Summary
Under the proposed Cloud and AI Development Act (CADA), the national competent authority (NCA) of a cloud provider's main establishment acts as the sole "evaluating" authority for the Union cloud computing sovereignty framework. As set out in Article 17, this NCA assesses applications for Union assurance levels, coordinates with other Member States during a review period, and grants recognition that is valid across the entire EU. The NCA holds the power to revoke recognition if a provider "intentionally or negligently" supplied incorrect information and serves as the primary point of contact for cross-border disputes, which can be escalated to the European Commission for a binding decision if Member States cannot agree.
Detail
The CADA proposal establishes a harmonised Union cloud computing sovereignty framework to reduce dependencies on non-European providers and safeguard public order. Central to this framework is the recognition mechanism for cloud computing services offering specific "Union assurance levels" (Levels 1 through 4). The national competent authority plays a pivotal role in this process, acting as the evaluating body that validates whether a cloud computing service provider (CSP) meets the stringent criteria set out in Annex II.
The Evaluating National Competent Authority
When a cloud computing service provider seeks recognition for a Union assurance level, it must submit an application to the national competent authority of its establishment. As explicitly stated in Article 17(1), this authority becomes the "evaluating national competent authority." This single point of contact simplifies the process for providers, who do not need to apply separately in each Member State. Instead, a successful recognition in one Member State is deemed accepted by all, ensuring the free movement of sovereign cloud services within the Union.
The evaluating NCA is not isolated in its assessment. Article 17(2) allows the evaluating authority to request collaboration from competent authorities in other Member States if necessary. This is particularly relevant for cross-border services or when infrastructure is located in multiple jurisdictions. The requested authority has 15 days to confirm its agreement to collaborate or refuse the request. This cooperation ensures that the evaluation is comprehensive and accounts for any specific national security or data protection concerns that may arise in Member States where the service is deployed.
The Recognition Procedure and Timelines
The proposal sets strict deadlines for the evaluating NCA to ensure regulatory predictability. Upon accepting an application, the evaluating NCA has 60 days to assess the evidence submitted by the provider. This evidence typically includes an EU statement of conformity for Level 1 or a positive audit report and audit opinion for Levels 2, 3, and 4.
During this 60-day period, the evaluating NCA may:
- Prepare a draft recognition decision: If the evidence is sufficient, the NCA notifies other Member States for a 60-day review period.
- Request further information: If the evidence is insufficient, the NCA can request more data, suspending the 60-day clock for up to 30 days (or longer if justified).
- Reject the request: Before rejection, the provider must be given 30 days to provide written comments.
If no reasoned objection is raised by other Member States during the review period, the evaluating NCA adopts the recognition decision, and the service is recognised throughout the Union. However, if objections are raised, the evaluating NCA must assess them and either maintain or revoke its draft decision. If disagreements persist, the matter can be referred to the European Commission, which will adopt a binding decision to resolve the dispute.
Revocation of Recognition
Recognition is not permanent. The evaluating NCA retains the authority to withdraw recognition if it finds that the provider has acted in bad faith. Article 17(11) explicitly states that the evaluating national competent authority may revoke its recognition if it finds that a cloud computing service provider "intentionally or negligently, supplied incorrect or misleading information." This provision underscores the importance of accuracy in the application and ongoing transparency obligations. Providers must also report material changes in circumstances that could affect their compliance, which may trigger a reassessment or revocation by the NCA.
Powers and Resources
To perform these tasks effectively, Member States must ensure their designated NCAs have sufficient resources, expertise, and technical means. Article 25 requires NCAs to perform their tasks in an impartial, transparent, and timely manner. Furthermore, Article 26 grants these authorities investigative powers, including the ability to require information from providers and auditing organisations, carry out inspections, and impose fines or periodic penalty payments for non-compliance. This enforcement capacity is crucial for maintaining the integrity of the sovereignty framework.
What this means for you
For in-house counsel and compliance officers at cloud computing service providers, the role of the NCA dictates your primary regulatory interface and risk management strategy.
- Single Point of Entry: You will engage primarily with one NCA: the one in the Member State where your provider has its main establishment (head office or registered office). Ensure your legal entity structure aligns with your operational reality, as this determines which NCA evaluates your application.
- Evidence Preparation: The NCA's assessment is evidence-based. For Level 1, this means a robust self-assessment and EU statement of conformity. For Levels 2 to 4, it requires a positive audit opinion from an accredited auditing organisation. Your compliance team must ensure that the audit evidence aligns precisely with the criteria in Annex II and the evidence requirements in Annex III.
- Timeliness is Critical: The 60-day evaluation clock can be suspended if your evidence is incomplete. Prepare comprehensive applications to avoid delays. If the NCA requests further information, respond promptly within the specified time limit to keep the process moving.
- Cross-Border Cooperation: Be prepared for the evaluating NCA to consult with authorities in other Member States. While you deal with the home NCA, ensure your operations in other jurisdictions do not present unforeseen compliance gaps that could lead to objections from destination authorities.
- Ongoing Compliance: Recognition can be revoked for intentional or negligent misrepresentation. Maintain rigorous internal controls and monitoring to ensure that any material changes in your service or infrastructure are reported to both your auditing organisation and the NCA as required by Article 23.
Common misconceptions
- "Recognition is granted by the Commission." Incorrect. The European Commission maintains the central repository of recognised services and resolves disputes, but the actual recognition decision is adopted by the evaluating national competent authority of the provider's establishment.
- "Each Member State must approve the service independently." Incorrect. The proposal establishes a mutual recognition mechanism. Once the evaluating NCA grants recognition and no other Member State raises a reasoned objection (or the Commission resolves any objections in the provider's favour), the service is recognised across the entire Union.
- "The NCA conducts the audit." Incorrect. For Union assurance levels 2, 3, and 4, independent third-party auditing organisations conduct the audits. The NCA evaluates the audit report and the evidence provided by the provider, but it does not perform the technical audit itself. For Level 1, the provider conducts a self-assessment, which the NCA then reviews.
- "Recognition is permanent once granted." Incorrect. Recognition is subject to revocation if the provider supplied incorrect or misleading information, or if material changes occur that affect compliance. The NCA and auditing organisations have the power to amend or revoke recognition based on new information.
This is general information about a draft EU regulation, not legal advice.