Summary If your application for recognition under the proposed Cloud and AI Development Act (CADA) lacks sufficient evidence, the evaluating national competent authority will not immediately reject it. Instead, as proposed in Article 17(5)(b), the authority may formally request further information from you. Crucially, the statutory 60-day assessment clock is suspended while you prepare this response, but this suspension is strictly capped at 30 days in total, unless justified by the nature of the information or exceptional circumstances. You must act quickly to provide the missing evidence to avoid missing your window for recognition.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous framework for the recognition of cloud computing services that meet specific Union assurance levels. This recognition is a prerequisite for cloud providers wishing to serve public sector bodies and Union entities under the sovereignty procurement rules. The procedural mechanics for this recognition are governed primarily by Article 17 of the proposal.

When a cloud computing service provider submits an application for recognition (for Union assurance levels 1, 2, 3, or 4), the evaluating national competent authority is bound by a strict timeline to assess the evidence. Under Article 17(5), the authority must assess the submitted evidence within 60 days of accepting the application.

However, the proposal anticipates that initial applications may be incomplete or lack the necessary depth to demonstrate compliance with the criteria in Annex II. Article 17(5)(b) explicitly addresses this scenario. It states that if the evidence submitted is insufficient to allow the evaluating competent authority to recognize the cloud computing service, the authority "may request further information from the applicant and request that the applicant submit such information within a specified time limit."

This provision is critical for providers because it introduces a mechanism for remediation rather than immediate failure. It acknowledges that complex sovereignty audits, conformity self-assessments, and technical documentation may require iterative clarification before a final decision can be reached.

The Suspension of the Assessment Clock

The most significant procedural consequence of an information request under Article 17(5)(b) is the suspension of the 60-day assessment period. The text specifies: "The period of 60 days referred to in this paragraph shall be suspended from the date of issue of the request until the date the information is received."

This suspension is not open-ended. The proposal imposes a strict cap on this delay to prevent administrative stagnation: "The suspension shall not exceed 30 days in total unless it is justified by the nature of the information requested or by exceptional circumstances."

This creates a dual-timeline pressure for both the authority and the provider:

  1. The Authority's Deadline: The authority must issue its request and receive your response within the capped suspension window (usually 30 days).
  2. The Provider's Duty: You must provide the requested information within the "specified time limit" set by the authority, which must fit within that 30-day suspension cap.

If you fail to provide the information within this window, the suspension ends, and the clock resumes. If the total time exceeds the statutory limits without justification, or if the additional information remains insufficient, the authority may proceed to reject the application under Article 17(5)(c).

Types of Evidence at Stake

The "evidence" referred to in Article 17(5)(b) depends entirely on the assurance level sought, as the requirements differ significantly:

  • Union Assurance Level 1: Requires an EU statement of conformity and all necessary evidence demonstrating compliance with the criteria in Annex II (Article 17(3)).
  • Union Assurance Levels 2, 3, and 4: Require an audit report, a 'positive' audit opinion from an independent auditing organisation, and "all the evidence provided to the auditing organisation during the audit procedure" (Article 17(4)).

Common reasons for insufficient evidence might include incomplete software bills of materials (SBOMs), unclear documentation of subcontractor due diligence, insufficient proof of data localization controls, or gaps in the audit report regarding third-country control. Because the criteria for levels 2–4 are stringent and involve third-party audits, the "further information" requested often relates to clarifying audit findings, providing access to specific technical logs, or demonstrating the separation of Union and third-country subsidiaries.

Consequences of Non-Compliance

If you cannot provide the requested information within the allowed timeframe, the evaluating competent authority must either:

  1. Request further information again (if the initial suspension was not fully utilized and justified by exceptional circumstances).
  2. Reject the request for recognition.

Before rejecting, Article 17(5)(c) mandates that the authority must give you the opportunity to provide written comments on the conclusions of the evaluation within 30 days. The authority must take due account of these comments when finalizing its decision. This ensures that even if the evidence is deemed insufficient, you have a final procedural right to explain your position or correct misunderstandings before the final rejection.

What this means for you

For cloud service providers and data centre operators aiming for CADA recognition, the "request for more information" phase is a critical operational checkpoint. It is not merely a bureaucratic hurdle but a defined legal interaction with strict temporal boundaries that can determine the success of your application.

1. Prepare for Rapid Response You must have internal processes ready to retrieve and format evidence quickly. If the authority issues a request on Day 10 of the assessment, you have effectively up to 30 days (or less, depending on the authority's specified deadline) to respond. Delays in gathering technical documentation from engineering teams or legal teams can cause you to miss the suspension cap, leading to a rejected application.

2. Maintain Audit Readiness For providers seeking Levels 2–4, your relationship with your auditing organisation is key. Ensure that your auditor has already gathered comprehensive "audit evidence" as defined in Article 21 and Annex III. If the national competent authority finds gaps in the audit report, you may need to coordinate with your auditor to provide supplementary evidence. The "evidence provided to the auditing organisation during the audit procedure" must be submitted to the authority (Article 17(4)).

3. Document Everything Keep a detailed log of all communications with the evaluating national competent authority. Record the date of the information request, the specified deadline, and the date you submitted the further information. This documentation is vital if you need to argue that the suspension was improperly calculated or if you face a rejection and need to exercise your right to written comments.

4. Engage Proactively If you anticipate that gathering the requested information will take longer than the authority's specified limit, engage with the authority immediately. While the 30-day cap is strict, the proposal allows for extensions if "justified by the nature of the information requested or by exceptional circumstances." Proactive communication may help negotiate a reasonable extension before the deadline passes.

Common misconceptions

Misconception 1: The 60-day clock stops indefinitely while you gather evidence. Correction: The clock is suspended, but the suspension is strictly capped at 30 days unless exceptional circumstances are proven. You cannot delay the process indefinitely by slowly providing information.

Misconception 2: An information request is a sign that your application will be rejected. Correction: Not necessarily. It is a procedural step to clarify insufficient evidence. Many applications may require clarification on technical points. Rejection only occurs if you fail to provide the information within the allowed time or if the provided information still does not meet the criteria.

Misconception 3: You can submit information without a formal request. Correction: While you can submit additional evidence voluntarily, the suspension of the 60-day clock is triggered specifically by the authority's formal request for further information under Article 17(5)(b). Unsolicited submissions do not automatically pause the assessment timeline.

Misconception 4: The authority can reject your application immediately upon finding insufficient evidence. Correction: The authority must first request further information. It cannot reject the application outright without giving you the opportunity to supplement the evidence, unless the application is fundamentally flawed in a way that cannot be remedied by additional information.

Related

This is general information about a draft EU regulation, not legal advice.