Summary

As proposed, if the European Cybersecurity Certification Scheme for Cloud Services (EUCS) under the Cybersecurity Act is not yet established, cloud providers seeking Union assurance levels 2, 3, or 4 under the Cloud and AI Development Act (CADA) must rely on existing national cybersecurity certification schemes. If no national scheme exists in the provider's Member State, they must instead demonstrate compliance with the "highest cybersecurity standards under applicable Union law." This transitional mechanism, explicitly defined in Annex II of the proposal, ensures that public procurement for sovereign cloud can proceed without waiting for the EU-wide certification infrastructure to mature.

Detail

The Cloud and AI Development Act (CADA), proposed by the European Commission on 3 June 2026 (COM(2026) 502 final), establishes a four-tier sovereignty framework for cloud computing services known as "Union assurance levels." These levels are designed to mitigate risks associated with third-country control, data sovereignty, and operational continuity. A critical component of achieving Union assurance levels 2, 3, and 4 is demonstrating a robust cybersecurity posture through formal certification or equivalent proof.

Under the current legislative proposal, CADA explicitly links its cybersecurity requirements to the European Cybersecurity Certification Scheme for Cloud Services (EUCS), which is being developed under the Cybersecurity Act (Regulation (EU) 2019/881). However, the EUCS is not yet fully adopted or operational. To prevent regulatory deadlock and allow public sector bodies to begin procuring sovereign cloud services immediately upon CADA's application, the proposal includes specific fallback mechanisms.

The Fallback Mechanism in Annex II

The specific criteria for each Union assurance level are detailed in Annex II of the CADA proposal. For Union assurance level 2, Annex II, Section 2.1(e) states that the audited service must obtain a European cybersecurity certificate of at least assurance level 'substantial' under the EUCS, provided that such a scheme has been established under the Cybersecurity Act and is available to cloud computing service providers.

The provision then outlines a clear hierarchy for what happens if that primary condition is not met:

  1. National Schemes: "Until the establishment of such a scheme, national cybersecurity certification schemes shall apply, where they exist." This means that if a Member State has already implemented a national cybersecurity certification scheme for cloud services, providers in that jurisdiction can use that national certification to satisfy the CADA requirement for Union assurance levels 2, 3, and 4.
  2. Highest Standards Under Union Law: "Where no Union or national cybersecurity certification schemes exist, the audited provider is to demonstrate that the service complies with the highest cybersecurity standards under applicable Union law."

This same logic applies to Union assurance level 3 (Annex II, Section 3.1(e)) and Union assurance level 4 (Annex II, Section 4.1(e)). While Level 3 requires a 'substantial' assurance level and Level 4 requires a 'high' assurance level under the EUCS, the fallback mechanism remains consistent: in the absence of the EUCS, providers may rely on national schemes where they exist, or demonstrate compliance with the highest cybersecurity standards under applicable Union law.

The Role of Independent Audits

Union assurance levels 2, 3, and 4 require independent third-party audits under Article 20. The auditing organisation assesses whether the provider meets the criteria in Annex II. If the EUCS is not available, the auditor will verify either:

  • The validity of the national cybersecurity certificate issued by a competent conformity assessment body; or
  • The provider's evidence that their service complies with the highest cybersecurity standards under applicable Union law (such as the NIS2 Directive requirements or other relevant sectoral cybersecurity laws).

This audit evidence must be sufficient to allow the auditing organisation to issue a 'positive' audit opinion, which is then submitted to the national competent authority for recognition under Article 17. The auditing organisation must ensure that the evidence is "relevant and sufficient" and "reliable," as required by Article 21.

Implications for Recognition and Procurement

The recognition process under Article 17 remains unchanged regardless of which cybersecurity standard is used. Once a provider obtains the necessary audit opinion (based on either EUCS, a national scheme, or highest Union standards), they apply to the national competent authority of their establishment. If recognized, the service is registered in the central repository under Article 22 and can be procured by public sector bodies across the EU.

Public sector bodies must conduct risk assessments under Article 29 to determine which Union assurance level is appropriate for their activities. If a risk assessment determines that Union assurance level 2, 3, or 4 is required, the contracting authority must procure services that have been recognized at that level. The fallback mechanism ensures that such services are available even before the EUCS is fully operational, preventing a "chicken-and-egg" scenario where procurement is stalled due to a lack of certified providers.

