CADA Recognition Process

Summary The proposed Cloud and AI Development Act (CADA) establishes a mandatory, harmonised recognition procedure for cloud computing service providers (CSPs) seeking "Union assurance levels" of sovereignty. As proposed in Article 17, the process is centralised: a provider submits an application to the national competent authority of its main establishment. That authority has 60 days to assess the evidence. If sufficient, a draft decision is issued and circulated to all other Member States for a 60-day cross-border review. If no reasoned objections are raised, the service is automatically recognised across the entire Union. This mechanism ensures a "single market" for sovereign cloud, where recognition in one Member State grants validity in all others, eliminating the need for duplicate national certifications.

Detail

The CADA recognition process is the administrative backbone of the proposed sovereignty framework. Unlike voluntary certification schemes, this is a statutory procedure where a cloud provider must be formally recognised by a national authority to be listed in the central repository and become eligible for public sector procurement under Article 30.

The process is governed strictly by Article 17 of the proposal. It is designed to be efficient yet rigorous, balancing the need for speed with the necessity of cross-border trust. Below is the definitive step-by-step breakdown of how this process functions as proposed.

Step 1: Preparing Evidence and Submitting the Application

The process initiates when a cloud computing service provider (CSP) decides to seek recognition for a specific Union assurance level (Level 1, 2, 3, or 4). The CSP must first gather the requisite evidence demonstrating compliance with the criteria set out in Annex II.

• For Union Assurance Level 1: The provider must conduct a conformity self-assessment and issue an "EU statement of conformity" as detailed in Article 19.
• For Union Assurance Levels 2, 3, and 4: The provider must undergo an independent third-party audit. They must obtain an audit report and a "positive" audit opinion from an accredited auditing organisation, as detailed in Article 20.

Once the evidence is compiled, the CSP submits an application for recognition to the national competent authority of establishment. This is the authority in the Member State where the provider has its main establishment (head office or registered office).

Citation: Article 17(1) states: "A cloud computing service provider that aims to be recognised as offering a Union assurance level, shall submit an application for recognition to the national competent authority of establishment. When submitting an application for recognition, the cloud computing service provider shall include all the relevant evidence required under paragraphs 3 or 4."

The application content depends on the target level:

• Level 1: Must include the EU statement of conformity and all necessary evidence (Article 17(3)).
• Levels 2–4: Must include the audit report, the "positive" audit opinion, and all evidence provided to the auditing organisation during the audit procedure (Article 17(4)).

Special Derogation for SMEs: The proposal includes a specific acceleration mechanism for Small and Medium-sized Enterprises (SMEs). If an SME issues an EU statement of conformity for Level 1, it is directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority. This bypasses the standard assessment and review timeline entirely for this specific category (Article 17(3), second subparagraph).

Step 2: The 60-Day National Assessment

Upon receipt of a complete application, the national competent authority of establishment assumes the role of the "evaluating national competent authority." This authority is bound by a strict statutory deadline to assess the submitted evidence.

Citation: Article 17(5) states: "Within 60 days of accepting an application pursuant to paragraph 1, the evaluating national competent authority shall assess the evidence submitted pursuant to paragraphs 3 or 4..."

During this 60-day window, the authority must take one of three specific actions:

1. Prepare a Draft Recognition Decision: If the evidence is deemed sufficient, the authority prepares a draft decision to recognise the service. It must then notify the competent authorities of all other Member States to initiate a 60-day review period. This notification must include the evidence submitted by the provider (Article 17(5)(a)).
2. Request Further Information: If the evidence is insufficient, the authority may request additional information from the applicant. The applicant must submit this within a specified timeframe. Crucially, the 60-day assessment clock is suspended from the date the request is issued until the information is received. This suspension is capped at 30 days in total, unless justified by the nature of the information or exceptional circumstances (Article 17(5)(b)).
3. Reject the Request: The authority may reject the application. However, procedural fairness is mandated: before rejecting, the authority must give the CSP the opportunity to provide written comments on the evaluation conclusions within 30 days. The authority must take these comments into account when finalising its decision (Article 17(5)(c)).

Step 3: The 60-Day Cross-Border Review

If the evaluating authority prepares a draft recognition decision, the process enters a critical cross-border phase. This step ensures that the recognition is consistent with Union-wide standards and prevents "regulatory arbitrage" where a provider might be recognised in one state but not meet standards in another.

Citation: Article 17(6) states: "During the review period referred to in paragraph 5, point (a), the national competent authority of another Member State may submit a reasoned objection or request for clarification to the evaluating national competent authority, where it considers that the draft recognition decision does not comply with the applicable Union assurance level set out in Annex II."

During this 60-day review period, other Member States can intervene in two distinct ways:

1. Request for Clarification: A Member State may ask for clarification regarding the draft decision. The evaluating authority must consider this request. It may then request new information from the applicant (triggering a suspension of the clock as per Step 2) or confirm/modify its original draft. If the requesting authority remains unsatisfied after clarification, it may escalate to a reasoned objection (Article 17(8)).
2. Reasoned Objection: A Member State may submit a formal, reasoned objection if it believes the draft decision fails to comply with the Union assurance level criteria defined in Annex II.

