Is CADA recognition automatic for SMEs at Level 1?

Summary Yes, under the proposed Cloud and AI Development Act (CADA), recognition for Union Assurance Level 1 is automatic for small and medium-sized enterprises (SMEs). As explicitly stated in Article 17(3), second subparagraph, an SME's EU statement of conformity is "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." This procedural derogation removes the formal evaluation step for qualifying providers, though they must still rigorously complete the mandatory self-assessment and issue the statement in accordance with Article 19.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised framework for cloud computing sovereignty. This framework is structured around four "Union assurance levels," ranging from Level 1 (baseline) to Level 4 (highest security). Union Assurance Level 1 serves as the minimum baseline for public sector cloud procurement across the Union. To achieve this status, providers must demonstrate compliance with specific criteria regarding establishment, data localisation, cybersecurity, and operational autonomy, as detailed in Annex II of the proposal.

For the majority of cloud computing service providers, the path to recognition is a formal administrative procedure. Under Article 17(1) and Article 17(3), first subparagraph, a candidate provider must submit an application for recognition to the national competent authority of their establishment. This authority then assesses the evidence, potentially requests further information, and issues a recognition decision that is valid across the entire EU. This process ensures a uniform standard but can be resource-intensive.

However, the proposal introduces a significant procedural shortcut specifically designed to reduce administrative burdens and foster market entry for smaller European providers. This mechanism is a targeted derogation for SMEs, acknowledging that the cost of formal authority review could disproportionately hinder smaller players from competing in the sovereign cloud market.

The Automatic Recognition Mechanism

The core provision governing this exemption is found in Article 17(3) of the CADA proposal. The article first establishes the general rule: for Union Assurance Level 1, the candidate provider shall submit the EU statement of conformity and all necessary evidence to the evaluating national competent authority.

Immediately following this, the second subparagraph of Article 17(3) creates a specific exception for SMEs:

"By way of derogation from the first subparagraph, the EU statement of conformity issued under Article 19(2) by cloud computing service providers that are SMEs shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority."

This text is unambiguous. If a cloud provider qualifies as an SME under the definition set out in Article 2(8) of CADA—which references the definition in Commission Recommendation 2003/361/EC—they bypass the formal evaluation and recognition procedure entirely. They do not need to wait for a national authority to review their file, conduct an assessment, or issue a formal recognition decision. Their self-issued EU statement of conformity is, in itself, sufficient to prove their status as a Level 1 provider across the Union.

This "direct and automatic" recognition means that the moment the SME issues the statement in compliance with Article 19, the service is recognised. There is no waiting period for administrative approval, and no national authority stamp is required to validate the status for cross-border procurement.

The Role of the EU Statement of Conformity

While SMEs skip the authority-led recognition step, they are not exempt from the underlying compliance obligations. The automatic recognition relies entirely on the validity and accuracy of the EU statement of conformity. The burden of proof shifts entirely to the provider.

Under Article 19(1), providers seeking Union Assurance Level 1 must carry out a conformity self-assessment against the criteria set out in Annex II. This self-assessment is not a mere formality; it must be based on "documented evidence, internal control procedures and continuous monitoring that are sufficient to demonstrate that the applicable criteria have been fulfilled."

Following this assessment, Article 19(2) requires the provider to issue an EU statement of conformity. The text states: "By issuing such a statement, the cloud computing service provider shall assume responsibility for the compliance of the cloud computing service with the criteria for Union assurance level 1 set out in Annex II." This is a critical legal point: the provider assumes full liability for the accuracy of the statement.

Furthermore, Article 19(3) mandates that the cloud computing service provider "shall make the EU statement of conformity publicly available." For an SME, the workflow is therefore streamlined but rigorous:

1. Verify Status: Confirm eligibility as an SME under Article 2(8).
2. Conduct Self-Assessment: Rigorously evaluate the service against all Level 1 criteria in Annex II.
3. Issue Statement: Draft and sign the EU statement of conformity under Article 19(2), assuming full responsibility.
4. Publish: Make the statement publicly available as required by Article 19(3).
5. Operate: Rely on the automatic recognition provided by Article 17(3) to offer services to public bodies across the EU without further administrative steps.

