Summary
Under the proposed Cloud and AI Development Act (CADA), being listed in the central repository is the definitive proof that a cloud service has been formally recognised by a national competent authority as meeting a specific Union assurance level (1, 2, 3, or 4). As mandated by Article 22(1), the Commission must establish this dedicated repository, and under Article 22(2), the national competent authority of establishment is responsible for registering the service. This listing is not a voluntary marketing badge; it is the primary public, verifiable trust signal required for EU public sector bodies to procure your services. Without it, your service is effectively invisible to the public procurement market for sensitive activities.
Detail
The proposed Cloud and AI Development Act (CADA) seeks to reduce the EU's strategic dependence on non-European cloud providers by establishing a harmonised Union cloud computing sovereignty framework. This framework, defined in Article 16, categorises cloud services into four distinct assurance levels based on their ability to safeguard public order, ensure data sovereignty, and maintain operational autonomy.
The central repository is the operational engine that makes this framework transparent and enforceable. It is not a general directory of all cloud providers operating in Europe. Instead, it is a curated, legally binding register of services that have successfully navigated a rigorous recognition process.
The Legal Architecture: Article 22
The existence, management, and function of the repository are explicitly defined in Article 22 of the CADA proposal.
- Article 22(1) establishes the legal mandate: "The Commission shall establish and maintain a dedicated repository of cloud computing services that have been recognised in accordance with Article 17." This confirms that the repository is an official EU-level tool, managed centrally by the European Commission to ensure uniformity across the single market.
- Article 22(2) defines the registration mechanism: "The national competent authority of establishment that recognised a cloud computing service under Article 17 shall register the cloud computing service in the central repository." This creates a clear chain of custody and responsibility. A provider does not register themselves directly with the Commission. Instead, they apply to their national competent authority (designated under Article 25). Once that authority validates the evidence and adopts a recognition decision, that authority is legally obligated to register the service in the central repository.
The Path to Listing: Recognition Under Article 17
Listing in the repository is the final administrative step in a multi-stage compliance journey governed by Article 17. To be listed, a provider must first prove compliance with the cumulative criteria for one of the four Union assurance levels set out in Annex II.
- Union Assurance Level 1 (Self-Assessment): For the baseline level, providers must carry out a conformity self-assessment and issue an EU statement of conformity (Article 19). While Small and Medium-sized Enterprises (SMEs) may benefit from automatic recognition of their statements, other providers typically submit this evidence to their national competent authority for formal validation before registration.
- Union Assurance Levels 2, 3, and 4 (Independent Audit): For higher assurance levels, the bar is significantly higher. Providers must undergo independent third-party audits by an auditing organisation (Article 20). They must obtain a "positive" audit opinion and submit the full audit report to their national competent authority.
Only after the national competent authority assesses the evidence and adopts a recognition decision (as detailed in Article 17(5)-(7)) does the service qualify for the repository. The repository, therefore, acts as the public face of this administrative recognition. It confirms that a service is not merely claiming to be sovereign, but has been verified by an EU authority.
Public Accessibility and Transparency
Article 22(4) mandates that the central repository "shall be publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website."
This transparency is critical to CADA's objective of creating a single market for sovereign cloud services. Public sector contracting authorities across the EU can access this repository to verify which providers are eligible for their specific procurement needs. For example, if a public body in Germany requires a Level 3 service for law enforcement data, they can consult the repository to identify all providers recognised at that level, regardless of whether the provider is established in Germany, France, or Poland. This eliminates the need for fragmented national lists and ensures cross-border interoperability.
Integrity, Revocation, and the "Five-Year" Rule
The repository is a dynamic, living document, not a static list. Article 22(3) ensures the integrity of the data by stating: "The revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years."
This provision serves two purposes. First, it acts as a real-time warning system: if a provider fails to maintain compliance, or if new evidence emerges that undermines their sovereignty claims, their status is updated immediately. Second, the five-year retention of revocation records ensures that public sector bodies can assess the historical reliability of a provider. This protects the public sector from relying on outdated or compromised certifications and maintains the credibility of the entire framework.
