Summary

There is no single "CADA compliance checklist" for every organisation because the Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, targets specific actors: cloud computing service providers seeking public contracts and public sector bodies procuring those services. Private entities using AI but not providing cloud services generally fall outside CADA's direct obligations. As proposed, providers must obtain a "Union assurance level" recognition (Articles 16–17) to access public markets, while public buyers must conduct risk assessments (Article 29) to determine required assurance levels. The Regulation would apply one year after entry into force (Article 48), with critical interim deadlines for Member States to designate authorities and complete initial risk assessments within that first year.

Detail

The Cloud and AI Development Act (CADA) establishes a framework to strengthen Europe's cloud and AI ecosystem by reducing dependencies on third-country providers and ensuring operational autonomy. Unlike the GDPR, which applies broadly to data processing, CADA's obligations are targeted at the infrastructure layer and public procurement. Article 1 defines the subject matter, focusing on five measures: establishing Cloud and AI Leadership Initiatives, accelerating data centre deployment, enabling a sovereign cloud offer to safeguard public order, reducing critical technology dependencies, and fostering public-sector adoption.

Compliance is strictly role-based. The core burden falls on two groups: Cloud Computing Service Providers (who must prove sovereignty) and Contracting Authorities/Public Sector Bodies (who must mandate it).

1. For Cloud Computing Service Providers: The Sovereignty Framework

If your organisation provides cloud computing services and aims to sell to Union entities or public sector bodies, you must navigate the "Union cloud computing sovereignty framework" established in Article 16. This framework consists of four assurance levels (Level 1 to Level 4), with requirements escalating in strictness.

Step 1: Determine the Required Assurance Level

You must align your offering with customer requirements. Article 30 mandates that public sector bodies whose activities do not contribute to public order must use services recognised as having at least Union Assurance Level 1. Bodies whose activities do contribute to public order (e.g., national security, justice, defence) must procure services recognised as Level 2, 3, or 4, based on their risk assessments.

Step 2: Meet the Criteria (Annex II)

The specific criteria are detailed in Annex II, but the general trajectory is:

  • Level 1: Requires the provider to be established in the Union, with infrastructure and data remaining in the Union (unless the public body explicitly requires otherwise). It requires compliance with state-of-the-art cybersecurity standards and full transparency on subcontractors.
  • Levels 2–4: Require independent third-party audits (Article 20).
    • Level 2: Requires Union establishment for the provider and subcontractors, Union location for infrastructure/personnel/data, and a European cybersecurity certificate of at least "substantial" assurance.
    • Level 3: Adds a mandatory requirement that personnel (including subcontractors) are Union citizens (with security clearance where appropriate). It also introduces a specific derogation mechanism for third-country control.
    • Level 4: The highest tier, requiring "high" assurance cybersecurity certification and strictly prohibiting any third-country control over the provider or its subcontractors.

Step 3: Obtain Recognition (Article 17)

You cannot self-certify for Levels 2–4. You must submit an application for recognition to the national competent authority of your establishment.

  • For Level 1: You issue an EU statement of conformity (Article 19). Crucially, for SMEs, this statement is directly and automatically recognised in all Member States without the need for prior evaluation by the competent authority. Larger providers must undergo the authority's assessment.
  • For Levels 2–4: You must undergo an independent audit by an accredited auditing organisation. The audit report and a "positive" audit opinion are submitted to the competent authority.
  • Timeline: The competent authority has 60 days to assess the evidence. If accepted, the service is recognised across the entire Union.

Step 4: Maintain Transparency (Article 23)

Once recognised, you must notify the auditing organisation and the competent authority of any material changes that could affect your assurance level. Failure to do so can lead to revocation of recognition.

2. For Public Sector Bodies (Contracting Authorities)

If your organisation is a public sector body procuring cloud services, your compliance duties are centred on risk assessment and procurement mandates.

Step 1: Conduct Risk Assessments (Article 29)

Within one year of the Regulation's entry into force, and thereafter every two years, you must carry out risk assessments. These assessments must:

  • Identify public sector activities that contribute to the preservation of public order (e.g., in sectors listed in Annex I or II of the NIS2 Directive, or areas like national security, defence, justice, law enforcement).
  • Determine which Union assurance level (2, 3, or 4) is appropriate for those activities.
  • Consider the sensitivity, criticality, and magnitude of data processed.
  • Evaluate whether a multi-vendor or multi-cloud strategy is appropriate to enhance resilience.

