Summary

Under the proposed Cloud and AI Development Act (CADA), conformity self-assessment is the exclusive compliance mechanism for cloud computing service providers seeking recognition at Union assurance level 1. As mandated by Article 19, providers must independently evaluate their services against the specific sovereignty criteria in Annex II and issue a formal EU statement of conformity. This self-declaration serves as the primary evidence for recognition. Unlike higher assurance levels (2, 3, and 4), which require independent third-party audits, level 1 relies on the provider's own verification, subject to national competent authority oversight and potential market surveillance.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised Union cloud computing sovereignty framework designed to safeguard the Union's public order, data confidentiality, and operational autonomy. This framework categorises cloud services into four distinct Union assurance levels, each with progressively stricter requirements regarding establishment, infrastructure location, personnel, and third-country control.

Conformity self-assessment is the specific, streamlined compliance pathway designated for Union assurance level 1. This level represents the baseline of trust required for public sector cloud procurement where activities do not contribute to the preservation of public order in the most critical sectors. The legislative intent behind self-assessment is to lower administrative barriers for providers while ensuring a minimum standard of sovereignty (specifically regarding EU establishment, data localisation, and cybersecurity) without the immediate cost and complexity of a full third-party audit.

The Legal Basis: Article 19

The procedural requirements for this mechanism are codified in Article 19 of the CADA proposal. The article establishes a clear, three-step obligation for any cloud computing service provider aiming to be recognised as offering Union assurance level 1.

1. Mandatory Self-Assessment

Pursuant to Article 19(1), the regulation states:

"Cloud computing service providers seeking recognition in accordance with Article 17 as offering Union assurance level 1, shall carry out a conformity self-assessment of compliance with the criteria for Union assurance level 1 set out in Annex II."

This provision places the onus of verification squarely on the provider. The provider cannot delegate the legal act of assessment to an external auditor for the purpose of establishing level 1 status. The assessment must rigorously cover all cumulative criteria defined for level 1 in Annex II, Section 1, which include:

  • Establishment: The provider must be established in the Union.
  • Infrastructure Location: All infrastructure and assets, including those of subcontractors involved in the service, must be located in the Union (unless the public sector body explicitly requires otherwise).
  • Data Localisation: Customer data, including metadata and telemetry, must remain exclusively within the Union.
  • Cybersecurity: The service must comply with state-of-the-art cybersecurity standards.
  • Subcontractor Transparency: Full transparency regarding subcontractors, subject to due diligence and ongoing oversight.
  • Third-Country Control: If subject to third-country control, the provider must guarantee no laws require reporting vulnerabilities prior to exploitation.

2. Issuing the EU Statement of Conformity

Upon completing the self-assessment, Article 19(2) mandates the formalisation of the result:

"Following the self-assessment referred to in paragraph 1, the cloud computing service provider shall issue an EU statement of conformity stating that compliance with the criteria for Union assurance level 1 have been demonstrated. By issuing such a statement, the cloud computing service provider shall assume responsibility for the compliance of the cloud computing service with the criteria for Union assurance level 1 set out in Annex II."

The EU statement of conformity is a binding legal document, not a marketing brochure. By issuing it, the provider explicitly assumes full legal responsibility for the accuracy of the claims. This statement becomes the cornerstone of the recognition application submitted to the national competent authority of establishment under Article 17.

3. Public Availability

Transparency is a core pillar of the framework. Article 19(3) requires:

"The cloud computing service provider shall make the EU statement of conformity publicly available."

This ensures that public sector buyers, auditors, and other stakeholders can verify a provider's claimed status without needing to request private documentation. This public availability is a prerequisite for the provider to be listed in the central repository of recognised services established under Article 22.

Integration with the Recognition Process

While Article 19 governs the assessment and declaration, the broader recognition mechanism is detailed in Article 17. Once a provider has completed the self-assessment and issued the EU statement of conformity, they must submit this evidence to the national competent authority of establishment.

