Summary

Under the proposed Cloud and AI Development Act (CADA), cloud service providers (CSPs) must submit distinct evidence packages to national competent authorities depending on the Union assurance level sought. As set out in Article 17(3), applications for Union assurance level 1 require an EU statement of conformity and all necessary supporting evidence. For Union assurance levels 2, 3, and 4, Article 17(4) mandates the submission of a full audit report, a 'positive' audit opinion, and all evidence provided to the auditing organisation during the audit. These requirements ensure that the evaluating authority can independently verify compliance with the sovereignty framework before granting Union-wide recognition.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a Union cloud computing sovereignty framework comprising four assurance levels. The mechanism for a cloud computing service provider to be formally recognised as offering these levels is central to the Act's demand-side measures, enabling public sector bodies to procure services with verified sovereignty guarantees.

The evidence required for a recognition application is not uniform; it scales with the risk and strictness of the assurance level. The proposal creates a clear bifurcation: a self-assessment route for the baseline level (Level 1) and a rigorous third-party audit route for the higher levels (Levels 2, 3, and 4). This distinction is codified in Article 17, specifically in paragraphs 3 and 4, which dictate the precise documentation a candidate provider must submit to the national competent authority of establishment.

Evidence for Union Assurance Level 1: The Self-Assessment Route

Union assurance level 1 serves as the baseline for the sovereignty framework. It focuses on fundamental criteria such as establishment in the Union, location of infrastructure, and data residency, without requiring the most stringent controls on third-country influence or personnel citizenship. Consequently, the proposal allows for a lighter administrative burden through a conformity self-assessment.

Article 17(3) explicitly outlines the evidence required for this level. A candidate cloud computing service provider must submit two specific items to the evaluating national competent authority:

  1. The EU Statement of Conformity: This is a formal declaration issued by the provider following a self-assessment against the criteria for Union assurance level 1 set out in Annex II. By issuing this statement, the provider "shall assume responsibility for the compliance of the cloud computing service with the criteria." It is a legal attestation that the service meets the cumulative requirements, such as being established in the Union and ensuring customer data remains exclusively within the Union.
  2. All Necessary Evidence: The provider must include "all the necessary evidence" required to demonstrate that the criteria have been fulfilled. This evidence must substantiate the claims made in the statement of conformity. While the authority does not necessarily review every document for every application (due to the SME derogation below), the provider must possess and submit this evidence to prove compliance.

The SME Derogation

A critical nuance in Article 17(3) concerns small and medium-sized enterprises (SMEs). The proposal states that the EU statement of conformity issued by CSPs that are SMEs "shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority."

This means that for SMEs at Level 1, the submission of evidence to the authority is not a prerequisite for the recognition to take effect across the Union. However, the obligation to have the evidence remains. The provider must still conduct the self-assessment, issue the statement, and retain the supporting evidence to demonstrate compliance if challenged by a contracting authority or during a market surveillance check.

Evidence for Union Assurance Levels 2, 3, and 4: The Independent Audit Route

For Union assurance levels 2, 3, and 4, the criteria become significantly more demanding. These levels address risks such as third-country control, require specific cybersecurity certifications (e.g., "substantial" for Levels 2 and 3, "high" for Level 4), and impose strict requirements on personnel (Union citizenship) and data usage (no training of third-country AI models). Due to the complexity and sensitivity of these criteria, the proposal mandates independent third-party verification.

Article 17(4) sets out the mandatory evidence package for these higher levels. A candidate provider must submit the following to the evaluating national competent authority:

  1. The Audit Report: This is the comprehensive document prepared by the auditing organisation. As detailed in Article 20(5), the report must be substantiated in writing and include the name and address of the provider, the period covered, the methodology applied, a description of the main findings, and a list of third parties consulted. It serves as the narrative record of the audit process.
  2. The 'Positive' Audit Opinion: The audit report must conclude with an audit opinion. A 'positive' opinion is defined as one given "where all evidence shows that the provider complies with the audit criteria and obligations set out by this Regulation." Without this specific opinion, the application cannot proceed. A 'negative' opinion or an inability to express an opinion would preclude recognition.
  3. All Evidence Provided to the Auditing Organisation: This is the most comprehensive requirement in the proposal. Article 17(4) states the applicant must submit "all the evidence provided to the auditing organisation during the audit procedure."

