Summary
Under the proposed Cloud and AI Development Act (CADA), a cloud computing service seeking Union Assurance Level 2 must obtain a European cybersecurity certificate of at least the 'substantial' assurance level. This requirement is anchored in Annex II, Section 2.1(e) of the proposal and refers to the European Cybersecurity Certification Scheme for Cloud Services (EUCS) to be established under Regulation (EU) 2019/881. Crucially, the proposal includes a transitional mechanism: until the EUCS is established and available, existing national cybersecurity certification schemes apply. In the absence of both, the provider must demonstrate compliance with the highest cybersecurity standards under applicable Union law. This 'substantial' threshold is distinct from the Level 4 requirement, which as proposed is the 'high' assurance level.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a harmonised Union cloud computing sovereignty framework. This framework is designed to mitigate risks associated with third-country control and ensure operational autonomy for public sector bodies. The framework is structured around four distinct Union assurance levels, each with cumulative criteria regarding establishment, data localisation, personnel, and cybersecurity.
For providers targeting Union Assurance Level 2, the cybersecurity requirement represents a significant escalation from Level 1. While Level 1 relies on a self-declaration of conformity, Level 2 mandates independent third-party audits and specific, verifiable cybersecurity certification.
The Specific Certification Mandate
The precise technical requirement for Level 2 is codified in Annex II, Section 2.1(e) of the CADA proposal. The text explicitly states that for a service to be recognised at this level, the audited service must:
"obtain a European cybersecurity certificate of at least assurance level 'substantial' under a European cybersecurity certification scheme covering cloud computing services to be established under Regulation (EU) 2019/881, provided that such a scheme has been established under that Regulation and is available to cloud computing service providers."
This provision creates a direct legal link between CADA and the Cybersecurity Act (Regulation (EU) 2019/881), which in Article 52 defines the three assurance levels 'basic', 'substantial' and 'high'. The EUCS is the scheme through which the EU intends to standardise cloud security certification across the single market. Under the Cybersecurity Act, 'substantial' is the middle level: a certificate at that level is meant to minimise the known cybersecurity risks and the risk of incidents and attacks carried out by actors with limited skills and resources. That is why CADA uses it as the threshold for cloud services processing sensitive data or supporting critical public functions, while reserving 'high' for Level 4.
The Transitional Fallback Mechanism
The CADA proposal acknowledges that the EUCS scheme may not be fully operational or available to all providers immediately upon the regulation's entry into force. To prevent a regulatory vacuum and ensure market continuity, Annex II, Section 2.1(e) establishes a clear, tiered fallback hierarchy:
"Until the establishment of such a scheme, national cybersecurity certification schemes shall apply, where they exist. Where no Union or national cybersecurity certification schemes exist, the audited provider is to demonstrate that the service complies with the highest cybersecurity standards under applicable Union law."
This creates a three-step compliance path for the transition period:
- EUCS Availability: Once the EUCS scheme is formally established and available, a provider seeking Level 2 recognition must obtain the 'substantial' certificate.
- National Schemes: Until then, existing national cybersecurity certification schemes apply where they exist (for example, national cloud certifications currently in force in Member States). The quoted text says they "shall apply", so this is not an optional alternative.
- Highest Standards: Where neither the EUCS nor a relevant national scheme exists, the burden shifts to the provider to demonstrate compliance with the "highest cybersecurity standards under applicable Union law." The quoted provision does not itself define those standards; in practice this points to ENISA guidance, rigorous industry practice and the relevant EU cybersecurity legislation, and the benchmark may be clarified further through delegated acts or guidance from the European Commission.
Distinguishing Level 2 from Other Assurance Levels
It is critical to distinguish the Level 2 cybersecurity threshold from the other tiers in the CADA sovereignty framework to avoid compliance errors:
- Level 1: Does not require a specific cybersecurity certificate. It relies on a conformity self-assessment where the provider demonstrates compliance with state-of-the-art cybersecurity standards (Annex II, Section 1.1(e)).
- Level 2: Requires a 'substantial' EUCS certificate (or equivalent national/highest standards during the transition). This level introduces independent auditing and stricter sovereignty criteria, such as the requirement that infrastructure and personnel be located in the Union.