The process diverges based on the size of the provider:

  • For SMEs: Article 17(3) provides a significant simplification. It states that the EU statement of conformity issued by SMEs "shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." This creates an immediate, Union-wide validity for small and medium-sized enterprises.
  • For Non-SMEs: The competent authority must assess the submitted evidence. If satisfied, it prepares a draft recognition decision, which is then notified to other Member States for a 60-day review period to ensure consistency across the Union.

Distinction from Higher Assurance Levels

It is critical to distinguish the self-assessment pathway from the requirements for Union assurance levels 2, 3, and 4. As outlined in Article 20, providers seeking these higher levels must undergo independent third-party audits. They cannot rely on self-assessment.

For levels 2, 3, and 4, the provider must contract an independent auditing organisation to verify compliance with stricter criteria (such as Union citizenship for personnel, advanced cybersecurity certification, and strict separation from third-country control). The outcome of this process is an audit report and a 'positive' audit opinion, not a self-issued statement of conformity. Therefore, conformity self-assessment is exclusively the domain of level 1 providers, serving as the entry point for the sovereignty framework.

What this means for you

If you are a cloud service provider targeting the EU public sector, understanding the conformity self-assessment process is essential for market access under the proposed CADA.

1. Establish Robust Internal Governance

You must implement internal processes capable of verifying compliance with Annex II, Section 1. This requires documented evidence, not just assertions. You need to prove:

  • Your legal entity is established in the EU.
  • Your physical infrastructure (servers, storage, backup) is located within the Union.
  • Your subcontractors meet the same location and establishment criteria.
  • Your data flows are strictly contained within the Union unless explicitly authorised by the customer.
  • You have implemented state-of-the-art cybersecurity measures.

2. Draft the EU Statement of Conformity Carefully

You must prepare a formal EU statement of conformity. This document must explicitly declare that you have assessed your service against the level 1 criteria and found them compliant. Accuracy is paramount. Under Article 24, providing incorrect or misleading information can lead to penalties, and under Article 17(11), recognition can be revoked if the provider intentionally or negligently supplied incorrect information.

3. Ensure Public Disclosure

You are legally required to publish this statement. This could be on your website, in your sales documentation, or in a dedicated transparency portal. Public sector buyers will likely check the central repository (managed by the Commission under Article 22) or your public disclosures to verify your status before procurement.

4. Navigate the Submission Process

Unless you qualify as an SME, you must submit your statement and supporting evidence to your national competent authority. Be prepared for a review process where the authority may request clarification. If you are an SME, your statement is automatically recognised, but you must remain vigilant as competent authorities retain the power to investigate under Article 26 if non-compliance is suspected.

5. Maintain Ongoing Compliance

Compliance is not a one-time event. Under Article 23, you have transparency obligations to report any material changes in circumstances that may affect your compliance. If your infrastructure moves, your subcontractor structure changes, or you are subject to new third-country laws, you must notify the competent authority. Failure to do so could result in the amendment or revocation of your recognition.

Common misconceptions

Misconception 1: Self-assessment means no oversight. Reality: While you conduct the assessment internally, the process is subject to regulatory oversight. National competent authorities have investigative powers under Article 26 to verify your claims. If you are found to have provided incorrect or misleading information, your recognition can be revoked, and you may face penalties under Article 24.

Misconception 2: I can use self-assessment for level 2 or 3. Reality: No. Self-assessment is strictly for Union assurance level 1. Levels 2, 3, and 4 require independent third-party audits by accredited organisations under Article 20. Attempting to self-assess for a higher level will result in rejection by competent authorities.

Misconception 3: The EU statement of conformity is a one-time document. Reality: Compliance is ongoing. Under Article 23, you must report material changes. If your infrastructure moves or your subcontractor structure changes, you must notify the competent authority and potentially amend or revoke your statement.

Misconception 4: Only large providers need to worry about this. Reality: All providers seeking to sell to the public sector must comply. SMEs have a distinct advantage with automatic recognition under Article 17(3), but they must still ensure their internal controls are strong enough to generate a valid self-assessment and statement of conformity.

This is general information about a draft EU regulation, not legal advice.