Step 2: Procure According to Assurance Levels (Article 30)

  • For activities not identified as contributing to public order, you must procure services with at least Union Assurance Level 1.
  • For activities identified as contributing to public order, you must only procure services recognised as Level 2, 3, or 4.
  • Derogations are possible only in exceptional cases (e.g., no suitable tender exists, or applying the requirement would entail disproportionate cost), but these are narrow.

Step 3: Apply EU Added Value Criteria (Article 32)

In public procurement for innovative cloud services and AI systems, you must include non-price award criteria that evaluate the tenderer's contribution to the European cloud and AI ecosystem. This includes strengthening the EU digital supply chain and using hardware/software designed or manufactured in the Union.

3. For Member States

Member States have significant implementation duties to enable the framework:

  • Designate Competent Authorities (Article 25): Within one year of entry into force, Member States must designate one or more national competent authorities responsible for enforcing the sovereignty framework.
  • Adopt National Strategies (Article 7): Member States must establish national cloud and AI strategies within one year, aligned with CADA objectives.
  • Establish Data Centre Acceleration Zones (Article 10): Member States must designate at least one data centre acceleration zone within six months of entry into force to accelerate deployment.

What this means for you

In-House Counsel / Compliance Officers at Cloud Providers

  • Audit Readiness: If you target the EU public sector, begin auditing your supply chain and data residency practices now. You must prove where your data, infrastructure, and personnel are located. For Levels 2–4, you must demonstrate that no third-country entity can compel you to access data or disrupt service.
  • Subcontractor Management: You are responsible for your subcontractors. Ensure they meet the same establishment and location requirements as you do for the relevant assurance level.
  • Competent Authority Engagement: Identify the national competent authority in your Member State of establishment. Prepare to engage with them for the recognition process. The 60-day assessment clock starts upon submission, so have your audit evidence ready.
  • SME Advantage: If you are an SME, note that your Level 1 EU statement of conformity is automatically recognised across the Union, bypassing the national competent authority's prior recognition step (Article 17(3)).

In-House Counsel / Compliance Officers at Public Sector Bodies

  • Inventory Your Cloud Usage: Map all current and planned cloud contracts. Classify each based on whether it supports activities contributing to public order.
  • Initiate Risk Assessments: Start drafting your risk assessment methodology now. You have one year from the application date to complete the first assessment. The Commission will provide guidance and templates, but early preparation is key.
  • Review Procurement Templates: Update your standard cloud procurement documents to include mandatory references to Union Assurance Levels. Ensure your evaluation criteria include the "EU added value" non-price criteria required by Article 32.
  • Plan for Migration: If your current provider does not hold the required assurance level, plan for migration. Article 29(6) allows a maximum 12-month transition period for migration if a risk assessment requires it.

For Member State Authorities

  • Designation Deadline: Ensure your national competent authority is designated and notified to the Commission within one year of entry into force (Article 25).
  • Strategy Alignment: Draft your national cloud and AI strategy to align with CADA's objectives, including the "AI first" principle and data centre acceleration goals (Article 7).

Common misconceptions

"CADA applies to all companies using AI." Incorrect. CADA primarily regulates cloud computing services and their provision to the public sector. While it supports AI development through initiatives like the AI Leadership Initiative, it does not impose direct compliance obligations on private companies merely for using AI, unlike the AI Act.

"We can self-certify for any level." Incorrect. Only Level 1 allows for a self-assessment (EU statement of conformity). Levels 2, 3, and 4 require independent third-party audits by accredited auditing organisations (Article 20).

"Third-country providers can never sell to the EU public sector." Not entirely. A cloud computing service provider controlled by a third country can be audited for Union Assurance Level 3 if the Commission adopts an implementing act recognising that third country as providing sufficient safeguards (Article 18). This requires the third country to have an adequacy decision under GDPR and no laws enabling control over the provider that conflicts with EU data protection or service continuity. However, Level 4 explicitly prohibits third-country control.

"The rules apply immediately upon publication." Incorrect. Article 48 states the Regulation applies from one year after its entry into force. Entry into force occurs 20 days after publication in the Official Journal. Therefore, there is a significant lead time (approximately 1 year and 20 days) before obligations kick in. However, preparatory steps like designating authorities and conducting initial risk assessments must be completed within that first year of application.

This is general information about a draft EU regulation, not legal advice.