Summary

Under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider must immediately notify its auditing organisation and national competent authority (NCA) of any material change, including service discontinuation, that could affect its recognised Union assurance level (Article 23(1)). If the change leads to the revocation of the service's recognition, this revocation is published in the central repository and remains publicly accessible for five years (Article 22(3)). This ensures transparency and prevents the continued use of non-compliant or defunct services in critical public sector procurement.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a rigorous framework for cloud computing sovereignty, centred on a centralised repository of services that have been recognised as meeting specific "Union assurance levels" of trust and security. For cloud service providers (CSPs), maintaining an accurate listing in this repository is not merely a marketing exercise but a legal prerequisite for serving public sector bodies. The regulation explicitly addresses the lifecycle of these listings, including the critical scenario where a service is discontinued, significantly altered, or no longer compliant.

The Transparency Obligation: Notifying Material Changes

The cornerstone of maintaining repository accuracy is the transparency obligation placed on cloud computing service providers. According to Article 23(1) of the proposed CADA, a recognised cloud computing service provider is legally obligated to act promptly upon becoming aware of any information or material change in circumstances that may affect the audit report, the associated "positive" audit opinion, or the recognition granted by the national competent authority (NCA).

"Material change" is a broad term that encompasses the discontinuation of a service. If a provider decides to sunset a specific cloud offering, migrate it to a different jurisdiction that no longer meets the assurance criteria, or cease operations entirely, this constitutes a change that fundamentally affects the validity of the existing recognition. The provider must notify two entities "as soon as possible":

  1. The auditing organisation that issued the audit report.
  2. The national competent authority of establishment.

This notification triggers a reassessment process. The auditing organisation must assess whether the audit report or opinion needs to be amended or revoked. If the service is discontinued, the audit opinion will inevitably be revoked because the audited service no longer exists in the form that was certified. Subsequently, the auditing organisation notifies the NCA of establishment, which then assesses whether its formal recognition of the service needs to be amended or revoked.

The Central Repository and Revocation Records

Once the NCA revokes the recognition of a cloud computing service, the change must be reflected in the central repository maintained by the European Commission. Article 22 establishes the mechanics of this repository, which serves as the single source of truth for public sector procurers across the Union.

Article 22(2) mandates that the national competent authority of establishment that originally recognised the service must register it in the central repository. Conversely, when a recognition is withdrawn, Article 22(3) stipulates that the revocation of an audit report and audit opinion by an auditing organisation, or the revocation of a recognition by a competent authority, "shall be published in the central repository."

Crucially, CADA imposes a long-term retention rule for these negative records. The same provision states that the revocation record "shall remain available there for five years." This five-year window serves several policy objectives:

  • Audit Trail: It allows public sector bodies and auditors to verify why a service was removed from the trusted list.
  • Fraud Prevention: It prevents providers from quickly re-listing a service under a new name or guise without addressing the underlying compliance issues that led to the revocation.
  • Market Stability: It ensures that procurers are not left with "ghost" listings of services that are no longer available or compliant.

The Role of the National Competent Authority

The national competent authority (NCA) of establishment plays the pivotal role in updating the repository. While the provider initiates the process via notification under Article 23, the NCA holds the exclusive power to formally revoke the recognition. The NCA must then ensure this revocation is published in the central repository. The Commission maintains and updates the repository, but the data input regarding revocations flows from the NCAs.

If a provider fails to notify the NCA of a discontinuation, the NCA may still discover the discrepancy through its supervisory powers or through reports from public sector users. In such cases, the NCA can revoke the recognition based on its own findings, leading to the same publication requirements under Article 22(3).

What this means for you

For cloud service providers and data centre operators, the implications of Articles 22 and 23 are operational and legal. You cannot simply "take down" a service and ignore the regulatory status; the regulatory status must be actively terminated.

1. Integrate Discontinuation into Your Compliance Workflow

Your internal product lifecycle management must include a compliance step for any service holding a Union assurance level recognition. When a product roadmap includes a sunset date or a significant architectural change that moves the service out of the Union or alters its control structure, your compliance team must trigger the notification process under Article 23(1). Delaying this notification until after the service is already offline may be viewed as a failure to maintain transparency, potentially exposing the provider to penalties under Article 24.

2. Prepare for the Five-Year Shadow

Understand that revoking a recognition does not erase it from history. The record will remain in the public central repository for five years. If your service is discontinued due to a compliance breach or security failure, this negative record will be visible to potential future customers and partners. Ensure that your communication strategy addresses this transparency requirement. If the discontinuation is purely commercial (e.g., the product is no longer profitable), the revocation record will simply state that the recognition was withdrawn, but the five-year visibility remains.

3. Coordinate with Your Auditor

The notification under Article 23(1) is dual-addressed: to the auditor and the NCA. Your auditor must formally amend or revoke the audit report before the NCA can formally revoke the recognition. Ensure your contract with your auditing organisation includes clear SLAs for processing these notifications. A bottleneck at the auditor level can delay the formal update in the repository, leaving your service in a "zombie" state where it is listed as compliant but is actually discontinued.

4. Impact on Public Sector Contracts

If you have active contracts with public sector bodies that rely on your recognised status, the revocation of your listing may trigger contractual termination clauses or migration requirements. Article 29(6) of CADA notes that if a risk assessment requires migration to another service, the transition period shall not exceed 12 months. Your discontinuation notice should be coordinated with these timelines to avoid abrupt service cuts for critical infrastructure.

Common misconceptions

Misconception 1: "If I stop offering the service, the listing automatically expires." Incorrect. CADA does not provide for automatic expiration of repository listings based on market activity. The listing remains valid until the NCA formally revokes it following the assessment triggered by your notification (or their own investigation). Without formal revocation, the service remains legally "recognised" in the repository, even if it is offline.

Misconception 2: "The repository entry is deleted immediately upon revocation." Incorrect. Article 22(3) explicitly requires that the revocation record remain available for five years. The entry is not deleted; it is updated to reflect the revoked status. This is a deliberate design choice to maintain a historical audit trail for the public sector.

Misconception 3: "I only need to tell the Commission." Incorrect. The Commission maintains the repository, but it does not directly manage individual provider notifications. Under Article 23(1), you must notify your auditing organisation and the national competent authority of establishment. The NCA then updates the central repository. Bypassing the NCA and auditor will not result in a valid update to your legal status.

Misconception 4: "Discontinuation is only a material change if it was a high-assurance level (3 or 4)." Incorrect. The transparency obligation in Article 23 applies to all Union assurance levels (1 through 4). Even a Level 1 service, which relies on a self-assessment, must have its recognition amended or revoked if the service is discontinued, as the basis for the conformity statement no longer exists.

This is general information about a draft EU regulation, not legal advice.