Why This Matters for the Ecosystem

The CADA explanatory memorandum highlights that reducing dependencies on non-European providers is a key objective. The proposal notes that the EU market share of European providers has stagnated, and high regulatory barriers can prevent smaller, agile providers from entering the market. By streamlining the process for SMEs, the EU aims to encourage the entry of smaller, homegrown cloud providers.

The automatic recognition removes a significant regulatory hurdle. Without this provision, an SME might face months of administrative delay and legal costs to secure recognition in one Member State, only to face similar hurdles in others. The "direct and automatic" nature of the recognition ensures that an SME can compete for public sector contracts across the entire single market immediately upon issuing their statement.

However, this ease of access comes with heightened responsibility. Because there is no prior check by a national authority, the integrity of the self-assessment is paramount. Public sector bodies procuring these services will rely on the published EU statement of conformity as the primary evidence of trustworthiness. If a provider issues a false statement, they face significant consequences. Article 24 establishes that Member States must lay down rules on penalties for infringements, which must be "effective, proportionate and dissuasive." Additionally, Article 26 grants national competent authorities the power to investigate suspected infringements and order the cessation of non-compliant activities.

What this means for you

If you are a cloud service provider classified as an SME, you can significantly accelerate your time-to-market for sovereign cloud services in the EU. You do not need to budget for a lengthy engagement with a national competent authority to get your Level 1 status approved.

Actionable steps for SMEs:

• Verify your status: Ensure you meet the strict SME definition in Article 2(8) of CADA, which relies on Commission Recommendation 2003/361/EC. If your company exceeds the staff headcount or turnover/balance sheet thresholds, you are not an SME and must go through the standard recognition process.
• Robust self-assessment: Since there is no external pre-approval, your internal self-assessment under Article 19 must be rigorous. Document your compliance with all Level 1 criteria in Annex II meticulously. This includes proving establishment in the Union, data localisation, and cybersecurity standards.
• Publish your statement: Issue your EU statement of conformity and make it publicly accessible as required by Article 19(3). This document is your legal ticket to the market.
• Maintain records: Keep all evidence of your self-assessment ready. While the authority does not review it upfront, national competent authorities retain enforcement powers under Article 26. If a provider is found to have issued a false statement, they face penalties under Article 24 and potential revocation of recognition.

For public sector buyers, this means you can confidently procure from SMEs that have published a valid EU statement of conformity. You do not need to wait for a separate recognition certificate from a national authority. The statement itself, issued by an SME, is the proof of compliance.

Common misconceptions

Misconception 1: SMEs do not need to do any compliance work. False. Automatic recognition does not mean automatic compliance. SMEs must still perform the full self-assessment under Article 19 and meet all technical and legal criteria for Level 1. The exemption is only from the administrative step of getting the authority to stamp your paperwork.

Misconception 2: The EU statement of conformity is optional for SMEs. False. The statement is the legal instrument that triggers the automatic recognition. Without it, there is no proof of Level 1 status. It must be issued in accordance with Article 19(2) and made publicly available under Article 19(3).

Misconception 3: This applies to Levels 2, 3, and 4. False. The automatic recognition exemption in Article 17(3) applies specifically to Union Assurance Level 1. For Levels 2, 3, and 4, providers must undergo independent third-party audits under Article 20 and submit the audit report to the competent authority for formal recognition. There is no automatic recognition for these higher levels, regardless of company size.

Misconception 4: Any small company can claim SME status. False. CADA uses the specific EU definition of an SME. If your company exceeds the staff headcount or turnover/balance sheet total thresholds defined in Commission Recommendation 2003/361/EC, you are not an SME and must go through the standard recognition process with the national competent authority.

Misconception 5: The recognition is only valid in the country of establishment. False. The text of Article 17(3) explicitly states that the statement shall be "directly and automatically recognised in all Member States." This is a Union-wide recognition, not a national one.

Related

• CADA Recognition: SMEs vs Large Providers – Automatic Level 1 vs Full Audit
• CADA SME Self-Assessment: Automatic Recognition for Level 1 Cloud Services
• CADA SME Route: How Startups Get Automatic Level 1 Recognition
• Why would a public body require CADA Level 4 over Level 3?
• Why choose a CADA Level 1 provider? The baseline for public procurement

This is general information about a draft EU regulation, not legal advice.