Summary
If a cloud computing service loses its Union assurance level recognition mid-contract, the revocation is published in the central repository and remains visible for five years under Article 22(3) of the proposed Cloud and AI Development Act (CADA). For public-sector buyers, this event is not merely informational; it is a potential breach of procurement compliance. Buyers must immediately verify whether their contract falls under the mandatory assurance levels of Article 30. If the service no longer meets the required level (e.g., dropping from Level 3 to Level 1 for a public-order activity), the buyer must trigger contractual review clauses, assess residual public order risks, and initiate migration or mitigation strategies. Crucially, buyers retain the right to seek compensation for damages under Article 24(3) for any loss suffered due to the provider's infringement of sovereignty obligations.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a rigorous sovereignty framework for cloud computing services, anchored by a central repository of recognised services. For public-sector buyers, the integrity of this repository serves as the legal baseline for procurement compliance. When a service provider's recognition is revoked, the implications extend far beyond technical service levels, touching upon contractual validity, regulatory adherence, and the preservation of public order.
The Repository and the Five-Year Visibility Rule
Under Article 22, the Commission is mandated to establish and maintain a dedicated repository of cloud computing services recognised as offering Union assurance levels 1 through 4. This repository acts as the single source of truth for contracting authorities and Union entities.
The critical provision for mid-contract disruptions is found in Article 22(3), which states: "The revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years."
This five-year retention period is a deliberate design choice to ensure transparency and historical accountability. For a procurement officer, this means a revocation is not a transient event that disappears once a provider re-applies. It is a permanent, publicly accessible record signalling a failure to meet the cumulative criteria for a specific assurance level. This visibility affects the provider's reputation and, critically, the buyer's ability to demonstrate due diligence in future audits. If a buyer continues to use a service after its revocation is published, they risk being flagged for non-compliance during inspections by national competent authorities.
Procurement Obligations: The Article 30 Threshold
The severity of a revocation depends entirely on the assurance level required by the buyer's specific risk assessment under Article 29. Article 30 sets out the mandatory procurement rules that dictate which assurance levels must be procured.
- Baseline Requirement (Level 1): Under Article 30(2), Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognised as having at least Union assurance level 1.
- Public Order Requirement (Levels 2–4): Under Article 30(3), contracting authorities whose activities have been identified as contributing to the preservation of public order (e.g., in sectors falling under Annex I or II of Directive (EU) 2022/2555, or in areas of national security, internal security, external border management, defence, justice, or law enforcement) must only procure services recognised as offering Union assurance levels 2, 3, or 4.
If a service is revoked mid-contract, the buyer must immediately determine which paragraph of Article 30 applies.
- Scenario A: A provider holding Level 3 recognition is revoked and reverts to Level 1. If the buyer's activity is classified under Article 30(3) (public order), the service is now non-compliant. The contract rests on a foundation that violates CADA's sovereignty framework.
- Scenario B: A provider holding Level 1 recognition is revoked entirely. If the buyer's activity only requires Level 1 under Article 30(2), the service is now non-compliant as it no longer meets the minimum baseline.
In both scenarios, the buyer is technically in a position of non-compliance unless they act swiftly. The revocation effectively removes the legal "shield" that the assurance level provided, potentially exposing the public sector body to risks of third-country data access or operational disruption that the assurance levels were designed to prevent.
Legal Recourse and Compensation
CADA provides a clear legal pathway for buyers affected by such non-compliance. Article 24(3) explicitly states: "Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."
This provision empowers buyers to claim damages for costs associated with:
- Emergency migration to a compliant provider.
- Data recovery and integrity verification.
- Service disruptions caused by the provider's failure to maintain the assured status.
- Administrative costs incurred in assessing the breach and implementing mitigation.
However, the right to compensation is distinct from the right to terminate. Termination rights depend on the specific contractual clauses negotiated at the tender stage. As CADA is a proposal, public contracts should ideally reference CADA's recognition status as a material condition of the contract. If the contract includes a "material adverse change" or "regulatory compliance" clause linked to CADA recognition, the revocation triggers these clauses. If not, the buyer may need to rely on general public procurement law principles regarding the failure to meet essential contract requirements.
