Summary The practical arrangements for the recognition of cloud computing service providers under the proposed Cloud and AI Development Act (CADA) are governed by implementing acts adopted by the European Commission. Specifically, Article 17(12) of the proposal authorizes the Commission to establish these procedural details, mandating that they be adopted through the examination procedure set out in Article 46(2). As CADA is currently a proposal, these acts do not yet exist; once adopted, they will define the technical formats, communication protocols, and administrative workflows for the recognition process, filling the operational gaps left by the primary regulation.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonized framework for recognizing cloud computing service providers (CSPs) across the EU. While the regulation sets the substantive criteria for Union assurance levels 1 through 4 in Annex II and outlines the high-level procedural steps in Article 17, it deliberately delegates the granular administrative mechanics to secondary legislation. This ensures that the technical and operational details can be updated efficiently without requiring a full legislative amendment.

The Legal Basis: Article 17(12)

The authority for the Commission to define the "practical arrangements" for the recognition procedure is explicitly granted in Article 17(12). The text of the proposal states:

"The Commission may adopt implementing acts concerning the practical arrangements for the procedures referred to in this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 46(2)."

This provision is the cornerstone of the administrative framework for CADA recognition. Article 17 itself describes a complex, multi-stage workflow involving the submission of applications to national competent authorities, the evaluation of evidence (such as EU statements of conformity for Level 1 or audit reports for Levels 2–4), a cross-border review period by other Member States, and the handling of reasoned objections. However, the regulation does not specify the how of these interactions. It leaves critical operational questions unanswered, such as:

  • What digital formats must be used for submitting the EU statement of conformity or audit reports?
  • What are the specific data standards for the exchange of evidence between the evaluating authority and other Member States?
  • How are the 60-day review periods and 15-day collaboration requests technically managed within a centralized or decentralized IT system?
  • What are the exact templates for reasoned objections or requests for clarification?

The implementing acts under Article 17(12) are designed to answer these questions, ensuring that the recognition process is uniform, efficient, and legally certain across all Member States.

The Examination Procedure (Article 46(2))

The proposal mandates that these implementing acts be adopted via the examination procedure under Article 46(2). This is a specific comitology procedure that ensures a high level of Member State oversight. Under this procedure:

  1. The Commission submits a draft of the implementing act to a committee composed of representatives from each Member State.
  2. The committee votes on the draft.
  3. If the committee delivers a positive opinion, the Commission adopts the act.
  4. If the committee delivers a negative opinion, the Commission cannot adopt the act in its current form. It may either submit a revised draft to the committee, refer the matter to an Appeal Committee, or submit a legislative proposal to the European Parliament and the Council.

This mechanism is crucial for the CADA recognition framework. It prevents the Commission from unilaterally imposing procedural burdens that might be incompatible with national administrative systems. Instead, it forces a consensus-building process where Member States can shape the practical arrangements to ensure they are workable for their national competent authorities. This is particularly important given the cross-border nature of the recognition process, where an authority in one Member State must rely on the cooperation and data exchange of authorities in others.

Scope of the Implementing Acts

While the text of the proposal does not provide an exhaustive list of the content of these acts, the structure of Article 17 strongly suggests the following key areas will be covered:

  • Application Submission Protocols: Defining the technical specifications for the digital submission of the EU statement of conformity (for Level 1) and the audit reports (for Levels 2–4) to the evaluating national competent authority.
  • Cross-Border Collaboration Mechanisms: Establishing the precise workflow for the evaluating authority to request collaboration from other Member States under Article 17(2), including the format for the 15-day response window and the digital channels for confirming or refusing collaboration.
  • Review Period Management: Detailing the logistical handling of the 60-day review period mentioned in Article 17(5)(a). This includes how draft recognition decisions are circulated, how the clock is stopped if further information is requested, and the formal mechanisms for lodging reasoned objections or requests for clarification under Article 17(6) and Article 17(8).
  • Dispute Resolution Procedures: Outlining the step-by-step process for referring matters to the Commission under Article 17(10) when a reasoned objection cannot be resolved between Member States, ensuring a clear path to a binding Commission decision.

Distinction from Delegated Acts

It is vital to distinguish these implementing acts from delegated acts. Article 16(2) empowers the Commission to adopt delegated acts to amend the substantive criteria for Union assurance levels in Annex II or to update the audit evidence requirements in Annex III. Delegated acts are subject to a different control mechanism (scrutiny by the European Parliament and the Council) and can change the rules of the game.

In contrast, the implementing acts under Article 17(12) are strictly procedural. They do not change the criteria for what constitutes a "Union assurance level" but rather define how providers apply for and receive recognition. This distinction is critical for compliance planning: changes to the criteria (via delegated acts) affect the technical and legal requirements for the service, while changes to the procedure (via implementing acts) affect the administrative burden and timeline of the application.

What this means for you

For in-house counsel, compliance officers, and cloud service providers, the reliance on implementing acts under Article 17(12) introduces a period of procedural uncertainty. Until these acts are finalized and published, the exact technical specifications for the recognition application remain undefined.

  • Monitor the Comitology Process: Because these acts require the examination procedure under Article 46(2), their adoption may be subject to negotiation and potential delays within the Member State committee. Stakeholders should monitor the Commission's comitology register and the Official Journal for the publication of these acts. The final text will dictate the precise administrative burden of the recognition process.
  • Prepare for Standardized Interoperability: The implementing acts will likely mandate specific data exchange formats and digital signatures for the interaction between CSPs, auditors, and national authorities. Compliance teams should ensure their internal systems can generate evidence (such as audit trails, conformity statements, and SBOMs) in formats that align with emerging EU digital standards for regulatory reporting.
  • Budget for Administrative Complexity: The recognition process involves multiple actors: the legal entity, the auditing organization (for Levels 2–4), the evaluating national competent authority, and potentially other Member States' authorities. The implementing acts will clarify the communication channels and response times between these parties. Organizations should plan for the administrative overhead of engaging with these multiple jurisdictions, especially if their service spans several Member States.
  • No Fixed Commission Deadline: The proposal does not set a hard statutory deadline for the Commission to adopt these specific implementing acts. This means the timeline for when the "practical arrangements" become legally binding is variable. Your compliance roadmap should include contingency plans for operating under the bare-bones framework of Article 17 until the secondary legislation is in force, potentially relying on national guidance in the interim.

Common misconceptions

  • "The implementing acts define the assurance level criteria." This is incorrect. The substantive criteria for Union assurance levels 1–4 are set out in Annex II of the regulation. The Commission can amend these criteria via delegated acts under Article 16(2), not via the implementing acts under Article 17(12). The Article 17 acts are purely procedural.
  • "Member States can set their own recognition procedures." No. CADA aims to harmonize the recognition process to prevent market fragmentation. While national competent authorities execute the recognition, the practical arrangements are set at the EU level by the Commission's implementing acts to ensure consistency across the Single Market.
  • "The examination procedure allows Member States to veto the acts." Not exactly. Under the examination procedure, a negative opinion from the committee does not automatically block the act. It triggers a referral to the Appeal Committee or allows the Commission to submit a legislative proposal. This nuance is important for predicting the likelihood and timing of the acts' adoption.

Related

This is general information about a draft EU regulation, not legal advice.