Summary

The central repository is a publicly available, EU-wide register that the European Commission would establish and maintain to list cloud computing services recognised as offering a Union assurance level. As proposed in Article 22(1) of the Cloud and AI Development Act (CADA), it would catalogue services that have been recognised under Article 17 at one of four assurance levels (1 to 4). It is designed to give public-sector buyers a single, transparent place to see which services have been formally recognised and at what level, so they can match a service to the sovereignty requirements of their use case. CADA is a draft proposal (COM(2026) 502 final), so none of this is in force yet.

Detail

CADA proposes a Union cloud computing sovereignty framework built around four "Union assurance levels," whose criteria are set out in Annex II. To make that framework usable in practice, Article 22 would create a central repository of cloud computing services: a record of which services have actually been recognised, by whom, and at what level.

Legal basis and scope

The repository is established under Article 22(1), which provides that "The Commission shall establish and maintain a dedicated repository of cloud computing services that have been recognised in accordance with Article 17 ('central repository')."

Two points follow from that wording. First, the obligation to build and run the repository falls on the Commission. Second, the repository covers only services that have completed the Article 17 recognition process. Recognition confirms that a service meets the cumulative criteria for a specific Union assurance level (1, 2, 3 or 4) in Annex II. A service that has never sought recognition would not appear.

Recital 57 explains the purpose: a central repository is described as necessary to facilitate the secure and efficient storage, access and exchange of relevant information between public-sector customers, auditing organisations, competent authorities and the Commission.

How services reach the repository

Listing follows recognition; it is not a separate application:

  1. A cloud computing service provider applies for recognition to the national competent authority of establishment (Article 17(1)).
  2. The provider submits the required evidence: for Union assurance level 1, an EU statement of conformity from a conformity self-assessment (Article 19); for levels 2, 3 and 4, an audit report and a "positive" audit opinion from an independent auditing organisation (Article 20).
  3. The evaluating national competent authority assesses the evidence and, where satisfied, adopts a recognition decision, with other Member States given a review period to object (Article 17(5)-(7)).
  4. Article 22(2) then requires the national competent authority of establishment that recognised the service to register it in the central repository.

So the repository is populated by national authorities but hosted centrally by the Commission, which keeps it consistent and accessible across the Union.

Public availability

Article 22(4) provides that "The central repository shall be publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website." This public access is what lets potential customers, particularly public-sector bodies, see which services have been recognised and at which level without conducting separate due diligence in each Member State.

Revocations are also published

The repository would record loss of status, not just current recognitions. Article 22(3) provides that the revocation of an audit report and audit opinion by an auditing organisation, or the revocation of a recognition by a competent authority, "shall be published in the central repository and shall remain available there for five years." This historical record is intended to keep past compliance failures visible rather than letting them disappear quietly.

Link to public procurement

The repository underpins CADA's public-procurement rules. Under Article 30, as proposed, Union entities and public-sector bodies whose activities are not identified as contributing to the preservation of public order would have to use services recognised under Article 17 at Union assurance level 1; contracting authorities whose activities are identified as public-order-relevant (for example national security, defence, justice or law enforcement) would have to procure only services recognised at level 2, 3 or 4. The repository is the place where a buyer can confirm that a service holds the necessary recognition.

Who is responsible for what

The repository involves a deliberate division of labour, which is worth keeping straight:

  • The Commission establishes and maintains the repository and ensures it is publicly available on a dedicated website (Article 22(1), (4)).
  • The national competent authority of establishment assesses each application, takes the recognition decision (Article 17), registers the recognised service (Article 22(2)), and publishes revocations (Article 22(3)).
  • For levels 2 to 4, independent auditing organisations produce the audit report and opinion the authority relies on (Article 20), and conduct the annual reviews that keep a recognition current (Article 20(8)).

The repository is therefore "central" in visibility and access, but the substantive decisions behind each entry are taken at national level and by independent auditors. This matters when reading an entry: the Commission has not vouched for the technical detail of a service; it has hosted the recognised-status record produced by the responsible authority.

How an entry changes over time

A repository entry is not static. For audited levels, the annual review under Article 20(8) can confirm, update or revoke the underlying report and opinion. If a provider reports a material change under Article 23, the auditing organisation and the authority reassess, and the recognition may be amended or revoked. Where a recognition or audit report/opinion is revoked, that revocation is published and stays visible for five years (Article 22(3)). The repository is thus best understood as a living record of recognised status rather than a one-time certificate list.

What this means for you

For a public-sector procurement officer or legal adviser, the central repository would become the reference point for sovereignty compliance.

Simpler vendor checks. Rather than independently verifying each provider's sovereignty claims, you could check whether a service is listed and at what level. A recognition granted in one Member State and registered in the repository is valid across the Union.

A historical risk signal. Because revoked recognitions stay visible for five years (Article 22(3)), you can see whether a service previously lost its status, which may inform how you weigh it against alternatives.

Match the level to your risk assessment. Listing alone is not enough: you need the right level for your activity, in line with the risk assessment that determines whether level 1 or levels 2-4 apply (Articles 29 and 30).

Keep monitoring. Recognition is not permanent. Providers must report material changes under Article 23, and a recognition can be amended or revoked. It would be prudent to check the repository during the life of a contract, not only at award.

Common misconceptions

"The repository lists every cloud provider in the EU." No. It lists only services recognised under Article 17 at a Union assurance level. Providers that have not sought recognition simply do not appear; their absence does not make them unlawful, but it does mean they are not "recognised" for CADA's procurement rules.

"Being listed means a service is 'sovereign' in an absolute sense." The listing records a specific assurance level. Level 1 is the baseline (EU establishment, EU-located infrastructure and data unless the public body requires otherwise, state-of-the-art cybersecurity, subcontractor transparency); levels 2 to 4 add cumulative criteria. A level 1 service is not interchangeable with a level 3 or 4 service for higher-risk activities. Note too that level 1 expressly contemplates providers under third-country control, subject to its conditions in Annex II, so a listing does not by itself mean "no third-country control."

"The Commission verifies every technical detail of each service." The Commission runs the repository, but the substantive assessment is done by national competent authorities and, for levels 2 to 4, by independent auditing organisations (Articles 17, 20). The Commission's role is to keep the repository accessible, updated and consistent.

"Only public bodies can use it." The repository is publicly available (Article 22(4)), so anyone can consult it. The binding procurement obligations in Article 30, however, fall on contracting authorities and Union entities; private-sector use is voluntary.

This is general information about a draft EU regulation, not legal advice.