Summary
As proposed, the Cloud and AI Development Act (CADA) is a hybrid: it combines binding obligations on Member States and public authorities with a voluntary, opt-in recognition scheme for cloud providers. Public-sector procurement rules and data centre permitting duties would be mandatory for governments and public buyers, while obtaining a "Union assurance level" is something providers choose to seek. The two halves interlock — mandatory public demand creates the incentive for providers to seek voluntary recognition.
Detail
To answer whether CADA is mandatory or voluntary, you have to separate the duties placed on governments and public buyers from the mechanisms available to providers. CADA would be a Regulation — directly applicable in all Member States without national transposition — but the nature of the duties varies by actor.
Mandatory obligations for public authorities and Member States
Public procurement and risk assessments. Under Article 30, contracting authorities face mandatory procurement rules. Public-sector bodies and Union entities whose activities are not identified as contributing to the preservation of public order must, as a minimum, use cloud services recognised at Union assurance level 1 (Article 30(2)). Where activities are identified as contributing to public order (e.g. national security, defence, justice), they must only procure services recognised at Union assurance levels 2, 3 or 4 (Article 30(3)). Upstream, Member States and Union entities must carry out mandatory risk assessments under Article 29 to determine which levels apply.
Data centre deployment. The data centre rules are mandatory for Member States. Under Article 10, where capacity is being deployed, a Member State must designate at least one data centre acceleration zone. Under Article 13, permit-granting procedures for projects in those zones must not exceed 12 months from a comprehensive application, and Member States must prepare an aggregated baseline permit for each zone. Under Article 12, Member States must designate single information points to assist operators. These are legal duties, not suggestions.
Voluntary recognition for cloud providers
For providers, the core sovereignty framework is opt-in. There is no blanket ban on non-sovereign services for all users — rather, a structured pathway to demonstrate compliance with EU sovereignty criteria.
Union assurance levels. Under Article 17, a provider that aims to be recognised at a given Union assurance level submits an application to the national competent authority of its establishment, including the required evidence. Providers are not automatically recognised; they choose to seek recognition by evidencing compliance with the Annex II criteria:
- Level 1: providers self-assess and issue an EU statement of conformity (Article 19). For SMEs, that statement is directly and automatically recognised across all Member States (Article 17(3)).
- Levels 2–4: providers must undergo an independent third-party audit and obtain a "positive" audit opinion.
Once recognised, the service is listed in the central repository the Commission maintains (Article 22). Recognition is voluntary for the provider, but it becomes a practical prerequisite for many public-sector contracts because of the mandatory procurement rules above.
Third-country providers. Even for providers controlled by third countries the system is opt-in: Article 18 lets the Commission, by implementing act, identify third countries whose controlled providers may be audited against the criteria for Union assurance level 3, provided cumulative criteria are met (such as a relevant adequacy decision under Article 45 GDPR). This is a formal Commission assessment, not an automatic right.
The mix of binding and opt-in
CADA's design relies on this interplay: the public sector is mandated to buy recognised services for the relevant functions, which creates the incentive for providers to voluntarily seek recognition. Without the mandatory demand the voluntary scheme might see little uptake; without the voluntary scheme the mandatory rules would have nothing eligible to buy.
What this means for you
For public-sector procurement officers and legal teams, the mandatory/voluntary split matters for compliance planning.
- Map your activities. You are required to carry out risk assessments (Article 29) to determine which activities contribute to the preservation of public order; that classification sets your minimum level (Level 1 versus Levels 2–4).
- Check the repository. When tendering, verify that providers are recognised in the central repository (Article 22). Procuring from a non-recognised provider for an in-scope function would breach Article 30.
- You cannot force certification. You can mandate the use of recognised services but not compel a provider to seek recognition. Where no provider meets the required level, Article 30(4) allows limited, duly justified derogations — for example where no adequate alternative exists in the central repository and the absence is not the result of artificially narrowing the tender, or where applying the requirements would mean disproportionate cost.
- Prepare for accelerated timelines. If you are involved in data centre deployment, expect single information points and capped permitting times you can leverage.
Common misconceptions
Misconception 1: CADA bans all non-EU cloud providers. As proposed, no. CADA creates a tiered system; third-country providers can still compete, particularly at Level 1, or at Level 3 if their country meets the Article 18 safeguards. The constraints focus on public-sector procurement for in-scope functions, not the private market.
Misconception 2: Sovereignty recognition is automatic for EU-based companies. No. Establishment in the EU does not by itself confer a Union assurance level. Providers must apply and demonstrate compliance with the Annex II criteria; Levels 2–4 require an independent audit.
Misconception 3: The data centre rules are just guidelines. No. The duties to designate acceleration zones, set up single information points and cap permitting times are binding obligations on Member States under Title III. Failing to implement them would breach EU law.
This is general information about a draft EU regulation, not legal advice.