Summary

Under the proposed Cloud and AI Development Act (CADA), the national competent authority (NCA) of establishment serves as the sole gatekeeper for the EU's central repository of sovereign cloud services. While the European Commission maintains the technical platform, the NCA of establishment is exclusively responsible for registering services it has recognised, amending entries upon material changes, and revoking entries when compliance fails. Crucially, Article 23(3) mandates that the NCA must promptly notify the Commission and all other Member States' NCAs of any such amendments or revocations, ensuring the repository remains a single, current source of truth for public procurement across the Union.

Detail

The CADA proposal establishes a "Union cloud computing sovereignty framework" designed to mitigate strategic dependencies on non-European providers. Central to this framework is the central repository of recognised cloud computing services. However, the proposal deliberately separates the technical maintenance of the database from the legal authority to validate services. The Commission acts as the administrator, but the national competent authority of establishment acts as the legal validator and data curator.

Defining the "Authority of Establishment"

The role is tied strictly to the provider's location. Under Article 25(4), the "competent authority of establishment" is defined as the authority in the Member State where the cloud computing service provider has its main establishment. This is the location where the provider has its head office or registered office from which the principal financial functions and operational control are exercised.

This authority holds exclusive competence for enforcing the sovereignty chapter (Title IV) regarding that provider. Consequently, it is the only body empowered to make the legal decisions that populate the central repository. Other Member States' authorities act as observers or recipients of notifications but do not hold independent registration power for that specific provider.

Registration Obligations: The Gatekeeper Function

The primary function of the NCA of establishment is to translate a successful recognition decision into a public record. The process varies by assurance level:

  • Level 1: Based on a self-assessment and EU statement of conformity (Article 19).
  • Levels 2–4: Based on an independent third-party audit and a "positive" audit opinion (Article 20).

Once the NCA of establishment has completed its assessment and adopted a recognition decision under Article 17, it must immediately formalise this status. Article 22(2) explicitly mandates: "The national competent authority of establishment that recognised a cloud computing service under Article 17 shall register the cloud computing service in the central repository."

This registration is the legal trigger that makes the service eligible for public procurement. Without this entry, a service cannot be legally procured by contracting authorities under Article 30, regardless of the provider's claims. The NCA does not merely upload a document; it certifies that the provider meets the cumulative criteria of Annex II for the specific assurance level.

Dynamic Maintenance: Amendments and Revocations

The repository is not a static list; it is a dynamic compliance dashboard. The NCA of establishment bears the ongoing responsibility to ensure the data reflects the current reality of the provider's operations.

The Trigger for Change: A change to an entry can be set in motion by two main mechanisms:

  1. Provider Notification: Under Article 23(1), providers must notify the NCA of any material changes in circumstances that could affect their recognition (e.g., change in ownership, infrastructure location, or cybersecurity status).
  2. Independent Discovery: The NCA may discover non-compliance through its own investigative powers under Article 26 or via cross-border cooperation requests.

The Obligation to Act: Upon receiving a notification or discovering a discrepancy, the NCA must assess whether its recognition needs to be amended or revoked. Article 23(3) states: "Where the national competent authority of establishment amends or revokes its recognition of the cloud computing service, it shall, as soon as possible, notify the national competent authorities of the other Member States and the Commission."

This creates a strict chain of action:

  1. Assessment: The NCA evaluates the material change.
  2. Decision: The NCA decides to amend (e.g., downgrade the assurance level) or revoke the recognition entirely.
  3. Update: The NCA updates the entry in the central repository to reflect the new status.
  4. Notification: The NCA notifies the Commission and all other Member States.

The "Five-Year" Rule: The proposal ensures that non-compliance leaves a lasting mark. Article 22(3) specifies: "The revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years."

This provision serves as a "blacklist" mechanism. Even if a provider rectifies the issues and re-applies, the historical record of the revocation remains visible for five years. A provider therefore cannot "reset" its reputation simply by waiting a short while and re-registering; public buyers retain transparency over the service's compliance history for the full period.

The Cross-Border Notification Chain

The most critical operational requirement for the NCA of establishment is the notification obligation. Because the repository is a single Union-wide tool, a change in one Member State must be reflected across the entire single market as soon as possible.

Article 23(3) creates a mandatory notification loop:

  • To the Commission: Ensures the central platform is updated immediately.
  • To Other Member States: Ensures that NCAs in other jurisdictions know that a provider whose services contracting authorities in their territory may be considering, or already using, is no longer compliant.

