Summary
The proposed Cloud and AI Development Act (CADA) does not freeze the definition of "sovereign" cloud services in its primary text. Instead, it empowers the European Commission to update technical standards and procedural rules through delegated acts and implementing acts. As proposed, delegated acts (under Articles 16(2), 20(9), and 21(1)) will amend the sovereignty criteria in Annex II, the audit evidence in Annex III, and the detailed rules for independent audits. Implementing acts (under Articles 17(12), 18, and 29(3)) will govern the practical recognition procedures, identify "associated third countries" eligible for Level 3, and standardize risk assessment methodologies. These acts are legally binding and essential for providers seeking Union assurance levels 2, 3, or 4.
Detail
The CADA proposal establishes a "Union cloud computing sovereignty framework" comprising four assurance levels (Article 16(1)). Recognizing that the technological landscape and geopolitical risks evolve rapidly, the proposal avoids hardcoding every technical detail into the primary legislation. Instead, it creates a dynamic regulatory architecture where the Commission adopts secondary legislation to operationalize the framework.
For legal and compliance teams, distinguishing between these two types of acts is critical, as they follow different legislative procedures, timelines, and scopes of authority.
Delegated Acts: Updating Criteria, Evidence, and Audit Rules
Delegated acts allow the Commission to supplement or amend non-essential elements of the regulation without triggering the full ordinary legislative procedure. Under CADA, these acts are the primary mechanism for keeping the sovereignty framework technically relevant.
1. Amending Sovereignty Criteria and Audit Evidence
The core of the sovereignty framework lies in Annex II (criteria for assurance levels) and Annex III (audit evidence).
- Article 16(2) explicitly empowers the Commission to adopt delegated acts to amend the Union assurance levels set out in Annex II and the evidence set out in Annex III. This ensures that the definition of "sovereign" can adapt to new legal interpretations or technical developments.
- Article 16(3) mandates that the Commission review these annexes at least every 18 months to ensure they remain up to date.
- Article 21(1) reinforces this by granting the Commission power to amend Annex III specifically to lay down the necessary evidence needed to assess the audit criteria under Annex II. This ensures that the proof providers must supply remains aligned with current cybersecurity and data governance standards.
2. Defining Independent Audit Methodologies
For Union assurance levels 2, 3, and 4, cloud computing service providers must undergo independent third-party audits (Article 20(1)). The primary text sets the obligation but leaves the "how" to secondary legislation.
- Article 20(9) empowers the Commission to adopt delegated acts to supplement the Regulation by laying down detailed rules on the performance of audits. This includes procedural steps, rules for auditing organizations (including their technical competences), auditing methodologies, and templates for audit reports.
- This is a critical compliance lever: the specific methodology for proving sovereignty, the format of the audit report, and the qualifications of the auditor will be defined in these acts, not just in the proposal text.
3. Private Sector Impact Assessments
- Article 31(3) allows the Commission to adopt delegated acts to specify the need for impact assessments and risk mitigation measures for private sector entities operating in sectors of high criticality. This extends the sovereignty logic beyond the public sector where deemed necessary by the Commission.
Procedural Note: Under Article 45(6), a delegated act enters into force only if neither the European Parliament nor the Council objects within two months of notification (extendable by three months).
Implementing Acts: Procedures, Third Countries, and Standardization
Implementing acts are used to ensure uniform conditions for the application of the regulation across all Member States. They are adopted via the examination procedure (involving a committee of Member State representatives) as per Article 46(2).
1. Recognition Procedures
The mechanics of how a provider becomes "recognised" are not detailed in the primary text.
- Article 17(12) empowers the Commission to adopt implementing acts concerning the practical arrangements for the recognition procedures. This covers the submission of applications, the evaluation process by national competent authorities, and the cross-border notification steps required for Union-wide recognition.
2. Identifying Associated Third Countries
A unique feature of the CADA proposal is the possibility for providers controlled by a third country to qualify for Union assurance level 3, provided specific safeguards are met.
- Article 18(1) allows the Commission to adopt implementing acts identifying third countries whose cloud providers may be audited against the criteria for Union assurance level 3.
