Summary Under the proposed Cloud and AI Development Act (CADA), recognition and repository listing are distinct but causally linked steps in the Union cloud computing sovereignty framework. Recognition is the formal legal decision by a national competent authority that a cloud computing service meets the criteria for a specific Union assurance level (Article 17). Repository listing is the subsequent administrative act of publishing that recognised status in a central EU database maintained by the Commission (Article 22). Crucially, listing follows automatically from recognition; providers do not apply for listing separately, and the national authority is responsible for registering the service once recognition is granted.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised framework to reduce the EU's dependence on third-country cloud providers and safeguard public order. A critical component of this framework is the mechanism by which cloud computing services are verified, legally validated, and made visible to public sector buyers. While often conflated in casual discussion, recognition and repository listing serve fundamentally different legal and operational functions within the regulation.

Recognition: The Substantive Legal Decision

Recognition is the core legal process that determines whether a cloud computing service qualifies as "Union assured" at a specific level (1, 2, 3, or 4). This process is governed exclusively by Article 17 of the CADA proposal.

The recognition process is initiated when a cloud computing service provider submits an application for recognition to the national competent authority of establishment. This authority acts as the "evaluating national competent authority." The nature of the evidence required depends entirely on the assurance level sought:

  • For Union assurance level 1: The provider submits an EU statement of conformity (as per Article 19) and all necessary evidence demonstrating compliance with the criteria in Annex II. Notably, for SMEs, this statement is directly and automatically recognised in all Member States without prior evaluation by the competent authority.
  • For Union assurance levels 2, 3, and 4: The provider must submit an audit report, a "positive" audit opinion from an independent auditing organisation (Article 20), and all evidence provided during the audit procedure.

The evaluating authority has 60 days to assess the submitted evidence. If the evidence is sufficient, the authority prepares a draft recognition decision and notifies the competent authorities of other Member States for a 60-day review period. During this period, other authorities may submit reasoned objections. If no reasoned objection is raised, the conclusions of the evaluating authority are deemed accepted by all Member States, and the authority adopts the recognition decision.

Recognition is a binding legal status. It grants the provider the right to market their service as meeting specific sovereignty criteria and, crucially, allows public sector bodies to procure these services in compliance with CADA's procurement rules (Article 30). Without a valid recognition decision under Article 17, a service cannot legally be considered compliant with the sovereignty framework for public sector procurement.

Repository Listing: The Administrative Publication

While recognition establishes the legal status, repository listing ensures transparency, market visibility, and operational accessibility. This function is governed by Article 22 of the CADA proposal.

The Commission is required to establish and maintain a dedicated central repository of cloud computing services that have been recognised in accordance with Article 17. This repository serves as the single source of truth for public sector buyers, auditing organisations, competent authorities, and the general public.

The relationship between the two steps is strictly defined by Article 22(2), which stipulates that the national competent authority of establishment that recognised the cloud computing service is responsible for registering the cloud computing service in the central repository. This provision creates a clear division of labour and a specific workflow:

  1. Providers do not apply for listing: There is no separate application process for the repository. The provider's interaction with the EU system ends with the submission of evidence to the competent authority for recognition.
  2. Listing is automatic and mandatory: Once the recognition decision is adopted by the competent authority, that authority must register the service in the central repository. The provider cannot be listed without this prior legal act.
  3. Public accessibility: Under Article 22(4), the central repository shall be publicly available and regularly updated by the Commission and the national competent authorities on a dedicated and easily accessible website.

The repository entry includes details of the recognised service and its assurance level. Furthermore, Article 22(3) mandates that the revocation of an audit report, audit opinion, or recognition by a competent authority shall be published in the central repository and remain available there for five years. This ensures a clear historical record for market participants, allowing them to see not just current compliance but also past failures or withdrawals.

The Sequential Link: Why the Distinction Matters

The relationship between recognition and listing is strictly sequential and causal. Recognition precedes listing. A service cannot be listed in the central repository unless it has first been recognised under Article 17. Conversely, listing validates recognition for the market. While recognition is the legal fact, listing is the operational proof that enables procurement. Public sector bodies are expected to use the central repository to identify compliant services, as it is the only place where the Union-wide validity of a service is publicly confirmed.

