Summary

Under the proposed Cloud and AI Development Act (CADA), a "recognised cloud computing service" is a service that has undergone a formal assessment and been granted a specific Union assurance level (1, 2, 3, or 4) by a national competent authority. As proposed, once this recognition is granted, the status is valid throughout the entire European Union, eliminating the need for duplicate national certifications. Crucially, every recognised service must be registered in a central repository managed by the European Commission, which serves as the definitive public source for procurement officers to verify a provider's sovereign status.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, seeks to reduce the EU's strategic dependence on non-European cloud providers by establishing a harmonised "Union cloud computing sovereignty framework." At the heart of this framework is the legal concept of a recognised cloud computing service. This status is not merely a marketing claim; it is a formal legal designation that triggers specific procurement obligations for public sector bodies.

The Path to Recognition

A cloud computing service becomes "recognised" only after it successfully demonstrates compliance with the cumulative criteria set out in Annex II of the proposal. These criteria define four distinct Union assurance levels, ranging from basic establishment and data localisation (Level 1) to strict requirements regarding personnel citizenship and the absence of third-country control (Levels 3 and 4).

The process begins with the cloud computing service provider (CSP) submitting an application to the national competent authority of the Member State where the provider is established. The nature of the evidence required depends on the assurance level sought:

  • Union Assurance Level 1: The provider must carry out a conformity self-assessment and issue an EU statement of conformity. Notably, for Small and Medium-sized Enterprises (SMEs), this statement is automatically recognised across the Union without prior formal review by the competent authority, as per Article 17(3). For non-SMEs, the authority reviews the evidence.
  • Union Assurance Levels 2, 3, and 4: The provider must undergo an independent third-party audit. They must submit the resulting audit report and a "positive" audit opinion to the competent authority.

The Mechanism of EU-Wide Validity

A critical innovation of the CADA proposal is the mechanism that transforms a national decision into a Union-wide status. Once the evaluating national competent authority receives a complete application, it has 60 days to assess the evidence. If the evidence is sufficient, the authority prepares a draft recognition decision and notifies the competent authorities of all other Member States.

This triggers a 60-day review period during which other Member States may raise reasoned objections. However, if no such objection is raised, the proposal explicitly mandates mutual recognition. Article 17(7) states:

"Where no reasoned objection or request for clarification is submitted within the review period referred to in paragraph 5, point (a), the conclusions by the evaluating national competent authority shall be deemed accepted by all Member States, the evaluating national competent authority shall adopt the recognition decision and the audited service shall be recognised throughout the Union at the appropriate Union assurance level."

This provision ensures that a service recognised in one Member State is legally valid in every other Member State. This prevents market fragmentation and allows providers to scale their sovereign offerings across the single market without facing redundant national certification processes.

The Central Repository: The Single Source of Truth

To ensure transparency and facilitate procurement, the proposal establishes a centralised tracking system. Article 22 mandates that the Commission shall "establish and maintain a dedicated repository of cloud computing services that have been recognised in accordance with Article 17."

The workflow for this repository is strict:

  1. Registration: The national competent authority that granted the recognition is responsible for registering the service in the central repository.
  2. Public Access: The repository is "publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website."
  3. Revocation Tracking: If a recognition is withdrawn (e.g., due to non-compliance or the discovery of incorrect information), this revocation is published in the repository and "shall remain available there for five years."

For a public sector body, the central repository is the definitive tool for due diligence. If a cloud service is not listed in the central repository, it cannot be considered a "recognised cloud computing service" under CADA, and procuring it would likely violate the mandatory assurance level requirements set out in Article 30.

Why This Matters for Sovereignty

The recognition mechanism is designed to mitigate specific risks associated with third-country control, such as unauthorised data access, service disruption, or the application of extraterritorial laws. By requiring formal recognition against strict assurance levels, CADA ensures that services used by the public sector are subject to EU law and continuous oversight.

The status is dynamic, not static. Providers must report any material changes that could affect their recognition status to both their auditing organisation and the competent authority. This triggers a reassessment process that can lead to the amendment or revocation of the recognition, ensuring that the "recognised" status reflects the current reality of the provider's operations.

What this means for you

For public-sector procurement officers, IT directors, and compliance teams, the introduction of "recognised cloud computing services" fundamentally alters the vendor selection landscape.

  1. Mandatory Verification: You are required to procure cloud services that have been formally recognised under Article 17. For general public sector activities, the baseline is Union Assurance Level 1. However, if your risk assessment (under Article 29) identifies your activities as contributing to the preservation of public order (e.g., in defence, justice, or critical infrastructure), you must procure services recognised at Level 2, 3, or 4.
  2. Streamlined Due Diligence: You no longer need to conduct bespoke sovereignty audits for every tender. Instead, your primary verification step is to check the central repository established under Article 22. If a provider's service is listed at the required assurance level, the heavy lifting of sovereignty assessment has already been performed by the competent authority and auditors.
  3. Cross-Border Confidence: Because recognition is valid throughout the Union (Article 17(7)), you can confidently procure services from providers established in other Member States. A service recognised in Germany is equally valid for a procurement in France, provided it meets the assurance level required by your specific risk assessment.
  4. Active Monitoring: Recognition is not a "set and forget" status. You must monitor the central repository for updates. If a provider's recognition is revoked or amended, you may need to initiate migration plans to a recognised alternative within the transition periods allowed by the regulation.

Common misconceptions

  • "Recognition is permanent." Recognition is not a lifetime badge. It is contingent on ongoing compliance. Providers must undergo annual reviews for Levels 2–4 and must report material changes. If a provider fails to meet criteria or supplies misleading information, the competent authority can revoke the recognition, and this revocation is immediately published in the central repository.

  • "Any EU-based provider is automatically recognised." Being established in the EU is a necessary criterion for Union Assurance Level 1, but it is not sufficient on its own. The provider must actively apply for recognition, submit the necessary evidence (self-assessment or audit report), and have the application approved. Without this formal step, the service is not "recognised" under CADA.

  • "Recognition is only valid in the Member State where it was granted." This is incorrect. A core feature of CADA is mutual recognition across the EU. As per Article 17(7), once a service is recognised by one Member State's competent authority and no objections are raised by others, it is recognised throughout the Union. This ensures a single market for sovereign cloud services.

  • "The central repository is a private database for authorities only." The central repository established under Article 22 is explicitly publicly available. It is designed to provide transparency to all market participants, including public buyers, cloud providers, and the general public, ensuring that the status of services is clear and accessible.

This is general information about a draft EU regulation, not legal advice.