Summary Cloud providers aiming to serve the EU public sector under the proposed Cloud and AI Development Act (CADA) must begin preparation immediately, well before the regulation's application date. As proposed, the path to recognition involves selecting a target Union assurance level, conducting a rigorous gap analysis against Annex II, and engaging independent auditors for Levels 2–4, while SMEs can use a streamlined self-assessment route for Level 1. Article 48 sets the application timeline (one year after entry into force), but the recognition process under Articles 16, 17 and 20 is time-intensive: the statutory assessment and review periods alone add up to roughly four months after an application is submitted. Failure to prepare now risks exclusion from the central repository of recognised services when public procurement mandates take effect.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a framework for cloud sovereignty. For cloud service providers (CSPs), the most immediate operational imperative is the requirement to obtain formal recognition under one of four "Union assurance levels" in order to serve public sector bodies. This process is governed primarily by Article 16 (the framework), Article 17 (recognition procedures) and Article 20 (independent audits), with the critical timeline defined in Article 48.

Understanding the Timeline: Article 48 and the Application Window

Article 48 of the proposal establishes the entry into force and application dates. The regulation would enter into force on the twentieth day following its publication in the Official Journal. Crucially, it would apply from "[same day and month as date of entry into force plus 1 year]".

While this one-year window may appear generous, the regulatory pressure begins immediately upon entry into force. Member States are required to designate national competent authorities within one year of entry into force. The recognition process itself is not instantaneous. Under Article 17, the evaluating national competent authority has 60 days to assess an application, followed by a 60-day review period during which other Member States may raise reasoned objections. Even an unopposed application therefore takes roughly four months from submission to recognition, before counting the time needed to gather evidence and complete any audit. If objections arise, the process can extend further, potentially involving the Commission.

Consequently, the window for CSPs to prepare applications, gather evidence, undergo audits, and secure recognition is narrow. Providers who wait until the final application date to initiate their compliance journey will likely miss the initial procurement cycles. Public sector bodies, once their risk assessments under Article 29 are complete, will be mandated to procure only from recognised providers. Being absent from the central repository at that moment effectively locks a provider out of the public sector market at the outset.

Step 1: Select Your Target Assurance Level

The first strategic decision for any CSP is determining which Union assurance level aligns with their target market. Article 16 establishes the Union cloud computing sovereignty framework, comprising four levels. The specific criteria for these levels are detailed in Annex II.

  • Union Assurance Level 1: This serves as the baseline for general public sector use. It requires the provider to be established in the Union, with infrastructure and data remaining within the Union unless explicitly required otherwise by the public sector body.
    • The SME Advantage: Article 17(3) lets a Small or Medium-sized Enterprise (SME) that meets the Level 1 criteria issue an EU statement of conformity based on a self-assessment, with no prior recognition by the evaluating national competent authority. Step 5 below describes this route and its limits.
  • Union Assurance Levels 2, 3, and 4: These higher levels are required for activities identified as contributing to the preservation of public order (e.g., national security, defence, justice) following Member State risk assessments under Article 29. Achieving these levels requires independent third-party audits under Article 20 and stricter cumulative criteria, including mandatory Union citizenship for personnel (Levels 3 and 4) and the absence of third-country control.

Step 2: Run a Gap Analysis Against Annex II

Before engaging auditors or submitting applications, CSPs must perform a thorough gap analysis against the cumulative criteria in Annex II. This is not a simple checklist but a deep dive into technical, legal, and operational structures.

For Level 1, providers must verify:

  • Establishment: The provider is established in the Union.
  • Infrastructure & Data: Infrastructure, assets, and customer data (including metadata and telemetry) remain exclusively within the Union, unless the public sector body explicitly requires otherwise.
  • Third-Country Control: If subject to third-country control, the provider must guarantee that no laws in that third country require reporting software vulnerabilities to foreign authorities before they are known to be exploited in the Union.

For Levels 2–4, the criteria are cumulative and increasingly strict. Providers must assess:

  • Personnel: Level 2 allows for additional personnel screening if required by the public sector body. Levels 3 and 4 mandate that personnel involved in service provision are Union citizens, with Level 4 potentially requiring national security clearances when handling classified information.
  • Data Usage: Providers must guarantee that data generated by using the service is not used to train or fine-tune any AI system operated by a third country or a legal entity established in a third country.
  • Supply Chain: Providers must maintain a complete and up-to-date Software Bill of Materials (SBOM) and demonstrate controls that block remotely triggered functions (for example remote update, remote administration or remote disablement paths) that could tamper with or disrupt the service. An SBOM that covers only first-party code will not show where such functions enter through third-party components.
  • Support Operations: Technical and operational support must be initiated and performed exclusively within the Union. For Levels 3 and 4, this support must be provided by personnel who are Union residents and by third parties not subject to third-country control.

