Summary
Under the proposed Cloud and AI Development Act (CADA), recognition is the formal administrative act by which a national competent authority grants a cloud computing service provider a specific "Union assurance level" (1 to 4), enabling it to serve public sector bodies. Certification, specifically under the European Cybersecurity Certification Scheme for Cloud Services (EUCS), is a technical security assessment that serves as a conditional prerequisite for Union assurance levels 2, 3 and 4. In short, certification proves your security posture; recognition grants your legal market access for sovereign cloud services. Crucially, if the EUCS scheme is not yet established and available, national cybersecurity certification schemes apply where they exist, and where neither a Union nor a national scheme exists, providers may instead demonstrate compliance with the highest cybersecurity standards under applicable Union law.
Detail
To navigate CADA, in-house counsel must distinguish between the outcome (recognition) and the input (certification). These are not interchangeable terms; they represent different stages and types of compliance within the proposed framework.
Recognition: The Market Access Grant
Recognition is the core mechanism of CADA's sovereignty framework. It is the formal status that allows a cloud computing service provider to offer services to Union entities and public sector bodies.
- The Process: As outlined in Article 17, a provider submits an application for recognition to the national competent authority of their establishment. This authority evaluates the provider's evidence to determine if they meet the cumulative criteria for Union assurance level 1, 2, 3, or 4.
- The Result: If successful, the provider is "recognised" across the entire Union. This recognition is listed in a central repository maintained by the Commission (Article 22).
- The Scope: Recognition covers the entire "Union assurance" framework defined in Article 16. It confirms that the provider meets specific sovereignty criteria, such as data localisation, personnel citizenship requirements, and freedom from third-country control, depending on the level sought.
Certification: The Technical Prerequisite
Certification, in the context of CADA's higher assurance levels, refers primarily to cybersecurity certification. CADA does not create a new certification scheme from scratch; instead, it mandates the use of existing or forthcoming EU cybersecurity standards.
- The Link to Assurance Levels: For Union assurance levels 2, 3, and 4, Annex II of the proposal sets out cumulative criteria. Specifically, Annex II, point 2.1(e) (for Level 2) and point 3.1(e) (for Level 3) require that the audited service obtain a European cybersecurity certificate of at least assurance level "substantial" under a scheme established under Regulation (EU) 2019/881 (the Cybersecurity Act). For cloud services, that scheme is the European Cybersecurity Certification Scheme for Cloud Services (EUCS).
- Level 4 Requirement: For the highest level, Union assurance level 4, Annex II, point 4.1(e) requires a certificate of at least assurance level "high."
- The Conditional Nature: The proposal acknowledges that the EUCS scheme may not be fully established or available immediately. Annex II explicitly states: "provided that such a scheme has been established under that Regulation and is available to cloud computing service providers." Until such a scheme is established and available, national cybersecurity certification schemes shall apply, where they exist. Where no Union or national cybersecurity certification schemes exist, the audited provider is to demonstrate that the service complies with the highest cybersecurity standards under applicable Union law. Thus, certification is a mandatory prerequisite only if a relevant scheme exists; otherwise, a demonstration of compliance with the highest standards suffices.
How They Interact
The relationship is hierarchical and procedural:
- Certification First: To aim for Union assurance levels 2, 3, or 4, a provider must first undergo independent third-party audits (Article 20). Part of this audit involves verifying that the provider holds the necessary cybersecurity certification (EUCS, national equivalent, or a demonstration of highest standards).
- Recognition Second: The national competent authority reviews the audit report, which includes the certification status, along with other sovereignty evidence (e.g., legal separation from third-country control, personnel citizenship). If all criteria in Annex II are met, the authority grants recognition under Article 17.
Specific Legal Mechanisms
- Delegated Acts on Audits: The Commission is empowered to adopt delegated acts to supplement the Regulation by laying down detailed rules on the performance of audits. This specific empowerment is found in Article 20(9), which references the general delegation power in Article 45.
- Third-Country Derogations: For Union assurance level 3, a provider subject to third-country control may still be eligible if the Commission has adopted an implementing act under Article 18 (Associated third countries). Note that Article 19 (Conformity self-assessment) is sometimes cited here by mistake; the correct reference for third-country eligibility is Article 18.
