Summary
As proposed, CADA recognition under Article 17 is a legal mechanism that grants a cloud computing service a specific "Union assurance level" (1–4), valid across the entire EU single market. In contrast, the European Cybersecurity Certification Scheme for Cloud Services (EUCS) is a technical cybersecurity standard. Under the CADA proposal, EUCS certification is not a standalone recognition tool but a mandatory input requirement for achieving Union assurance levels 2, 3, and 4. Specifically, Annex II 2.1(e) mandates that for Level 2, a service must obtain a European cybersecurity certificate of at least assurance level "substantial."
Detail
The proposed Cloud and AI Development Act (CADA) introduces a comprehensive sovereignty framework that fundamentally reshapes how cloud services are validated for public sector use. A critical distinction for compliance teams, legal counsel, and procurement officers is understanding that CADA recognition and EUCS certification serve different, albeit deeply interconnected, purposes. CADA recognition confers a legal status determining eligibility for public procurement based on sovereignty and operational autonomy, while EUCS provides the technical cybersecurity benchmark necessary to prove a service meets the rigorous criteria for higher assurance levels.
CADA Recognition: A Union-Wide Legal Status
CADA establishes a "Union cloud computing sovereignty framework" comprising four distinct assurance levels, as set out in Article 16. To operate within the EU public sector for activities requiring sovereignty safeguards, a cloud computing service provider must undergo a formal recognition process under Article 17. This process is administrative and legal in nature, distinct from technical conformity assessments.
The core value of CADA recognition is its Union-wide validity. Once a national competent authority of establishment recognizes a service as meeting a specific assurance level (1, 2, 3, or 4), that recognition is valid throughout the entire Union. This mechanism prevents market fragmentation, ensuring that a service recognized in one Member State can be procured by public bodies in another without re-evaluation.
The recognition process varies significantly by level:
- Level 1: Providers may carry out a conformity self-assessment and issue an EU statement of conformity. No independent audit is required.
- Levels 2–4: Providers must undergo independent third-party audits. They must submit an audit report containing a "positive" audit opinion to the national competent authority of establishment.
Crucially, Article 17 mandates that the competent authority evaluates the evidence submitted. If recognized, the service is registered in a central repository maintained by the Commission, allowing public procurement authorities across the EU to verify the service's status instantly.
EUCS Certification: A Technical Input for Higher Assurance
The European Cybersecurity Certification Scheme for Cloud Services (EUCS), developed under the Cybersecurity Act (Regulation (EU) 2019/881), focuses exclusively on technical cybersecurity standards. It certifies that a service meets specific security requirements at "basic," "substantial," or "high" assurance levels. It does not, in itself, assess sovereignty, data localisation, personnel citizenship, or operational autonomy in the broader sense that CADA does.
Under the CADA proposal, EUCS is not an alternative to recognition; it is a prerequisite for higher assurance levels. Annex II 2.1(e) explicitly states that for Union assurance level 2, the audited service "obtains a European cybersecurity certificate of at least assurance level 'substantial' under a European cybersecurity certification scheme covering cloud computing services to be established under Regulation (EU) 2019/881."
Similar requirements apply to levels 3 and 4. Annex II 3.1(e) requires a "substantial" certificate for Level 3, while Annex II 4.1(e) requires a "high" certificate for Level 4. Until the EUCS scheme is fully established, national cybersecurity certification schemes apply where they exist.
This means that for a provider seeking Union assurance level 2, 3, or 4, holding an EUCS certificate (or its national equivalent) is a mandatory component of the audit evidence. However, EUCS alone is insufficient. A provider must also meet other cumulative criteria in Annex II, such as data localisation, personnel screening, supply chain transparency, and the absence of third-country control, to achieve full CADA recognition.
The Interplay in Public Procurement
The distinction becomes operationally critical in public procurement. Article 30 of CADA requires contracting authorities to procure cloud services based on the assurance level determined by their risk assessments under Article 29. A public body cannot simply ask for an "EUCS certified" provider; it must ask for a provider recognized under Article 17 at the appropriate Union assurance level.
