Summary

Under the proposed Cloud and AI Development Act (CADA), seeking Union assurance recognition would be voluntary for cloud service providers: a provider chooses to apply to the national competent authority of its establishment (Article 17). Procuring recognised services would be mandatory for the demand side: public sector bodies whose activities are not identified as public-order relevant must use services recognised at Union assurance level 1 (Article 30(2)), and those identified as public-order relevant must procure only level 2, 3 or 4 (Article 30(3)). The result is a supply-and-demand mechanism — providers are not compelled to seek recognition, but without it they are largely excluded from public procurement. CADA is a proposal (COM(2026) 502 final), not yet in force.

Detail

CADA would create a dual-track system: voluntary recognition on the supply side (providers) and mandatory requirements on the demand side (public buyers).

Voluntary recognition for providers (Article 17)

For providers, recognition would be voluntary. A provider that "aims to be recognised as offering a Union assurance level" must proactively submit an application to the national competent authority of its establishment (Article 17(1)). The mechanism is tiered:

  • Level 1: the provider carries out a conformity self-assessment and issues an EU statement of conformity (Article 19), submitting it with the evidence to the evaluating authority (Article 17(3)). For SMEs, the statement of conformity is "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority" (Article 17(3)).
  • Levels 2, 3 and 4: the provider must undergo an independent third-party audit and submit the audit report, the "positive" audit opinion (Article 20) and all the evidence provided to the auditing organisation (Article 17(4)).

The regulation would not compel any provider to seek recognition — it is a market-driven choice to access public contracts and signal trust to private clients. The evaluating authority assesses the evidence within 60 days of accepting the application; if sufficient, it prepares a draft recognition decision and notifies the other Member States for a 60-day review period, after which (absent a reasoned objection) the service is recognised across the Union at the applicable level (Article 17(5)–(7)).

Mandatory procurement for public buyers (Article 30)

While recognition is voluntary, procurement would be mandatory. Article 30 applies to contracting authorities procuring cloud services for their exclusive use (and to Union entities, without prejudice to the EU Financial Regulation).

  • Baseline: Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order under the Article 29 risk assessment "shall use cloud computing services that have been recognised under Article 17 as having a Union assurance level 1" (Article 30(2)).
  • Public-order activities: contracting authorities whose activities have been identified as contributing to the preservation of public order — in sectors under Annex I or II of the NIS2 Directive and in national security, internal security, external border management, defence, justice or law enforcement — "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4" (Article 30(3)).

This creates a "pull" factor: public buyers cannot pick any service; they are bound to choose from the pool that has been recognised under Article 17.

The supply-and-demand interplay

  1. Supply side (voluntary): providers invest in self-assessment or third-party audit to gain recognition — a business decision to access the public sector market and differentiate as "sovereign."
  2. Demand side (mandatory): public authorities must buy recognised services. They run risk assessments under Article 29 to set the appropriate level, but cannot drop below level 1 for ordinary activities.

If a provider does not seek recognition, it effectively excludes itself from the Article 30 procurement market. If too few providers seek recognition, buyers may have to rely on the limited, exceptional derogations in Article 30(4) — for example where no recognised service can supply the subject matter and no comparable alternative exists, where a similar procurement in the previous year drew no suitable tenders, or where compliance would require procurement at disproportionate cost.

What this means for you

As a provider or data centre operator, treat Article 17 as a market-entry strategy, not a passive burden.

  • Assess your target market. Selling to the EU public sector would require recognition. Decide whether you target level 1 (self-assessment) or levels 2–4 (independent audit), based on the sensitivity of your prospective clients' activities.
  • Prepare the application. For level 1, have a robust internal control system and a compliant EU statement of conformity. For levels 2–4, engage an independent auditing organisation early — the audit requires access to all relevant data and premises (Article 20(2)).
  • Monitor risk assessments. Your demand side depends on Member State and Union-entity risk assessments under Article 29. Track which sectors are classified as public-order relevant, as that determines whether level 1 suffices or higher levels are needed.
  • SME advantage. As an SME, the automatic recognition of your level 1 statement of conformity (Article 17(3)) can reduce administrative friction and speed your time-to-market.

Common misconceptions

  • "All cloud providers must get recognised." No. Recognition under Article 17 would be voluntary. But without it, providers are largely shut out of public procurement under Article 30.
  • "Level 1 is optional for public buyers." No. Article 30(2) would require public bodies to use services recognised at least at level 1, unless the activity is public-order relevant (requiring level 2, 3 or 4) or an exceptional derogation under Article 30(4) applies. There is no "unassured" baseline for public procurement.
  • "Recognition is granted by the Commission." No. The national competent authority of the provider's establishment is the evaluating authority and adopts the recognition decision (Article 17). The Commission maintains a central repository of recognised services (Article 22), but the assessment is a national task, with Union-wide effect through the Member State review procedure.
  • "Private companies can ignore these rules." Largely, but with caveats. Article 30 targets public buyers, while Article 31 allows private entities listed in NIS2 Annex I to carry out similar impact assessments, and procurement spillover may lead private buyers to demand comparable sovereignty assurances.

This is general information about a draft EU regulation, not legal advice.