Summary
If your application for recognition under the proposed Cloud and AI Development Act (CADA) is refused, you are not permanently barred from the EU cloud market. The proposal establishes a specific procedural safeguard: under Article 17(5)(c), the evaluating national competent authority must give you a 30-day opportunity to provide written comments on the evaluation conclusions before finalising the rejection. This window allows you to challenge factual errors or clarify ambiguous evidence. If the refusal is finalised, the proposal does not impose a permanent ban; instead, you may address the identified deficiencies in your technical setup or documentation and submit a new application for recognition at a later date.
Detail
The CADA proposal establishes a rigorous, EU-wide sovereignty framework for cloud computing services, categorised into four "Union assurance levels." To operate in the public sector, providers must be recognised at one of these levels by the national competent authority of their establishment. The recognition process is governed by Article 17 of the proposal, which outlines a strict timeline and procedural safeguards to ensure fairness while maintaining high security standards.
The Refusal Procedure under Article 17
When an application for recognition is submitted, the evaluating national competent authority has 60 days to assess the evidence. During this assessment, the authority may determine that the submitted evidence is insufficient to demonstrate compliance with the relevant Union assurance level. In such cases, the authority may request further information, suspending the 60-day clock for up to 30 days.
If, after receiving any additional information, the authority still concludes that the provider does not meet the criteria, it may proceed to reject the request. However, the proposal includes a critical procedural right for the applicant. According to Article 17(5)(c), before formally rejecting the request for recognition, the evaluating competent authority shall give the candidate cloud computing service provider the opportunity to provide written comments on the conclusions of the evaluation within 30 days.
The text of the proposal is explicit on this point:
"Prior to rejecting the request for recognition, the evaluating competent authority shall give the candidate cloud computing service provider the opportunity to provide written comments on the conclusions of the evaluation within 30 days. The evaluating competent authority shall take due account of those comments when finalising its conclusions."
This 30-day window is your primary recourse during the application process. It allows you to:
- Challenge factual errors: If the authority misunderstood specific technical configurations, legal structures, or the location of assets, you can clarify these points in writing.
- Supplement explanations: If certain audit evidence was ambiguous or if the authority failed to grasp the context of your compliance measures, you can provide additional narrative support.
- Address specific criteria gaps: You can explain how your measures, though perhaps non-standard, still meet the cumulative criteria set out in Annex II of the proposal.
The evaluating competent authority is legally bound to take due account of those comments when finalising its conclusions. This means the authority cannot ignore your rebuttal; it must consider your arguments before issuing the final rejection decision. If the authority maintains its decision after considering your comments, it will issue a formal rejection.
Post-Refusal: Remediation and Re-application
If the authority maintains its decision and issues a formal rejection, the immediate application process ends. However, CADA does not impose a permanent ban on re-applying. The refusal is based on the specific evidence and state of compliance at the time of evaluation. Therefore, the strategic path forward involves remediation and re-application.
1. Analyze the Deficiencies
The rejection decision should be reasoned, indicating which specific criteria in Annex II were not met. Common reasons for refusal include:
- Insufficient Audit Evidence: For Union assurance levels 2, 3, and 4, the provider must undergo independent third-party audits under Article 20. A negative audit opinion or insufficient audit evidence (as detailed in Annex III) will lead to rejection.
- Structural Non-Compliance: Failure to demonstrate that infrastructure, assets, and personnel are located in the Union, or failure to prove that data remains exclusively within the Union (unless explicitly required otherwise by the public sector body).
- Third-Country Control Issues: Inability to demonstrate effective legal, technical, and organisational separation from third-country controllers. For Level 3, this may involve the complex derogation mechanism under Article 18 (noting that Annex II currently references Article 19 in a drafting slip, but the substantive rule is in Article 18).
2. Implement Corrective Measures
Once the deficiencies are identified, the provider must implement technical, organisational, or contractual changes. This may involve:
- Re-structuring Subcontracting Chains: Ensuring all subcontractors involved in service provision meet the Union establishment and location criteria.
- Enhancing Data Localisation Controls: Implementing stricter technical controls to ensure no customer data, metadata, or telemetry leaves the Union.
- Improving Audit Readiness: Working with your auditing organisation to address specific gaps in the software bill of materials (SBOM), supply chain transparency, or cybersecurity certifications (e.g., obtaining a "substantial" certificate for Levels 2/3 or "high" for Level 4).
3. Re-Apply for Recognition
After remediation, the provider can submit a new application for recognition. There is no statutory "cooling-off" period specified in the proposal, but the new application must be accompanied by new, sufficient evidence demonstrating that the previously identified deficiencies have been resolved. The evaluating national competent authority will treat this as a fresh application, subject to the same 60-day assessment timeline.
The Role of the Central Repository
It is important to note that a rejected service will not appear in the central repository of cloud computing services maintained by the Commission under Article 22. This repository only lists services that have been successfully recognised across the Union. Therefore, until a new application is successful, the service cannot be procured by public sector bodies under the mandatory sovereignty requirements of Article 30.
What this means for you
For cloud service providers and data centre operators, a refusal is a significant operational setback but not a terminal event. The key to navigating a refusal lies in proactive engagement during the 30-day comment period and a disciplined approach to remediation.
Actionable Steps:
- Monitor Deadlines Closely: The 30-day window for written comments under Article 17(5)(c) is strict. Ensure your legal and compliance teams are ready to draft a robust response immediately upon receiving preliminary negative conclusions. Missing this window effectively waives your right to comment before the final rejection.
- Engage with Your Auditor: For levels 2–4, your auditing organisation is a critical partner. If the audit opinion was negative or qualified, work with them to understand the exact evidence gaps. You may need to re-audit specific components before re-applying.
- Document Everything: Keep detailed records of all communications with the competent authority. If you believe the authority failed to take your written comments into account, this documentation may be relevant for any subsequent administrative appeals under national law.
- Plan for Re-Application: Treat the refusal as a diagnostic report. Prioritise remediation efforts that address the most critical compliance gaps (e.g., data localisation, personnel location, third-country control). Once fixed, gather new audit evidence and submit a fresh application.
Common misconceptions
Misconception 1: A refusal is an appealable court case. Reality: CADA establishes an administrative recognition process. While national laws may provide general administrative appeal rights, the proposal itself focuses on the procedural right to comment (Article 17(5)(c)). The primary remedy is not litigation but remediation and re-application.
Misconception 2: You can "appeal" the refusal by submitting more evidence during the 30-day window. Reality: The 30-day window is for written comments on the conclusions, not for submitting entirely new, unrequested evidence. However, you can use this window to clarify existing evidence or provide context that was previously misunderstood. If new evidence is required, the authority should have requested it earlier under Article 17(5)(b), suspending the clock.
Misconception 3: A refusal at one national level applies EU-wide. Reality: Recognition is granted by the national competent authority of establishment but is valid across the Union (Article 17(7)). However, a refusal is specific to that application. If you re-apply and are successful, the recognition is again valid EU-wide. The central repository (Article 22) will only list the successful recognition.
Misconception 4: You can continue offering services to the public sector while appealing. Reality: No. Public sector bodies must procure only from services listed in the central repository as having the required Union assurance level (Article 30). If your recognition is refused or revoked, you are effectively excluded from these mandatory public procurement markets until a new recognition is granted.
This is general information about a draft EU regulation, not legal advice.