Summary

Yes, under the proposed Cloud and AI Development Act (CADA), cloud computing service providers seeking recognition at Union assurance level 1 must make their EU statement of conformity publicly available. This mandatory transparency obligation is explicitly set out in Article 19(3) of the proposal. By requiring public disclosure, the Act ensures that public-sector buyers, auditors, and other stakeholders can independently verify a provider's self-declared compliance with baseline sovereignty criteria without needing to request the document through formal channels. This mechanism is designed to reduce information asymmetry in the market and facilitate informed procurement decisions.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a "Union cloud computing sovereignty framework" comprising four distinct assurance levels. These levels are designed to help public bodies mitigate risks associated with dependence on non-European cloud providers and to safeguard the Union's public order. The framework is tiered: Union assurance level 1 serves as the minimum baseline for general public sector activities, while levels 2, 3, and 4 address progressively higher risks, including those related to public order, classified information, and critical infrastructure.

The mechanism for achieving Union assurance level 1 differs fundamentally from the higher tiers. While levels 2, 3, and 4 require rigorous independent third-party audits under Article 20, Union assurance level 1 relies on a conformity self-assessment conducted by the cloud computing service provider itself. This self-assessment process is governed by Article 19 of the proposal.

The Self-Assessment Process (Article 19)

Under Article 19(1), any cloud computing service provider aiming to be recognised as offering Union assurance level 1 must first carry out a conformity self-assessment. This assessment must demonstrate compliance with the specific cumulative criteria set out in Annex II of the Regulation. These baseline criteria generally include:

  • The provider being established in the Union.
  • Ensuring that infrastructure, assets, and customer data remain exclusively within the Union (unless the public sector body explicitly requires otherwise).
  • Implementing measures to ensure traceability and security when outsourcing technical support to third parties outside the Union.
  • Demonstrating compliance with state-of-the-art cybersecurity standards.

Once the provider has completed this self-assessment, Article 19(2) requires them to issue an "EU statement of conformity." By issuing this statement, the provider formally assumes full responsibility for the compliance of their cloud computing service with the criteria for Union assurance level 1. The statement serves as the provider's official declaration that they have met the regulatory baseline.

The Public Availability Mandate (Article 19(3))

The critical transparency requirement is found in Article 19(3), which states: "The cloud computing service provider shall make the EU statement of conformity publicly available."

This provision is not merely a recommendation; it is a mandatory obligation for any provider seeking recognition at this level. The requirement serves several strategic purposes within the CADA framework:

  1. Market Transparency: By making the statement publicly available, providers allow the market to see who has declared compliance with the baseline sovereignty standards. This helps public buyers quickly identify potential vendors without engaging in a lengthy pre-procurement information gathering process.
  2. Accountability: Since the statement is a self-declaration, public availability subjects the provider to external scrutiny. Competitors, civil society, and other stakeholders can review the declaration, creating a form of market-based accountability that complements regulatory oversight.
  3. Facilitating Procurement: Public procurement officers can access these statements directly to verify that a bidder meets the minimum requirements for Union assurance level 1, as mandated by Article 30(2) for activities not identified as contributing to the preservation of public order.

Distinction from Higher Assurance Levels

It is important to distinguish the transparency regime for Union assurance level 1 from that of the higher levels. For Union assurance levels 2, 3, and 4, the process involves independent third-party audits under Article 20. In those cases, the provider submits an audit report and a "positive" audit opinion to the national competent authority for recognition. While the outcome of these recognitions is published in the central repository established under Article 22, the specific obligation to publish a self-declared "EU statement of conformity" is unique to the self-assessment mechanism of Union assurance level 1.

However, once a service is recognised at any level (1 through 4), it is registered in the central repository maintained by the Commission. This repository, accessible via a dedicated website, ensures that the status of all recognised services is transparent and up-to-date. Yet, the specific public availability of the statement itself remains a distinct feature of the level 1 self-assessment route.

What this means for you

For public-sector procurement officers, compliance teams, and cloud service providers, the public availability requirement under Article 19(3) has significant practical implications.

For Public-Sector Procurement Officers

  • Streamlined Due Diligence: When procuring cloud services for standard activities that do not involve high-sensitivity data or critical public order functions (which would trigger the need for levels 2–4 under Article 30(3)), you are generally required to procure services recognised at Union assurance level 1 per Article 30(2). The public availability of the EU statement of conformity means you do not need to request this document internally or wait for a provider to send it upon request. You can expect providers to have already published it, significantly speeding up your initial vendor screening process.
  • Verification of Claims: If a provider claims to be "sovereign" or "EU-aligned" but cannot produce a publicly available EU statement of conformity issued under CADA, they likely do not meet the regulatory baseline for Union assurance level 1. You can use the public nature of this document to quickly filter out non-compliant vendors during the tender evaluation phase.
  • Risk Management Context: While the statement is public, remember that it is a self-assessment. It does not carry the same evidentiary weight as an independent audit opinion required for higher levels. For activities identified in your risk assessment under Article 29 as contributing to the preservation of public order, you must still procure services recognised at Union assurance levels 2, 3, or 4, which have undergone rigorous third-party auditing.

For Cloud Service Providers

  • Compliance Obligation: If you seek recognition at Union assurance level 1, you must not only conduct the self-assessment and issue the statement but also ensure it is publicly available. Failure to do so would mean you cannot be recognised under the framework, effectively barring you from public procurement contracts that require at least level 1 assurance.
  • Strategic Positioning: Publishing the statement can serve as a competitive advantage, signaling to the market your commitment to EU sovereignty standards. It allows you to demonstrate compliance proactively rather than reactively.
  • Liability Awareness: By making the statement public, you are putting your declaration on the record. If the statement is found to be incorrect or misleading, you may face penalties under Article 24 for infringements of the sovereignty chapter, as well as potential compensation claims from recipients of the service.

Common misconceptions

"All cloud providers must publish this statement."

  • Reality: Only providers seeking recognition specifically for Union assurance level 1 are required to issue and publish an EU statement of conformity under Article 19. Providers aiming for levels 2, 3, or 4 undergo independent audits under Article 20 and do not issue this specific self-declaration document, although their audit outcomes and recognition status are published in the central repository.

"A public statement guarantees full sovereignty."

  • Reality: Union assurance level 1 is the minimum baseline. It ensures basic criteria like EU establishment and data residency but does not include the stringent personnel screening, specific cybersecurity certification levels, or supply chain controls required for levels 2, 3, and 4. A public statement confirms compliance with the entry-level criteria, not the highest levels of sovereignty.

"The statement is only visible to the Commission or national authorities."

  • Reality: Article 19(3) explicitly states the provider must make it publicly available. This means it should be accessible to anyone, including competitors, journalists, researchers, and the general public, not just regulatory bodies.

"This replaces the need for contract review."

  • Reality: While the statement provides a snapshot of compliance, procurement contracts must still include specific clauses to enforce these standards and manage ongoing obligations. The public statement is a transparency tool and a prerequisite for recognition, not a substitute for robust contractual governance and ongoing monitoring.

This is general information about a draft EU regulation, not legal advice.