Step 3: Line Up an Independent Auditor (Levels 2–4)

For providers targeting Levels 2, 3, or 4, self-assessment is insufficient. Article 20 mandates independent third-party audits. The proposal sets strict independence requirements for auditing organisations to ensure objectivity:

  • Cooling-off Period: Auditing organisations must not have provided auditing services to the provider in the 10-year period before the audit.
  • Non-Audit Services: They must not have provided non-audit services related to the audited matters in the 12-month period before or after the audit.
  • Fee Structure: Fees cannot be contingent on the result of the audit.

CSPs should identify and engage accredited auditing organisations early. The audit process requires providers to give auditors access to all relevant data and premises. The audit report must include a "positive" or "negative" opinion, and a negative opinion blocks recognition. It is therefore advisable to conduct a pre-audit or mock audit to identify and remediate gaps before the formal engagement. Note that a readiness assessment of this kind is likely to count as a non-audit service related to the audited matters, so under the 12-month rule above it should be performed by a different organisation than the one engaged for the formal audit.

Step 4: Prepare Evidence and Documentation

Article 17 requires providers to submit all relevant evidence to the national competent authority of establishment.

  • For Level 1: The core document is the EU statement of conformity.
  • For Levels 2–4: The submission must include the audit report, the "positive" audit opinion, and all evidence provided to the auditing organisation during the procedure.

Article 21 outlines the content and quality of audit evidence, which must be relevant, sufficient, and reliable. Providers should begin compiling documentation on:

  • Infrastructure Locations: Detailed lists of data centres, backup sites, and disaster recovery locations, proving they are within the Union.
  • Personnel Records: Employment contracts, payroll records, and proof of Union citizenship for relevant staff.
  • Software Supply Chain: SBOMs, vulnerability reporting policies, and migration plans for third-country components.
  • Data Flow Diagrams: Visual evidence demonstrating that customer data remains within the Union and is not transferred to third countries.
  • Subcontractor Contracts: Agreements ensuring subcontractors meet the same sovereignty criteria.

Step 5: The SME Self-Assessment Route for Level 1

Small and medium-sized enterprises (SMEs) have a distinct advantage under Article 17(3). If an SME meets the criteria for Union assurance level 1, it can issue an EU statement of conformity based on a self-assessment. This statement is directly and automatically recognised in all Member States, bypassing the need for prior recognition by the evaluating national competent authority. This streamlined process significantly reduces the time and cost to market for SMEs. However, SMEs must still ensure they meet all the technical and legal criteria in Annex II for Level 1 and be prepared to demonstrate compliance if challenged by a public sector body or competent authority.

What this means for you

For cloud service providers and data centre operators, the clock is ticking. The proposal's timeline leaves little room for delay. Here is a prioritised action plan:

  1. Define Your Market Strategy: Decide if you are targeting general public sector work (Level 1) or critical infrastructure and national security sectors (Levels 2–4). This determines your compliance path and the resources required.
  2. Perform a Gap Analysis: Map your current operations against Annex II. Identify gaps in data localisation, personnel citizenship, and supply chain transparency. Be honest about third-country dependencies.
  3. Select an Auditor (Levels 2–4): If targeting higher assurance levels, begin the process of selecting an independent auditing organisation that meets the strict independence criteria in Article 20. Start the audit process early, as it will take time to gather evidence and remediate issues.
  4. Prepare Documentation: Start gathering evidence for your application. For SMEs targeting Level 1, prepare your EU statement of conformity. For larger providers, ensure your technical documentation is audit-ready.
  5. Monitor National Designations: Keep an eye on which national competent authorities are designated by Member States, as you will need to submit your application to the authority in your Member State of establishment.
  6. Plan for Transparency: Article 23 imposes transparency obligations. You must promptly notify the auditing organisation and competent authority of any material changes that could affect your recognition. Establish internal processes to monitor and report such changes immediately.

Common misconceptions

  • "Self-assessment is enough for all levels." This is incorrect. Only Union assurance level 1 allows for self-assessment (and even then, only SMEs can bypass the national competent authority recognition step). Levels 2, 3, and 4 strictly require independent third-party audits under Article 20.
  • "Data localisation is the only requirement." While keeping data in the Union is critical, the sovereignty framework also covers personnel citizenship, supply chain transparency, support operations location, and the absence of third-country control. Ignoring these aspects will lead to audit failure.
  • "The application date is the deadline to start." The recognition process under Article 17 can take several months, including the 60-day assessment and 60-day review periods. Starting preparations only on the application date will likely result in missing the first wave of public procurement opportunities.
  • "SMEs are exempt from sovereignty rules." SMEs are not exempt. They must still meet the technical and legal criteria for Union assurance level 1. The only exemption is from the prior recognition step by the national competent authority, allowing for automatic recognition upon issuing a statement of conformity.

This is general information about a draft EU regulation, not legal advice.