumulative criteria in Annex II, not just technical security.
Detail
To understand why EUCS certification is insufficient for CADA compliance, it is necessary to distinguish between the scope of cybersecurity certification and the broader concept of "sovereignty" as defined in the proposed Cloud and AI Development Act. The two instruments address different layers of risk: EUCS addresses technical security, while CADA addresses strategic autonomy and public order.
CADA's Sovereignty Framework vs. EUCS Cybersecurity Focus
The proposed CADA introduces a "Union cloud computing sovereignty framework" consisting of four "Union assurance levels" (Article 16). These levels are designed to mitigate risks to the Union's public order, including dependencies on third-country providers, unauthorized data access by foreign governments, and service disruption.
In contrast, the EUCS is a cybersecurity certification scheme developed under the Cybersecurity Act (Regulation (EU) 2019/881). Its primary purpose is to ensure that cloud services meet specific technical cybersecurity standards, such as those related to infrastructure security, operational security, and service security.
Recital 5 of the CADA proposal explicitly states that the proposal complements the Cybersecurity Act revision, which addresses supply chain risks. It notes that "certification under the Cybersecurity Act can address technical cybersecurity criteria but is not suited for addressing sovereignty concerns that go beyond these technical elements." Therefore, while EUCS proves that a service is secure from a technical standpoint, it does not prove that the service is sovereign in the legal and operational sense required by CADA.
The Role of EUCS Within CADA Tiers
Although EUCS does not equate to CADA sovereignty recognition, it plays a critical supporting role. The criteria for the higher CADA tiers (Levels 2, 3, and 4) explicitly require compliance with high cybersecurity standards.
According to Annex II of the CADA proposal, which sets out the criteria for Union assurance levels:
- Union Assurance Level 2: Criterion 2.1(e) requires the audited service to obtain a "European cybersecurity certificate of at least assurance level 'substantial' under a European cybersecurity certification scheme covering cloud computing services... provided that such a scheme has been established." Until such a scheme is fully established and available, national schemes or demonstrations of highest standards apply.
- Union Assurance Level 3: Criterion 3.1(e) repeats this requirement for a certificate of at least assurance level 'substantial'.
- Union Assurance Level 4: Criterion 4.1(e) requires a certificate of at least assurance level 'high'.
Thus, if EUCS is adopted as the relevant European cybersecurity certification scheme, holding an EUCS certificate would satisfy the cybersecurity component of these tiers. However, it would not satisfy the other cumulative criteria, such as data localization, personnel citizenship, or the absence of third-country control.
The Mandatory Recognition Process Under Article 17
Even if a provider holds EUCS and meets all other criteria, they cannot simply claim compliance. CADA establishes a strict recognition mechanism.
Article 17 sets out the procedure for cloud computing service providers to be recognized as offering a specific Union assurance level. A provider must submit an application for recognition to the national competent authority of their establishment.
- For Level 1, providers conduct a conformity self-assessment and issue an EU statement of conformity (Article 19).
- For Levels 2, 3, and 4, providers must undergo independent third-party audits (Article 20). The audit evidence must demonstrate compliance with all criteria in Annex II, not just cybersecurity.
Article 17(4) states that for Levels 2, 3, and 4, the candidate provider must submit the audit report and a "positive" audit opinion to the evaluating national competent authority. Only after the competent authority assesses this evidence and completes the review period (including checks by other Member States) is the service formally recognized as offering that assurance level across the Union. The central repository of recognized services (Article 22) will list only those services that have completed this full process.
Non-Technical Sovereignty Controls: The Gap EUCS Cannot Fill
The primary reason EUCS is insufficient is that CADA tiers include extensive non-technical controls that EUCS does not assess. These controls are designed to ensure operational autonomy and prevent third-country interference.
- Data Localization: Annex II requires that customer data (including metadata and telemetry) remain exclusively within the Union for Levels 1 to 4, unless the public sector body explicitly requires otherwise. EUCS does not mandate data residency; it focuses on the security of the data, not its geographic location.