This distinction is vital for understanding the legal architecture of CADA. Recognition is the substantive act of compliance verification; listing is the procedural act of transparency. The regulation deliberately separates the decision-making power (held by national authorities) from the publication mechanism (managed centrally by the Commission via the repository) to ensure both national sovereignty in assessment and Union-wide market transparency.

What this means for you

For in-house counsel, compliance officers, and public procurement teams, distinguishing between recognition and listing is vital for managing timelines, responsibilities, and risk.

1. Focus Resources on Recognition, Not Listing

Do not allocate resources to preparing a separate "listing application." Your primary compliance burden lies in gathering the evidence required for Article 17 recognition. This includes ensuring your conformity self-assessment (for Level 1) or independent audit (for Levels 2–4) is robust and that your audit report contains a "positive" opinion. The repository listing will happen automatically once the competent authority accepts your recognition. Attempting to "push" for listing before recognition is complete is procedurally impossible under the draft.

2. Monitor the Competent Authority's Timeline

Under Article 17(5), the evaluating authority has 60 days to assess evidence, followed by a 60-day review period by other Member States. You should track these deadlines closely. If the authority requests additional information, the 60-day clock suspends (for up to 30 days unless justified otherwise). Delays in recognition directly delay your appearance in the central repository, potentially impacting your ability to bid for public sector contracts that require specific assurance levels. Remember, the clock starts when the authority accepts the application, not when you submit it.

3. Ensure Data Accuracy for the Repository

While you do not submit data directly to the repository, the information published there originates from your application and the competent authority's decision. Ensure that the details provided in your Article 17 application (service name, assurance level, provider details, scope of service) are accurate. Errors here will result in incorrect listing, which may cause procurement disqualification or reputational damage. Since the authority registers the service, any discrepancy between your application and the final entry must be resolved at the national level before the registration occurs.

4. Prepare for Revocation Visibility

Article 22(3) requires that any revocation of recognition or audit opinion be published in the repository for five years. If your status is revoked, this negative record will remain publicly visible. Compliance officers should implement continuous monitoring systems to ensure ongoing compliance with assurance criteria, as a lapse could trigger revocation and a lasting public record. This "five-year shadow" is a significant reputational risk that goes beyond the immediate loss of the right to sell to the public sector.

5. Procurement Strategy for Buyers

For public sector buyers, the central repository is the definitive list of compliant services. You should not rely solely on a provider's claim of being "sovereign" or "EU-assured." Verify their status in the central repository established under Article 22. If a service is not listed, it has not been recognised, and procuring it may breach CADA's public procurement obligations (Article 30). The repository is your primary tool for due diligence.

Common misconceptions

"We need to apply to the Commission to be listed in the repository." No. Providers apply to their national competent authority for recognition (Article 17). The competent authority then registers the service in the Commission's repository (Article 22). There is no direct application to the Commission for listing. The Commission's role is to maintain the repository, not to evaluate individual applications.

"Listing in the repository is a guarantee of ongoing compliance." Listing confirms that a recognition decision has been made at a specific point in time. However, recognition is based on the evidence provided at the time of assessment. Ongoing compliance is maintained through annual reviews (Article 20) and transparency obligations (Article 23). A listed service can still be revoked if it no longer meets criteria, and that revocation will be published in the repository.

"We can be listed before we are recognised." No. Recognition is the prerequisite. A service cannot be entered into the central repository without a prior positive recognition decision under Article 17. The legal decision must exist before the administrative act of listing can occur.

"The repository is only for public sector bodies." While primarily designed to facilitate public procurement, Article 22(4) states the repository shall be publicly available. Private sector entities, auditing organisations, competitors, and the general public can also access it to verify provider claims. It is a transparency tool for the entire market.

"Listing is a separate certification process." Listing is not a certification process; it is a publication mechanism. The certification (or conformity assessment) happens during the recognition phase. Listing is simply the act of making that result visible to the world.

Related

This is general information about a draft EU regulation, not legal advice.