Summary

Yes, under the proposed Cloud and AI Development Act (CADA), a recognition of a cloud computing service as meeting a specific Union assurance level is valid across the entire European Union. Article 17(7) explicitly establishes that once a recognition decision is adopted by the evaluating national competent authority, the service is "recognised throughout the Union at the appropriate Union assurance level." This mechanism creates a "single recognition, single market access" model, eliminating the need for cloud providers to undergo separate national approval processes in each of the 27 Member States.

Detail

The proposed Cloud and AI Development Act (CADA) addresses a critical fragmentation in the European digital market: the existence of divergent national approaches to cloud trustworthiness and sovereignty. To resolve this, CADA introduces a harmonised "Union cloud computing sovereignty framework" (Article 16). A cornerstone of this framework is the recognition mechanism for cloud computing service providers (CSPs) seeking to serve Union entities and public sector bodies.

The "Single Recognition" Mechanism

As proposed, CADA establishes a streamlined, EU-wide procedure. A CSP submits an application for recognition solely to the national competent authority of its establishment (Article 17(1)). This authority, designated as the "evaluating national competent authority," is responsible for assessing the evidence provided.

The evidentiary requirements vary by assurance level:

  • Union Assurance Level 1: The provider submits an EU statement of conformity based on a self-assessment (Article 17(3)). Notably, for SMEs, this statement is directly and automatically recognised in all Member States without prior evaluation by the authority (Article 17(3), second subparagraph).
  • Union Assurance Levels 2, 3, and 4: The provider must submit an audit report and a "positive" audit opinion from an independent auditing organisation (Article 17(4)).

Once the evaluating authority is satisfied with the evidence, it prepares a draft recognition decision. Crucially, this decision is not immediately final. It triggers a 60-day review period during which the competent authorities of all other Member States are notified (Article 17(5)(a)). During this window, other Member States may submit reasoned objections or requests for clarification if they believe the draft decision does not comply with the applicable Union assurance level criteria set out in Annex II (Article 17(6)).

The Legal Effect of Article 17(7)

The pivotal moment for market access occurs if the review period passes without a successful objection. Article 17(7) codifies the principle of mutual recognition and single market access:

"Where no reasoned objection or request for clarification is submitted within the review period referred to in paragraph 5, point (a), the conclusions by the evaluating national competent authority shall be deemed accepted by all Member States, the evaluating national competent authority shall adopt the recognition decision and the audited service shall be recognised throughout the Union at the appropriate Union assurance level."

This provision ensures that a CSP does not face a patchwork of national certifications. Instead, one successful application leads to a status that is legally valid and enforceable in all 27 Member States. The recognition is not merely a recommendation; it is a binding legal status that public procurers across the EU must accept as meeting the sovereignty requirements for the specified assurance level.

Central Repository and Transparency

To ensure this single recognition is visible and actionable, CADA mandates the establishment of a "central repository" of recognised cloud computing services (Article 22). Once a service is recognised, the national competent authority of establishment must register it in this central repository (Article 22(2)).

This repository is publicly available and regularly updated (Article 22(4)). It serves as the single source of truth for procurement officers, allowing them to verify which services hold which Union assurance levels (1, 2, 3, or 4) and confirming their EU-wide validity. If a recognition is revoked, the revocation is also published in the repository and remains available for five years (Article 22(3)).

Post-Recognition Enforcement and Cross-Border Cooperation

While the initial recognition is EU-wide, CADA includes mechanisms to ensure ongoing compliance. If a competent authority in a Member State other than the one of establishment suspects that a recognised service no longer meets the criteria, it cannot unilaterally revoke the recognition. Instead, it must request the competent authority of establishment to assess the matter and take necessary investigatory or enforcement measures (Article 28(1)).

If the evaluating authority fails to act or if there is a disagreement, the matter can be referred to the Commission, which may adopt a binding decision (Article 17(10)). This ensures that the integrity of the single market is maintained without fragmenting the recognition status.

What this means for you

For public-sector procurement officers, cloud providers, and legal counsel, the cross-border validity of CADA recognition fundamentally changes the compliance landscape.

For Public-Sector Procurement Officers

  • Unified Compliance: You no longer need to verify if a cloud service is approved under your specific Member State's national sovereignty scheme. If a service is listed in the central repository with a valid Union assurance level, it meets the EU-wide standard.
  • Risk Assessment Alignment: Your procurement decisions remain guided by your Member State's risk assessment under Article 29. If your risk assessment determines that a public order activity requires Union assurance level 3, you must procure a service recognised at that level. Because the recognition is valid across the EU, you can choose from any provider in the central repository that holds that level, regardless of where the provider is established.
  • Reduced Administrative Burden: The single recognition process eliminates the administrative overhead of evaluating multiple national certifications. You can rely on the EU-wide recognition decision, knowing it has undergone scrutiny from the provider's home Member State and a review period by peers.

For Cloud Service Providers (CSPs)

  • One Application, One Market: You only need to apply for recognition in the Member State where you have your main establishment. You do not need to file separate applications in France, Germany, Italy, or Spain.
  • Market Access: Once recognised, you can market your service to public sector bodies across the entire Union without additional sovereignty certifications.
  • SME Advantage: If you are an SME seeking Level 1 recognition, your self-assessment is automatically recognised across the EU without a 60-day review period, accelerating your market entry (Article 17(3)).

For Legal and Compliance Teams

  • Legal Certainty: The "deemed accepted" clause in Article 17(7) provides strong legal certainty. Once the 60-day period passes without a successful objection, the recognition is final and binding on all Member States.
  • Dispute Resolution: A Member State that wants to block a recognised service after the decision is adopted must follow the strict cross-border cooperation procedures in Article 28; it cannot block the service unilaterally.

Common misconceptions

Misconception: "I still need to approve the service at the national level."

  • Reality: No. Once the EU-wide recognition is adopted under Article 17, it is automatically valid in your Member State. You do not conduct a separate technical or sovereignty assessment of the service itself. Your role is strictly to ensure the service meets the assurance level required by your local risk assessment (Article 30).

Misconception: "A service recognised in one country can be blocked by another country at any time."

  • Reality: While other Member States can raise objections during the initial 60-day review period (Article 17(6)), they cannot unilaterally block a recognised service after the decision is adopted. If a Member State believes a recognised service no longer complies, it must request the competent authority of establishment to investigate (Article 28). The recognition remains valid until formally revoked by the evaluating authority following due process.

Misconception: "Union assurance level 1 is only for small businesses."

  • Reality: Union assurance level 1 is the baseline for all public sector procurement where activities do not contribute to the preservation of public order (Article 30(2)). It is not limited by company size. However, SMEs benefit from a streamlined process where their self-assessment is automatically recognised without a review period (Article 17(3)).

Misconception: "CADA replaces the need for cybersecurity certification."

  • Reality: CADA sovereignty levels are distinct from, but complementary to, cybersecurity certification. For Levels 2, 3, and 4, providers must obtain a European cybersecurity certificate of at least "substantial" assurance (Levels 2 and 3) or "high" assurance (Level 4) under the Cybersecurity Act (Annex II, points 2(e), 3(e), 4(e)). CADA adds the sovereignty layer (location, control, personnel) on top of these technical security standards.

This is general information about a draft EU regulation, not legal advice.