Summary

Under the proposed Cloud and AI Development Act (CADA), public-sector buyers must verify cloud services in the Commission-maintained central repository before procurement. You must confirm the service's specific Union assurance level (1–4), the national competent authority that granted recognition, and the validity of the underlying audit or conformity statement. This verification is mandatory for compliance with CADA's procurement obligations and ensures the service meets the sovereignty criteria required for your public-order activities.

Detail

Under the proposed CADA, the European Commission will establish and maintain a central repository of cloud computing services that have been formally recognised as offering specific levels of Union assurance. As set out in Article 22(1), this repository serves as the single source of truth for public-sector bodies and Union entities to identify trusted cloud providers. For procurement officers, this repository is not merely an informational list; it is the legal gateway to compliant sourcing.

When conducting due diligence, a buyer must check several critical data points within the repository entry for any prospective cloud service:

1. The Specific Union Assurance Level

CADA introduces a four-tier sovereignty framework. The repository will clearly indicate whether a service is recognised for Union assurance level 1, 2, 3, or 4. This distinction is vital because Article 30 mandates different procurement thresholds based on your risk assessment.

  • If your activities are not identified as contributing to the preservation of public order, you must procure services recognised at Union assurance level 1 (Article 30(2)).
  • If your activities involve national security, defence, justice, or other public-order-critical sectors (as determined by the risk assessment in Article 29), you must procure services recognised at Union assurance levels 2, 3, or 4 (Article 30(3)).

Checking the repository confirms that the provider's claimed level matches the legally recognised level. A provider may market itself as "Level 4", but if the repository lists it only at "Level 2", you cannot use it for high-security use cases. The repository acts as the definitive filter to prevent the procurement of non-compliant services.

2. The Recognising National Competent Authority

Article 22(2) specifies that the national competent authority of the provider's establishment is responsible for registering the service in the central repository. By checking this field, you verify which Member State's authority performed the evaluation. This is important for Article 17, which outlines the recognition procedure. If a dispute arises or if you need to contact the authority regarding the provider's compliance, knowing the specific evaluating authority is essential. It also confirms that the provider has a genuine establishment in the Union, a core requirement for all assurance levels. The authority listed is the one with exclusive competence for enforcing the sovereignty chapter under Article 25(4).

3. Audit Currency and Conformity Status

The repository will reflect the current status of the provider's compliance.

  • For Union assurance level 1, providers submit an EU statement of conformity. The repository confirms this statement has been accepted (or automatically recognised for SMEs, per Article 17(3)).
  • For Union assurance levels 2, 3, and 4, providers must undergo independent third-party audits. The repository entry should reflect a "positive" audit opinion.

Buyers must check that the recognition is active. Article 22(3) states that if an audit report or recognition is revoked, this revocation will be published in the central repository and remain available for five years. If a provider's status shows a revocation or a pending review due to a "negative" audit opinion (as defined in Article 20), the service is no longer compliant for procurement. The repository ensures that expired or invalidated recognitions are immediately visible to prevent accidental procurement.

4. Public Accessibility and Transparency

Article 22(4) mandates that the central repository be publicly available and regularly updated by the Commission and national competent authorities. This ensures transparency. Buyers should note that the repository is designed to be easily accessible, allowing for efficient verification during tender processes. The data provided is intended to be machine-readable and user-friendly, facilitating integration into procurement software systems. This accessibility is crucial for the "single information point" principle, ensuring that all market participants have equal access to the same compliance data.

What this means for you

For public-sector procurement officers, the central repository is your primary compliance tool. You cannot rely solely on a provider's marketing materials or private contracts to determine sovereignty status.

Pre-Procurement Verification: Before issuing a tender or awarding a contract, query the repository. If a provider is not listed, they are not recognised under CADA and cannot be used for activities requiring Union assurance. If they are listed but at a lower level than your risk assessment requires (e.g., Level 1 instead of Level 3), you must disqualify them or request they pursue a higher-level recognition. This step is a prerequisite for fulfilling the obligations under Article 30.

Contractual Safeguards: Include clauses in your contracts that require providers to notify you immediately if their status in the central repository changes. Article 23 imposes transparency obligations on providers to report material changes that could affect their recognition. If the repository shows a revocation, your contract should trigger a migration plan or termination clause to ensure continuity of service and security. This aligns with the requirement to maintain operational autonomy and prevent service disruption.

Audit Trail: Maintain records of your repository checks. In the event of an audit by your national competent authority or the European Commission, you must demonstrate that you verified the provider's status in the central repository at the time of procurement. This protects your organisation from liability related to non-compliant cloud usage and demonstrates due diligence in safeguarding public order.
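The pre-procurement verification and audit-trail steps above, encoded as a check over a repository entry. This is an added example, not code from the original explainer or from the Commission: CADA fixes no repository schema, so the field names, the `NCA-*` authority labels and the sample services are constructed assumptions that mirror the data points the text says a buyer must confirm.

```python
from dataclasses import dataclass, asdict
from datetime import date
from typing import Optional

@dataclass
class RepositoryEntry:
    # Assumed field names: CADA fixes no repository schema; these mirror the explainer's data points.
    service: str
    provider: str
    assurance_level: int                   # Union assurance level 1-4
    authority: str                         # recognising national competent authority
    status: str                            # "recognised" or "revoked" (Art. 22(3))
    audit_opinion: Optional[str] = None    # "positive"/"negative", levels 2-4 (Art. 20)
    statement_of_conformity: bool = False  # EU statement of conformity, level 1 (Art. 17)
    revoked_on: Optional[date] = None

def minimum_level(preserves_public_order: bool) -> int:
    """Art. 30(2): level 1 suffices; Art. 30(3): public-order activities need level 2, 3 or 4."""
    return 2 if preserves_public_order else 1

def verify(entry: Optional[RepositoryEntry], preserves_public_order: bool) -> tuple:
    """Return (compliant, findings); any finding disqualifies the service for procurement."""
    if entry is None:
        return False, ["service not listed in the central repository"]
    findings = []
    if entry.status == "revoked":
        findings.append(f"recognition revoked on {entry.revoked_on} (Art. 22(3))")
    need = minimum_level(preserves_public_order)
    if entry.assurance_level < need:
        findings.append(f"level {entry.assurance_level} is below required level {need} (Art. 30)")
    if entry.assurance_level == 1 and not entry.statement_of_conformity:
        findings.append("level 1 entry without an accepted EU statement of conformity")
    if entry.assurance_level >= 2 and entry.audit_opinion != "positive":
        findings.append(f"audit opinion is {entry.audit_opinion!r}, not positive (Art. 20)")
    if not entry.authority:
        findings.append("no recognising national competent authority recorded (Art. 22(2))")
    return not findings, findings

def audit_record(entry, preserves_public_order: bool, checked_on: date) -> dict:
    """Evidence for the audit trail: what was checked, when, and with what outcome."""
    ok, findings = verify(entry, preserves_public_order)
    return {"checked_on": checked_on.isoformat(), "public_order": preserves_public_order,
            "entry": asdict(entry) if entry else None, "compliant": ok, "findings": findings}

# Constructed sample repository (fictitious providers and authorities), keyed by service id.
REPOSITORY = {
    "svc-a": RepositoryEntry("svc-a", "Provider A", 3, "NCA-FR", "recognised", audit_opinion="positive"),
    "svc-b": RepositoryEntry("svc-b", "Provider B", 1, "NCA-DE", "recognised", statement_of_conformity=True),
    "svc-c": RepositoryEntry("svc-c", "Provider C", 4, "NCA-NL", "revoked", audit_opinion="negative", revoked_on=date(2025, 3, 1)),
}
```

A service missing from `REPOSITORY` fails outright, a Level 1 service fails only when the activity preserves public order, and a revoked entry fails even though its nominal level is 4.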

Common misconceptions

Misconception 1: "If a provider has an EU certificate, they are automatically in the repository." Not necessarily. Article 17 establishes a recognition process. A provider may have a positive audit opinion, but until the national competent authority formally adopts the recognition decision and registers it in the central repository (as per Article 22(2)), the service is not legally recognised for procurement. Always check the repository, not just the provider's certificate. The certificate is a prerequisite, but the repository entry is the legal proof of recognition.

Misconception 2: "Level 1 is sufficient for all public sector use." No. Article 30(3) explicitly requires that contracting authorities whose activities contribute to the preservation of public order must procure services at Union assurance levels 2, 3, or 4. Using a Level 1 service for high-security activities (e.g., defence, law enforcement) is a breach of CADA. The repository helps you avoid this error by clearly distinguishing the levels. The risk assessment in Article 29 determines which level is mandatory.

Misconception 3: "The repository only shows positive recognitions." Article 22(3) requires that revocations of audit reports or recognitions are also published and remain visible for five years. This historical data is crucial for risk assessment. A provider with a recent revocation may pose a higher risk, even if they re-apply for recognition. The repository provides a complete history of compliance status, not just current success.

Misconception 4: "I can use the repository to find any cloud provider." The repository only lists services that have applied for and received recognition. Many cloud providers, particularly those not targeting the EU public sector or those failing to meet sovereignty criteria, will not be listed. Absence from the repository means the service is not recognised under CADA, not that it is illegal to use in all contexts (though it is illegal for mandatory public procurement under CADA). The repository is a list of compliant options for public procurement, not a directory of all available cloud services.

This is general information about a draft EU regulation, not legal advice.