Summary

Under the proposed Cloud and AI Development Act (CADA), small and medium-sized enterprises (SMEs) seeking to supply cloud services to the EU public sector have a unique, streamlined pathway to compliance. As proposed in Article 19, SMEs can demonstrate compliance with Union assurance level 1 through a "conformity self-assessment," issuing an EU statement of conformity without the need for a costly third-party audit. Crucially, Article 17(3) grants these SMEs automatic, direct recognition across all Member States immediately upon issuing that statement. This bypasses the standard 60-day review period and prior approval by a national competent authority required for non-SME providers, significantly lowering barriers to entry for smaller players in the sovereign cloud market.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a Union cloud computing sovereignty framework comprising four assurance levels. These levels are designed to mitigate risks associated with third-country control and ensure the resilience of the EU's digital infrastructure. While higher levels (2, 3, and 4) are mandatory for activities deemed critical to public order, Union assurance level 1 serves as the baseline requirement for general public sector procurement.

For most cloud providers, achieving recognition at any level involves a rigorous application process to the national competent authority of establishment. However, the proposal explicitly recognizes the need to foster competition and reduce administrative burdens for smaller entities. Consequently, it introduces a specific derogation for SMEs at the entry level.

The Conformity Self-Assessment Mechanism (Article 19)

Article 19 of the proposal establishes the "Conformity self-assessment" procedure. This mechanism is available exclusively to cloud computing service providers seeking recognition at Union assurance level 1.

The process is defined in three distinct steps:

  1. Self-Evaluation: The provider must carry out a self-assessment of its compliance with the cumulative criteria for Union assurance level 1 set out in Annex II. These criteria include being established in the Union, ensuring infrastructure and assets (including those of subcontractors) are located in the Union, and guaranteeing that customer data remains exclusively within the Union unless the public sector body explicitly requires otherwise.
  2. Issuing the Statement: Upon completing the self-assessment, the provider issues an "EU statement of conformity." This document formally states that compliance with the criteria for Union assurance level 1 has been demonstrated.
  3. Assumption of Responsibility: By issuing this statement, the provider assumes full responsibility for the compliance of its service with the criteria. Article 19(3) mandates that the provider must make this EU statement of conformity publicly available.

Unlike higher assurance levels, which require independent third-party audits under Article 20, the level 1 self-assessment relies on the provider's internal controls, documented evidence, and continuous monitoring.

Automatic Recognition for SMEs (Article 17)

The most transformative aspect of this framework for SMEs is found in Article 17, which governs the "Recognition of cloud computing service providers."

Under the standard procedure (Article 17(1) and 17(4)), a provider must submit an application for recognition to the national competent authority of establishment. For levels 2, 3, and 4, this requires an audit report and a "positive" audit opinion. Even for level 1, non-SME providers must submit their EU statement of conformity and evidence to the national authority, which then has up to 60 days to assess the evidence and potentially notify other Member States for a review period (Article 17(5)).

However, Article 17(3) introduces a critical derogation specifically for SMEs. The text states:

"By way of derogation from the first subparagraph, the EU statement of conformity issued under Article 19(2) by cloud computing service providers that are SMEs shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority."

This provision creates a "fast track" for SMEs:

  • No Prior Approval: The SME does not need to wait for a national competent authority to review or approve its status before it is recognized.
  • Immediate Effect: Recognition is effective immediately upon the issuance of the EU statement of conformity.
  • Union-Wide Validity: The recognition is valid across all Member States simultaneously, eliminating the risk of fragmented national interpretations or delays.

This mechanism effectively removes the administrative bottleneck that often hinders smaller providers from entering the public procurement market, allowing them to compete on equal footing regarding speed and cost.