- Third-Country Control: Annex II requires that providers and subcontractors for Levels 3 and 4 are not subject to the control of a third country or of a legal entity established in a third country. Article 18 provides a limited derogation for Level 3 if the Commission adopts an implementing act for a specific third country, but this is a political and legal assessment, not a technical one. EUCS does not assess corporate control structures or extraterritorial legal risks.
- Personnel Requirements: Levels 3 and 4 require that the personnel involved in the provision of the service are Union citizens (Annex II, 3.1(d) and 4.1(d)). Where appropriate, they must also have national security clearance. EUCS has no such requirement regarding the nationality or citizenship of staff.
- Software Supply Chain: Annex II requires specific measures for the software supply chain, including a complete Software Bill of Materials (SBOM), controls on remote features that could disrupt service, and migration plans for third-country components. While EUCS covers supply chain security, CADA adds specific requirements regarding the control of the software and the ability to migrate away from third-country vendors.
What this means for you
For cloud service providers and data centre operators aiming to sell to the EU public sector, you must treat EUCS and CADA recognition as separate, albeit complementary, compliance tracks.
- Do Not Assume Equivalence: Holding an EUCS certificate does not exempt you from the CADA recognition process. You must still apply for recognition under Article 17 for the specific tier your customers require. An EUCS certificate is evidence, not a verdict.
- Prepare for Cumulative Audits: To achieve Union Assurance Levels 2, 3, or 4, you will need an independent audit that covers both EUCS-equivalent cybersecurity criteria and the additional sovereignty criteria in Annex II. The auditor will need to verify data flows, personnel citizenship, corporate control structures, and legal jurisdiction, in addition to technical security controls.
- Monitor EUCS Finalization: The CADA text references a "European cybersecurity certification scheme... provided that such a scheme has been established." If EUCS is not fully finalized or recognized as the reference scheme by the time CADA applies, you may need to rely on national cybersecurity certifications or demonstrate compliance with the highest applicable standards, as noted in Annex II.
- Public Sector Procurement: Public sector bodies will likely require proof of recognition from the central repository maintained by the Commission (Article 22), not just an EUCS certificate. Ensure your audit trail clearly maps EUCS controls to the CADA cybersecurity criteria to streamline the audit process.
- Strategic Planning for Levels 3 and 4: If you aim for the highest tiers, you must address the "Union citizen" personnel requirement and the "no third-country control" requirement. This may require restructuring your corporate governance, hiring strategies, and data center operations well before the regulation enters into force.
Common misconceptions
"EUCS is the EU's sovereignty certification." No. EUCS is a cybersecurity certification. CADA's sovereignty framework includes cybersecurity but also covers legal, operational, and geopolitical risks that EUCS does not address. The Commission explicitly states in Recital 5 that the Cybersecurity Act is "not suited for addressing sovereignty concerns that go beyond these technical elements."
"If I have EUCS, I automatically qualify for CADA Level 2 or 3." No. EUCS may satisfy one criterion (cybersecurity) for Levels 2 and 3, but you must still meet all other cumulative criteria in Annex II (e.g., data localization, no third-country control, personnel citizenship) and undergo the full Article 17 recognition process. Failure to meet any single criterion precludes recognition at that level.
"CADA replaces EUCS." No. CADA complements EUCS. CADA mandates the use of such cybersecurity certifications for higher assurance levels, meaning you will likely need both EUCS (for the technical security proof) and CADA recognition (for the sovereignty proof). The two are designed to work together, with EUCS serving as a building block for the broader CADA framework.
"CADA only cares about where the data is stored." No. While data localization is a key criterion, CADA also assesses the location of infrastructure, assets, and personnel, the control structure of the provider, the software supply chain, and the ability to prevent third-country interference. It is a holistic assessment of the provider's ability to operate autonomously within the Union.
This is general information about a draft EU regulation, not legal advice.