Summary
Under the proposed Cloud and AI Development Act (CADA), cloud service providers (CSPs) aiming to serve EU public sector bodies must secure formal recognition under a new sovereignty framework. The process, governed by Articles 16 through 23, requires selecting a target Union Assurance Level (1–4), conducting either a self-assessment (Level 1) or an independent third-party audit (Levels 2–4), and applying to a national competent authority (NCA). Once recognised, providers must register in a central repository and maintain strict ongoing transparency obligations under Article 23, reporting any material changes immediately. Failure to meet the cumulative criteria in Annex II or to report changes can result in the revocation of recognition.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a harmonised Union cloud computing sovereignty framework designed to reduce strategic dependencies and safeguard public order. For cloud service providers, compliance is a prerequisite for accessing the EU public sector market. The framework is built on four distinct Union Assurance Levels, each with escalating requirements regarding establishment, data localisation, personnel citizenship, cybersecurity certification, and freedom from third-country control.
The compliance journey is strictly defined by Articles 16 to 23 of the proposal. Below is a detailed, step-by-step checklist derived directly from the text of the proposal.
Step 1: Select Your Target Union Assurance Level
Before initiating any technical or administrative work, a CSP must determine which assurance level aligns with its target market and operational capabilities. Article 16 establishes the framework comprising four levels, with specific criteria detailed in Annex II.
- Union Assurance Level 1 (Baseline):
  - Establishment: The provider must be established in the Union.
  - Infrastructure & Data: Infrastructure, assets, and customer data (including metadata and telemetry) must remain exclusively within the Union, unless the public sector body explicitly requires otherwise.
  - Cybersecurity: The provider must demonstrate compliance with state-of-the-art cybersecurity standards.
  - Subcontractors: Full transparency is required regarding subcontractors, who must be subject to due diligence and contractual obligations.
  - Third-Country Control: If the provider is subject to third-country control, it must guarantee that no laws in that country require reporting software vulnerabilities to authorities before they are exploited.
  - Assessment Method: Self-assessment (Article 19).
- Union Assurance Level 2 (Substantial):
  - Establishment & Location: The provider and all involved subcontractors must be established in the Union. Infrastructure, assets, and personnel must be located in the Union.
  - Cybersecurity: The service must obtain a European cybersecurity certificate of at least assurance level 'substantial' under the European Cybersecurity Certification Scheme for Cloud Services (EUCS) once established. Until then, national schemes or the highest applicable Union standards apply.
  - AI Training: Data generated by the service cannot be used to train or fine-tune AI systems operated by third countries.
  - Support: Technical and operational support must be initiated and performed exclusively within the Union.
  - Assessment Method: Independent third-party audit (Article 20).
- Union Assurance Level 3 (High - Conditional):
  - Personnel: Personnel involved in the service must be Union citizens. Where appropriate, they must hold national security clearance for classified information.
  - Third-Country Control: The provider and subcontractors must not be subject to third-country control. Exception: A derogation is possible if the Commission adopts an implementing act under Article 18 for a specific third country, provided strict safeguards are met.
  - Cybersecurity: Requires a European cybersecurity certificate of at least assurance level 'substantial'.
  - Support: Technical support must be performed by Union residents and third parties not subject to third-country control.
  - Assessment Method: Independent third-party audit (Article 20).
- Union Assurance Level 4 (High - Strict):
  - Personnel: Personnel must be Union citizens with necessary security clearance.
  - Cybersecurity: Requires a European cybersecurity certificate of at least assurance level 'high'.
  - Third-Country Control: Strict prohibition on third-country control over the provider or subcontractors. No derogations under Article 18 apply at this level.
  - Software Control: The provider must demonstrate effective control over software components, ensuring no third country holds effective control over their design, development, or evolution.
  - Assessment Method: Independent third-party audit (Article 20).
Action Item: Conduct a gap analysis against Annex II. Determine if your current infrastructure, personnel, and supply chain can meet the cumulative criteria for your target level.
Step 2: Conduct Conformity Assessment or Independent Audit
The method of proving compliance is strictly tiered.
- For Level 1 (Self-Assessment): Under Article 19, providers must carry out a conformity self-assessment against the criteria in Annex II. Upon completion, the provider must issue an EU statement of conformity, assuming full responsibility for compliance. This statement must be made publicly available.
- For Levels 2, 3, and 4 (Independent Audit): Under Article 20, providers must undergo independent third-party audits at their own expense.
  - Auditor Selection: The provider must contract an "auditing organisation" that is independent, free of conflicts of interest, and possesses proven technical competence.
  - Cooperation: The provider must cooperate fully, granting access to all relevant data and premises, and answering oral or written questions.
  - Outcome: The audit must result in an audit report and a "positive" audit opinion. The report must include a declaration of interests, methodology, findings, and the specific assurance level achieved.
