Summary

The proposed Cloud and AI Development Act (CADA) establishes a marketplace transparency model anchored in Article 22 and Article 23 to verify the sovereignty of cloud services. This dual-layer system combines a central repository of recognised services with mandatory disclosure duties for providers to report material changes. Together, these provisions ensure that public-sector buyers have access to reliable, up-to-date data on which providers meet specific Union assurance levels, thereby building trust through verified transparency and continuous monitoring of the sovereign cloud ecosystem.

Detail

The proposed Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, aims to reduce the EU's dependence on non-European cloud providers by establishing a harmonised sovereignty framework. A critical component of this framework is the CADA marketplace transparency model, which relies on two complementary provisions: the establishment of a central repository and the imposition of ongoing transparency obligations on providers. These mechanisms work together to ensure that the information public-sector contracting authorities rely on for procurement decisions is accurate, current, and trustworthy.

The Central Repository: A Single Source of Truth (Article 22)

Article 22 of the CADA proposal mandates the European Commission to establish and maintain a dedicated central repository of cloud computing services. This repository serves as the single source of truth for the EU market regarding sovereign cloud capabilities, acting as the public-facing interface for the Union assurance framework.

Under Article 22(1), the Commission is tasked with creating this repository to list cloud computing services that have been formally recognised under Article 17 as offering a specific Union assurance level (Levels 1 through 4). This recognition is not automatic; it follows a rigorous assessment process involving national competent authorities and, for higher assurance levels (2, 3, and 4), independent third-party audits.

The operational mechanics of the repository are defined in Article 22(2), which requires the national competent authority of establishment to register the service in the central repository once recognition is granted. This creates a clear chain of responsibility: the provider applies, the national authority verifies the evidence, and the service is listed centrally. This ensures that the data in the repository is the result of a formal administrative act, not a self-declaration.

Crucially, Article 22(4) stipulates that the central repository must be "publicly available and regularly updated" and hosted on a "dedicated and easily accessible website." This public accessibility is the cornerstone of the transparency model. It allows public-sector buyers, auditing organisations, and other stakeholders to easily identify which providers have met the strict criteria for Union assurance levels without needing to navigate fragmented national databases.

Furthermore, the repository acts as a permanent record of integrity. Article 22(3) requires that any revocation of an audit report, audit opinion, or official recognition must be published in the repository and remain available there for five years. This historical record ensures that past non-compliance or failures are visible, preventing providers with a history of sovereignty breaches from easily re-entering the market without disclosure. It provides a "blacklist" function that is essential for risk-averse public procurement.

Provider Disclosure Duties: Keeping the Data Alive (Article 23)

While the central repository provides the static list of compliant services at a given moment, Article 23 ensures that this list remains accurate over time by imposing dynamic transparency obligations on cloud computing service providers. Cloud environments are complex and constantly evolving; a provider's compliance status can change due to shifts in infrastructure, subcontracting arrangements, ownership structures, or legal jurisdictions.

Article 23(1) requires recognised cloud computing service providers to notify both their auditing organisation and the national competent authority of establishment "as soon as possible" upon becoming aware of any information or material change in circumstances that may affect their audit report, positive opinion, or recognition status.

This duty of disclosure is broad and covers critical sovereignty factors. A "material change" could include:

  • Changes in the provider's ownership or control structure (e.g., acquisition by a third-country entity).
  • Relocation of infrastructure or data storage outside the Union.
  • Changes in subcontracting arrangements that introduce new third-country risks.
  • Any incident that compromises the operational autonomy or data confidentiality guaranteed by the Union assurance level.

Once notified, the auditing organisation must assess whether the audit report or opinion needs to be amended or revoked (Article 23(2)). If the auditor determines that compliance is no longer met, they must notify the national competent authority. Similarly, the national competent authority must assess whether its recognition needs to be amended or revoked and notify other Member States and the Commission if it does (Article 23(3)).

This feedback loop ensures that the central repository under Article 22 is not a static snapshot but a living record. If a provider fails to disclose a material change, or if a change renders their service non-compliant, the recognition can be withdrawn, and the repository updated accordingly. This mechanism prevents "zombie" listings where a provider remains listed despite losing their sovereign status.

