CADA Central Repository Fee

Summary No, there is no fee for being listed in the Cloud and AI Development Act (CADA) central repository. As proposed in Article 22, the European Commission must establish and maintain this repository, and the national competent authority of establishment is required to register recognized services without charging a listing fee.

However, while the act of listing is free, the path to eligibility involves significant costs. Cloud computing service providers seeking recognition at Union assurance levels 2, 3, or 4 must bear the full cost of independent third-party audits and the recognition procedure themselves. The repository is a public transparency tool, not a paid certification service.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a "Union cloud computing sovereignty framework" to enhance trust in cloud services for public sector procurement. A cornerstone of this framework is the central repository of cloud computing services, designed to provide a single, authoritative source of truth for contracting authorities, auditing organizations, and competent authorities.

The Legal Basis: Article 22 and the Free Listing Mandate

Article 22 of the CADA proposal explicitly governs the creation and operation of this repository. The text is unambiguous regarding the absence of a listing fee:

"The Commission shall establish and maintain a dedicated repository of cloud computing services that have been recognised in accordance with Article 17 ('central repository')."

The article further details the registration mechanism:

"The national competent authority of establishment that recognised a cloud computing service under Article 17 shall register the cloud computing service in the central repository."

Nowhere in Article 22, nor in the surrounding provisions of Title IV (Autonomy), is there any mention of a fee, charge, or payment obligation for the act of registration or listing. The repository is described as "publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website." Its primary function is to facilitate secure procurement and reduce information asymmetry, not to generate revenue.

Distinguishing Free Listing from Paid Qualification Costs

It is critical for providers to distinguish between the administrative act of listing (which is free) and the substantive qualification process (which is costly). The CADA proposal imposes a clear cost structure on providers to ensure the integrity of the assurance levels.

1. Union Assurance Level 1: Self-Assessment Costs

For providers seeking Union assurance level 1, the process involves a conformity self-assessment under Article 19.

• Costs: Providers bear the internal administrative and technical costs of demonstrating compliance with the criteria in Annex II. They must issue an EU statement of conformity.
• Listing: Once the statement is issued (and automatically recognized for SMEs under Article 17(3)), the competent authority registers the service in the central repository. There is no fee for this registration.

2. Union Assurance Levels 2, 3, and 4: Independent Audit Costs

For higher assurance levels, the proposal mandates independent third-party audits under Article 20. The financial burden is explicitly placed on the provider:

• Mandatory Expense: Article 20(1) states that providers seeking recognition at levels 2, 3, or 4 "shall undergo at their own expense, independent third-party audits."
• Audit Scope: Providers must contract an auditing organization, provide access to all relevant data and premises, and answer oral or written questions.
• Outcome: The auditing organization issues an audit report and a "positive" audit opinion.
• Recognition & Listing: The provider submits this evidence to the national competent authority under Article 17. Upon granting recognition, the authority registers the service in the central repository.

Crucial Distinction: The cost of the audit is a prerequisite for eligibility, but the subsequent registration in the central repository remains free. The provider pays the auditor, not the Commission or the national authority, for the listing.

No Fee for Commission or Member States

The CADA proposal does not authorize the European Commission or Member State competent authorities to levy a fee for maintaining the list or for the inclusion of a provider's service. The repository is a public good intended to support the internal market and sovereignty objectives.

While the proposal introduces fee-based revenue streams for other specific activities—such as the administration of the EuroCloud Federation (Article 36) and common procurement activities (Article 40)—these fees are strictly tied to those specific operational frameworks. They do not extend to the central repository established under Article 22. The costs of establishing and maintaining the repository are intended to be covered by the relevant administrative budgets of the Commission and Member States.

What this means for you

For cloud service providers (CSPs) and data center operators aiming to serve the European public sector under the proposed CADA framework, understanding this cost structure is vital for financial planning and market strategy.

• Budget for Audits, Not Listings: When calculating the total cost of ownership (TCO) to achieve a Union assurance level, allocate significant funds for third-party auditing organizations, legal compliance, and technical adjustments to meet the criteria in Annex II. Do not budget for a "listing fee" payable to the Commission or national authorities. The only direct cost to the regulator is the time spent by the competent authority to process the recognition, which is funded by public budgets.
• Transparency as a Competitive Advantage: Since the repository is public and easily accessible, being listed—particularly at higher assurance levels (2, 3, or 4)—serves as a powerful marketing tool. It signals to public contracting authorities that your service has been independently verified and officially recognized. This visibility is free, but the credibility it confers is built on the paid audit.
• Maintain Accuracy and Compliance: Listing is not a one-time event. Under Article 23, providers must notify the auditing organization and competent authority of any material changes that may affect their recognition. Furthermore, Article 20(8) requires an annual review of the audit report. Failure to maintain compliance can lead to the revocation of recognition and removal from the repository, damaging your market position.
• SME Advantages: If you are a Small or Medium-sized Enterprise (SME), Article 17(3) offers a streamlined path for Level 1. Your EU statement of conformity is directly and automatically recognized in all Member States without prior recognition by the evaluating national competent authority. This reduces administrative friction and ensures your service is listed in the central repository at no cost, lowering barriers to entry.

Common misconceptions

Misconception 1: "The central repository is a paid certification badge." Some providers may confuse the CADA repository with commercial certification schemes or industry-led trust marks that often charge annual fees for listing or "badging." The CADA repository is a statutory, public register mandated by Article 22. There is no commercial element to its maintenance, and no fee is charged for inclusion.

Misconception 2: "I can list my service without an audit or recognition." You cannot self-list in the central repository. Listing is strictly contingent upon formal recognition by a national competent authority under Article 17. For Levels 2–4, this requires a positive audit opinion from an independent auditor. For Level 1, it requires a valid EU statement of conformity. The repository only contains recognized services.

Misconception 3: "The Commission charges a fee to maintain the website." While the Commission incurs costs to build and host the platform, the proposal does not provide a mechanism for recovering these costs from individual listed providers. The repository is part of the broader regulatory infrastructure funded by public budgets. This is distinct from the fees levied for the EuroCloud Federation or joint procurement, which are explicitly authorized under Articles 36 and 40.

Misconception 4: "Listing guarantees compliance forever." Listing is an ongoing status, not a permanent certificate. Providers must undergo annual reviews of their audit reports (Article 20(8)) and report material changes (Article 23). If compliance is lost, the recognition is revoked, and the listing is removed (or marked as revoked) in the repository. The "cost" is the ongoing effort to maintain compliance, not a recurring listing fee.

Related

• How does a cloud provider get listed in the CADA central repository?
• CADA Central Repository: What it means for a cloud provider to be listed
• How does a cloud service get listed in the CADA central repository?
• Who registers a cloud service in the CADA central repository?
• Who maintains the CADA central repository of cloud services?

This is general information about a draft EU regulation, not legal advice.