Summary
Under the proposed Cloud and AI Development Act (CADA), the evidence required for recognition depends entirely on the Union assurance level you are targeting. For Union assurance level 1, you must submit a self-issued EU statement of conformity and supporting evidence to the national competent authority (Article 17(3)). For Union assurance levels 2, 3, and 4, you must submit an independent audit report, a 'positive' audit opinion, and all evidence provided to the auditing organisation during the procedure (Article 17(4)). Crucially, under Article 21, all audit evidence must be relevant, sufficient, and reliable to demonstrate compliance with the criteria in Annex II, guided by the indicative list in Annex III.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised Union cloud computing sovereignty framework. This framework relies on four distinct assurance levels to categorise the trustworthiness of cloud services. To participate in public procurement or serve Union entities, providers must obtain formal recognition for their services at one of these levels. The proposal draws a sharp distinction between the evidence required for the baseline level (Level 1) and the higher, more stringent tiers (Levels 2, 3, and 4).
Evidence for Union Assurance Level 1: Self-Assessment and Declaration
Union assurance level 1 serves as the baseline for sovereign cloud services. The regulatory approach for this level is lighter, relying on a conformity self-assessment rather than an independent third-party audit.
Under Article 17(3) of the CADA proposal, a candidate cloud computing service provider seeking recognition for Union assurance level 1 must submit the following to the evaluating national competent authority:
- The EU statement of conformity referred to in Article 19(2).
- All the necessary evidence required to support that statement.
The EU statement of conformity is a formal declaration issued by the provider itself, following a self-assessment of compliance with the criteria for Union assurance level 1 set out in Annex II. By issuing this statement, the provider assumes full responsibility for the compliance of its cloud computing service. The "necessary evidence" refers to the documentation and internal records that prove the provider has met the cumulative criteria for level 1, such as establishment in the Union, location of infrastructure and data within the Union, and transparency regarding subcontractors.
A specific derogation exists for small and medium-sized enterprises (SMEs). As per Article 17(3), the EU statement of conformity issued by SMEs is directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority. For non-SMEs, the national competent authority will assess the submitted evidence within 60 days of accepting the application.
Evidence for Union Assurance Levels 2, 3, and 4: Independent Audit
For Union assurance levels 2, 3, and 4, the requirements are significantly more rigorous. These levels involve stricter criteria regarding personnel citizenship, cybersecurity certifications, software supply chain transparency, and the absence of third-country control. Consequently, self-assessment is insufficient.
Article 17(4) mandates that a candidate provider seeking recognition for these higher levels must submit the following to the evaluating national competent authority:
- The audit report.
- The 'positive' audit opinion referred to in Article 20.
- All the evidence provided to the auditing organisation during the audit procedure.
The audit report and opinion are produced by an independent auditing organisation selected by the provider. A 'positive' opinion is only issued when all evidence shows that the provider complies with the audit criteria and obligations set out by the Regulation. If the auditor issues a 'negative' opinion, or if they are unable to reach a conclusion on specific aspects, the provider cannot proceed with recognition until these issues are resolved.
Crucially, the provider must submit all evidence provided to the auditor. This ensures the national competent authority has full visibility into the audit process and the underlying data that formed the basis of the auditor's conclusion. This transparency is vital for the mutual recognition process, where other Member States have a 60-day review period to object to the recognition if they believe the evidence is insufficient or the criteria were not met.
Standards for Audit Evidence: Relevance, Sufficiency, and Reliability
The quality of the evidence submitted is governed by Article 21, which sets out the content and quality standards for audit evidence. This article ensures that auditing organisations do not rely on superficial or inadequate data when assessing compliance.
Article 21(2) explicitly states that audit evidence must be:
- Relevant and sufficient: The evidence must enable the auditing organisation to prepare an audit report and provide an audit opinion. It must cover all the criteria listed in Annex II for the specific assurance level being assessed.
- Reliable: The evidence must be reliable according to the auditing organisation's professional judgment and scepticism.
