Summary
Under the proposed Cloud and AI Development Act (CADA), the EU statement of conformity is the formal legal instrument used by cloud computing service providers to self-declare compliance with Union assurance level 1. As proposed in Article 19(2), the provider must issue this statement to demonstrate that the service meets the criteria set out in Annex II, and by doing so, the provider "shall assume responsibility for the compliance of the cloud computing service." Furthermore, Article 19(3) mandates that this statement "shall be made publicly available," ensuring transparency for public sector buyers and regulators. Unlike higher assurance levels, this process does not require an independent third-party audit.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework to strengthen the sovereignty, resilience, and security of the EU's cloud and AI ecosystem. A cornerstone of this framework is the Union cloud computing sovereignty framework, which defines four distinct Union assurance levels (Level 1 to Level 4). These levels allow public sector bodies and Union entities to procure cloud services with varying degrees of trust, data protection, and operational autonomy based on their specific risk profiles.
For providers targeting the baseline tier of this framework (Union assurance level 1), the Regulation introduces a streamlined compliance mechanism known as the conformity self-assessment. The EU statement of conformity is the definitive output of this process. It serves as the provider's official, legally binding attestation that their cloud computing service adheres to the specific technical, operational, and legal requirements defined for Level 1.
The Legal Mechanism: Article 19
The rules governing the creation, issuance, and publication of the EU statement of conformity are explicitly detailed in Article 19 of the CADA proposal, titled "Conformity self-assessment." This article creates a distinct pathway for Level 1 that differs fundamentally from the audit-based requirements for Levels 2, 3, and 4.
1. The Obligation to Self-Assess (Article 19(1))
Before a provider can issue the statement, they must first conduct a rigorous internal review. Article 19(1) stipulates that "Cloud computing service providers seeking recognition in accordance with Article 17 as offering Union assurance level 1, shall carry out a conformity self-assessment of compliance with the criteria for Union assurance level 1 set out in Annex II."
This self-assessment is not a casual checklist; it requires the provider to verify that their service meets all cumulative criteria for Level 1. According to Annex II, Section 1, these criteria include:
- Establishment: The provider must be established in the Union.
- Infrastructure Location: Infrastructure and assets (including those of subcontractors) must be located in the Union, unless the public sector body explicitly requires otherwise.
- Data Residency: Customer data, including metadata and telemetry, must remain exclusively within the Union, unless explicitly required otherwise by the public sector body.
- Outsourcing Controls: If technical support is outsourced outside the Union, the provider must implement measures to ensure traceability, security, and governance without compromising operational autonomy.
- Cybersecurity: The service must comply with state-of-the-art cybersecurity standards.
- Subcontractor Transparency: The provider must provide full transparency regarding subcontractors and subject them to due diligence.
- Third-Country Control: If the provider is subject to third-country control, they must guarantee that no laws in that country require reporting software vulnerabilities before they are exploited.
2. Issuing the Statement and Assuming Responsibility (Article 19(2))
Once the self-assessment is complete and compliance is verified, the provider must formally issue the document. Article 19(2) provides the precise legal definition and consequence of this act:
"Following the self-assessment referred to in paragraph 1, the cloud computing service provider shall issue an EU statement of conformity stating that compliance with the criteria for Union assurance level 1 have been demonstrated. By issuing such a statement, the cloud computing service provider shall assume responsibility for the compliance of the cloud computing service with the criteria for Union assurance level 1 set out in Annex II."
This clause is critical for liability and accountability. By issuing the statement, the provider explicitly assumes responsibility for the accuracy of their claims. This shifts the burden of proof entirely onto the provider. Unlike higher assurance levels where an independent auditing organization validates the claims, Level 1 relies on the provider's internal controls and integrity. If a provider issues a false statement, they face direct liability under the penalty provisions of Article 24, which requires Member States to impose "effective, proportionate and dissuasive" penalties for infringements.
3. Public Availability (Article 19(3))
Transparency is a foundational principle of the CADA sovereignty framework. To ensure that public sector bodies, Union entities, and the wider market can verify a provider's status, Article 19(3) mandates:
"The cloud computing service provider shall make the EU statement of conformity publicly available."
This requirement ensures that the statement is not a private internal document but a public declaration. Providers must publish this statement on their website or another accessible platform, allowing potential customers to confirm that the provider has self-declared compliance with Level 1 criteria. This public availability is a prerequisite for the provider to be recognized as offering Union assurance level 1.
