Summary
As proposed, the Cloud and AI Development Act (CADA) would reshape the EU public-sector market for cloud service providers by creating a four-tier "Union assurance level" sovereignty framework. To sell cloud services to Union entities and public sector bodies, providers would need recognition at the relevant level — by self-assessment for Level 1 or by independent third-party audit for Levels 2, 3 and 4 — under a one-stop-shop run by the competent authority of their place of establishment. Recognised providers would carry ongoing transparency duties, face Member State penalties for infringements, and be exposed to compensation claims from recipients. CADA is a proposal (COM(2026) 502 final), so none of this is in force yet.
Detail
The proposed CADA would establish a framework to strengthen Europe's cloud and AI ecosystem and reduce dependence on a small number of non-EU providers. For cloud service providers, the core obligations sit in the Union cloud computing sovereignty framework (Title IV). As proposed, this framework — not a set of guidelines but a binding recognition, audit and enforcement mechanism — would determine which providers can sell cloud services to Union entities and public sector bodies.
The sovereignty recognition path (Article 17)
Article 16, as proposed, would set up a Union cloud computing sovereignty framework of four "Union assurance levels" (Levels 1–4), with the criteria set out in Annex II. Article 17 would establish the mechanism for being recognised as offering a given level. Recognition would be a prerequisite for serving the EU public sector.
A provider would apply to the national competent authority of its establishment, which acts as the evaluating authority (a one-stop-shop). The evidence required depends on the level:
- Union assurance level 1 would rely on self-assessment: the provider submits the EU statement of conformity issued under Article 19(2), plus the necessary evidence. Article 17(3) includes a significant simplification for SMEs — an EU statement of conformity issued by an SME "shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority."
- Union assurance levels 2, 3 and 4 would require independent third-party validation under Article 20: the provider submits the audit report, a "positive" audit opinion from an auditing organisation, and the evidence given to that organisation during the audit.
Within 60 days of accepting an application, the evaluating authority would, as proposed, either prepare a draft recognition decision, request further information (suspending the clock for up to 30 days), or reject the request. A draft recognition would then be notified to the other Member States for a 60-day review period. If no reasoned objection is raised, the conclusions are deemed accepted and the service is recognised throughout the Union at the applicable level (Article 17(7)). Objections that cannot be resolved may, under Article 17(10), be referred to the Commission, which would adopt a binding decision.
Transparency and ongoing obligations (Article 23)
Recognition would not be a one-time event. Article 23 would require a recognised provider, "on becoming aware of any information or any material change in circumstances" that may affect its audit report, positive opinion or recognition, to notify both the auditing organisation and the national competent authority of establishment "as soon as possible." The auditing organisation would then assess whether the audit report or opinion needs to be amended or revoked; on that basis the competent authority would assess whether the recognition itself needs to be amended or revoked. (Separately, Article 20(8) would require audited providers to submit the report and positive opinion for annual review.) The effect, as proposed, is continuous compliance rather than a static certificate.
Penalties and compensation (Article 24)
Article 24 would require Member States to lay down rules on penalties for infringements of the sovereignty chapter by cloud service providers, which must be "effective, proportionate and dissuasive."
Article 24(2) lists non-exhaustive criteria for imposing penalties:
- the nature, gravity, scale and duration of the infringement;
- any action taken to mitigate or remedy the damage caused;
- any previous infringements by the party;
- the financial benefits gained or losses avoided, where these can be reliably established;
- any other aggravating or mitigating factor;
- the party's annual turnover in the preceding financial year in the Union.
Article 24(3) would also give recipients of cloud computing services the right to seek compensation, in accordance with Union and national law, for any damage or loss suffered due to a provider's infringement of its obligations under the chapter. This introduces direct financial risk for providers that misrepresent or fail to maintain their assured status.
Opportunities for EU and SME providers
The framework is also designed to open the public-sector market to European providers. Harmonised, Union-wide criteria mean a single recognition is valid across all Member States, letting smaller providers scale cross-border without navigating 27 national regimes.
- SME simplification: under Article 17(3), an SME's Level 1 EU statement of conformity is automatically recognised across the Union without prior recognition by the evaluating authority.
- Visibility: Article 22 would require the Commission to establish and maintain a public central repository of recognised services, registered by the recognising national authority.
- Procurement preference: under Article 32, contracting authorities must include non-price "Union added value" award criteria in procurements for innovative cloud services and AI systems — for example rewarding use of software or hardware designed or manufactured in the Union — though these criteria must remain ancillary and not decisive.
What this means for you
If you provide, or want to provide, cloud services to the EU public sector, CADA as proposed would mean:
- Audit readiness for Levels 2–4. Map your service against the cumulative Annex II criteria now: establishment and infrastructure in the Union, customer data remaining in the Union, software-supply-chain transparency (including an SBOM), and measures against third-country control and remote tampering. Higher levels add stricter requirements, including Union citizenship for personnel at Levels 3 and 4.
- Change-management protocols. Article 23 requires prompt notification of material changes (new subcontractors, infrastructure moves, security posture shifts) to your auditor and competent authority. Build internal detection and reporting into your governance.
- Leverage the SME route. If you qualify as an SME, your Level 1 EU statement of conformity is automatically recognised Union-wide — a real time-to-market advantage worth highlighting to public buyers.
- Demonstrate Union added value. Document EU-designed/manufactured hardware, EU R&D, and use of Union-funded research results; this can score in tenders under Article 32.
- Assess third-country exposure. If you are under the control of a third country or an entity established there, expect higher barriers at the upper levels. Note Article 18: the Commission could, by implementing act, identify "associated third countries" whose controlled providers may be audited against the Level 3 criteria, subject to cumulative conditions (including a GDPR adequacy decision).
Common misconceptions
- "CADA is just another cybersecurity certification." Not quite. Cybersecurity is one component, but the assurance levels also address establishment, data location, operational autonomy and protection against third-country access and disruption. It goes beyond technical security to legal and operational independence.
- "All public-sector cloud contracts require the highest level." No. The approach is risk-based. Buyers whose activities are not identified as contributing to public order must use Level 1 services (Article 30(2)); only activities identified through a risk assessment as contributing to public order in sensitive areas (defence, justice, law enforcement, critical sectors) must use Levels 2, 3 or 4 (Article 30(3)).
- "SMEs are exempt from the sovereignty rules." No. SMEs must meet the same substantive Level 1 criteria in Annex II and still issue a valid EU statement of conformity. The only relief is procedural: their Level 1 statement is automatically recognised without prior recognition by the evaluating authority (Article 17(3)).
- "This only matters for providers already serving the public sector." The mandatory rules bind public buyers, but the framework is open to any provider seeking recognition. Private entities in NIS2 critical sectors may also carry out similar assessments under Article 31, which is likely to create demand pressure beyond the public sector.
This is general information about a draft EU regulation, not legal advice.