This third element is crucial. It ensures that the national competent authority is not merely rubber-stamping an auditor's conclusion. The authority receives the entire evidentiary dossier that the auditor examined: the contracts, the access logs, the personnel records, the software bills of materials (SBOM), and the cybersecurity certificates. This allows the authority to verify the robustness of the audit, check the reliability of the evidence, and ensure the 'positive' opinion is well-founded.

The Evaluation Process and Timeline

Once the evidence is submitted, the evaluating national competent authority (the authority in the Member State of the provider's main establishment) has a strict timeline to assess the application. Article 17(5) stipulates that within 60 days of accepting the application, the authority must assess the evidence and either:

  • Prepare a draft recognition decision and notify other Member States for a 60-day review period;
  • Request further information (suspending the 60-day clock for up to 30 days); or
  • Reject the request (after giving the provider 30 days to comment).

If no reasoned objections are raised by other Member States during the review period, the recognition is adopted, and the service is recognised throughout the Union.

What this means for you

For cloud service providers, the evidence submission is not a formality; it is the core of the compliance strategy. The distinction between Level 1 and Levels 2-4 dictates your entire preparation workflow.

1. For Level 1 Applicants (Self-Assessment)

  • Internal Rigour is Key: Since the process relies on your own declaration, your internal control procedures must be robust. You must be able to generate the "necessary evidence" on demand. This includes proof of establishment, infrastructure location logs, and data residency contracts.
  • SME Advantage: If you are an SME, you benefit from automatic recognition upon issuing the EU statement of conformity. However, do not mistake "automatic" for "unverified." Contracting authorities may still request to see your evidence to confirm your status.
  • Documentation: Ensure your EU statement of conformity is signed and publicly available, as required by Article 19(3).

2. For Levels 2-4 Applicants (Audit Route)

  • Audit Selection Matters: Your choice of auditing organisation is critical. They must be independent, competent, and able to produce a substantiated report. Under Article 20, you must cooperate fully, granting access to all data and premises.
  • The "Full Package" Rule: You must prepare to hand over everything you gave the auditor. Do not assume the auditor's summary is enough. The national authority will review the raw evidence. If your evidence package is incomplete (e.g., missing a specific contract or access log), the authority may reject the application or request further information, delaying your market entry.
  • Audit Opinion is Non-Negotiable: You cannot apply for recognition without a 'positive' audit opinion. If the auditor issues a negative opinion or qualifies their findings, you must remediate the issues and undergo a new audit before applying.
  • Evidence Retention: Maintain a complete archive of the audit evidence. If the authority requests clarification or if the audit report is revoked later due to material changes (Article 23), you must be able to reconstruct the audit trail.

3. Strategic Timing

The 60-day assessment period begins only when the authority accepts the application. Incomplete submissions trigger a suspension of the clock. To avoid delays, ensure your submission includes the full audit report, the positive opinion, and the complete evidence dossier before the application is formally lodged.

Common misconceptions

"Self-assessment is sufficient for all levels." No. Self-assessment and the EU statement of conformity are exclusively for Union assurance level 1. Levels 2, 3, and 4 strictly require an independent third-party audit, a positive audit opinion, and the submission of all underlying audit evidence.

"The national authority only reviews the audit opinion." Incorrect. Article 17(4) explicitly requires the submission of "all the evidence provided to the auditing organisation." The authority has the right and duty to review the underlying evidence to validate the auditor's conclusions. They do not just accept the opinion at face value.

"SMEs at Level 1 do not need to keep evidence." While SMEs at Level 1 do not need to submit evidence to the authority for automatic recognition, they must still perform the self-assessment and issue the EU statement of conformity. They are legally responsible for the accuracy of this statement and must retain the supporting evidence to prove compliance if challenged by a public buyer or regulator.

"The audit report alone is enough." The audit report is a summary of findings. The regulation requires the entire evidence package submitted to the auditor. Without the underlying evidence (e.g., the actual contracts, logs, and certificates), the application is incomplete under Article 17(4).

This is general information about a draft EU regulation, not legal advice.