Summary
The most cost-effective entry point for cloud providers into the proposed Cloud and AI Development Act (CADA) framework is Union assurance level 1. Unlike higher tiers that mandate expensive third-party audits, level 1 relies on a conformity self-assessment mechanism. As proposed, providers must issue an EU statement of conformity after verifying compliance with specific sovereignty criteria. Crucially, for small and medium-sized enterprises (SMEs), this pathway is streamlined further: their self-assessment statements are automatically recognized across the entire Union without prior approval from a national competent authority. This eliminates administrative fees and review delays, making level 1 the lowest-barrier option for market entry.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a four-tier sovereignty framework for cloud computing services. These tiers, designated as Union assurance levels 1 through 4, define the degree of trust, data localization, and freedom from third-country control required to serve EU public sector bodies. For cloud service providers (CSPs), the cost of compliance varies significantly between these levels. The primary differentiator is the verification method: while levels 2, 3, and 4 require independent third-party audits, Union assurance level 1 relies on a self-declaration model.
The Self-Assessment Mechanism: Article 19
The foundation of the level 1 entry strategy is Article 19 of the CADA proposal. This article establishes the "Conformity self-assessment" procedure. Under Article 19(1), cloud computing service providers seeking recognition at Union assurance level 1 are required to carry out a self-assessment of their compliance with the criteria set out in Annex II. These criteria include fundamental sovereignty requirements, such as:
- The provider being established in the Union.
- Infrastructure and assets (including those of subcontractors) being located in the Union.
- Customer data remaining exclusively within the Union, unless explicitly required otherwise by the public sector body.
- Implementation of measures to ensure traceability and security when outsourcing technical support outside the Union.
- Compliance with state-of-the-art cybersecurity standards.
- Full transparency regarding the use of subcontractors.
Once the provider has verified these conditions, Article 19(2) mandates the issuance of an "EU statement of conformity." By issuing this statement, the provider explicitly "assumes responsibility for the compliance of the cloud computing service with the criteria for Union assurance level 1." Article 19(3) further requires that this statement be made publicly available.
This self-assessment model is inherently lower cost than the audit regimes for higher levels. It removes the need to engage accredited auditing organizations, pay for audit fees, and undergo rigorous on-site inspections. The provider relies on internal resources and documentation to demonstrate compliance.
Recognition Process and the SME Advantage: Article 17(3)
While the self-assessment reduces the direct cost of verification, the recognition process can still involve administrative overhead. Article 17 outlines the general procedure for recognition. Typically, a provider must submit its EU statement of conformity and evidence to the national competent authority of establishment. The authority then assesses the evidence, prepares a draft recognition decision, and notifies other Member States for a review period. If no objections are raised, the service is recognized throughout the Union.
However, the proposal includes a specific derogation that makes level 1 the most attractive entry point for smaller players. Article 17(3) states:
"By way of derogation from the first subparagraph, the EU statement of conformity issued under Article 19(2) by cloud computing service providers that are SMEs shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority."
This provision is a game-changer for SMEs. It means that once an SME issues its public EU statement of conformity, it is automatically recognized as a level 1 provider across the EU. There is no need to:
- Submit evidence to a national authority.
- Wait for an assessment period.
- Navigate the inter-Member State review process.
- Pay any administrative fees associated with the recognition procedure.
For SMEs, the act of issuing the statement is the sole requirement for Union-wide market access at level 1. This significantly reduces time-to-market and eliminates the administrative burden that often hinders smaller providers.
Comparison with Higher Tiers
To fully appreciate the cost advantage of level 1, it is necessary to contrast it with the requirements for Union assurance levels 2, 3, and 4. Article 20 mandates that providers seeking these higher levels must undergo independent third-party audits at their own expense.
These audits must be performed by auditing organizations that meet strict independence and competence requirements (e.g., no conflicts of interest, no prior non-audit services). The process involves:
- Providing auditors with access to all relevant data, premises, and personnel.
- Paying for the auditor's time, expertise, and the production of a detailed audit report.
- Obtaining a "positive" audit opinion.
- Submitting the audit report and opinion to the national competent authority for recognition.
The costs associated with these audits are substantial, often running into tens or hundreds of thousands of euros depending on the complexity of the service. Furthermore, the recognition process for levels 2–4 involves the full administrative review by national authorities and other Member States, adding further time and potential legal costs.
In contrast, level 1 relies on internal resources for self-assessment and, for SMEs, bypasses the authority's formal recognition process entirely. This makes it the lowest barrier to entry in terms of both direct financial outlay and administrative effort.
What this means for you
If you are a cloud service provider or data centre operator looking to serve EU public sector bodies, targeting Union assurance level 1 is your most efficient first step.
For SMEs: The automatic recognition provision in Article 17(3) is a major strategic advantage. You do not need to budget for extensive interactions with national competent authorities or hire external auditors. Your primary focus should be on rigorously conducting your internal self-assessment against the criteria in Annex II and drafting a robust EU statement of conformity. Ensure this statement is publicly accessible, as this transparency is a core requirement. By leveraging the SME derogation, you can achieve EU-wide market access with minimal regulatory friction.
For Larger Providers: While you cannot benefit from automatic recognition, the self-assessment model of level 1 is still significantly cheaper than the audit requirements for levels 2–4. You should budget for internal compliance teams to manage the self-assessment and for potential review by the national competent authority. Use level 1 as a foothold to build trust and market presence. As your client base grows and demands higher sovereignty guarantees (e.g., for sensitive data or critical infrastructure), you can then invest in the more expensive audit processes required for higher assurance levels.
Strategic Planning: Regardless of your size, ensure your infrastructure and data flows strictly adhere to the level 1 criteria. Any deviation, such as data leaving the Union without explicit customer consent or using non-EU established subcontractors without proper safeguards, will invalidate your self-assessment. Since you are assuming responsibility for the conformity statement, accurate internal controls are essential to avoid penalties under Article 24, which allows for effective, proportionate and dissuasive penalties for infringements.
Common misconceptions
"Level 1 means no compliance requirements." This is incorrect. Level 1 still has strict cumulative criteria defined in Annex II, including data localization, establishment requirements, and cybersecurity standards. The difference is in the verification method (self-assessment vs. third-party audit), not the absence of rules.
"SMEs don't need to make their statement public." False. Article 19(3) explicitly requires that the cloud computing service provider shall make the EU statement of conformity publicly available. This applies to all providers seeking level 1 recognition, including SMEs. Transparency is a key component of the trust framework.
"Automatic recognition for SMEs means no oversight." While SMEs bypass the pre-recognition assessment by the national competent authority, they are still subject to market surveillance. National competent authorities have investigative and enforcement powers under Article 26 to ensure ongoing compliance. If an authority suspects non-compliance, it can investigate and impose penalties. The automatic recognition is an administrative shortcut, not a legal exemption from the rules.
"Level 1 is only for small companies." No. Any provider, regardless of size, can choose to pursue Union assurance level 1. Large providers may choose this tier for specific services where the highest levels of assurance (levels 2–4) are not required by the customer's risk assessment. It is a matter of matching the service level to the customer's needs and the provider's cost structure.
Related
- How does a cloud provider move up a CADA sovereignty tier?
- Why choose a CADA Level 1 provider? The baseline for public procurement
- Why is CADA Level 4 the highest sovereignty tier?
- Why does CADA create a four-tier cloud sovereignty framework?
- Who pays for the CADA audit? Provider costs explained
This is general information about a draft EU regulation, not legal advice.