Summary
As proposed, the Cloud and AI Development Act (CADA) would create a single, publicly accessible online register of cloud services that meet specific EU sovereignty standards. This central repository, maintained by the European Commission, lists services recognized as trustworthy for public-sector use. To keep the list accurate, recognized providers have a duty to report, as soon as they become aware of it, any material change to their security or legal status. This is intended to keep the marketplace transparent, reliable, and up-to-date for public-sector buyers across the Union.
Detail
The core of CADA's marketplace transparency is a shift from fragmented, national trust mechanisms to a unified EU-wide system. Currently, public authorities across Europe struggle to verify which cloud providers meet strict sovereignty and security criteria, often relying on disparate national lists. CADA addresses this by establishing a Union cloud computing sovereignty framework with four assurance levels. The transparency of this framework relies on two key pillars: a central public register and strict reporting duties for providers.
The Central Repository (Article 22)
Article 22 of the CADA proposal mandates the creation of a dedicated "central repository" of cloud computing services. This is not merely an internal database; it is a public-facing tool designed to facilitate secure and efficient information exchange between public-sector customers, auditing organizations, competent authorities, and the Commission.
Under this article, the Commission is required to establish and maintain this repository. When a cloud computing service provider successfully undergoes the recognition process for one of the four Union assurance levels (ranging from Level 1, the baseline, to Level 4, the highest), its service is registered in this central hub. The national competent authority responsible for the recognition is tasked with ensuring the service is listed.
Crucially, the repository is publicly available. It is hosted on a dedicated, easily accessible website and is updated regularly by both the Commission and the national competent authorities. This transparency allows public procurement officers to instantly verify whether a vendor holds the necessary sovereignty credentials without navigating complex national bureaucracies.
The repository also serves as a record of negative outcomes. If a service's recognition is revoked (whether by an auditing organization or a competent authority due to non-compliance), the revocation is published in the central repository and remains visible for five years. This ensures that the public record reflects both current trustworthiness and historical compliance issues, preventing providers from simply disappearing and reappearing under a new guise.
The Duty to Keep It Honest (Article 23)
A public list is only as good as its accuracy. Article 23 imposes strict transparency obligations on recognized cloud computing service providers to ensure the repository remains reliable. Providers cannot simply obtain a certification and forget about it; they must actively maintain their status.
The key requirement is the duty to notify. If a provider becomes aware of any information or material change in circumstances that could affect their audit report, their "positive" audit opinion, or their official recognition under the sovereignty framework, they must notify the auditing organization and the national competent authority of their establishment as soon as possible.
What constitutes a "material change"? The proposal leaves the detailed technical criteria to secondary legislation, but it indicates that the term covers any shift that undermines the provider's compliance with the criteria of its assurance level. This could include changes in ownership that introduce third-country control, failures to maintain the required cybersecurity standards, or shifts in data localization practices that no longer keep data within the Union.
Once notified, the auditing organization must assess whether the audit report or opinion needs to be amended or revoked. If changes are made, the auditor must notify the competent authority. The competent authority then assesses whether the official recognition needs to be amended or revoked. If recognition is revoked, the authority must notify other Member States and the Commission, ensuring the central repository is updated promptly. This creates a closed loop of accountability, preventing providers from maintaining a "trusted" status while their underlying security or legal posture deteriorates.
What this means for you
For public-sector procurement officers, IT managers, and citizens concerned about data sovereignty, this framework simplifies vendor due diligence and reduces risk.
- Simplified Vendor Verification: Instead of conducting separate, resource-intensive background checks for each procurement, you can consult the central repository to identify pre-verified providers. This reduces administrative burden and accelerates procurement timelines.
- Dynamic Risk Management: The transparency obligations under Article 23 mean that the list is not static. If a provider's security posture changes, the system is designed to flag this. Procurement officers can rely on the repository as a living document, knowing that significant compliance failures will trigger updates and potential delisting.
- Standardized Criteria: By using services listed in the repository, you align with a harmonized EU standard for sovereignty and security. This supports the CADA objective of reducing fragmentation and ensures that public data is handled according to consistent, high-level safeguards across all Member States.
Common misconceptions
- "Any cloud provider can join the list." This is incorrect. Only providers that have successfully undergone the recognition process (independent third-party audits for Levels 2, 3, and 4, or self-assessment for Level 1) and been formally recognized by a national competent authority can appear in the repository.
- "Listing means permanent immunity from scrutiny." The repository is not a one-time certification. Article 23 requires providers to notify the auditing organization and the competent authority of material changes as soon as possible, and those notifications can lead to the audit opinion or the recognition being amended or revoked. Providers can be delisted if they fail to maintain compliance, and revocations remain public for five years.
- "This replaces national security clearances." While CADA harmonizes baseline sovereignty criteria, national authorities still determine the specific assurance level required for different public-sector activities based on risk assessments (Article 29). The repository provides the data, but the risk-based decision on which level to procure remains with the public authority.
Related
- CADA Transparency Obligations: Why Article 23 Matters for Public Buyers
- CADA Marketplace Transparency: How Articles 22 & 23 Build Trust
- Why list in the CADA repository? Public procurement access & market advantage
- Who sets the penalties for CADA transparency infringements?
- Who enforces CADA transparency obligations on cloud providers?
This is general information about a draft EU regulation, not legal advice.