Criteria for Union Assurance Level 1

To utilize this self-assessment route, an SME must ensure its service meets the cumulative criteria for Union assurance level 1 as defined in Annex II, Section 1. Key requirements include:

  • Establishment: The provider must be established in the Union.
  • Location of Assets: Infrastructure and assets, including those of subcontractors involved in the service, must be located in the Union.
  • Data Residency: Customer data, including metadata and telemetry, must remain exclusively within the Union, unless the public sector body explicitly requires otherwise.
  • Cybersecurity: The provider must demonstrate that the service complies with state-of-the-art cybersecurity standards.
  • Transparency: The provider must provide full transparency regarding the use of subcontractors, subjecting them to due diligence and ongoing oversight.
  • Third-Country Control: If the provider is subject to the control of a third country, it must guarantee that no laws in that country require reporting of software vulnerabilities to authorities prior to exploitation.

What this means for you

For SME cloud service providers, the self-assessment mechanism under the proposed CADA represents a strategic opportunity to access the public sector market with reduced overhead. Here is the practical impact on your operations:

1. Significant Cost Reduction: The most immediate benefit is financial. Higher assurance levels (2, 3, and 4) require independent third-party audits under Article 20, which involve substantial fees for auditing organisations. The self-assessment route for level 1 eliminates these external audit costs entirely. This makes it financially viable for smaller providers to offer sovereign cloud services without the heavy compliance burden associated with larger enterprises.

2. Accelerated Time-to-Market: Under the standard recognition process, non-SME providers face a 60-day assessment period by the evaluating national competent authority, potentially followed by a 60-day review period by other Member States (Article 17(5)). For SMEs, Article 17(3) removes this waiting period. Once you issue your EU statement of conformity, you are recognized across the EU immediately. This agility allows SMEs to respond rapidly to public procurement tenders that require Union assurance level 1.

3. Mandatory Public Transparency: While the process is streamlined, it is not without obligation. Article 19(3) requires that the EU statement of conformity be made publicly available. You must be prepared to publish this document on your website or a designated repository, ensuring that your claim of compliance is transparent to customers, regulators, and competitors.

4. Legal Responsibility and Risk: By self-assessing, you assume full legal responsibility for your compliance. Article 19(2) states that by issuing the statement, the provider "shall assume responsibility for the compliance of the cloud computing service." If you issue a statement of conformity but fail to meet the criteria in Annex II, you risk penalties under Article 24. Member States must lay down rules on penalties that are "effective, proportionate and dissuasive," and recipients of services have the right to seek compensation for damages. Therefore, the self-assessment must be rigorous, well-documented, and based on robust internal controls.

5. Eligibility Verification: Ensure your company qualifies as an SME under the definition in Article 2(8) of CADA, which refers to Commission Recommendation 2003/361/EC. This definition typically considers staff headcount, turnover, and balance sheet total. If your company grows beyond SME status, you will lose the automatic recognition benefit and must transition to the standard recognition process involving the national competent authority.

Common misconceptions

Misconception 1: Self-assessment means no rules apply. Some providers assume that self-assessment implies a lack of scrutiny or lower standards. In reality, the criteria for Union assurance level 1 are strict and legally binding. You must still comply with all requirements in Annex II, including data residency, infrastructure location, and cybersecurity standards. The difference is who verifies the compliance: you verify it yourself, rather than a third-party auditor.

Misconception 2: SMEs can use self-assessment for Level 2, 3, or 4. The self-assessment mechanism under Article 19 applies only to Union assurance level 1. For levels 2, 3, and 4, Article 20 mandates independent third-party audits. SMEs cannot bypass the audit requirement for these higher levels of sovereignty, even if they are small.

Misconception 3: Automatic recognition means no oversight. While Article 17(3) removes the need for prior recognition by a national competent authority, it does not remove oversight entirely. Competent authorities retain investigative and enforcement powers under Article 26. If a complaint is raised, or if evidence suggests non-compliance, authorities can investigate, revoke recognition, and impose penalties under Article 24. The "automatic" nature applies only to the initial recognition, not to ongoing compliance.

Misconception 4: Any cloud provider can self-assess. Only providers seeking Union assurance level 1 can use this route. Furthermore, the automatic recognition benefit under Article 17(3) is exclusively for SMEs. Non-SME providers seeking level 1 must still submit their self-assessment evidence to the national competent authority for formal recognition and must wait for the assessment period to conclude.

This is general information about a draft EU regulation, not legal advice.