Step 4: Handling Objections and Finalising Recognition

The outcome of the process depends on whether objections are raised during the review period.

Scenario A: No Objections If no reasoned objections or requests for clarification are submitted within the 60-day review period, the process concludes automatically. The conclusions by the evaluating national competent authority are deemed accepted by all Member States. The authority adopts the recognition decision, and the service is recognised throughout the Union at the appropriate assurance level (Article 17(7)).

Scenario B: Objections Raised If a reasoned objection is submitted, the evaluating national competent authority must assess it. It has two options:

1. Maintain the Draft Decision: The authority decides to keep its original decision despite the objection.
2. Revoke the Draft Decision: The authority withdraws its decision if it agrees with the objection.

The evaluating authority must inform all other competent authorities of its decision within 15 days after the end of the review period (or within 15 days after receiving the objection, if the objection was raised after a clarification request) (Article 17(9)).

Step 5: Escalation to the Commission

If the evaluating authority intends to maintain its draft decision despite a reasoned objection from another Member State, the objecting authority has a right of escalation to the European Commission. This ensures that disputes between national authorities do not stall the single market.

Citation: Article 17(10) states: "In case the evaluating national competent authority intends to maintain its draft decision, the concerned national competent authority may refer the matter to the Commission. The Commission shall assess the referral and may request information from the national competent authorities concerned. The Commission shall adopt a binding decision determining whether the evaluating national competent authority may adopt the recognition decision."

The Commission acts as the final arbiter. It may request information from the involved authorities and will issue a binding decision determining whether the recognition can proceed. This mechanism guarantees that a single Member State cannot unilaterally block a Union-wide recognition without a binding EU-level resolution.

Step 6: Union-Wide Recognition and Publication

Once the recognition decision is adopted—whether automatically after the review period, following the evaluating authority's decision to maintain the draft, or after a Commission binding decision—the cloud computing service achieves Union-wide recognition.

The national competent authority of establishment must then register the service in the central repository maintained by the Commission, as established under Article 22. This repository is publicly available and serves as the definitive list of recognised sovereign cloud services. Public sector bodies and Union entities will consult this repository to identify compliant providers for procurement under Article 30.

What this means for you

For cloud service providers, data centre operators, and their legal/compliance teams, the CADA recognition process represents a shift from voluntary market differentiation to a mandatory, state-backed gatekeeping mechanism for public sector contracts.

• Strategic Timing is Critical: The 60-day assessment clock is strict but can be paused. If your application is incomplete, the clock stops, and you risk significant delays. Ensure your audit reports (for Levels 2–4) or self-assessments (for Level 1) are robust and fully documented before submission.
• Single Point of Entry: You only apply to the authority in your country of main establishment. You do not need to apply in every Member State where you have customers. This "one-stop-shop" approach is the core efficiency of the proposal.
• Prepare for Cross-Border Scrutiny: Even if your national authority is supportive, other Member States have a 60-day window to object. If you operate in sensitive sectors (e.g., defence, law enforcement), be prepared for heightened scrutiny from other national authorities.
• SME Advantage: If you are an SME targeting Level 1, the process is significantly faster. Your statement of conformity is automatically recognised across the EU, bypassing the 60-day assessment and the 60-day cross-border review. This is a major competitive advantage for smaller EU-based providers.
• The Commission is the Final Arbiter: If a Member State objects to your recognition, the dispute does not end at the national level. The Commission can issue a binding decision. This provides a layer of legal certainty but also means that political or regulatory disagreements between states can escalate to Brussels.

Common misconceptions

• Misconception 1: "Recognition is immediate once I get a positive audit."
  • Reality: No. A positive audit opinion is a prerequisite, but it is not the final step. You must still submit an application to the national competent authority. The authority has up to 60 days to assess it, followed by a mandatory 60-day review period by other Member States. The total timeline can easily exceed four months.
• Misconception 2: "I need to apply for recognition in every EU country where I sell services."
  • Reality: No. The process is centralised. You apply only to the competent authority of your main establishment. Once recognised, the status is valid across the entire Union. This is the fundamental "single market" benefit of CADA.
• Misconception 3: "A rejection by a national authority is final and unappealable."
  • Reality: While Article 17 does not detail a formal judicial appeal process within the text, it mandates a procedural safeguard: the authority must allow the provider to submit written comments before rejecting (Article 17(5)(c)). Furthermore, if the matter involves an objection from another Member State, the Commission's binding decision serves as a higher-level resolution mechanism.
• Misconception 4: "Level 1 requires an independent audit like Levels 2–4."
  • Reality: No. Level 1 is based on a self-assessment and an EU statement of conformity. Only Levels 2, 3, and 4 require independent third-party audits. This distinction is crucial for providers seeking a lower barrier to entry for non-critical public sector work.

Official sources

• Cybersecurity Act (Regulation (EU) 2019/881)

Related

• CADA Recognition vs EUCS: Key Differences for Cloud Providers
• CADA Recognition Timeline: How long does the process take?
• CADA Recognition: SMEs vs Large Providers – Automatic Level 1 vs Full Audit
• Can a CADA recognition be revoked? Grounds, process and consequences
• Which CADA tier should a public-sector buyer require? A guide to Union Assurance Levels

This is general information about a draft EU regulation, not legal advice.