The specific types of evidence required are detailed in Annex III of the CADA proposal. Annex III provides an indicative list of evidence for each audit criterion (e.g., Union establishment, location of infrastructure, data localisation, Union citizenship, cybersecurity certification, absence of third-country control). For example, to prove "Union establishment" (Audit Criterion A), Annex III suggests evidence such as national company extracts, tax residency documentation, VAT registration, lease contracts for physical offices, and payroll records showing permanent staff in the Union.
Annex III is indicative and does not limit the evidence that may be requested: auditing organisations may seek any additional information necessary to ensure a comprehensive and accurate assessment. The strictness of the evidence requirements increases with the assurance level. For instance, at level 4, evidence must demonstrate that third countries do not hold effective control over software components, which may require detailed source code audits and migration plans.
The Role of the National Competent Authority
Once the evidence is submitted under Article 17, the evaluating national competent authority has 60 days to assess it. If the evidence is insufficient, the authority may request further information, suspending the 60-day clock for up to 30 days (or longer in exceptional circumstances). If the authority is satisfied, it prepares a draft recognition decision and notifies other Member States. If no reasoned objections are raised within the subsequent 60-day review period, the service is recognised throughout the Union at the appropriate assurance level.
If the authority rejects the request, the provider has the right to provide written comments within 30 days. The authority must take these comments into account before finalising its conclusions. This procedural safeguard ensures that providers have a chance to clarify or supplement their evidence before a final rejection.
What this means for you
For cloud service providers and data centre operators, preparing for CADA recognition requires a shift from traditional compliance reporting to structured, evidence-based audit readiness.
- Map your evidence to Annex III: Do not wait for the audit to begin gathering evidence. Review Annex III of the CADA proposal and map your existing documentation to each audit criterion. Identify gaps early. For example, if you aim for level 3, ensure you have documented proof of Union citizenship for all personnel involved in service provision and evidence of the separation between your Union parent company and any third-country subsidiaries.
- Maintain an evidence repository: Article 17(4) requires you to submit all evidence provided to the auditor. Maintain a centralised, secure repository of your compliance documentation. This includes technical architecture diagrams, data flow maps, subcontractor contracts, payroll records, and cybersecurity certificates. Ensure this repository is accessible and up-to-date.
- Invest in audit quality: The reliability of your evidence is judged by the auditor's professional scepticism. Work with an auditing organisation that understands the nuances of CADA. Ensure your internal processes generate reliable evidence. For instance, automated logs for data localisation are more reliable than manual attestations.
- Prepare for SME exemptions: If you are an SME, leverage the automatic recognition for level 1. Ensure your EU statement of conformity is robust and well-documented, as it will be scrutinised by public sector buyers even if not by the national competent authority.
- Plan for the 60-day clock: The recognition process has tight deadlines. Delays in providing evidence can suspend the clock. Ensure your internal teams can respond quickly to requests for further information from the national competent authority or the auditor.
Common misconceptions
- Misconception: "Self-assessment is enough for all levels."
- Reality: Self-assessment and the EU statement of conformity are only sufficient for Union assurance level 1. Levels 2, 3, and 4 strictly require an independent third-party audit and a 'positive' audit opinion.
- Misconception: "Annex III is a mandatory checklist of exact documents."
- Reality: Annex III is indicative. It lists examples of evidence (e.g., "lease contracts, utility bills") but does not limit what an auditor can request. Auditors have the discretion to seek additional information necessary for a comprehensive assessment. The key is that the evidence must be relevant, sufficient, and reliable (Article 21).
- Misconception: "I only need to submit the audit report."
- Reality: For levels 2-4, you must submit the audit report, the 'positive' audit opinion, and all evidence provided to the auditing organisation during the procedure (Article 17(4)). The national competent authority needs to see the underlying data to verify the auditor's conclusion.
- Misconception: "SMEs are exempt from providing evidence."
- Reality: SMEs are exempt from the recognition procedure for level 1 (automatic recognition), but they must still carry out a conformity self-assessment and issue an EU statement of conformity (Article 19). They must be able to demonstrate compliance if challenged by a public sector buyer or authority.
This is general information about a draft EU regulation, not legal advice.