Summary
As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) mandates the European Commission to establish and maintain a central repository of cloud computing services formally recognised as meeting specific Union assurance levels. This public database, required by Article 22, serves as the single source of truth for public-sector buyers to identify trusted providers. Once a national competent authority grants recognition under Article 17, it is legally obligated to register the service in this repository. This mechanism ensures transparency, prevents market fragmentation, and allows buyers to verify that a provider meets the sovereignty criteria required for their specific use case before procurement.
Detail
The proposed Cloud and AI Development Act (CADA) introduces a harmonised framework designed to mitigate risks associated with dependence on third-country cloud providers and to strengthen the EU's technological sovereignty. A cornerstone of this framework is the creation of a transparent, accessible, and centralised registry of cloud services that have passed rigorous sovereignty and security assessments. This repository is not merely a passive list; it is a functional governance tool that bridges the gap between technical audits and public procurement decisions.
Legal Basis and Establishment
The requirement for this repository is explicitly set out in Article 22 of the CADA proposal. Article 22(1) mandates that the Commission "shall establish and maintain a dedicated repository of cloud computing services that have been recognised in accordance with Article 17."
The legislative intent, as reflected in Recital 57 of the proposal, is to facilitate the "secure and efficient storage, access and exchange of relevant information between public sector customers of services offering Union assurance levels, auditing organisations, competent authorities and the Commission." By centralising this data, the proposal aims to eliminate the current fragmentation where Member States might maintain disparate national lists, thereby creating a unified market for sovereign cloud services.
The Registration Process: A Chain of Accountability
The population of the repository is directly linked to the recognition process detailed in Article 17. The workflow creates a clear chain of accountability that ensures data integrity:
- Application: A cloud computing service provider submits an application for recognition to the national competent authority of its establishment, providing evidence of compliance with the relevant Union assurance level (Levels 1 through 4).
- Evaluation and Recognition: The evaluating national competent authority assesses the evidence. If the criteria are met, the authority adopts a recognition decision. Under Article 17(7), if no reasoned objection is raised by other Member States during the review period, the service is recognised throughout the Union.
- Mandatory Registration: Crucially, the provider does not register itself. Article 22(2) stipulates that the "national competent authority of establishment that recognised a cloud computing service under Article 17 shall register the cloud computing service in the central repository."
This distinction is vital: the registration is an official act performed by the competent authority, confirming that the recognition process has been completed successfully and that the service is eligible for the EU-wide market.
Content, Transparency, and Accessibility
The repository is designed to be a public-facing resource. Article 22(4) states that the central repository "shall be publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website."
The repository will contain details of services recognised under Union assurance levels 1, 2, 3, and 4. Each level corresponds to increasingly stringent criteria regarding data localisation, personnel citizenship, cybersecurity certification, and freedom from third-country control, as detailed in Annex II of the proposal. For a public buyer, the repository provides immediate visibility into which providers have been audited and recognised for specific sovereignty levels.
Revocation and Historical Transparency
The repository also serves a critical enforcement function by tracking negative outcomes and ensuring historical transparency. Article 22(3) specifies that the "revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years."
This five-year retention period is significant. It ensures that if a provider fails to maintain compliance, loses its audit opinion, or has its recognition withdrawn due to incorrect information or a material change in circumstances, this information remains visible to the market. This prevents a provider from simply re-applying immediately after a failure without the market being aware of the historical non-compliance, thereby aiding risk assessments by future buyers.
Role in Public Procurement
For public sector buyers, the repository is the primary reference point for compliance with Article 30 of the CADA proposal. Article 30(2) requires Union entities and public sector bodies whose activities do not contribute to public order to use services recognised at Union assurance level 1. Article 30(3) mandates that contracting authorities whose activities do contribute to public order must procure only services recognised at levels 2, 3, or 4.
By consulting the central repository, buyers can verify that a provider holds the necessary assurance level before awarding a contract. The repository thus bridges the gap between the technical audit process and the practical procurement process. It provides the legal certainty needed for public authorities to rely on the recognised status of a service, knowing that the Commission and national authorities have overseen the registration and that the data is current.
What this means for you
For public-sector procurement officers, IT decision-makers, and compliance teams, the central repository represents a significant simplification of vendor due diligence. Instead of conducting individual, fragmented assessments of provider sovereignty claims or relying on self-declared statements, you will have access to a harmonised, EU-wide list of validated services.
Key actions and considerations:
- Verification of Status: Before issuing tenders for cloud services, you must consult the central repository to identify providers that hold a valid recognition. This is particularly critical for activities identified as contributing to public order, which require Union assurance levels 2, 3, or 4. Relying on a provider not listed in the repository for these activities would constitute a breach of Article 30.
- Reliance on Recognition: The repository provides a level of legal certainty. If a service is listed as recognised at a specific assurance level, you can rely on this status for procurement purposes, subject to the specific requirements of your risk assessment under Article 29. The repository acts as the definitive proof of compliance with the sovereignty framework.
- Monitoring for Changes: You should monitor the repository for updates. If a provider's recognition is revoked, this will be published in the repository. Your contracts should include clauses that allow for termination or migration if a provider's recognised status is lost, ensuring continuity of service and ongoing compliance.
- SME Advantage: Note that for Union assurance level 1, SME providers can issue an EU statement of conformity that is directly and automatically recognised without prior recognition by the competent authority (Article 17(3)). While the repository will list recognised services, the mechanism for SMEs at Level 1 is slightly streamlined. However, once recognised, they are still registered in the central repository to ensure visibility.
The repository aims to reduce the administrative burden on public buyers by providing a single, authoritative source of information. It supports the CADA's broader goal of increasing the uptake of sovereign cloud services by making trusted European providers easily identifiable and verifiable.
Common misconceptions
Misconception 1: The repository lists all cloud providers in the EU. Correction: The repository only lists cloud computing services that have successfully completed the recognition process under Article 17 and have been registered by the national competent authority. It does not include providers that have not applied for recognition, those whose applications have been rejected, or those that only offer services below the minimum assurance level required for public procurement.
Misconception 2: Listing in the repository guarantees compliance with all EU laws. Correction: The repository confirms that a service meets the specific sovereignty and security criteria for the assigned Union assurance level (Levels 1-4) as defined in Annex II. It does not replace other compliance obligations, such as those under the GDPR, the AI Act, or the NIS2 Directive. Providers must still comply with all applicable EU legislation; the repository is specific to the CADA sovereignty framework.
Misconception 3: Providers register themselves directly. Correction: According to Article 22(2), it is the national competent authority of establishment that registers the service in the central repository after granting recognition. Providers do not self-register; the registration is an official act following the authority's decision, ensuring the data is verified by a public body.
Misconception 4: Revocations are removed immediately. Correction: Article 22(3) states that revocations of recognition or audit opinions must remain published in the repository for five years. This ensures transparency and allows buyers to see historical compliance issues, preventing providers from "hiding" past failures by simply re-applying.
This is general information about a draft EU regulation, not legal advice.