Is Gaia-X required to comply with CADA?

Summary Gaia-X is not required to comply with the proposed Cloud and AI Development Act (CADA), nor does CADA mandate the use of Gaia-X labels. Gaia-X remains a voluntary, industry-led framework, whereas CADA establishes a binding legal regime for public-sector procurement. To sell cloud services to the EU public sector under the proposal, providers must seek formal recognition under CADA's Union assurance levels (Article 16), not merely hold Gaia-X conformity. While the two can coexist, Gaia-X participation is optional and does not substitute for the statutory recognition process.

Detail

The text of the proposed Cloud and AI Development Act (COM(2026) 502 final) is entirely silent on "Gaia-X." The proposal does not reference the Gaia-X label, the Gaia-X Framework Agreement, or any specific Gaia-X certification scheme. Consequently, there is no legal obligation for the Gaia-X initiative to "comply" with CADA, nor is there a requirement for CADA to align its criteria with Gaia-X standards. The two operate in distinct spheres: one is a voluntary market initiative, the other is a proposed legislative framework.

CADA creates a mandatory, EU-wide sovereignty framework for cloud computing services used by public bodies. This framework is centered on Article 16, which establishes four "Union assurance levels" (levels 1 to 4). These levels define the cumulative criteria a cloud computing service provider must meet to offer services to Union entities and public sector bodies. The criteria are detailed in Annex II and cover establishment, infrastructure location, personnel citizenship, cybersecurity certification, and third-country control.

The relationship between the two initiatives is defined by their legal nature:

1. CADA is Binding Law (as proposed): If adopted, CADA would require contracting authorities to procure cloud services that have been formally recognized as meeting a specific Union assurance level (Article 30). This recognition is granted by national competent authorities based on specific evidence: an EU statement of conformity for Level 1 (Article 19) or a positive audit opinion from an independent auditing organization for Levels 2–4 (Article 20).
2. Gaia-X is Voluntary: Gaia-X is a collaborative initiative aiming to create a federated, sovereign data and cloud ecosystem. Participation is optional for providers. While Gaia-X defines its own trust and compliance frameworks, these are contractual and community-based, not legislative.

How They Interact

While CADA does not require Gaia-X, the two can coexist. A cloud provider might choose to participate in Gaia-X to demonstrate market alignment with European sovereignty goals while simultaneously undergoing the formal CADA recognition process to legally qualify for public contracts. In this scenario, Gaia-X participation could serve as a qualitative indicator of a provider's commitment to European standards, but it would not constitute the legal proof required for procurement.

However, Gaia-X conformity is not a substitute for CADA recognition. Under Article 17 of CADA, a provider must submit an application for recognition to the national competent authority of its establishment. This process involves providing specific evidence, such as an EU statement of conformity (for Level 1) or a positive audit opinion from an independent auditing organization (for Levels 2–4). The Gaia-X label does not automatically confer these CADA assurance levels, nor does it trigger the automatic recognition mechanism described in Article 17(7).

Furthermore, CADA includes specific mechanisms for third-country involvement that Gaia-X does not address. Article 18 allows the Commission to recognize third countries as providing sufficient assurances, allowing services controlled from those countries to qualify for Union assurance level 3. Gaia-X participation does not bypass these stringent legal tests or the specific criteria regarding third-country control outlined in Annex II.

What this means for you

For public-sector procurement officers, cloud providers, and legal counsel, the distinction between CADA and Gaia-X is critical for compliant tendering and market strategy:

• Do not accept Gaia-X labels as proof of CADA compliance. When drafting tender documents for cloud services, you must require evidence of recognition under the CADA Union assurance levels (as defined in Article 16). A provider's Gaia-X membership or conformity statement is not sufficient to prove they meet the legal sovereignty requirements for public order preservation. Relying solely on Gaia-X could render a procurement procedure non-compliant with the proposed Regulation.
• Check the Central Repository. CADA mandates the creation of a central repository of recognized services (Article 22). You should verify that the tenderer is listed in this repository with the appropriate assurance level for your specific use case. If a provider is not in the repository, they have not been recognized under CADA, regardless of their Gaia-X status.
• Use Risk Assessments to Determine Levels. Under Article 29, you must conduct risk assessments to determine which Union assurance level (1, 2, 3, or 4) is appropriate for your activities. For activities contributing to the preservation of public order (e.g., national security, justice, law enforcement), you must procure services recognized at Level 2, 3, or 4 (Article 30(3)). Gaia-X does not define these legal tiers or the specific risk assessment methodology required by CADA.
• Encourage, but Do Not Mandate, Gaia-X. While you cannot mandate Gaia-X as a legal prerequisite for CADA compliance, you may encourage providers to participate in broader European ecosystems as part of qualitative evaluation criteria, provided this does not distort competition or conflict with CADA's non-discrimination principles. However, the binding requirement remains the CADA recognition.
• For Providers: If you are a cloud provider, participating in Gaia-X may be a strategic market move, but it is not a compliance shortcut. You must still undergo the specific audit or self-assessment procedures defined in Articles 19 and 20 to be recognized. Do not market Gaia-X conformity as equivalent to CADA recognition.

Common misconceptions

• Misconception: "Gaia-X is the EU's official cloud sovereignty certification."
  • Fact: Gaia-X is an industry-led initiative. CADA is the EU's legislative framework. Only CADA's Union assurance levels carry legal weight for public procurement under the proposal.
• Misconception: "If a provider is Gaia-X conformant, they automatically meet CADA Level 1 or higher."
  • Fact: No. CADA requires specific procedural steps, including self-assessment or independent audits against criteria in Annex II of CADA. Gaia-X conformity checks different, non-legal criteria and does not trigger the recognition mechanism in Article 17.
• Misconception: "CADA replaces Gaia-X."
  • Fact: CADA does not mention Gaia-X, so it does not replace it. Gaia-X can continue to operate as a voluntary framework for market alignment, but it cannot replace the legal recognition process mandated by CADA for public sector buyers.
• Misconception: "CADA will adopt Gaia-X standards as its baseline."
  • Fact: The proposal sets its own baseline in Annex II. While the criteria may overlap conceptually (e.g., data localization), the legal requirements, evidence standards, and audit procedures are distinct and defined solely by the Regulation.

Official sources

• GDPR (Regulation (EU) 2016/679)
• Data Act (Regulation (EU) 2023/2854)

Related

• Is there any EU law I can comply with that exempts me from CADA?
• If I comply with the Chips Act, do I comply with CADA?
• If I comply with FIDA, do I comply with CADA?
• If I already comply with the GDPR, do I comply with CADA?
• If I already comply with the Data Act, do I comply with CADA?

This is general information about a draft EU regulation, not legal advice.