- To be listed, a third country must meet cumulative criteria, including having an adequacy decision under the GDPR (Article 45 of Regulation (EU) 2016/679) and having no measures enabling extraterritorial data access or service disruption.
- The Commission is required to publish a list of qualifying third countries and those that no longer qualify. This list is dynamic; a change in a country's legal landscape could remove it from the list, immediately jeopardizing Level 3 status for providers under its control.
3. Standardizing Risk Assessments
Public sector bodies must determine which assurance level is required for their activities.
- Article 29(3) requires the Commission to adopt implementing acts specifying the methodology, templates, and elements to be taken into account by Member States and Union entities when carrying out risk assessments. This standardization is vital for public sector buyers and the providers serving them, ensuring consistent application of the "public order" test across the EU.
4. EuroCloud Federation and Fees
- Implementing acts also govern the European public sector cloud federation (Article 34(4)), specifying participation procedures and templates.
- Furthermore, Article 36(4) and Article 40(5) allow for implementing acts to determine the fees for the administration of the EuroCloud Federation and the common procurement framework, ensuring cost recovery from participating entities.
Interaction with National Competent Authorities
While the Commission sets the framework via delegated and implementing acts, national competent authorities (designated by Member States under Article 25) are responsible for enforcement. They recognize providers based on the evidence and audits defined by the Commission's secondary legislation. If a provider fails to comply with criteria updated by delegated acts, or fails to follow procedures set by implementing acts, the competent authority can revoke recognition (Article 17(11)).
What this means for you
For in-house counsel and compliance officers in cloud computing or AI services, the reliance on delegated and implementing acts creates a dynamic compliance landscape. You cannot rely solely on the primary text of CADA.
- Monitor the Commission's Rulemaking: You must track the Commission's adoption of delegated acts under Articles 16, 20, and 21. The specific audit methodologies (Article 20(9)) and the exact evidence required (Article 21(1)) will define your day-to-day compliance burden. When these acts are published in the Official Journal, they become binding. Ensure your internal audit processes are flexible enough to adapt to these updates.
- Prepare for Audit Readiness: If you target Union assurance levels 2, 3, or 4, you must undergo independent audits. The delegated acts under Article 20(9) will dictate the auditor's scope and your reporting format. Start aligning your internal controls with the current criteria in Annex II and Annex III, knowing these will be updated every 18 months (Article 16(3)).
- Third-Country Providers: If you are a provider controlled by a third country, monitor the implementing acts under Article 18(1). Recognition at Level 3 is only possible if your home country is identified as providing sufficient assurances. This list will be dynamic; a change in your home country's legal landscape could remove it from the list, immediately jeopardizing your Level 3 status.
- Public Sector Procurement: Public sector buyers must conduct risk assessments using the methodology specified in the implementing act under Article 29(3). As a provider, you should align your marketing and technical documentation with these standardized templates to facilitate procurement.
- Penalties and Revocation: Non-compliance with the criteria (as updated by delegated acts) or failure to follow recognition procedures (as set by implementing acts) can lead to the revocation of your recognition status (Article 17(11)). Member States must impose effective, proportionate, and dissuasive penalties for infringements of this Chapter (Article 24(1)).
Common misconceptions
- "The sovereignty criteria are static." This is incorrect. Article 16(2) and (3) explicitly allow the Commission to amend the criteria in Annex II and review them every 18 months. The definition of a "sovereign" cloud service will evolve with technology and geopolitics.
- "Implementing acts are just guidance." Implementing acts are legally binding. They set the mandatory procedures for recognition (Article 17(12)) and third-country identification (Article 18(1)). Failure to comply with these procedural rules can result in the rejection of your recognition application.
- "Only the Commission decides on audits." While the Commission sets the rules for audits via delegated acts (Article 20(9)), the actual audit is performed by independent auditing organizations of your choice (subject to independence rules in Article 20(4)), and the recognition is granted by the national competent authority of your establishment (Article 17).
- "Level 1 requires an audit." No. Level 1 relies on a conformity self-assessment and an EU statement of conformity (Article 19). Independent audits are only required for Levels 2, 3, and 4 (Article 20(1)).
This is general information about a draft EU regulation, not legal advice.