This mechanism prevents regulatory arbitrage. Without this obligation, a provider whose recognition had been revoked by the German authority could, in theory, continue to be treated as compliant by contracting authorities in France if the French authority was unaware of the German decision. The exclusive competence of the authority of establishment, combined with the mandatory notification, ensures a single, unified status for every provider across the EU.

Enforcement Powers Supporting the Repository

To ensure the repository remains accurate, the NCA of establishment is equipped with robust enforcement tools under Article 26. These include:

  • Investigative Powers: The right to require information, conduct inspections, and seize data.
  • Enforcement Powers: The right to order the cessation of infringements and impose fines or periodic penalty payments.

If a provider fails to notify the NCA of a material change (violating Article 23(1)), the NCA can initiate enforcement proceedings. If the NCA finds that the provider no longer meets the criteria, it exercises its power under Article 17(11) to revoke the recognition. This revocation then triggers the update and notification obligations described above. Thus, the repository's accuracy is underpinned by the NCA's ability to penalise non-cooperation.

What this means for you

For legal counsel, compliance officers, and public procurement teams, the role of the NCA of establishment dictates your strategy for market access and risk management.

1. Identify Your "Home" Regulator Immediately

Your primary regulatory relationship is not with the Commission, nor with the authorities in the countries where you sell services. It is exclusively with the NCA of establishment in the Member State of your main establishment.

  • Action: Verify your legal definition of "main establishment" (head office vs. registered office) and identify the specific NCA designated by that Member State under Article 25.
  • Risk: If you misidentify this authority, your recognition application may be rejected, or your notifications may be ignored, leading to a failure to register in the repository.

2. Treat Notifications as Critical Compliance Events

Under Article 23, the duty to notify is continuous. It is not enough to register once.

  • Action: Establish an internal trigger mechanism. Any change in ownership structure, infrastructure location, subcontractor status, or cybersecurity certification must be reported to the NCA of establishment immediately.
  • Consequence: Failure to notify can lead to the NCA revoking your recognition. Once revoked, your entry in the central repository is updated, and you are immediately ineligible for public contracts requiring that assurance level across the entire EU.

3. Understand the "Five-Year" Reputational Risk

The repository is a public record. Article 22(3) ensures that any revocation remains visible for five years.

  • Action: Implement rigorous internal governance to avoid revocation. A revocation is not just a temporary suspension; it is a public record of non-compliance that will be visible to all potential public-sector clients for half a decade.
  • Strategy: If a revocation occurs, prepare a remediation plan that addresses the specific criteria failure. Any re-application will have to demonstrate that the root causes have been fully resolved, and the revocation record stays visible in the repository for the remainder of the five-year period even if recognition is regained.

4. Monitor the Repository for Supply Chain Risks

If you are a public sector body or a prime contractor relying on subcontractors, you must actively monitor the repository.

  • Action: Do not rely on a provider's self-declaration. Check the central repository regularly.
  • Trigger: If an NCA of establishment revokes a subcontractor's recognition, the repository will be updated, and the notification will be sent to all Member States. You must have contractual clauses that allow for immediate termination or migration to maintain your own compliance with Article 30.

Common misconceptions

Misconception: The European Commission registers cloud services. Reality: The Commission maintains the technical infrastructure of the central repository (Article 22(1)), but it has no power to assess, register, or revoke individual services. That authority is reserved exclusively to the national competent authority of establishment (Article 22(2)). The Commission's role is administrative and supervisory.

Misconception: A provider can be "partially" recognised (e.g., valid in France but not in Germany). Reality: CADA establishes a single market framework. Once the NCA of establishment recognises a service, that recognition is valid across the entire Union (Article 17(7)). Other Member States cannot independently reject a valid recognition unless they follow the specific objection procedures in Article 17, which are limited and subject to Commission arbitration. The repository reflects this single, unified status.

Misconception: Revocation is permanent and bans the provider forever. Reality: Article 22(3) requires a revocation to remain published in the repository for five years, but this is a historical record, not a permanent ban. The provision as quoted sets no waiting period before a provider may re-apply; what it guarantees is that, for the whole five-year window, every contracting authority consulting the repository will see that the service's recognition was once revoked, whatever the provider's current status.

Misconception: The NCA only acts if the provider tells them something changed. Reality: While Article 23 places a duty on providers to notify changes, the NCA of establishment also has active investigative powers under Article 26. The NCA can initiate audits, request information, and revoke recognition based on its own findings or cross-border cooperation, independent of the provider's voluntary notifications.

This is general information about a draft EU regulation, not legal advice.