  - Annual Review: Providers must submit the audit report and opinion for annual review to confirm continued compliance.
Action Item: If targeting Level 1, document your internal controls and draft the EU statement of conformity. If targeting Levels 2–4, engage an accredited auditing organisation and prepare evidence for a rigorous audit, including Software Bills of Materials (SBOMs) and personnel records.
Step 3: Apply for Recognition
Technical compliance alone is insufficient; formal recognition by a national authority is mandatory. Article 17 outlines the recognition mechanism.
- Submission: Submit an application to the national competent authority (NCA) of your establishment.
  - Level 1: Include the EU statement of conformity and necessary evidence.
  - Levels 2–4: Include the audit report and the "positive" audit opinion.
  - Note: For SMEs, the Level 1 statement is directly and automatically recognised in all Member States without prior NCA review.
- Evaluation: The evaluating NCA has 60 days to assess the evidence. It may request further information, suspending the clock for up to 30 days.
- Union Review: If the NCA intends to recognise the service, it notifies other Member States for a 60-day review period. Other NCAs may submit reasoned objections.
- Decision:
  - If no objections are raised, the service is recognised throughout the Union.
  - If objections are raised, the evaluating NCA must assess them. If disagreement persists, the matter may be referred to the Commission for a binding decision.
Action Item: Prepare a complete application dossier. Engage with your NCA early to understand local procedural nuances and ensure your evidence meets the specific requirements of Annex II.
Step 4: Register in the Central Repository
Once recognised, the service must be listed in the central repository to be visible to public sector buyers. Article 22 mandates the Commission to establish and maintain a central repository of recognised services.
- Registration: The NCA that granted recognition is responsible for registering the service in the repository.
- Public Access: The repository is publicly available and regularly updated.
- Revocation: If a recognition is revoked, this must be published in the repository and remain available for five years.
Action Item: Monitor the central repository to ensure your service is correctly listed and that your status reflects your current compliance level.
Step 5: Maintain Ongoing Transparency and Compliance
Compliance is a continuous obligation, not a one-time event. Article 23 imposes strict transparency duties on recognised providers.
- Notification of Material Changes: As soon as a provider becomes aware of any information or material change in circumstances that may affect the audit report, the "positive" opinion, or the recognition, it must immediately notify:
  - The auditing organisation.
  - The national competent authority of establishment.
- Reassessment: The auditing organisation must assess whether the audit report or opinion needs to be amended or revoked based on the notification.
- Authority Action: The NCA must then assess whether its recognition needs to be amended or revoked. If revoked, the change is published in the central repository.
Action Item: Establish internal monitoring processes to detect material changes in infrastructure, subcontractors, control structures, or personnel. Implement a clear protocol for immediate notification to auditors and authorities.
What this means for you
For cloud service providers, the CADA compliance checklist represents a fundamental shift from voluntary "sovereign cloud" marketing claims to a legally binding, audited status.
- Operational Restructuring: Providers relying on global support centres or third-country subcontractors for Levels 2–4 will face significant restructuring costs. Technical support must be performed exclusively within the Union, and personnel requirements (Union citizenship) for Levels 3 and 4 may necessitate hiring or reassigning staff.
- Audit Readiness: The requirement for independent audits means providers must maintain "audit-ready" documentation at all times. This includes detailed SBOMs, evidence of data localisation, and proof of personnel citizenship and location.
- Strategic Positioning: Providers must decide if Level 1 is sufficient for their market or if the higher barriers to entry for Levels 2–4 offer a competitive advantage in critical sectors like defence, justice, and law enforcement.
- Cost Implications: The costs of independent audits, restructuring, and potential loss of economies of scale from data localisation must be factored into pricing. However, access to the EU public sector market, which is increasingly mandated to use these levels, may offset these costs.
Common misconceptions
"Compliance is a one-time certification." No. Article 23 establishes an ongoing obligation. Providers must continuously monitor their operations and immediately report any material changes. Failure to do so can lead to the revocation of recognition.
"Level 1 is just a self-declaration with no oversight." While Level 1 relies on self-assessment, the provider issues a legally binding EU statement of conformity and assumes full responsibility. Furthermore, the NCA reviews the application, and providers are subject to penalties for infringements under Article 24.
"Third-country providers can never qualify." While Levels 2–4 generally prohibit third-country control, Article 18 allows the Commission to adopt implementing acts for specific third countries that meet strict criteria (e.g., adequacy decisions, no measures to compel service degradation). However, this is an exception, not the rule, and does not apply to Level 4.
"Only EU-based providers are affected." The definition of "cloud computing service provider" in Article 2(2) is broad. Any legal entity providing cloud services to EU public sector bodies must comply if it seeks recognition. Non-EU providers face significant hurdles, particularly regarding data localisation and personnel requirements.
Official sources
This is general information about a draft EU regulation, not legal advice.