Summary

Under the proposed Cloud and AI Development Act (CADA), cloud providers must prove they meet specific sovereignty criteria to serve the public sector. Union assurance level 1 relies on a conformity self-assessment by the provider, whereas levels 2, 3, and 4 require independent third-party audits. This two-track approach, defined in Article 19 and Article 20, balances market access for basic services with rigorous external verification for sensitive government operations.

Detail

The CADA proposal introduces a "Union cloud computing sovereignty framework" designed to protect public order and data sovereignty. This framework consists of four assurance levels. The mechanism for proving compliance differs significantly between the entry-level tier and the higher tiers, reflecting the increasing sensitivity of the data and operations involved.

Level 1: Conformity Self-Assessment (Article 19)

For Union assurance level 1, the CADA proposal establishes a streamlined self-assessment mechanism. According to Article 19, cloud computing service providers seeking recognition at this level must carry out a conformity self-assessment of their compliance with the criteria set out in Annex II of the Regulation.

The process under Article 19 works as follows:

  • Provider Responsibility: The provider is solely responsible for verifying that their service meets the Level 1 criteria. There is no requirement for an external auditor to validate these findings prior to recognition.
  • EU Statement of Conformity: Following the self-assessment, the provider issues an "EU statement of conformity." By issuing this statement, the provider assumes full responsibility for the compliance of the service with the criteria for Union assurance level 1.
  • Public Availability: The provider must make this EU statement of conformity publicly available, ensuring transparency for potential customers.
  • Automatic Recognition for SMEs: Notably, the proposal includes a specific derogation for small and medium-sized enterprises (SMEs). Under Article 17(3), EU statements of conformity issued by SMEs are directly and automatically recognized in all Member States without the need for prior recognition by a national competent authority.

This tier is designed to be accessible, allowing providers to enter the market with lower administrative barriers while still committing to baseline sovereignty standards, such as ensuring infrastructure and customer data remain within the Union.

Levels 2, 3, and 4: Independent Third-Party Audits (Article 20)

For Union assurance levels 2, 3, and 4, the CADA proposal mandates a much stricter verification process. Article 20 requires providers to undergo independent third-party audits at their own expense to obtain an audit report and an audit opinion from an auditing organisation.

The audit process under Article 20 involves:

  • Independent Verification: Providers cannot self-certify. They must hire an independent auditing organisation that meets strict independence and competence requirements. The auditor must be free from conflicts of interest, such as having provided non-audit services to the provider in the 12 months prior to the audit.
  • Cumulative Criteria: A provider seeking a higher level (e.g., Level 3) must satisfy all cumulative criteria for the lower levels (Level 1 and 2) as well. Article 20(1) explicitly states that "failure to meet any requirements of a lower assurance level shall preclude conformity with the higher Union assurance levels."
  • Access and Cooperation: Audited providers must cooperate fully, giving auditors access to all relevant data, premises, and personnel. They must not hamper, unduly influence, or undermine the performance of the audit.
  • Audit Opinion: The auditing organisation prepares a written report containing a "positive" or "negative" audit opinion. A "positive" opinion confirms that the audited service complies with the applicable audit criteria for the specific assurance level.
  • Annual Review: The audit is not a one-time event. Article 20(8) requires the audited provider to annually submit the audit report and the associated "positive" audit opinion for review to confirm continued compliance. The auditing organisation may then confirm, update, or revoke the initial opinion.

The audit adds a critical layer of external verification, ensuring that claims of sovereignty, data localization, and absence of third-country control are objectively verified by experts. This is essential for higher assurance levels, which often involve sensitive government data, national security interests, or classified information.

The Role of National Competent Authorities

While the assessment methods differ, both paths lead to formal recognition. Under Article 17, providers submit evidence to the national competent authority of their establishment. For Level 1, this is the EU statement of conformity (and for SMEs, recognition is automatic). For Levels 2, 3, and 4, the provider must submit the audit report and the "positive" audit opinion. The competent authority then assesses the evidence and, if satisfied, adopts a recognition decision valid across the entire Union.

What this means for you

For public-sector procurement officers, cloud providers, and compliance teams, understanding the distinction between self-assessed and audited tiers is crucial for risk management and operational planning.

1. Risk-Based Procurement Strategy: You will use the results of your risk assessments (as required by Article 29) to determine which tier you need. If your activity does not contribute to the preservation of public order in high-risk sectors, you may only need Level 1 services. In this case, you can rely on the provider's self-assessment and EU statement of conformity. This simplifies procurement and may open the market to more providers, including SMEs benefiting from automatic recognition.

2. Higher Assurance for Sensitive Data: If your risk assessment identifies your activities as contributing to public order (e.g., in defense, law enforcement, or critical infrastructure), you must procure services recognized at Level 2, 3, or 4. You cannot accept a self-assessment here. You must verify that the provider has a valid, positive audit opinion from an independent auditor. This external verification provides you with greater confidence that the provider's infrastructure and data handling practices are secure and sovereign.

3. Checking the Central Repository: The Commission will maintain a central repository of recognized services (Article 22). When evaluating tenders, you should check this repository to confirm the provider's current assurance level and the validity of their recognition. For Level 1, you are relying on their self-declaration; for Levels 2-4, you are relying on an independent audit opinion that has been registered.

4. Monitoring Changes and Transparency: Providers have transparency obligations (Article 23) to report material changes that might affect their assurance level. As a procurer, you should monitor these notifications, especially for audited services. If a provider reports a material change, the auditing organisation may need to amend or revoke the audit opinion, which could trigger a re-audit or a downgrade in assurance level, potentially affecting your service continuity.

5. Strategic Planning for Providers: Cloud providers must decide early which assurance level they target. If aiming for Level 1, the focus is on internal controls and documentation for the self-assessment. If aiming for Levels 2-4, providers must budget for independent audit costs, prepare for rigorous evidence collection (including access to premises and data), and ensure their software supply chain and personnel meet the stricter criteria. Remember that the audit is an annual requirement, not a one-off certification.

Common misconceptions

Misconception 1: Self-assessment means no oversight. While Level 1 is self-assessed, it is not unregulated. Providers are liable for the accuracy of their EU statement of conformity. National competent authorities have investigative and enforcement powers (Article 26) to check compliance and impose penalties for infringements. Self-assessment shifts the initial burden of proof to the provider, but oversight remains robust.

Misconception 2: Audits guarantee 100% security. An independent audit under Article 20 verifies compliance with specific sovereignty and cybersecurity criteria at a point in time. It does not guarantee that the service is immune to all future cyber threats or that no vulnerabilities exist. It provides a verified baseline of trust and sovereignty, confirming that the provider meets the regulatory standards for that assurance level.

Misconception 3: You can choose any level for any service. No. The level is dictated by your risk assessment. You cannot arbitrarily choose Level 1 for a high-risk activity if your risk assessment determines that Level 2 or higher is needed to protect public order. Conversely, mandating Level 4 for low-risk activities may be disproportionate and limit competition unnecessarily.

Misconception 4: SMEs are exempt from all rules. While SMEs benefit from automatic recognition for Level 1, they are not exempt from the criteria themselves. They must still meet the Level 1 requirements and issue a valid EU statement of conformity. If an SME wishes to offer Level 2, 3, or 4 services, it must undergo the same independent audit process as larger providers.

This is general information about a draft EU regulation, not legal advice.