- Level 3: Like Level 2, it requires at least a 'substantial' EUCS certificate (Annex II, Section 3.1(e)). However, Level 3 imposes significantly stricter sovereignty criteria, including a general prohibition on third-country control over the provider (with limited derogations for "associated third countries" under Article 18) and mandatory Union citizenship for personnel handling classified information.
- Level 4: Requires the highest cybersecurity threshold. Under Annex II, Section 4.1(e), Level 4 providers must obtain a European cybersecurity certificate of at least the 'high' assurance level under EUCS. This 'high' level is reserved for services handling the most sensitive data and critical public order functions.
Audit and Verification Procedures
Under CADA, the cybersecurity certificate is not a one-off document filed at the time of recognition; it is an input to the independent audit required for Levels 2, 3 and 4. Article 20 of the proposal requires providers seeking recognition at these levels to undergo independent third-party audits.
The auditing organisation verifies the existence and validity of the cybersecurity certificate as part of the audit evidence listed in Annex III. The audit report must contain a 'positive' audit opinion confirming that the provider meets all cumulative criteria, including the cybersecurity certification requirement. If a provider fails to maintain the required certificate, or the certificate expires, the auditing organisation may withdraw its audit opinion. The national competent authority of the Member State of establishment may then revoke the service's recognition at that assurance level, which removes the provider from public procurements that rely on that level.
What this means for you
For CTOs, cloud architects and compliance officers in the EU, the CADA proposal signals a shift toward mandatory, standardised cybersecurity certification for public sector contracts.
- Prioritise EUCS Readiness: If your organisation targets public sector contracts requiring Union Assurance Level 2 or higher, start preparing for EUCS certification now. The 'substantial' level involves an assessment of your security architecture, operational processes and supply chain. Do not wait for the scheme to be fully launched; engage with certification bodies early to scope the gap analysis.
- Monitor National Schemes: If the EUCS launch is delayed, check whether your primary Member State operates a recognised national cybersecurity certification scheme. That national certification is the bridge to CADA Level 2 compliance during the transition period.
- Document "Highest Standards": If you operate in a jurisdiction without a national scheme, make sure your security documentation can demonstrate compliance with the "highest cybersecurity standards under applicable Union law." This will likely involve aligning with ENISA guidance, ISO/IEC 27001 and other relevant EU cybersecurity frameworks, and keeping evidence of continuous monitoring and improvement.
- Factor in Audit Costs and Timelines: The certificate is one input to a broader, mandatory independent audit. Budget for accredited auditing organisations and for the time needed to achieve and maintain the 'substantial' EUCS certificate. Losing the certificate can cost you your Union assurance level recognition and, with it, access to the relevant public procurement markets.
Common misconceptions
"Level 2 requires the 'high' EUCS certificate." Incorrect. Level 2 requires the 'substantial' EUCS certificate. The 'high' EUCS certificate is exclusively required for Union Assurance Level 4. Confusing these levels could lead to over-engineering for Level 2 or under-compliance for Level 4.
"Self-assessment is sufficient for Level 2." Incorrect. Self-assessment is only permitted for Union Assurance Level 1 (Article 19). Levels 2, 3, and 4 strictly require independent third-party audits and specific certifications.
"EUCS is already mandatory for all cloud providers." Incorrect. EUCS is currently a voluntary scheme under development. CADA would make it mandatory only for providers seeking formal recognition under the Union assurance levels for public sector contracts. The proposal also includes transitional provisions allowing national schemes if EUCS is not yet available.
"National schemes are a permanent alternative to EUCS." Incorrect. National schemes are a transitional fallback ("Until the establishment of such a scheme"). Once the EUCS is established and available, the requirement shifts to the European certificate.
Official sources
Related
- CADA Level 4 Cybersecurity: The 'High' EUCS Certificate Requirement
- What SBOM requirement does CADA level 2 impose?
- What cybersecurity standard does CADA Level 1 require?
- CADA and EUCS: How the EU Cybersecurity Certification Scheme fits the Sovereignty Framework
- Does CADA require a European cybersecurity certificate?
This is general information about a draft EU regulation, not legal advice.