Summary
Under the proposed Cloud and AI Development Act (CADA), a single recognition of a cloud computing service as meeting a specific Union assurance level is valid across all 27 EU Member States. This "once-for-all" approach eliminates the need for separate national certifications, significantly simplifying cross-border sales. Crucially, for small and medium-sized enterprises (SMEs) seeking Union assurance level 1, recognition is automatic and immediate across the entire Union without prior national approval. This framework, as proposed in Article 17, transforms the EU cloud market from a fragmented landscape into a unified single market for sovereign services.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, is designed to harmonize the regulatory landscape for cloud and AI services across the European Union. A central pillar of this proposal is the elimination of fragmented national sovereignty standards, which currently create significant barriers for providers wishing to sell services across borders. By establishing a unified Union cloud computing sovereignty framework, CADA aims to ensure that a service recognized in one Member State is accepted in all others, thereby fostering a competitive and resilient European cloud ecosystem.
The Principle of Mutual Recognition
As proposed, CADA introduces a streamlined mechanism where a cloud computing service provider applies for recognition to the national competent authority of its main establishment. This authority, designated as the "evaluating national competent authority," is responsible for assessing the provider's compliance with the specific criteria for Union assurance levels 1, 2, 3, or 4, as detailed in Annex II.
The core benefit for cross-border sales is explicitly established in Article 17(7) of the proposal. It states that if no reasoned objections or requests for clarification are submitted by other Member States within a 60-day review period, "the conclusions by the evaluating national competent authority shall be deemed accepted by all Member States." Consequently, the audited service is "recognised throughout the Union at the appropriate Union assurance level."
This mechanism ensures that a provider certified in Germany, for example, can legally offer its sovereign cloud services to public sector bodies in France, Italy, or Spain without facing additional certification hurdles. The recognition is EU-wide, creating a single market for sovereign cloud services. This "deemed accepted" status is the legal engine that drives cross-border interoperability and market access under the proposal.
Special Rules for SMEs at Level 1
CADA acknowledges that small and medium-sized enterprises (SMEs) often lack the resources to navigate complex multi-jurisdictional certification processes. To address this and foster innovation, the proposal includes a highly streamlined path for SMEs seeking the baseline Union assurance level 1.
According to Article 17(3), while standard providers must submit their EU statement of conformity to the evaluating national competent authority for formal recognition, there is a specific derogation for SMEs: "the EU statement of conformity issued under Article 19(2) by cloud computing service providers that are SMEs shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority."
This means an SME that self-assesses compliance with Level 1 criteria and issues an EU statement of conformity can immediately claim this status across the entire EU. There is no waiting period for national authority review, nor is there a risk of objection from other Member States for this specific tier. This automatic recognition is a powerful tool for smaller European providers to compete against larger incumbents in cross-border public procurement, effectively removing the administrative burden of the 60-day review period for the most common entry-level service tier.
The Role of the Central Repository
To facilitate this cross-border trust and ensure transparency, the Commission will establish and maintain a central repository of recognized services under Article 22. Once a service is recognized, whether through the standard evaluation process or the automatic SME route, the national competent authority of establishment registers it in this central repository.
This public, easily accessible database allows public sector buyers across the EU to verify the sovereignty status of a provider instantly. By centralizing this information, CADA reduces due diligence costs for contracting authorities and accelerates procurement processes. A buyer in Portugal can instantly verify that a provider established in Estonia holds a valid Union assurance level, knowing that the status is legally binding across the Union.
Objection and Dispute Resolution
While the system favors mutual recognition to ensure market fluidity, it includes robust safeguards to maintain the integrity of the sovereignty framework. During the 60-day review period applicable to non-SME providers, other Member States can submit reasoned objections if they believe the service does not meet the Union assurance level criteria (Article 17(6)).
If an objection is raised, the evaluating authority must assess it. If it maintains its decision despite the objection, the matter can be referred to the Commission, which can issue a binding decision on whether the recognition can proceed (Article 17(10)). This ensures that while the default is acceptance, there is a mechanism to resolve genuine disputes regarding compliance. However, for the vast majority of compliant providers, this process is designed to be a formality that ensures quality without blocking market access.
What this means for you
For cloud service providers and data centre operators, CADA's recognition framework represents a significant reduction in administrative burden and time-to-market for cross-border sales.
- Simplified Go-to-Market Strategy: You no longer need to manage 27 different national sovereignty certifications. A single application to your home country's competent authority is sufficient to access the entire EU public sector market. This lowers operational costs and allows you to scale more rapidly across borders.
- SME Advantage: If you are an SME, you can leverage the automatic recognition for Level 1 services. By issuing your EU statement of conformity, you can immediately bid for contracts across the EU without waiting for national approval. This levels the playing field against larger, non-EU hyperscalers that may face stricter scrutiny at higher assurance levels.
- Procurement Competitiveness: Public sector buyers are required to procure services with at least Union assurance level 1, and higher levels for activities deemed critical to public order (Article 30). Having a recognized status places you in the eligible pool for these contracts. Ensure your documentation is robust, as the central repository will make your status transparent to all potential buyers.
- Preparation for Audits: For Levels 2, 3, and 4, you must undergo independent third-party audits. Prepare your internal controls, software bills of materials (SBOMs), and data localization proofs early. The audit evidence must be sufficient to withstand potential objections from other Member States during the review period.
Common misconceptions
- "I still need national approvals in every country I sell to." This is incorrect. CADA explicitly replaces national fragmentation with a Union-wide recognition. Once recognized by the authority of your main establishment, your status is valid everywhere in the EU, subject only to the mutual objection process.
- "All providers must wait for national authority approval." This is not true for SMEs at Level 1. As per Article 17(3), SMEs are automatically recognized across the Union upon issuing their statement of conformity. This bypasses the national evaluation step entirely for this specific tier.
- "Recognition is permanent and unchangeable." Recognition is conditional on ongoing compliance. Providers must report material changes that could affect their assurance level (Article 23). If a provider fails to maintain compliance, the recognition can be revoked, and the service removed from the central repository.
Related
- CADA Recognition: What it means for a provider's go-to-market
- How does CADA recognition support trust in the EU cloud market?
- Which authority do I apply to for CADA recognition?
- CADA Recognition: When is a cloud service deemed accepted across the EU?
- CADA Recognition: The Role of the National Competent Authority
This is general information about a draft EU regulation, not legal advice.