Summary

Under the proposed Cloud and AI Development Act (CADA), the central repository of recognised cloud services (Article 22) serves as the mandatory verification tool for public-sector procurement, ensuring that public-order activities are supported by appropriately sovereign infrastructure. Contracting authorities must use this repository to identify services recognised at Union assurance levels 2, 3, or 4, which are required for activities contributing to the preservation of public order as determined by national risk assessments (Article 30(3)). This mechanism directly links the EU's sovereignty tiers to sensitive sectors, preventing the procurement of non-compliant services for critical functions.

Detail

The CADA proposal establishes a rigorous framework to mitigate the risks associated with the EU's dependence on third-country cloud providers, particularly for activities that underpin public order. The relationship between the central repository and public-order requirements is structural: the repository provides the verified list of compliant services, while the procurement rules dictate which services from that list must be used for specific high-sensitivity activities.

The Central Repository as the Source of Truth

Article 22 of the CADA proposal mandates the establishment and maintenance of a central repository by the European Commission. This repository contains cloud computing services that have been formally recognised as offering specific Union assurance levels (1, 2, 3, or 4). These levels represent a gradient of sovereignty and security, with Level 1 being the baseline for general public-sector use and Levels 2, 3, and 4 offering increasingly stringent protections against third-country control, data access, and service disruption.

The repository is not merely informational; it is the operational backbone of the CADA compliance framework. National competent authorities register services in this repository only after a rigorous assessment process, which includes conformity self-assessments for Level 1 and independent third-party audits for Levels 2, 3, and 4. As stated in Article 22, the repository shall be publicly available and regularly updated, ensuring that contracting authorities have access to the most current data on which providers meet the EU's sovereignty criteria.

Crucially, Article 22(3) stipulates that the revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years. This ensures that the repository reflects not only current compliance but also historical non-compliance, providing a complete picture of a provider's reliability.

Public-Order Activities and Assurance Levels 2, 3, and 4

Not all public-sector activities carry the same level of risk. CADA distinguishes between general public-sector operations and those that contribute to the preservation of public order. Article 30(3) explicitly states that contracting authorities, including entities acting on their behalf, whose activities have been identified as contributing to the preservation of public order, shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3, or 4.

Public-order activities are defined broadly to include sectors falling under Annex I or II of the NIS2 Directive, as well as areas of national security, internal security, external border management, defence, justice, and law enforcement. These sectors are considered critical because a disruption in service, unauthorised access to data, or undue influence by a third country could undermine the functioning of the state or the safety of citizens.

The Risk Assessment Link

The requirement to use Level 2, 3, or 4 services is not automatic for all public bodies. It is triggered by a risk assessment conducted by Member States and Union entities under Article 29. These assessments identify which specific public-sector activities contribute to public order and determine the appropriate assurance level (2, 3, or 4) based on the sensitivity, criticality, and magnitude of the data processed.

Article 29(1) mandates that these risk assessments be carried out "By [date of entry into force plus 1 year], and thereafter every two years, or whenever necessary." This ensures that the classification of activities remains dynamic and responsive to evolving threats. Furthermore, Article 29(3) empowers the Commission to specify the methodology to be applied, the templates to be used, and the elements to be taken into account for these assessments via implementing acts. This centralised methodology ensures consistency across the Union, preventing divergent national interpretations that could fragment the single market.

Once an activity is classified as public-order relevant, the contracting authority is legally bound to procure only from the subset of providers in the central repository that hold the requisite assurance level. For example, a ministry of defence might require Level 4 services for its most sensitive operations, while a local police force might require Level 3 for general case management. In both cases, the procurement process must filter for these specific levels within the central repository.