How the Two Provisions Reinforce Trust

The CADA marketplace transparency model relies on the synergy between Article 22 and Article 23 to build trust in the sovereign cloud market. Without both elements, the system would be vulnerable to either obsolescence or lack of visibility.

  1. Verification and Visibility (Article 22): Article 22 provides the necessary visibility. Without a central, public repository, public-sector buyers would face significant due diligence costs to verify each provider's sovereignty claims individually. The repository standardises this information, reducing friction and enabling efficient procurement. It transforms complex technical and legal assessments into a simple, accessible "yes/no" status for each assurance level.
  2. Continuity and Accountability (Article 23): Article 23 provides the necessary continuity. Trust is easily broken if a provider's status changes unnoticed. By legally mandating the disclosure of material changes, CADA ensures that the "trust" placed in a recognised service is continuously validated. It shifts the burden of monitoring from the buyer to the provider, ensuring that the provider is the first to know and report when their status is compromised.
  3. Market Discipline: The combination of public listing and mandatory disclosure creates powerful market discipline. Providers know that any deviation from their certified sovereignty standards must be reported and will be publicly recorded (including past revocations). This discourages "sovereignty washing" and encourages providers to maintain robust governance structures, as the reputational cost of a revocation published in the repository is high.

For public-sector entities, this model means they can rely on the central repository for their initial due diligence, confident that the data is maintained through rigorous provider obligations and national oversight. The transparency model effectively turns the sovereign cloud market into a verified marketplace where trust is institutionalised rather than assumed.

What this means for you

For public-sector procurement officers and compliance teams, the CADA marketplace transparency model simplifies the process of sourcing compliant cloud services while reinforcing the legal basis for your purchasing decisions.

  • Streamlined Due Diligence: Instead of conducting deep-dive audits on every potential vendor, you can consult the central repository established under Article 22. If a service is listed with the appropriate Union assurance level (Level 1, 2, 3, or 4) for your specific risk assessment needs, it has already undergone the necessary verification by a national competent authority.
  • Ongoing Compliance Monitoring: You are not solely responsible for monitoring a provider's compliance post-contract. Article 23 places the onus on the provider to report material changes. However, you should still monitor the repository for updates to your provider's status. If a provider's recognition is revoked or amended, this will be reflected in the repository, alerting you to potential risks to your operations or data sovereignty.
  • Risk-Based Procurement: The transparency model supports the risk-based approach mandated by CADA. By knowing exactly which assurance level a service holds, you can align your procurement with the risk assessments required under Article 29. For example, if your risk assessment determines that Level 3 assurance is required for a specific public order activity, you can filter the repository for services recognised at that level.
  • Documentation for Audits: The repository serves as evidence of your compliance with CADA's procurement rules. When audited, you can demonstrate that you procured services from providers listed in the central repository, thereby fulfilling your obligation to use recognised sovereign services.

Common misconceptions

  • "The repository is a certification body." The repository itself does not certify services. It is a listing mechanism. Certification and recognition are performed by national competent authorities and independent auditing organisations, as outlined in Article 17 and Article 20. The repository merely publishes the outcome of these processes.

  • "Listing in the repository guarantees perpetual compliance." No. Compliance is dynamic. Article 23 requires providers to report changes, and recognitions can be revoked. A service listed today may be removed tomorrow if a material change occurs and is not remediated. Procurement officers must treat the repository as a current-state indicator, not a permanent warranty.

  • "Only EU-based providers can be listed." While the criteria for Union assurance levels strongly favour EU establishment and control, Article 18 allows for the possibility of third-country providers being audited for Level 3 recognition if specific safeguards are met and the Commission adopts an implementing act. The transparency model applies to all recognised services, regardless of origin, provided they meet the criteria.

  • "The repository includes all cloud services." The repository only includes services that have been formally recognised under Article 17. Many cloud services may operate in the EU without seeking this recognition. The repository is a filter for sovereign, assured services, not a comprehensive directory of all cloud providers.

This is general information about a draft EU regulation, not legal advice.