For example, if a Member State determines that a specific public order activity (e.g., law enforcement or defence) requires Union assurance level 3, it can only procure from providers recognized at that level. Since Annex II 3.1(e) requires a "substantial" EUCS certificate for Level 3, the provider must hold both the CADA recognition and the underlying EUCS certification. The EUCS certificate proves the technical security; the CADA recognition proves the sovereignty and overall compliance.
Key Differences at a Glance
| Feature | CADA Recognition (Article 17) | EUCS Certification |
|---|---|---|
| Legal Basis | CADA Proposal (COM(2026) 502 final) | Cybersecurity Act (Regulation (EU) 2019/881) |
| Primary Scope | Sovereignty, operational autonomy, data residency, third-country control | Technical cybersecurity standards only |
| Output | Union Assurance Level (1–4) | Cybersecurity Assurance Level (Basic, Substantial, High) |
| Validity | Union-wide (once recognized by one Member State) | Union-wide (once certified) |
| Role in CADA | Final legal status for public procurement | Mandatory input requirement for Levels 2–4 |
| Assessment | Self-assessment (L1) or Third-party audit (L2–4) | Third-party conformity assessment |
What this means for you
For in-house counsel, compliance officers, and cloud service providers, the separation of these two regimes creates a dual-track compliance strategy. You cannot rely on one certification to satisfy the other.
1. Map your target assurance levels: Identify which Union assurance levels your services need to achieve to access your desired public sector markets. If you are targeting only Level 1, you may not need EUCS certification immediately, as Level 1 criteria in Annex II 1.1 do not explicitly mandate an EUCS certificate (though they require compliance with state-of-the-art cybersecurity standards). However, if you aim for Levels 2–4, you must initiate the EUCS certification process in parallel with your CADA recognition application.
2. Prepare for the audit overlap: For Levels 2–4, the CADA audit under Article 20 will examine your EUCS certificate as part of the evidence. Ensure your technical documentation for EUCS aligns with the audit evidence requirements in Annex III of CADA. The auditing organisation for CADA will verify that your EUCS certificate is valid and covers the necessary assurance level (e.g., "substantial" for Level 2/3, "high" for Level 4).
3. Monitor the timeline and availability: CADA is a proposal. The specific dates for application and the final status of EUCS (which is still being developed by ENISA) are subject to change. However, the structural requirement that EUCS feeds into CADA Levels 2–4 is fixed in the proposal. Plan your cybersecurity investments now to meet the "substantial" or "high" EUCS requirements, as these will be bottlenecks for CADA recognition. Until EUCS is established, national schemes apply, but the transition to EUCS is expected.
4. Penalties and enforcement: Non-compliance with CADA obligations can lead to penalties under Article 24. If you claim a certain assurance level without meeting the criteria (including the EUCS requirement for Levels 2–4), you risk having your recognition revoked and facing fines. Member States must lay down rules on penalties that are "effective, proportionate and dissuasive."
Common misconceptions
Misconception 1: "EUCS certification is enough for public contracts." False. EUCS certifies cybersecurity, not sovereignty. Public procurement under CADA Article 30 requires a Union assurance level from the CADA framework. You need both EUCS (for technical security) and CADA recognition (for legal sovereignty status).
Misconception 2: "CADA replaces EUCS." False. CADA incorporates EUCS as a building block. For Levels 2–4, EUCS is a mandatory input. CADA adds layers of sovereignty, data localisation, and operational autonomy on top of the cybersecurity baseline provided by EUCS.
Misconception 3: "Recognition is only for EU-based providers." Not necessarily. While Article 16 and Annex II emphasize Union establishment and control, Article 18 provides a mechanism for the Commission to recognize third countries as providing sufficient assurances for Level 3. However, this is a high bar and subject to strict conditions, including adequacy decisions and safeguards against third-country access.
Misconception 4: "Level 1 requires EUCS." False. Annex II 1.1 sets out criteria for Level 1, which include cybersecurity compliance but do not explicitly mandate an EUCS certificate. Levels 2, 3, and 4 do mandate EUCS (or national equivalents until EUCS is fully available).
This is general information about a draft EU regulation, not legal advice.