What this means for you
For cloud service providers, data centre operators, and their legal teams, securing a place in the CADA central repository is a strategic imperative if you wish to access the EU public sector market. Here is what you need to know:
1. It is your mandatory digital passport for public contracts
Under Article 30, public sector bodies are legally restricted in what they can procure. Specifically, Article 30(2) requires that entities whose activities do not contribute to public order must use services recognised at Level 1. More critically, Article 30(3) mandates that contracting authorities whose activities do contribute to public order (e.g., defence, justice, law enforcement) "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3, or 4."
Without being listed in the repository, you are effectively invisible to these procurement processes. You cannot demonstrate your compliance through private contracts, marketing materials, or private certifications alone. You must be in the public register to be eligible.
2. Preparation for the recognition process is non-negotiable
You do not apply to the repository directly. You apply to your national competent authority (designated by your Member State under Article 25). To succeed, you must prepare for this process by:
- For Level 1: Conducting a rigorous self-assessment against the Annex II criteria and issuing a robust EU statement of conformity. Ensure your internal controls are documented, as you assume full responsibility for the statement.
- For Levels 2-4: Engaging an independent auditing organisation early. You must demonstrate compliance with strict criteria regarding data localisation, personnel citizenship (mandatory for Levels 3 and 4), and the absence of third-country control. The audit evidence must be sufficient for the competent authority to grant recognition without excessive back-and-forth. Remember, for Levels 2 and 3, the cybersecurity certificate must be at least "substantial" assurance, while Level 4 requires "high" assurance (Annex II).
3. Ongoing compliance is a continuous obligation
Listing is not a one-time achievement; it is a continuous status. Article 23 imposes strict transparency obligations on you. If you become aware of any "material change in circumstances that may affect the audit report and the 'positive' opinion... or the recognition," you must notify the auditing organisation and the national competent authority "as soon as possible."
Failure to notify can lead to the revocation of your recognition. As noted in Article 22(3), such a revocation will be published in the central repository and remain visible for five years. This public record of non-compliance can severely damage your reputation and market access.
4. It creates a level playing field across the Union
The repository eliminates the fragmentation of the market. Once you are recognised in one Member State and listed in the central repository, your service is recognised across the entire Union. This reduces the administrative burden of seeking separate national approvals and allows you to scale your sovereign cloud offering EU-wide more efficiently. It ensures that a provider established in one Member State can compete on equal footing with providers established in others, provided they meet the same Union assurance criteria.
Common misconceptions
Misconception 1: "Any cloud provider operating in the EU can join the repository." Reality: No. The repository is exclusively for services that have undergone the formal recognition process under Article 17. It is not a general business directory or a marketing platform. If you have not submitted an application for recognition and received a positive decision from a national competent authority, you will not be listed.
Misconception 2: "Listing in the repository means I am compliant with all EU laws." Reality: Listing specifically signals compliance with the Union assurance levels regarding sovereignty, data localisation, personnel citizenship, and third-country control. It does not automatically certify compliance with other regulations such as the GDPR, the AI Act, or NIS2. While many sovereignty criteria overlap with cybersecurity and data protection standards, you must still comply with all other applicable EU legislation independently.
Misconception 3: "I can choose which repository to be listed in." Reality: There is only one central repository established by the Commission under Article 22(1). You cannot choose between different national lists for the purpose of EU-wide recognition. Your national competent authority registers you in this single, central database to ensure a unified market view.
Misconception 4: "Once I am listed, my status is permanent." Reality: Recognition is subject to ongoing monitoring and annual reviews (Article 20(8)). As noted in Article 22(3), revocations are published. If your auditing organisation revokes your opinion, or if the competent authority finds you supplied incorrect information, your listing will be updated to reflect this revocation. You must maintain continuous compliance to remain a trusted provider.
This is general information about a draft EU regulation, not legal advice.