Relationship to Recognition and the Central Repository
The EU statement of conformity is the primary evidence required for the recognition of a cloud service under Article 17.
- Submission: Under Article 17(3), a provider seeking Level 1 recognition must submit the EU statement of conformity, along with all necessary evidence, to the national competent authority of their establishment.
- SME Derogation: A significant simplification exists for small and medium-sized enterprises (SMEs). Article 17(3) states that "the EU statement of conformity issued under Article 19(2) by cloud computing service providers that are SMEs shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." This removes administrative barriers for smaller providers, allowing them to access the EU market immediately upon issuing their statement.
- Central Repository: Once recognized (or automatically recognized for SMEs), the service is registered in the central repository established under Article 22. This repository, maintained by the Commission, serves as the single source of truth for all cloud services recognized at Union assurance levels 1 through 4.
Distinction from Higher Assurance Levels (2, 3, and 4)
It is vital to distinguish the EU statement of conformity from the compliance mechanisms for higher assurance levels.
- Level 1: Relies on self-assessment and the EU statement of conformity (Article 19). No independent audit is required.
- Levels 2, 3, and 4: Require independent third-party audits conducted by accredited auditing organizations (Article 20). Providers must obtain an audit report and a "positive" audit opinion. The criteria for these levels are significantly stricter, including requirements for Union citizenship for personnel (conditional at Level 2, mandatory at Levels 3 and 4), "substantial" or "high" cybersecurity certification (Annex II), and stricter controls on third-country influence.
The self-declared nature of the Level 1 statement reflects the Regulation's proportionality principle: Level 1 serves as a baseline for general public sector activities that do not require the highest levels of sovereignty protection, whereas Levels 2 to 4 are reserved for activities contributing to the preservation of public order (Article 29).
What this means for you
If you are a cloud computing service provider aiming to serve the EU public sector under the proposed CADA, the EU statement of conformity is your primary gateway to Level 1 recognition. Here is how you should prepare:
- Conduct a Rigorous Internal Audit: Before drafting the statement, perform a comprehensive self-assessment against Annex II, Section 1. Verify your establishment status, map your data flows to ensure they remain within the Union, and review your subcontractor agreements. You must have documented evidence to support every claim in your statement.
- Draft the Statement with Precision: The statement is a legal declaration. Ensure it explicitly states that "compliance with the criteria for Union assurance level 1 have been demonstrated," mirroring the language of Article 19(2). Ambiguity could be interpreted as non-compliance.
- Publish Immediately: Do not wait for recognition to publish. Article 19(3) requires the statement to be publicly available. Ensure it is easily accessible on your website, clearly labeled, and up-to-date.
- Understand Your Liability: By signing the statement, you assume full responsibility. If your service is later found to be non-compliant (e.g., data was routed outside the Union without explicit permission), you face penalties under Article 24 and potential removal from the central repository.
- Leverage SME Status if Applicable: If you qualify as an SME, your statement grants you automatic recognition across the EU. Ensure your SME status is clearly documented to benefit from this streamlined process.
- Monitor for Material Changes: If your service undergoes changes that affect compliance (e.g., a new subcontractor outside the Union), you must update your assessment and potentially reissue the statement. Article 23 requires providers to notify authorities of material changes that may affect their recognition status.
Common misconceptions
"The EU statement of conformity is just a formality."
- Reality: It is a binding legal instrument. Under Article 19(2), issuing the statement means you "assume responsibility" for compliance. If you are found to be non-compliant, you face direct legal liability and penalties, not just a loss of certification.
"I need an external auditor to issue the statement."
- Reality: No. The EU statement of conformity is the result of a self-assessment (Article 19). Independent audits are only mandatory for Union assurance levels 2, 3, and 4. Level 1 is designed to be accessible without third-party costs.
"I can keep the statement private until I win a contract."
- Reality: Article 19(3) explicitly mandates that the provider "shall make the EU statement of conformity publicly available." Transparency is a legal requirement, not an option.
"Level 1 is the same as Level 2 or 3."
- Reality: They are fundamentally different. Level 1 is a baseline self-declaration. Levels 2, 3, and 4 require independent audits, stricter data residency rules, and specific personnel requirements (e.g., Union citizenship). The statement of conformity does not apply to these higher levels.
"Only large providers need to worry about this."
- Reality: All providers seeking Level 1 recognition must issue the statement. However, SMEs benefit from a unique advantage: their statement is automatically recognized across the EU without national authority review, giving them a competitive edge in speed to market.
This is general information about a draft EU regulation, not legal advice.