What this means for you

For CTOs, architects, and SMEs evaluating their cloud infrastructure strategies, the transitional provisions in CADA remove one blocker (procurement need not wait for the EUCS) while adding a temporary one: the cybersecurity evidence a provider must produce depends on which of the three routes (EUCS, national scheme, or Union law standards) is available in its Member State of establishment.

For Cloud Providers:

  • Audit Preparation: You must prepare for independent audits under Article 20. If the EUCS is not yet available, you should identify which national cybersecurity certification scheme applies in your Member State of establishment. If your country lacks such a scheme, you must document how your service meets the "highest cybersecurity standards under applicable Union law." This likely involves aligning with NIS2 Directive requirements and demonstrating robust technical and organizational measures.
  • Documentation: Ensure your technical documentation (required for the audit) clearly maps your security controls to the relevant national scheme or Union law standards. Auditors will need this evidence to issue a positive opinion.
  • Monitoring: Keep a close watch on the adoption of the EUCS. Once established, you may need to transition from a national certification, or from an audited demonstration of compliance with Union law standards, to the EUCS certificate to maintain your Union assurance level recognition, as the proposal empowers the Commission to update Annex II via delegated acts.

For Public Sector Buyers (CTOs/Architects):

  • Procurement Strategy: You can begin drafting procurement requirements for Union assurance levels 2, 3, and 4 now, even if the EUCS is not ready. Your tender documents should specify that providers must meet the criteria in Annex II, including the fallback cybersecurity options.
  • Vendor Evaluation: When evaluating vendors, check their cybersecurity certification status. If they hold a national certificate, verify that it is recognized under the relevant national scheme. If they claim compliance with "highest Union law standards," scrutinize their audit evidence to ensure it genuinely reflects high cybersecurity maturity: this route has no certificate behind it, only the provider's own mapping of controls to Union law, which the auditing organisation must then verify.
  • Risk Assessment: Conduct your risk assessments under Article 29 promptly. The level of cybersecurity required (via EUCS, national scheme, or Union law) depends on the assurance level your activities require.

For SMEs:

  • Level 1 Exception: Note that Union assurance level 1 does not require a cybersecurity certificate (Annex II, Section 1.1(e) only requires demonstrating compliance with state-of-the-art cybersecurity standards). This level is based on self-assessment and an EU statement of conformity under Article 19. SMEs may find Level 1 more accessible in the short term, especially if they are not yet ready for the rigorous audit and certification processes required for Levels 2-4.
  • Cost Considerations: Independent audits (Article 20) are at the provider's expense. Ensure you factor these costs into your pricing and compliance budget, regardless of whether you use a national scheme or demonstrate highest Union law standards.

Common misconceptions

Misconception 1: CADA requires the EUCS certificate immediately upon entry into force.

  • Reality: CADA explicitly provides a fallback. The EUCS is the preferred standard, but national schemes or demonstration of highest Union law standards are valid alternatives until the EUCS is established and available.

Misconception 2: National cybersecurity schemes are automatically recognized across the EU under CADA.

  • Reality: National schemes are only applicable within the context of the audit for providers established in that Member State. The recognition of the cloud service (Article 17) is based on the audit opinion and the national competent authority's decision. While the service, once recognized, is valid across the EU, the underlying national certificate is not automatically a pan-EU passport; it is evidence used during the audit to satisfy Annex II criteria.

Misconception 3: "Highest standards under Union law" is a vague, unenforceable requirement.

  • Reality: This requirement is subject to independent third-party audit (Article 20). Auditing organisations must assess whether the provider's evidence is sufficient to conclude that the service complies with the highest cybersecurity standards under applicable Union law. This is not a self-declared checkbox but a rigorous audit finding.

Misconception 4: Union assurance level 1 requires a cybersecurity certificate.

  • Reality: Level 1 (Annex II, Section 1.1(e)) only requires demonstrating compliance with state-of-the-art cybersecurity standards. It does not require a formal certificate (EUCS or national). Certificates are only mandatory for Levels 2, 3, and 4.

This is general information about a draft EU regulation, not legal advice.