Summary

Under the proposed Cloud and AI Development Act (CADA), "recognition" is the mandatory legal gateway for cloud providers wishing to sell to EU public authorities and Union entities. As proposed in Article 17, once a provider secures recognition for a specific Union assurance level (1 through 4), their service is listed in a central EU repository and is legally recognized across all Member States. This mechanism is designed to unlock public-sector demand by creating a single, harmonized standard of trust, allowing providers to market their services EU-wide without facing fragmented national sovereignty requirements. Without this recognition, a provider is effectively barred from the public cloud market.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a "Union cloud computing sovereignty framework" that fundamentally alters the commercial landscape for cloud computing services. For cloud service providers (CSPs), "recognition" is not merely a voluntary certification badge; it is a legal status that determines market access. The framework creates a direct link between a provider's technical and legal compliance and their ability to participate in public procurement.

The Recognition Mechanism (Article 17)

The core of the market-access mechanism is Article 17, which establishes the procedure for recognizing cloud computing service providers. A provider aiming to be recognized as offering a specific Union assurance level must submit an application to the national competent authority of its establishment. The process is tiered based on the assurance level sought, reflecting the varying degrees of sovereignty risk:

  • Union Assurance Level 1: Providers must submit an "EU statement of conformity" demonstrating compliance with the criteria in Annex II. A specific provision for Small and Medium-sized Enterprises (SMEs) accelerates market entry: the EU statement of conformity issued by SMEs is "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." For non-SMEs, the evaluating authority assesses the evidence.
  • Union Assurance Levels 2, 3, and 4: These higher levels require independent verification. Providers must submit an audit report and a "positive" audit opinion from an independent auditing organization, along with all evidence provided during the audit procedure.

The evaluating national competent authority has 60 days to assess the submitted evidence. If sufficient, the authority prepares a draft recognition decision and notifies the competent authorities of other Member States for a 60-day review period. During this window, other Member States may submit reasoned objections or requests for clarification if they believe the draft decision does not comply with the applicable Union assurance level. If no valid objection is raised within this period, the conclusions are deemed accepted by all Member States, and the service is recognized throughout the Union.

This "single point of entry" model ensures that a provider recognized in their Member State of establishment is recognized in all others, eliminating the need for multiple national certifications and reducing administrative burdens.

The Central Repository (Article 22)

Recognition is not a private status; it is a public, verifiable fact. Article 22 mandates that the European Commission shall establish and maintain a "central repository" of cloud computing services that have been recognized in accordance with Article 17.

The national competent authority that grants recognition is responsible for registering the cloud computing service in this central repository. This repository serves as the single source of truth for public buyers. It lists which services offer which assurance levels, allowing contracting authorities to identify compliant providers easily. The repository is publicly available and regularly updated. Crucially, the transparency mechanism includes a "negative" history: if a recognition is revoked, this revocation is published in the central repository and remains available there for five years. This ensures that public buyers can verify the current status of a provider and avoid services that have failed to maintain compliance.

Unlocking Public Sector Demand

The primary commercial driver for seeking CADA recognition is the procurement obligations placed on public buyers. Article 30 explicitly ties public procurement to the recognition framework.

  • Minimum Baseline: Article 30(2) states that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services that have been recognized under Article 17 as having at least Union assurance level 1.
  • Higher Assurance for Critical Functions: Article 30(3) mandates that for activities identified as contributing to the preservation of public order (such as national security, defense, justice, or law enforcement), contracting authorities "shall only procure and use services that have been recognised as offering Union assurance levels 2, 3, or 4."

Consequently, without recognition, a cloud provider cannot legally supply these services to the public sector. Recognition is the essential "license to operate" in the public cloud market. It transforms a provider's technical capabilities into a legally recognized asset that public buyers are compelled to consider.

What this means for you

For cloud service providers and data centre operators, CADA recognition transforms your go-to-market strategy from a fragmented, country-by-country compliance exercise into a unified EU-wide opportunity.

1. Access to a Harmonized Market

Previously, public sector sovereignty requirements varied significantly across Member States, creating high barriers to entry and legal uncertainty. CADA harmonizes these criteria. Once you are recognized in your Member State of establishment, your service is recognized across the entire EU. This allows you to market your services to public authorities in Germany, France, or Poland with the same legal standing, provided you meet the specific assurance level required by their risk assessment. You no longer need to navigate 27 different national sovereignty regimes.

2. Visibility and Credibility

Listing in the central repository (Article 22) provides immediate visibility to procurement officers. It acts as a verified seal of trust. Public buyers are legally required to consider only recognized services. Being absent from this repository effectively makes you invisible to the public sector market. Conversely, being listed signals that you have undergone rigorous scrutiny (whether through self-assessment for Level 1 or independent audit for Levels 2–4) and meet the EU's sovereignty standards. This credibility is a powerful differentiator against non-EU providers who may lack this specific recognition.

3. Strategic Positioning by Assurance Level

Your go-to-market strategy should align with the assurance level you target, as each level unlocks different market segments:

  • Level 1: Ideal for SMEs and providers offering basic sovereign guarantees (establishment in the EU, data remaining in the EU). The self-assessment route is faster and less costly, allowing quicker market entry for general public sector services.
  • Levels 2–4: Required for high-stakes sectors like defense, justice, and critical infrastructure. These levels require independent audits and stricter criteria (e.g., personnel screening, cybersecurity certifications, and no third-country control). Targeting these levels positions you as a premium, high-trust provider for the most lucrative and stable government contracts.

4. Operational Readiness

To prepare for recognition, you must ensure your operational practices align with the criteria in Annex II of CADA. This includes:

  • Ensuring your infrastructure and personnel are located in the Union (mandatory for Levels 2–4).
  • Implementing robust cybersecurity measures and obtaining relevant certifications.
  • Maintaining transparent subcontractor relationships and supply chain documentation.
  • For Levels 2–4, engaging an independent auditing organization early to prepare for the audit process, as the audit report is a prerequisite for recognition.

Common misconceptions

Misconception 1: Recognition is optional for public sector sales. Reality: It is mandatory. Article 30 explicitly states that contracting authorities must procure services that have been recognized under Article 17. Without recognition, you cannot legally bid for or supply public sector cloud contracts.

Misconception 2: You need separate recognition for each Member State. Reality: No. Article 17 establishes a mutual recognition system. Once recognized by the competent authority of your establishment, your service is recognized throughout the Union. Other Member States have a review period to object, but if they do not, the recognition is valid EU-wide.

Misconception 3: Recognition guarantees a contract. Reality: Recognition is a prerequisite, not a guarantee. It allows you to participate in tenders, but you must still win the contract based on other criteria such as price, technical quality, and innovation. However, it removes the barrier to entry that would otherwise disqualify you.

Misconception 4: The central repository is just a marketing tool. Reality: It is a legal requirement under Article 22. The Commission maintains this repository to ensure transparency and facilitate secure access to information for public sector customers. It is the official register of compliant services, and its data is legally binding for procurement decisions.

This is general information about a draft EU regulation, not legal advice.