Summary

No. Under the proposed Cloud and AI Development Act (CADA), Union assurance recognition is not equivalent to ISO 27001 certification. ISO 27001 is a voluntary international standard for an information security management system (ISMS) — it shows how you manage security risk. CADA's Union assurance framework (Article 16, with the criteria in Annex II) would assess sovereignty: corporate control, EU establishment and location, data residency, personnel, software supply chain and operational autonomy — and, as proposed, would determine whether a service may lawfully be procured by the EU public sector at all. The two answer different questions and, for many providers, you would need both. CADA is a proposal (COM(2026) 502 final), not yet in force.

Detail

The difference lies in purpose and scope. ISO 27001 is a best-practice standard for establishing, maintaining and continually improving an ISMS, focused on confidentiality, integrity and availability through risk assessment and treatment. It does not mandate where data is stored, who owns the provider, or whether third-country laws could compel data access.

CADA's "Union cloud computing sovereignty framework" (Article 16) would establish four Union assurance levels, with cumulative criteria set out in Annex II, that providers must meet to provide cloud services to Union entities and public sector bodies. As proposed, it evaluates sovereignty, not just security hygiene.

1. Scope: security management vs sovereignty

ISO 27001 certification attests that you operate an ISMS audited against the standard's requirements, with the controls you have declared applicable in your Statement of Applicability. CADA recognition would attest that you are structurally independent from third-country control and that data remains within the Union.

  • ISO 27001: policies, procedures and technical controls to mitigate security risk, within a scope the organisation defines itself (a certificate may cover only some services or sites, so check its scope statement). A US-based hyperscaler can hold ISO 27001 while storing EU customer data outside the EU and being subject to laws such as the US CLOUD Act.
  • CADA assurance: focuses on control and location. Article 16(1) would establish the four-level framework. Annex II sets cumulative criteria — for example, level 1 would require the provider to be established in the Union with infrastructure and assets located in the Union (Annex II §1.1). Higher levels would add stricter conditions: level 2 would require infrastructure, assets and personnel located in the Union; levels 3 and 4 would require personnel to be Union citizens (Annex II §§3.1(d), 4.1(d)) and would prohibit control by a third country or a legal entity established in a third country (Annex II §§3.1(g), 4.1(g)), with a limited derogation at level 3 for "associated third countries" recognised by Commission implementing act (Article 18).

2. Assessment mechanism: certification body vs regulatory recognition

ISO 27001 is achieved through an audit by an accredited certification body, resulting in a certificate. CADA would use a formal recognition mechanism run by national competent authorities:

  • Level 1: a conformity self-assessment and an EU statement of conformity (Article 19). For SMEs, the statement of conformity would be "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority" (Article 17(3)).
  • Levels 2–4: independent third-party audits (Article 20), where the auditing organisation issues a "positive" audit opinion.
  • Recognition: the national competent authority of establishment is the evaluating authority; it assesses the evidence within 60 days of accepting the application, then notifies other Member States for a 60-day review period before adopting the recognition decision, which is valid Union-wide (Article 17).

3. Data and operational autonomy

ISO 27001 does not restrict data transfers or support locations. CADA would.

  • Data residency: all four Annex II levels would require customer data, including metadata and telemetry, to remain exclusively within the Union; at level 1 this applies unless the public sector body requires otherwise (Annex II §§1.1(c), 2.1(c), 3.1(c), 4.1(c)). ISO 27001 sets no geographic restriction.
  • Operational support: levels 2–4 would require technical and operational support to be initiated and performed exclusively within the Union (Annex II §§2.1(h), 3.1(h), 4.1(h)). ISO 27001 allows global support.
  • Third-country control: CADA expressly assesses whether a provider is subject to third-country control (see the Annex II level criteria, notably §§3.1(g) and 4.1(g)). ISO 27001 is silent on ownership or jurisdictional control.

4. Legal consequence

  • ISO 27001: a market differentiator that builds trust and is often requested in tenders, but no EU law mandates it for public procurement.
  • CADA recognition: a procurement prerequisite. As proposed, public sector bodies whose activities are not identified as contributing to the preservation of public order must use services recognised at Union assurance level 1 (Article 30(2)); those whose activities are so identified must procure only services recognised at level 2, 3 or 4 (Article 30(3)).

What this means for you

For providers and data centre operators, holding ISO 27001 would be insufficient to access the EU public sector market under CADA. You would need to pursue Union assurance recognition as well.

  1. Map your gaps. A non-EU-controlled provider would likely be unable to reach levels 2–4 without restructuring, given the ownership, location and data-residency rules. Level 1 may be reachable by establishing a Union entity and keeping assets and data in the EU.
  2. Prepare for audit. For levels 2–4, engage an auditing organisation early. The audit (Article 20) would be rigorous, covering software supply chains (software bills of materials, SBOMs), personnel citizenship and third-country control structures, and providers must give the auditor access to all relevant data and premises (Article 20(2)).
  3. Engage competent authorities. Apply to the national competent authority of your establishment (Article 17). The process involves a 60-day assessment, then a 60-day Member State review period during which reasoned objections may be raised.
  4. Maintain compliance. Recognition would not be permanent: providers must report material changes that could affect the audit report or recognition (Article 23) and submit the audit report for annual review (Article 20(8)).

Common misconceptions

  • "ISO 27001 proves sovereignty." No. It proves you have security controls. It does not prove data stays in the EU or that you are free from third-country legal compulsion.
  • "CADA replaces ISO 27001." No. CADA would not abolish ISO 27001. You may need both — ISO 27001 for general market trust and CADA recognition for public sector contracts. Annex II would, where a scheme exists, require a European cybersecurity certificate (e.g. under the Cybersecurity Act, Regulation (EU) 2019/881) as a criterion, which is distinct from ISO 27001.
  • "All providers need level 4." No. Level 4 is the most stringent tier, intended for the most critical activities (e.g. defence). The level required for each public sector activity would be set by risk assessment (Article 29).

This is general information about a draft EU regulation, not legal advice.