Summary

The proposed Cloud and AI Development Act (CADA) establishes a central repository as the single, publicly accessible digital register of cloud computing services officially recognised as meeting EU sovereignty standards. Under Article 22, the European Commission must maintain this database, which lists services recognised at Union assurance levels 1 through 4. For public procurement, this repository is the definitive "source of truth": Article 30 mandates that contracting authorities generally procure only from services listed here. Crucially, Article 30(4)(a) ties a key derogation (exception) to the absence of a suitable service in the repository: a buyer may depart from the recognised-services rule only by showing that no listed service can supply what the tender requires and that no adequate alternative exists. This mechanism drives market uptake by making non-listed services administratively difficult to procure.

Detail

The central repository is a cornerstone of CADA's strategy to reduce the EU's dependence on non-European cloud providers and to create a transparent, level playing field for European cloud computing service providers. It functions as the operational heart of the sovereignty framework established in Title IV of the proposal.

What is the central repository?

As proposed in Article 22, the European Commission is required to establish and maintain a dedicated repository of cloud computing services that have been recognised in accordance with Article 17. This recognition process confirms that a cloud service meets the criteria for one of the four "Union assurance levels" (levels 1, 2, 3, or 4), which are defined in Annex II of the proposal. These levels represent increasing degrees of sovereignty, data localisation, and protection against third-country access.

The repository is not a static list but a dynamic, regularly updated database. It is designed to be publicly available and easily accessible via a dedicated website. Its primary purpose is to provide transparency and legal certainty for public-sector bodies (contracting authorities) and Union entities that are legally obligated to procure cloud services from recognised providers.

How does it work?

The mechanism for populating the repository is decentralised but coordinated:

  1. Recognition: A cloud computing service provider submits an application for recognition to the national competent authority of the Member State in which it is established. For Union assurance level 1, this involves a self-assessment and an EU statement of conformity. For levels 2, 3, and 4, it requires an independent third-party audit resulting in a "positive" audit opinion.
  2. Registration: Once the national competent authority grants recognition, it is obligated to register the cloud computing service in the central repository maintained by the Commission.
  3. Public Access: The Commission ensures the repository is publicly available. This allows any contracting authority across the EU to search for and identify which services are legally compliant for their specific procurement needs.

The repository also handles negative outcomes. If a recognition is revoked by a competent authority or if an auditing organisation revokes an audit report, this revocation must be published in the central repository. The record of the revocation remains available for five years, ensuring that historical compliance issues are visible to future buyers.

The link to public procurement

The central repository is directly tied to the procurement obligations set out in Article 30. Under CADA, public-sector bodies cannot simply choose any cloud provider; they must adhere to strict sovereignty requirements based on risk assessments.

  • General Rule: Contracting authorities whose activities do not involve high-risk public order concerns must procure cloud services that have been recognised as having at least Union assurance level 1. Crucially, these services must be those recognised under Article 17 and, by extension, listed in the central repository.
  • High-Risk Activities: For activities identified as contributing to the preservation of public order (such as defence, national security, or critical infrastructure), authorities must procure services recognised at Union assurance levels 2, 3, or 4. Again, these must be services that have undergone the formal recognition process and are reflected in the repository.

Derogations and the "absence of service" clause

A critical function of the central repository is defined in Article 30(4)(a). This provision allows for a derogation, meaning a contracting authority may, on an exceptional basis, decide not to procure a recognised cloud service if certain conditions are met. One of these conditions is that the subject matter of the tender cannot be supplied by recognised cloud computing services available in the central repository, and no adequate or reasonable alternative exists.

This creates a powerful incentive for providers to seek recognition and be listed in the repository. If a service is not in the repository, it is effectively presumed unavailable for standard public procurement unless a complex derogation process is justified. This mechanism helps drive the market toward sovereign, EU-recognised services by making non-listed services administratively difficult to purchase.

What this means for you

For public-sector procurement officers and legal teams, the central repository will become the starting point for every cloud computing tender. Here is how you should prepare:

  • Mandatory Check: Before drafting tender specifications, you will need to consult the central repository to identify which providers and services are currently recognised. You cannot legally award a contract to a cloud provider unless its service is listed with the Union assurance level that your risk assessment requires.
  • Risk Assessment Alignment: Your internal risk assessments (required under Article 29) will determine the minimum assurance level you need. If your risk assessment identifies a need for Union assurance level 3, you must search the repository specifically for services recognised at that level. Do not assume a Level 1 service is sufficient for critical public order activities.
  • Handling Absences: If you cannot find a suitable service in the repository, you must document this thoroughly. Under Article 30(4)(a), you can only bypass the repository if you can prove that no adequate alternative exists and that this absence is not due to artificially narrowing your tender parameters. This documentation will be subject to scrutiny.
  • Monitoring Changes: Because recognitions can be revoked, you should establish a process to monitor the repository for any changes to the status of your current or potential cloud providers. A revocation listed in the repository may trigger a need to migrate services or re-evaluate contracts.

Common misconceptions

Misconception 1: The repository lists all cloud providers in the EU. No. The repository only lists cloud computing services that have successfully completed the formal recognition process under Article 17 and met the criteria for a specific Union assurance level. Many EU-based providers may not be listed if they have not sought recognition or failed to meet the criteria.

Misconception 2: Being listed in the repository guarantees a contract. No. The repository is a compliance tool, not a quality or price ranking. It confirms that a service meets the legal sovereignty and security criteria. Procurement decisions will still be based on standard public procurement criteria such as technical quality, price, and European added value (Article 32), provided the service is listed in the repository.

Misconception 3: The repository replaces the need for a risk assessment. No. The risk assessment (Article 29) determines which level of assurance you need. The repository tells you which services meet that level. You cannot use the repository without first knowing what level of sovereignty your specific public-sector activity requires.

Misconception 4: The repository's procurement mandates apply to private companies. The mandatory procurement rules (Article 30) apply to Union entities and public-sector contracting authorities. Private-sector entities, particularly those in critical sectors under NIS2, are encouraged to conduct similar impact assessments (Article 31) but are not strictly bound by the same procurement mandates. However, the repository will likely become the de facto standard for trusted cloud services across the broader market.

This is general information about a draft EU regulation, not legal advice.