- Level 1 Self-Assessment: Providers seeking only Union assurance level 1 do not need a cybersecurity certificate; they only need to issue an EU statement of conformity based on a self-assessment (Article 19).
What this means for you
For compliance officers and in-house counsel, understanding this distinction is critical for resource allocation, timeline planning, and risk management.
1. Compliance Timelines and Deadlines
- Recognition Deadlines: National competent authorities have strict timelines for processing recognition applications. Under Article 17(5), the evaluating authority must assess the evidence within 60 days of accepting an application. It must then notify the other Member States, which have a 60-day period to review the assessment. If no objections are raised, recognition is granted. Plan your application submission well in advance of any public procurement deadline that requires a specific assurance level.
- Certification Lead Times: Cybersecurity certification (EUCS or national) is often a lengthy, technical process involving external auditors. Because certification is a prerequisite for recognition at levels 2–4 (subject to the fallback mechanism), delays in certification will directly delay your recognition. Start the certification process early, or prepare the "highest standards" demonstration if no scheme is available.
2. Resource Allocation
- Technical vs. Legal Teams: Certification is largely a technical and operational challenge (IT security controls, data flows, audit evidence). Recognition is a legal and administrative challenge (corporate structure, third-country control analysis, personnel citizenship, contractual clauses). Ensure your legal team prepares the "recognition" evidence package (e.g., proof of Union establishment, subcontractor due diligence) while your IT security team pursues certification.
- Audit Cooperation: Article 20(2) requires providers to cooperate fully with auditing organisations, providing access to data and premises. Failure to cooperate can result in a negative audit opinion, which precludes recognition.
3. Penalties and Liability
- Infringements: Article 24 establishes that Member States must lay down penalties for infringements of the sovereignty framework. While the proposal does not set specific fine amounts for recognition fraud, it mandates that penalties be "effective, proportionate and dissuasive." Factors include the nature of the infringement and the provider's turnover.
- Compensation: Article 24(3) grants recipients of cloud services the right to seek compensation for damage suffered due to a provider's infringement of their obligations. Misrepresenting your certification status or recognition level could expose the company to significant civil liability.
4. Strategic Procurement
- Public Sector Contracts: Under Article 30, public sector bodies must procure services that match their risk assessment. If a public body's activities contribute to public order, it must only procure services recognised at levels 2, 3, or 4. Without recognition, you are excluded from these markets; without the underlying certification (or equivalent demonstration), you cannot obtain that recognition.
Common misconceptions
Misconception 1: "Recognition is just another name for certification." No. Certification is a technical security assessment (often by a notified body or auditor). Recognition is a legal status granted by a national authority that confirms you meet broader sovereignty criteria, including but not limited to security. You can have a security certificate without CADA recognition (if you don't apply for it), but you cannot have CADA recognition for levels 2–4 without the required certification (or equivalent demonstration).
Misconception 2: "EUCS is mandatory for all cloud providers under CADA." Not exactly. EUCS (or an equivalent national scheme) is only mandatory for providers seeking Union assurance levels 2, 3, or 4 if such a scheme is established and available. Providers seeking only Union assurance level 1 do not need a cybersecurity certificate; they only need to issue an EU statement of conformity based on a self-assessment (Article 19). Furthermore, if no scheme exists, providers may demonstrate compliance with the highest cybersecurity standards under applicable Union law.
Misconception 3: "If I get certified in one country, I am automatically recognised everywhere." Certification may have cross-border validity depending on the scheme, but recognition is explicitly designed for mutual recognition across the EU. Once the national competent authority of your establishment grants recognition under Article 17, that recognition is valid across the Union. However, the initial application and assessment happen in your Member State of establishment.
Misconception 4: "CADA creates its own new certification body." No. CADA leverages the existing Cybersecurity Act framework for EUCS. It does not create a new "CADA certification." It creates a new "CADA recognition" process that consumes EUCS certificates (or equivalent evidence) as input.
Official sources
Related
- Which authority do I apply to for CADA recognition?
- CADA Recognition: When is a cloud service deemed accepted across the EU?
- CADA Recognition: The Role of the National Competent Authority
- CADA Recognition and Transparency: How Material Changes Affect Your Status
- CADA Recognition vs EUCS: Key Differences for Cloud Providers
This is general information about a draft EU regulation, not legal advice.