Summary
Yes, as proposed, the Cloud and AI Development Act (CADA) central repository of recognised cloud computing services would be publicly available. Article 22(4) explicitly mandates that the Commission must make the repository publicly accessible on a "dedicated and easily accessible website." Furthermore, the text requires that the repository be "regularly updated" by both the Commission and the national competent authorities of establishment. This ensures that procurement officers, public sector bodies, and the general public can verify the sovereignty status of cloud providers in real-time.
Detail
The Cloud and AI Development Act (CADA), as set out in the proposal COM(2026) 502 final, establishes a comprehensive framework for cloud sovereignty. At the heart of this framework is the central repository, designed to serve as the single, authoritative source of truth for cloud services that have been officially recognised as meeting the Union's assurance levels.
Under Article 16, the proposal creates four distinct Union assurance levels (1 through 4) based on criteria regarding establishment, infrastructure location, personnel, and third-country control. To make these levels actionable for the market, Article 22 establishes the mechanism for a central repository. This tool is not merely an internal administrative list; it is a public-facing transparency instrument designed to facilitate informed purchasing decisions and ensure compliance with the Act's sovereignty requirements.
Public Accessibility and Maintenance Obligations
The proposal places a non-negotiable emphasis on transparency and ease of access. Article 22(4) contains the specific mandate regarding the repository's availability:
"The central repository shall be publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website."
This provision establishes three critical operational requirements for the repository as proposed:
- Public Availability: The repository is not restricted to government insiders, auditors, or industry players. It must be accessible to any citizen, researcher, business, or public body. This openness is intended to foster market trust and allow for external scrutiny of the sovereignty framework's implementation.
- Dedicated Platform: The repository must reside on a specific website that is "easily accessible." This requirement aims to reduce friction for procurement officers who need to verify a provider's status during tender processes, ensuring they do not have to navigate complex bureaucratic portals to find essential compliance data.
- Regular Updates by Multiple Actors: The data within the repository will not be static. The obligation to update falls on two distinct sets of actors: the European Commission, which maintains the platform, and the national competent authorities of establishment (the authorities in the Member State where the cloud provider is established). This dual responsibility ensures that the information reflects the most current regulatory decisions, including new recognitions, amendments, and revocations.
Content and Lifecycle of Data in the Repository
The repository serves as the definitive record for the lifecycle of a cloud service's recognition under CADA.
Article 22(2) mandates that the national competent authority of establishment, which grants recognition under Article 17, must register the cloud computing service in the central repository. This applies to services recognised at all four assurance levels.
Crucially, the repository also functions as a mechanism for accountability and historical tracking. Article 22(3) specifies that the following shall be published in the central repository:
- The revocation of an audit report and audit opinion by an auditing organisation.
- The revocation of a recognition by a competent authority.
These revocations must remain available in the repository for five years. This historical record allows public sector bodies to assess the track record of providers, understand past compliance failures, and make informed risk assessments before entering into contracts.
Integration with Procurement Obligations
The public availability of the repository is directly linked to the procurement obligations set out in Article 30. Contracting authorities are legally required to procure cloud computing services that have been recognised under Article 17.
- Article 30(2) requires public sector bodies whose activities do not contribute to the preservation of public order to use services recognised at Union assurance level 1.
- Article 30(3) mandates that contracting authorities whose activities do contribute to the preservation of public order (e.g., national security, defence, justice, law enforcement) must only procure services recognised at Union assurance levels 2, 3, or 4.
Because these procurement decisions are legally binding, the repository acts as the primary verification tool. Procurement officers can consult the public website to confirm that a bidder's service holds the necessary assurance level before awarding a contract. If a service is not listed, or if its recognition has been revoked (and the revocation is still within the five-year publication window), it cannot be procured for these sensitive use cases, unless specific derogations under Article 30(4) apply (e.g., absence of suitable alternatives).
Role of National Competent Authorities
While the Commission maintains the technical platform, the data entry and verification are decentralised. Under Article 25, Member States must designate one or more national competent authorities responsible for enforcing the sovereignty framework. These authorities are responsible for:
- Evaluating applications for recognition.
- Registering recognised services in the central repository.
- Notifying the Commission and other Member States of any revocations or amendments.
This shared responsibility model ensures that the repository reflects the most up-to-date regulatory decisions from across the Union, while maintaining a unified, EU-wide interface for users.
What this means for you
For public-sector procurement officers, compliance officers, and cloud service providers, the public central repository is a vital tool for compliance and risk mitigation.
- Simplified Verification: You no longer need to manually collect and verify complex audit reports or self-assessment statements from providers. Instead, you can check the dedicated website to confirm a provider's Union assurance level instantly.
- Mandatory Due Diligence: Before launching a tender for cloud services, especially for critical infrastructure or sensitive data processing, you must ensure that the shortlisted providers are listed in the repository with the appropriate assurance level. A provider not listed cannot be used for public-order-relevant activities.
- Monitoring Changes: Because the repository is "regularly updated," you must establish a process to monitor it for changes. If a provider's recognition is revoked or downgraded, you may need to take immediate action to ensure continuity of service and compliance with public order requirements.
- Transparency and Accountability: The public nature of the repository supports transparent procurement practices. It allows for public scrutiny of which providers are trusted with public data, fostering greater trust in the digital infrastructure supporting public services.
Common misconceptions
- "The repository is only for EU-based providers."
  - While the framework prioritises Union sovereignty, Article 18 allows for the recognition of third countries as providing sufficient assurances for Union assurance level 3. Providers controlled by legal entities in these "associated third countries" can be audited and recognised, and their services would appear in the repository.
- "Listing in the repository guarantees unlimited service continuity."
  - The repository indicates compliance with sovereignty criteria at a specific point in time. It does not guarantee operational uptime or commercial stability. Revocations can occur if a provider fails to maintain compliance, as noted in Article 22(3), and these revocations are published for five years.
- "The repository contains technical performance metrics."
  - The repository focuses strictly on sovereignty assurance levels and recognition status. It does not necessarily contain detailed technical benchmarks, pricing, or performance metrics, which remain the responsibility of the procurement process and service level agreements.
This is general information about a draft EU regulation, not legal advice.