Practical Steps for Affected Buyers
When a revocation occurs, procurement officers and legal teams should follow a structured, evidence-based response:
- Verify the Revocation in the Repository: Immediately access the central repository established under Article 22. Confirm the status of the service, noting the exact date of revocation and the specific assurance level lost. Under Article 22(3), this record will remain visible for five years, serving as irrefutable evidence of the breach.
- Re-assess Public Order Impact: Re-evaluate the risk assessment conducted under Article 29. Does the loss of the specific assurance level expose the public sector body to unacceptable risks regarding data confidentiality, operational autonomy, or public order? If the service was providing Level 3 or 4 assurance for a critical function, the risk profile has fundamentally changed.
- Review Contractual Clauses: Scrutinise the contract for clauses linking performance to "Union assurance levels" or "sovereignty recognition." Many modern public-sector contracts will include a right to terminate or renegotiate if a provider loses a mandatory certification. If the contract is silent, the buyer must determine whether the loss of recognition constitutes a fundamental breach of the contract's purpose.
- Notify the Provider: Formally notify the provider of the revocation and request a remediation plan. Under Article 23, providers have transparency obligations to notify authorities of material changes. If the provider failed to notify the buyer or the competent authority of the material change leading to revocation, this strengthens the buyer's position for damages under Article 24.
- Initiate Migration or Mitigation: If the service no longer meets the Article 30 requirements, begin planning for migration to a compliant provider immediately. While the Data Act facilitates switching, CADA's sovereignty requirements add a layer of complexity: the new provider must also hold a valid Union assurance level appropriate for the buyer's risk profile. If the revocation was due to third-country control issues, the migration path must ensure the new provider is free from such control.
- Document for Audit: Maintain comprehensive records of the revocation, the impact assessment, the notification to the provider, and the steps taken to mitigate risk. This documentation is critical for demonstrating compliance with Article 30 during future audits by national competent authorities. It proves that the buyer acted diligently to rectify the non-compliance.
What this means for you
For public-sector procurement officers, a mid-contract revocation is a compliance emergency, not just a technical issue. It signals that the provider has failed to meet the cumulative criteria for their assurance level, which may include breaches in data localisation, personnel citizenship, or third-country control safeguards (as detailed in Annex II of CADA).
Your primary duty is to protect public order. If your organisation falls under Article 30(3), continuing to use a service that has lost its Level 2, 3, or 4 recognition may be a direct violation of CADA. You must act swiftly to either secure a waiver (if exceptional circumstances under Article 30(4) apply, such as the unavailability of any recognised alternative) or migrate to a compliant provider.
Furthermore, the five-year visibility of the revocation in the repository (Article 22(3)) means this incident will affect the provider's eligibility for future contracts. When evaluating tenders, you can use this historical data to assess the provider's reliability and commitment to sovereignty standards. A provider with a recent revocation in the repository presents a higher risk profile, and their past failure to maintain compliance should be a key factor in your risk assessment.
Common misconceptions
- "A revocation means the service is shut down." Incorrect. A revocation means the service no longer meets the sovereignty criteria for a specific assurance level. The service may continue to operate technically, but it is no longer legally recognised as compliant with the Union's trust framework. For public-sector buyers, this renders the service non-compliant for procurement purposes, even if it remains online and functional.
- "I can ignore the revocation if the service works fine." Incorrect. CADA's procurement rules under Article 30 are mandatory for public-sector bodies. Using a service that no longer holds the required assurance level is a regulatory breach, regardless of technical performance. The risk is not just service disruption but potential exposure to third-country data access or operational coercion, which the assurance levels are designed to prevent. The five-year publication period underscores the seriousness of the breach.
- "The revocation is temporary and will be fixed quickly." While providers can apply for re-recognition, the process involves new audits and assessments under Article 17. There is no guarantee of swift reinstatement. Procurement officers must plan for the worst-case scenario: prolonged non-compliance. The five-year publication period (Article 22(3)) implies that trust is not easily restored and that the breach is a matter of public record.
- "I can only claim damages if the service stops working." Incorrect. Article 24(3) allows compensation for "any damage or loss" due to the infringement of obligations. This includes costs related to legal compliance, emergency migration, reputational damage, and the administrative burden of managing the breach, not just technical downtime.
This is general information about a draft EU regulation, not legal advice.