Summary
To appear in the CADA central repository, a provider must first obtain recognition for its service at one of the four Union assurance levels under Article 17. The provider cannot register itself; once recognition is granted, the national competent authority of establishment registers the recognised service in the repository, as required by Article 22(2). Listing is a consequence of successful recognition, not a standalone step. CADA is a draft proposal, so none of these obligations apply yet; the practical steps below describe what would be required if it is adopted as proposed.
Detail
CADA proposes a Union cloud computing sovereignty framework to help public-sector bodies and Union entities choose trusted cloud services. The central repository is the public record of which services have been recognised. Providers do not "sign up" to it: the path runs through recognition under Article 17, and only then through registration under Article 22(2).
The prerequisite: recognition under Article 17
A service reaches the repository only after being recognised at a specific Union assurance level (1, 2, 3 or 4) under Article 17.
The provider applies to the national competent authority of establishment, and the evidence required depends on the level sought:
- Level 1. Submit the EU statement of conformity issued under Article 19 and all necessary evidence (Article 17(3)). For an SME, the level 1 statement of conformity is, by derogation, directly and automatically recognised in all Member States without prior recognition by the evaluating authority (Article 17(3)).
- Levels 2, 3 and 4. Submit the audit report and the "positive" audit opinion from an independent auditing organisation (Article 20), together with all the evidence given to that organisation during the audit (Article 17(4)).
Once the application is accepted, the evaluating national competent authority has 60 days to assess the evidence. If it is sufficient, the authority prepares a draft recognition decision and notifies the other Member States' authorities for a 60-day review period, during which they may raise a reasoned objection or request clarification (Article 17(5)). If no objection is raised, the evaluating authority adopts the recognition decision and the service is recognised throughout the Union (Article 17(7)).
The registration: Article 22(2)
Registration is performed by the authority, not the provider. Article 22(2) states: "The national competent authority of establishment that recognised a cloud computing service under Article 17 shall register the cloud computing service in the central repository." The Commission establishes and maintains the repository itself (Article 22(1)), but the data entry for a recognised service is the duty of the Member State authority that granted recognition.
What the repository records
The repository is publicly available and regularly updated (Article 22(4)) and serves as the reference for public-sector buyers. If a service is not in the repository, it cannot be procured under the mandatory rules in Article 30, except where a derogation in Article 30(4) applies (for example, no adequate recognised alternative exists). The repository also records negative outcomes: under Article 22(3), the revocation of an audit report and opinion by an auditing organisation, or the revocation of a recognition by a competent authority, must be published and remain available for five years.
The authority of establishment
The authority of establishment is the national competent authority in the Member State where the provider is established, and it has exclusive competence for the recognition and enforcement of the sovereignty framework chapter (Article 25(4)). In practice this means a single point of entry: a provider established in, say, Germany deals with the German authority, which evaluates the application, issues the recognition, and registers the service in the EU-wide repository. A recognition granted there is valid across the Union.
The cross-border review you should plan for
The single point of entry does not mean a single set of eyes. Once the evaluating authority prepares a draft recognition decision, it notifies the other Member States' authorities for a 60-day review period, sending them the evidence you submitted (Article 17(5)(a)). During that period any of them may raise a reasoned objection or request clarification if it considers the draft does not comply with the applicable Annex II level (Article 17(6)). If no objection is raised, the conclusions are deemed accepted and the recognition is adopted (Article 17(7)); if an objection is maintained, the matter can be referred to the Commission for a binding decision (Article 17(10)). The practical message for providers: prepare evidence that will withstand scrutiny by authorities beyond your own Member State, because they can object.
If you are controlled by a third country
Being under third-country control is not, by itself, a bar. Level 1 in Annex II sets conditions for such providers rather than excluding them (for instance, a guarantee about software-vulnerability reporting laws in the controlling country). For level 3, the route runs through Article 18: the Commission may identify "associated third countries" whose controlled providers may be audited against the level 3 criteria, where that country meets cumulative conditions such as a relevant GDPR adequacy decision and the absence of measures conflicting with lawful-access, service-continuity and open-market requirements. If you are pursuing that route, confirm your controlling country's status before investing in an audit.
What this means for you
If you are a provider aiming to sell to the EU public sector, your effort goes into the recognition process; the listing then follows automatically. There is no fee to pay or form to file to "get listed."
- Choose your target level. Most public-sector activities require at least level 1; public-order-relevant activities (national security, defence, justice, law enforcement, and the critical sectors under NIS2) require levels 2, 3 or 4 depending on the buyer's risk assessment under Article 29.
- Prepare the evidence.
  - For level 1, make the EU statement of conformity robust and grounded in a real Article 19 self-assessment. If you are an SME, that statement alone triggers automatic recognition.
  - For levels 2-4, engage an independent auditing organisation early; you need a "positive" opinion. The audit is assessed against the Annex II criteria — which include EU establishment, EU location of infrastructure and data, cybersecurity certification once a relevant scheme exists, and subcontractor transparency — using the audit evidence set out in Annex III. The audit is at your own expense (Article 20(1)).
- Engage your authority of establishment. Submit to the authority in your Member State of establishment and plan for the 60-day evaluation and 60-day cross-border review periods.
- Maintain compliance. Recognition is not permanent. Article 23 requires you to notify the auditing organisation and the competent authority of material changes that may affect your audit report, opinion or recognition. If recognition is revoked, it is published in the repository for five years.
Common misconceptions
"Providers register themselves in the repository." There is no self-service upload. Article 22(2) puts registration on the national competent authority. Your job is to supply the evidence for recognition; the authority records the outcome.
"Getting listed is irrelevant for private-sector sales." The binding procurement rules in Article 30 apply to public-sector bodies and Union entities. But the repository is a public market signal, and private entities in NIS2 critical sectors may carry out similar assessments under Article 31. A level 3 or 4 listing can be a competitive advantage in private tenders even where it is not legally required.
"Level 1 recognition is just a paper exercise." For SMEs, level 1 recognition is automatic on issuing the EU statement of conformity (Article 17(3)), but the statement must rest on a documented conformity self-assessment under Article 19, and the provider assumes responsibility for it. If the authority later finds the information was incorrect or misleading, it can revoke recognition (Article 17(11)), with the revocation published for five years.
"Listing equals permanent compliance." For levels 2-4 the audit report and opinion are reviewed annually (Article 20(8)), and recognition can be amended or revoked at any point under Articles 17, 20 and 23.
"An audit is a one-off cost." The independent audit is at your own expense (Article 20(1)), and because the report and opinion are submitted for annual review (Article 20(8)), maintaining a level 2-4 listing is a recurring commitment rather than a single project. Budget for the ongoing auditor relationship, not just the initial audit, and note that the auditing organisation must be independent of you, with no disqualifying non-audit work in the surrounding period and no contingent fees (Article 20(4)).
This is general information about a draft EU regulation, not legal advice.