Summary Under the proposed Cloud and AI Development Act (CADA), self-assessment and national competent authority (NCA) recognition are two different steps on the same road, not alternatives. Self-assessment is how a provider generates evidence for Union assurance level 1: it would carry out a conformity self-assessment, issue a public EU statement of conformity, and assume responsibility for compliance. Recognition is the validation step: the provider would apply to the NCA of its establishment, which assesses the evidence and, if no other Member State objects, grants recognition that applies EU-wide. For levels 2-4 the evidence would instead come from an independent third-party audit. One important shortcut: an SME's level 1 EU statement of conformity would be directly and automatically recognised in all Member States, without prior NCA recognition.
Detail
The CADA proposal, as drafted, would set up a Union cloud computing sovereignty framework of four assurance levels (Article 16), with the criteria for each set out in Annex II. To supply cloud services to Union entities and public sector bodies at a given level, a provider would need its service formally recognised at that Union assurance level. The relationship between self-assessment and recognition is procedural: self-assessment (or audit) produces the evidence; recognition validates it. They are sequential, not a choice between two routes.
The role of the national competent authority (NCA)
Whatever the assurance level, the gateway would be the NCA of the provider's establishment. Article 17 establishes this mechanism. A provider seeking recognition would submit an application to that NCA, which acts as the "evaluating national competent authority," including all the evidence required under Article 17(3) or (4).
Recognition would not be automatic on submission. Under Article 17(5), within 60 days of accepting the application the evaluating NCA would either:
- prepare a draft recognition decision and notify the other Member States for a 60-day review period; or
- request further information if the evidence is insufficient, suspending the 60-day clock until the information arrives (the suspension not exceeding 30 days in total unless justified by the nature of the request or exceptional circumstances); or
- reject the request — but only after giving the provider 30 days to submit written comments, which the NCA must take due account of.
The evaluating NCA may also, where necessary, ask competent authorities of other Member States to collaborate in the procedure (Article 17(2)). If no reasoned objection or request for clarification is raised during the review period, the conclusions are deemed accepted, the NCA adopts the recognition decision, and the service is recognised throughout the Union at the appropriate assurance level (Article 17(7)). This is, in effect, a "recognise once, valid everywhere" model. Where objections cannot be resolved, the matter can ultimately be referred to the Commission for a binding decision (Article 17(10)).
Path 1: Union assurance level 1 (self-assessment)
For Union assurance level 1, the proposal would rely on a conformity self-assessment rather than an independent audit. Article 19 sets out the process:
- Self-assessment: the provider would carry out a conformity self-assessment of compliance with the level 1 criteria in Annex II.
- EU statement of conformity: following the assessment, the provider would issue an EU statement of conformity. By issuing it, the provider would assume responsibility for the compliance of the service with the level 1 criteria.
- Public availability: the provider would make the EU statement of conformity publicly available.
How this feeds recognition. Under Article 17(3), the candidate provider would submit the EU statement of conformity referred to in Article 19(2), plus all necessary evidence, to the evaluating NCA, which then reviews it before proceeding.
SME derogation. Article 17(3) contains a significant carve-out: an EU statement of conformity issued under Article 19(2) by a provider that is an SME would be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating NCA. For SMEs at level 1, this would bypass the standard NCA review.
Path 2: Union assurance levels 2, 3 and 4 (independent audit)
For higher levels, a self-assessment would not suffice. Article 20 would require providers seeking recognition at levels 2, 3 or 4 to undergo, at their own expense, independent third-party audits and obtain an audit report and an audit opinion from an auditing organisation. A provider audited at a higher level must satisfy all the cumulative Annex II criteria of the lower levels; failing any lower-level requirement would preclude conformity at the higher level.
How this feeds recognition. Under Article 17(4), for levels 2, 3 and 4 the candidate provider would submit to the evaluating NCA the audit report, the 'positive' audit opinion referred to in Article 20, and all the evidence provided to the auditing organisation during the audit procedure. The NCA would not re-audit the service; it would assess whether that third-party evidence supports recognition before moving to the Member State review phase.
Summary of the path difference
| Feature | Union assurance level 1 | Union assurance levels 2, 3, 4 |
|---|---|---|
| Primary evidence | Conformity self-assessment (Art 19) | Independent third-party audit (Art 20) |
| Key document | EU statement of conformity | Audit report + 'positive' audit opinion |
| Responsibility | Provider assumes responsibility (Art 19(2)) | Auditing organisation gives the opinion; provider remains accountable |
| NCA role | Reviews the self-declaration (Art 17(3)) | Reviews audit evidence (Art 17(4)) |
| SME treatment | Automatic, EU-wide recognition (Art 17(3)) | No automatic recognition; standard process applies |
What this means for you
For cloud service providers and data centre operators planning a CADA compliance strategy, the self-assessment-versus-recognition distinction would shape both cost and timeline.
- Resource planning. Targeting only level 1 would let you avoid the cost and lead time of an independent auditing organisation — your internal team could prepare the self-assessment and EU statement of conformity. But because you would be legally assuming responsibility for that statement under Article 19(2), your internal evidence and controls must be genuinely robust.
- SME advantage. If you qualify as an SME, the Article 17(3) automatic-recognition clause would let you issue your level 1 EU statement of conformity and treat it as recognised across all Member States without waiting for NCA approval — a real go-to-market advantage.
- Audit preparation. For levels 2, 3 or 4, engage an auditing organisation early. The audit under Article 20 would require access to data and premises and cooperation with questions, and the criteria are cumulative across levels — so weaknesses at a lower level would block the higher one.
- NCA engagement. Identify your NCA of establishment early. Under Article 25(4), that is the Member State where your main establishment — the head office or registered office from which principal financial functions and operational control are exercised — is located, and it would have exclusive competence for enforcing this Chapter.
Common misconceptions
Misconception 1: Self-assessment means no oversight. Level 1 would rely on self-assessment, but it would not be unregulated. Except where the SME automatic-recognition rule applies, the NCA still reviews the application. NCAs would also hold investigative powers under Article 26, and under Article 17(11) the evaluating NCA may revoke recognition where a provider intentionally or negligently supplied incorrect or misleading information.
Misconception 2: Recognition is automatic once you pass an audit. A 'positive' audit opinion is only the evidence you submit; it is not recognition. The NCA would still have to adopt a recognition decision, and other Member States would have a 60-day window to raise a reasoned objection (Article 17(5)-(7)). Only after that process concludes would the service be recognised EU-wide.
Misconception 3: SMEs are exempt from all recognition procedures. The SME carve-out is narrow. It would exempt SMEs only from prior NCA recognition for level 1 (Article 17(3)); they would still have to carry out the self-assessment, issue the EU statement of conformity, make it public, and ensure it is accurate. For levels 2, 3 and 4, SMEs would get no automatic recognition.
Misconception 4: You can choose the most lenient NCA. There would be no forum shopping. Under Article 25(4) the NCA of establishment is fixed by where your main establishment is located, and that Member State would have exclusive competence to enforce the sovereignty framework chapter.
Related
- CADA self-assessment vs independent audit: which applies to my tier?
- CADA conformity self-assessment vs third-party assessment: cost and credibility compared
- CADA voluntary recognition vs mandatory procurement levels
- CADA Union assurance recognition vs ISO 27001: are they comparable?
- Third-country recognition vs Union assurance level 4 under CADA: what is the ceiling?
This is general information about a draft EU regulation, not legal advice.