Summary
Under the proposed Cloud and AI Development Act (CADA), how you demonstrate compliance with the Union assurance framework depends entirely on the tier you target. For Union assurance level 1, you carry out a conformity self-assessment and issue your own EU statement of conformity, with no third party involved (Article 19, as proposed). For levels 2, 3 and 4, you must undergo an independent third-party audit at your own expense, ending in an audit report and a "positive" audit opinion from a qualified auditing organisation (Article 20). The audit must rest on the audit evidence in Annex III, which must be relevant, sufficient and reliable (Article 21). Both routes lead to recognition by a national competent authority under Article 17. CADA is a proposal (COM(2026) 502 final), not yet in force.
Detail
CADA's Article 16 would establish a tiered "Union cloud computing sovereignty framework," with the criteria in Annex II. The proposal draws a sharp line between the lowest tier (level 1) and the higher tiers (levels 2-4): a self-declaration model below, independent verification above. Both feed into the recognition procedure in Article 17, where a national competent authority of establishment evaluates the evidence and, after a cross-Member-State review period, may recognise the service across the Union.
Level 1: conformity self-assessment (Article 19)
For level 1, CADA uses self-declaration. A provider seeking recognition carries out a conformity self-assessment of compliance with the level 1 criteria in Annex II (Article 19(1)). The exercise is internally driven: you assess your own infrastructure, data handling and legal structures against those criteria. On concluding the service is compliant, you issue an EU statement of conformity declaring that compliance has been demonstrated, and by issuing it you assume responsibility for the service's compliance (Article 19(2)). The statement must be made publicly available (Article 19(3)).
To be recognised, you then submit the EU statement of conformity and all necessary evidence to the national competent authority of establishment (Article 17(3)). For SMEs, a derogation streamlines this: an EU statement of conformity issued by an SME is directly and automatically recognised in all Member States without prior recognition by the evaluating authority (Article 17(3)).
Levels 2, 3 and 4: independent third-party audit (Articles 20-21)
For the higher tiers, self-assessment is not available. The provider must undergo, at its own expense, an independent third-party audit to obtain an audit report and an audit opinion from an auditing organisation (Article 20(1)). The criteria are cumulative: a service audited at a higher level must satisfy all criteria applicable to the lower levels, and failing any lower-level requirement precludes the higher level (Article 20(1)).
Independence of the auditor (Article 20(4)). The auditing organisation must be independent and free of conflicts of interest. In particular, it must not have provided non-audit services on the matters audited in the 12 months before the audit (and must commit not to for the 12 months after); must not have audited the same provider in the prior 10 years; and must not be paid fees contingent on the result. It must also have proven expertise and technical competence in auditing cloud computing services, and proven objectivity and professional ethics.
Cooperation and access (Article 20(2)). The provider must cooperate and give the auditor access to all relevant data and premises, answer oral or written questions, and refrain from hampering, unduly influencing or undermining the audit.
The report and opinion (Article 20(5)). The auditor prepares a substantiated written audit report containing, among other things, a description of the aspects audited and methodology, the main findings, and a "positive" or "negative" audit opinion against the Annex II criteria for the relevant level. A "negative" opinion must include operational recommendations and a recommended timeframe to achieve compliance; a "positive" opinion identifies the Union assurance level to be recognised under Article 17. Only the audit report and a "positive" opinion (plus the evidence given to the auditor) support a recognition application (Article 17(4)).
Ongoing review (Article 20(8)). The provider must annually submit the report and positive opinion for review to the same or a different auditing organisation, which assesses continued compliance and may confirm, update or revoke them. The auditor may also revoke the report and opinion where the provider supplied incorrect or misleading audit evidence (Article 20(7)).
Audit evidence (Article 21)
The audit's rigour rests on Article 21. The auditing organisation assesses compliance with the Annex II criteria on the basis of the audit evidence listed in Annex III (Article 21(1)); the Commission may adopt delegated acts amending Annex III to keep the evidence aligned with the criteria. The evidence must be relevant and sufficient to enable the auditor to prepare a report and opinion, and reliable according to the auditor's professional judgment and scepticism (Article 21(2)). In practice this means granular, verifiable material — for example infrastructure-location records, SBOMs, personnel and citizenship records, and contractual clauses — rather than high-level summaries. If the evidence is insufficient or unreliable, the auditor cannot give a positive opinion, and recognition is blocked.
What this means for you
For cloud service providers and data centre operators, the target tier dictates your compliance model, cost and overhead.
If you target level 1:
- Own the declaration. With no third-party validator, the burden of proof rests on you. Your EU statement of conformity must be accurate and publicly accessible (Article 19); a national competent authority can revoke recognition where a provider intentionally or negligently supplied incorrect or misleading information (Article 17(11)).
- SME fast track. If you qualify as an SME, the automatic cross-EU recognition in Article 17(3) speeds market entry.
- Self-assessment is not "no scrutiny." National competent authorities have investigative powers (Article 26) and can challenge a self-assessment.
If you target levels 2, 3 or 4:
- Prepare evidence early. The audit is a deep dive against every Annex II criterion, evidenced per Annex III (Article 21). Build the evidence package — locations, SBOMs, personnel and citizenship records, contracts — before you engage an auditor.
- Pick a qualified, independent auditor. Apply the Article 20(4) tests, watching the 12-month and 10-year look-back periods, the no-contingent-fees rule, and the competence requirements.
- Budget for cost and cooperation. You pay for the audit (Article 20(1)) and must grant access and assistance (Article 20(2)).
- Stay continuously ready. Recognition is not a one-off: annual review (Article 20(8)) plus a duty to notify any material change that could affect the audit opinion or recognition (Article 23).
For data centre operators: CADA's assurance framework is addressed to cloud computing service providers, but if you supply infrastructure that forms part of a service seeking level 2-4 recognition, you will typically be a subcontractor whose operations fall within the provider's audit. Annex II's cumulative criteria reach subcontractors "involved in the provision of the service," so align your own practices — data localisation, personnel location and, at the higher tiers, Union citizenship and screening — or you may cause the provider to fail.
Common misconceptions
- "Level 1 self-assessment is informal." The Annex II level 1 criteria still apply in full, the provider takes legal responsibility for its statement (Article 19(2)), and national authorities can investigate (Article 26) and revoke recognition for misleading information (Article 17(11)). No auditor does not mean no scrutiny.
- "Any auditor can do a level 2-4 audit." No. Article 20(4) sets strict independence, look-back and competence barriers; a general consultant who fails the conflict-of-interest or competence tests cannot perform the audit.
- "A positive opinion is permanent." No. Article 23 obliges you to report material changes; the auditor reassesses at the annual review (Article 20(8)) and may update or revoke the report and opinion, and since a recognition application rests on a "positive" opinion (Article 17(4)), the basis for recognition can fall away with it.
- "The evidence package is fixed forever." No. Article 21(1) lets the Commission amend the Annex III evidence by delegated act, and the annual review may call for fresh evidence.
Related
- CADA self-assessment vs NCA recognition: how the two paths differ
- CADA conformity self-assessment vs third-party assessment: cost and credibility compared
- CADA vs DORA for financial-sector cloud: which one applies?
- CLOUD Act vs EU-US Data Privacy Framework vs CADA: which addresses sovereignty?
- CADA Union assurance level 3 vs level 4: what is the highest tier?
This is general information about a draft EU regulation, not legal advice.