Sovereignty Tiers and Sensitive Sectors

The CADA proposal links sovereignty tiers directly to the sensitivity of the sector. Level 1 services, which require only a conformity self-assessment, are sufficient for general administrative tasks that do not impact public order. However, for sensitive sectors, the proposal mandates higher tiers:

  • Level 2: Requires independent audits and ensures that data is not used to train third-country AI systems. It is suitable for less critical public-order activities.
  • Level 3: Adds stricter requirements on personnel (Union citizenship) and cybersecurity certification. It may also allow for third-country providers under strict conditions if the Commission has adopted an implementing act recognising that third country as providing sufficient assurances (Article 18).
  • Level 4: The highest level, requiring that the provider and its subcontractors are not subject to third-country control, and that sensitive data remains exclusively within the Union. This level is reserved for the most critical public-order activities, such as those involving classified information or national security.

By mandating that public-order activities use services from Levels 2, 3, or 4, CADA ensures that the EU's most critical infrastructure is insulated from external threats. The central repository allows contracting authorities to easily verify that a provider meets these stringent criteria before awarding a contract.

Procurement Obligations and Exceptions

Article 30(2) sets the baseline requirement: all Union entities and public-sector bodies whose activities have not been identified as contributing to public order must use services recognised at Union assurance level 1. This creates a two-tiered procurement model: general public-sector bodies use Level 1 services, while public-order bodies use Levels 2, 3, or 4.

However, Article 30(4) provides for exceptions. Contracting authorities may derogate from these requirements on an exceptional basis and where duly justified. This could occur if:

  1. The subject matter of the tender cannot be supplied by recognised cloud computing services available in the central repository, and no adequate or reasonable alternative exists.
  2. The contracting authority has launched a similar procurement process within the previous year but did not receive any suitable tenders.
  3. Applying the requirements would require the contracting authority to procure services at disproportionate cost.

These exceptions are narrow and require strict justification to prevent them from undermining the sovereignty objectives of the regulation.

What this means for you

For public-sector and procurement officers, the CADA proposal introduces a new mandatory step in the cloud procurement process: verification via the central repository.

  1. Conduct Risk Assessments: You must first determine whether your organisation's activities contribute to the preservation of public order. This involves collaborating with national authorities to conduct the risk assessments required under Article 29, ensuring you follow the methodology specified by the Commission under Article 29(3).
  2. Identify Required Assurance Levels: Based on the risk assessment, identify whether your activities require Level 1, 2, 3, or 4 services. If your activities are public-order relevant, you must procure at least Level 2.
  3. Use the Central Repository: Before launching a tender, consult the central repository established under Article 22. Filter for providers that hold the required assurance level. Only these providers are eligible to bid for your contract.
  4. Verify Status: Ensure that the provider's status in the repository is current. The repository is regularly updated, and recognitions can be revoked if a provider no longer complies with the criteria. Check for any revocations published in the last five years as per Article 22(3).
  5. Document Justifications for Exceptions: If you must derogate from the requirement to use recognised services, you must document the justification thoroughly, demonstrating that no adequate alternative exists and that the cost is not disproportionate, as outlined in Article 30(4).

Failure to follow this process could result in non-compliance with CADA, potentially leading to penalties or the invalidation of procurement contracts. Moreover, using non-compliant services for public-order activities exposes your organisation to significant security and sovereignty risks.

Common misconceptions

  • Misconception: All public-sector cloud services must be Level 4.
    • Reality: Only activities identified as contributing to public order require Levels 2, 3, or 4. General administrative tasks can use Level 1 services. The level required depends on the specific risk assessment of the activity.
  • Misconception: The central repository lists all cloud providers in the EU.
    • Reality: The repository lists only those providers that have been formally recognised as meeting the Union assurance levels. Many cloud providers may not be listed because they have not undergone the recognition process or do not meet the criteria.
  • Misconception: Third-country providers can never be used for public-order activities.
    • Reality: While Levels 2 and 4 generally require providers to be established in the Union and not subject to third-country control, Level 3 allows for third-country providers if the Commission has adopted an implementing act recognising that third country as providing sufficient assurances (Article 18). However, this is subject to strict conditions and is not the default.
  • Misconception: Risk assessments are a one-time exercise.
    • Reality: Article 29 requires risk assessments to be carried out initially and then every two years, or whenever necessary. As the threat landscape evolves, the classification of activities and the required assurance levels may change.

This is general information about a draft EU regulation, not legal advice.