TL;DR
A Gaia-X label would not be sufficient to meet the Cloud and AI Development Act (CADA) requirements for public sector procurement. As proposed, CADA would establish a mandatory, legally binding framework of four Union assurance levels that cloud computing service providers must achieve through formal recognition by a national competent authority. Gaia-X labels remain voluntary industry signals and would not equate to statutory recognition under CADA. Providers seeking to serve EU public sector bodies would need to complete the conformity self-assessment (for Level 1) or independent third-party audit (for Levels 2–4) set out in Articles 19, 20 and 21, rather than relying on existing Gaia-X labels.
Detail
As proposed, CADA would introduce a harmonised statutory framework for cloud sovereignty across the Union, distinct from industry-led initiatives such as Gaia-X. While Gaia-X has been a prominent effort to foster a secure, federated cloud ecosystem in Europe, CADA would create a statutory regime that providers must satisfy to access public procurement markets. The key difference is legal: Gaia-X offers voluntary labels based on industry best practice, whereas CADA would impose binding obligations with specific recognition procedures.
The Union assurance levels vs. Gaia-X labels
Under CADA, the framework would comprise four Union assurance levels (Article 16), with the criteria set out in Annex II. These criteria range from basic establishment and data-localisation requirements (Level 1) to stringent controls on personnel citizenship, software supply chains and third-country influence (Levels 2–4).
Gaia-X labels, while aligned with some security and sovereignty principles, are voluntary market signals. They would not confer the legal status of a "recognised" service under CADA. A provider holding a Gaia-X label has demonstrated alignment with community-defined trust frameworks, but that would not automatically satisfy the cumulative criteria in Annex II. For instance, while Gaia-X may encourage certain data-residency practices, Annex II, Section 1.1(c) would require that customer data, including metadata and telemetry data, remain exclusively within the Union unless the public sector body explicitly requires otherwise. Without formal recognition under Article 17, a Gaia-X label could not fulfil the procurement obligations in Article 30.
The recognition mechanism: self-assessment and independent audits
The core of CADA's enforcement would lie in its recognition mechanism (Article 17). Providers could not simply declare compliance; they would submit an application for recognition to the national competent authority of establishment. The evidence required depends on the level sought:
- Union Assurance Level 1: The provider would carry out a conformity self-assessment under Article 19 and issue an "EU statement of conformity" (Article 19(2)), assuming responsibility for compliance with the Level 1 criteria. By way of derogation, an EU statement of conformity issued by a provider that is an SME would be directly and automatically recognised in all Member States without prior recognition by the evaluating national competent authority (Article 17(3)). Other providers would submit the statement to the competent authority for recognition.
- Union Assurance Levels 2, 3 and 4: These levels would require independent third-party audits under Article 20. The provider would undergo an audit, at its own expense, by an independent auditing organisation to obtain an audit report and a "positive" audit opinion, submitted to the national competent authority as part of the recognition application (Article 17(4)). The audit evidence would be assessed against Annex III (Article 21), and a higher level would require meeting all the cumulative criteria of the lower levels.
The gap between Gaia-X and statutory recognition
The gap is procedural and legal. Gaia-X does not involve oversight by national competent authorities, nor does it issue the "EU statement of conformity" or the "positive" audit opinion that CADA would require. Consequently, a provider with a Gaia-X label but no CADA recognition could not lawfully serve public sector bodies that are obliged to procure only recognised services.
Article 30 would require Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order (under the Article 29 risk assessment) to use cloud computing services recognised at Union assurance level 1. Contracting authorities whose activities have been so identified — in sectors under Annex I or II of the NIS2 Directive, or in national security, internal security, external border management, defence, justice or law enforcement — would only be able to procure services recognised at level 2, 3 or 4 (Article 30(3)). Relying on a Gaia-X label in those contexts would breach CADA's procurement rules.
CADA would also introduce transparency and enforcement mechanisms absent from Gaia-X. Recognised services would be listed in a central repository maintained by the Commission (Article 22). Providers would have to notify any material change that could affect their audit report or recognition (Article 23), and national competent authorities would have investigative and enforcement powers (Article 26). Recognition or an audit opinion could be revoked where incorrect or misleading information was supplied (Articles 17(11) and 20(7)). Gaia-X provides for none of these statutory measures.
What this means for you
For cloud service providers and data centre operators, moving from voluntary Gaia-X alignment to mandatory CADA compliance would require strategic preparation:
- Initiate formal recognition early. Do not assume your Gaia-X label satisfies CADA. Plan the application for Union assurance level recognition with your national competent authority, and determine which level (1–4) your target public sector clients are likely to require based on their risk assessments.
- Prepare for audits. If targeting Levels 2–4, engage accredited auditing organisations early. Ensure your internal controls, SBOMs and personnel records meet the strict criteria in Annex II; the audit must yield a "positive" opinion to support recognition under Article 17.
- Update contractual and technical controls. Review data residency, subcontractor oversight and third-country exposure. CADA's criteria would be cumulative and strict — for example, ensure subcontractors involved in service provision are covered by due diligence and that data flows remain within the Union unless explicitly permitted.
- Track competent-authority and implementing-act guidance. Practical arrangements for recognition, audit methodologies and evidence templates would be further specified through implementing and delegated acts; monitor these as they emerge.
Common misconceptions
- "Gaia-X labels are equivalent to CADA assurance levels." Incorrect. Gaia-X labels are voluntary industry signals; CADA assurance levels would be statutory recognitions granted by national authorities after a self-assessment or audit. They would not be interchangeable.
- "Self-assessment is optional for Level 1." For Level 1, a conformity self-assessment would be mandatory (Article 19). SMEs would benefit from automatic cross-border recognition of their EU statement of conformity, but other providers would still submit it to the competent authority.
- "CADA only applies to new cloud services." As proposed, CADA's procurement obligations would apply to services offered to Union entities and public sector bodies; providers already serving those sectors with Gaia-X-labelled services would need CADA recognition to remain compliant with the procurement mandates.
- "The EU AI Act covers cloud sovereignty." The AI Act addresses the safety and fundamental-rights risks of AI systems, not the sovereignty or operational autonomy of cloud infrastructure. CADA would address sovereignty concerns left by other frameworks.
This is general information about a draft EU regulation, not legal advice.