Summary

As proposed, a cloud computing service provider without formal recognition under the Cloud and AI Development Act (CADA) is effectively barred from supplying services to EU public sector bodies. Article 16(1) establishes a mandatory Union cloud computing sovereignty framework, requiring providers to meet specific criteria to serve Union entities and public sector bodies. Article 17 sets out the recognition process; without a recognised Union assurance level, providers are ineligible for public procurement. Even the lowest tier, Level 1, requires formal recognition (or automatic recognition for SME self-assessments). Consequently, "no recognition" equates to zero access to the public market, as there is no "unrecognised" tier for public contracts.

Detail

The proposed Cloud and AI Development Act introduces a strict gatekeeping mechanism for the European public cloud market, fundamentally altering how cloud computing services are procured by the Union and its Member States. The core of this mechanism is the Union cloud computing sovereignty framework, designed to mitigate risks related to data sovereignty, operational continuity, and dependence on third-country jurisdictions.

The Mandatory Framework and Recognition Process

Article 16(1) of the CADA proposal explicitly establishes that the Union cloud computing sovereignty framework comprises four Union assurance levels. Crucially, it states that cloud computing service providers "shall meet" the criteria set out in Annex II "in order to provide their cloud computing services to Union entities and public sector bodies." This creates a binary condition: to serve the public sector, a provider must be recognised at one of the four levels. The text contains no provision for unrecognised providers to operate in this space.

The pathway to this status is defined in Article 17, which governs the recognition of cloud computing service providers. A provider aiming to serve the public sector must submit an application for recognition to the national competent authority of its establishment. The process differs significantly depending on the target level:

  • For Union Assurance Level 1: Providers must carry out a conformity self-assessment and issue an EU statement of conformity. Article 17(3) introduces a critical distinction for Small and Medium-sized Enterprises (SMEs): their EU statements of conformity are "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." For non-SMEs, however, the national competent authority must still assess the evidence and issue a recognition decision before the service can be used.
  • For Union Assurance Levels 2, 3, and 4: Providers cannot self-assess. They must undergo independent third-party audits. Under Article 17(4), they must submit the audit report and a "positive" audit opinion to the national competent authority. Only upon a positive assessment by the authority is the service recognised across the Union.

Consequences of Non-Recognition

If a provider does not undergo this process, or if their application is rejected, they remain without a recognised assurance level. The consequences are severe and primarily commercial, effectively locking them out of the public sector:

  1. Exclusion from Public Procurement: Article 30(2) mandates that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognised at Union assurance level 1. Article 30(3) further requires that authorities whose activities are identified as contributing to public order (e.g., defence, justice, law enforcement, critical infrastructure) must only procure services recognised at levels 2, 3, or 4. Therefore, a provider without any recognition is ineligible for both categories of public contracts. There is no "Level 0" or unrecognised option for public procurement.
  2. Invisibility in the Central Repository: The Commission is required to establish and maintain a central repository of cloud computing services recognised under Article 17 (Article 22). Providers without recognition will not appear in this repository. Since public buyers are expected to rely on this repository to identify compliant options, unrecognised providers become effectively invisible to the market, even if they attempted to argue for an exemption.
  3. Limited and Narrow Exemptions: Article 30(4) allows for derogations from the assurance level requirements only on an exceptional basis and where "duly justified." These circumstances are strictly limited to: (a) the subject matter cannot be supplied by recognised services available in the central repository and no adequate alternative exists; (b) a similar procurement process yielded no suitable tenders; or (c) applying the requirements would impose "disproportionate cost." These are not general loopholes for unrecognised providers to maintain market share; they are emergency measures for market failures or extreme cost constraints.

Contrast with Self-Assessed Level 1

It is crucial to distinguish between "no recognition" and "self-assessed Level 1." For SMEs, the self-assessment process leads to automatic recognition under Article 17(3). For larger providers, self-assessment is merely the first step toward Level 1 recognition, but it does not confer recognition until the national competent authority accepts the evidence and issues a decision.

A provider that has merely conducted an internal check but has not secured the formal recognition status (or the automatic SME status) is legally in the same position as a provider that has done nothing: they have no assurance level and thus no public market access. The "self-assessment" is a procedural requirement for Level 1, not a substitute for the recognition status itself for non-SMEs.

What this means for you

As a cloud service provider or data centre operator, the absence of CADA recognition represents a total loss of the EU public sector market. This is not a minor compliance gap; it is a structural barrier that excludes you from the market.

Immediate Action Required

  • Assess Your Size: If you are an SME, ensure your internal processes allow you to issue a robust EU statement of conformity. This is your fastest route to market, as it triggers automatic recognition across the Union under Article 17(3) without waiting for national authority review.
  • Engage National Authorities: If you are a large enterprise, you cannot self-certify into the market. You must prepare for the audit and application process under Article 17. Begin engaging with the national competent authority in your Member State of establishment to understand their specific evidence requirements and timelines.
  • Audit Readiness: For Levels 2–4, you must contract an independent auditing organisation. Ensure your subcontractors, data localisation policies, and supply chain controls meet the stringent criteria in Annex II, as auditors will scrutinise these areas heavily. Failure to meet these criteria will result in a negative audit opinion and rejection.

Strategic Positioning

Without recognition, you may still serve the private sector, but even here, risks emerge. Article 31 allows private sector entities operating in sectors of high criticality (listed in Annex I of the NIS2 Directive) to conduct impact assessments similar to public bodies. While not mandatory, these assessments may lead private clients to prefer or require recognised providers to mitigate their own sovereignty risks. Furthermore, Article 32 encourages contracting authorities to use "Union added value" criteria in procurement, which may further disadvantage unrecognised, potentially non-EU-controlled providers.

Common misconceptions

Misconception 1: "We can still sell to the public sector if we are cheaper." Incorrect. The CADA proposal does not allow price to override sovereignty requirements. Article 30 mandates the use of recognised services. While Article 30(4) allows for exceptions if recognised services are unavailable or disproportionately costly, these are exceptional derogations, not standard procurement practices. You cannot compete on price if you are legally ineligible to bid.

Misconception 2: "Self-assessment is enough for everyone." Incorrect. Only SMEs benefit from the automatic recognition of self-assessments under Article 17(3). Large providers must have their self-assessment evidence reviewed and accepted by the national competent authority to achieve Level 1 recognition. Without this formal step, a self-assessment is merely an internal document with no legal standing in the CADA framework.

Misconception 3: "Recognition is optional for low-risk public services." Incorrect. Article 30(2) sets Level 1 as the minimum requirement for public sector bodies whose activities are not deemed to contribute to public order. There is no "zero-level" or unrecognised tier for public procurement. All public contracts require at least Level 1 recognition.

Misconception 4: "We can wait for the final law to see if this changes." Risky. The proposal is designed to address immediate strategic dependencies. The recognition process under Article 17 involves 60-day assessment periods and potential cross-border reviews. Delaying preparation could mean missing early procurement cycles once the regulation applies. Furthermore, the criteria in Annex II are detailed and technical; aligning your infrastructure and contracts takes significant time.

This is general information about a draft EU regulation, not legal advice.