Summary

Under the proposed Cloud and AI Development Act (CADA), the method for demonstrating compliance with sovereignty requirements depends strictly on the Union assurance level a cloud computing service provider seeks. Providers aiming for Union assurance level 1 must conduct a conformity self-assessment and issue an EU statement of conformity, whereas providers seeking Union assurance levels 2, 3, or 4 are mandated to undergo an independent third-party audit. This distinction is designed by the Commission to balance administrative efficiency for lower-risk services with rigorous, verifiable oversight for higher-risk public sector activities involving public order.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a tiered sovereignty framework consisting of four Union assurance levels. To enter the central repository of recognised services and become eligible for public sector contracts, providers must prove they meet the cumulative criteria for their target level. CADA draws a sharp procedural line between the lowest tier and the upper three tiers, assigning fundamentally different verification mechanisms to each.

Self-Assessment for Union Assurance Level 1

For cloud computing service providers targeting Union assurance level 1, CADA mandates a conformity self-assessment. This process is governed exclusively by Article 19 of the proposal.

Under Article 19(1), providers seeking recognition as offering Union assurance level 1 must carry out a self-assessment of their compliance with the specific criteria for that level, which are detailed in Annex II of the Regulation. These criteria generally include requirements such as the provider being established in the Union, infrastructure and assets being located in the Union, and customer data remaining exclusively within the Union unless explicitly required otherwise by the public sector body.

Following this self-assessment, Article 19(2) requires the provider to issue an EU statement of conformity. By issuing this statement, the provider explicitly "assumes responsibility for the compliance of the cloud computing service with the criteria for Union assurance level 1 set out in Annex II." The provider must ensure that this self-assessment is based on documented evidence, internal control procedures, and continuous monitoring sufficient to demonstrate that the applicable criteria have been fulfilled.

Crucially, Article 19(3) stipulates that the EU statement of conformity must be made publicly available. This transparency requirement allows potential public sector clients to verify the provider's claim of compliance without immediate third-party intervention.

There is a notable simplification for smaller entities. Article 17(3) of CADA provides that EU statements of conformity issued by small and medium-sized enterprises (SMEs) for Union assurance level 1 are "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." For non-SME providers, the statement must still be submitted to the national competent authority of establishment for recognition, but the verification burden remains on the provider's internal controls rather than an external auditor.

Independent Third-Party Audits for Levels 2, 3, and 4

For providers seeking Union assurance levels 2, 3, or 4, the requirements are significantly more stringent. These higher levels are typically required for public sector activities identified as contributing to the preservation of public order, such as those in national security, defence, justice, or critical infrastructure sectors. For these tiers, self-assessment is explicitly insufficient.

Article 20(1) of CADA explicitly states that cloud computing service providers seeking recognition for Union assurance levels 2, 3, or 4 must undergo independent third-party audits at their own expense. The goal is to obtain an audit report and an audit opinion from a qualified auditing organisation. The text further clarifies that "an audited provider undergoing an audit procedure at a higher Union assurance level shall satisfy all the applicable cumulative criteria under Annex II applicable to the lower Union assurance levels."

The audit process is rigorous. Article 20(2) requires audited providers to cooperate fully with auditing organisations, providing access to all relevant data and premises and answering oral or written questions. Providers are prohibited from "hampering, unduly influencing or undermining the performance of the audit."

The auditing organisations themselves must meet strict independence and competence standards. Article 20(4) outlines that auditors must be independent from the cloud computing service provider, with no conflicts of interest. Specifically, they must not have provided non-audit services related to the matters audited to the provider in the 12 months prior to or following the audit, nor have they provided auditing services to the same provider in the preceding 10 years. Additionally, auditors must not perform the audit in return for fees contingent on the result.

The outcome of the audit is formalised in an audit report. Article 20(5) details the mandatory contents of this report, which must include a declaration of interests, a description of the methodology, main findings, and critically, a 'positive' or 'negative' audit opinion. A 'positive' opinion is given only if "all evidence shows that the provider complies with the audit criteria and obligations set out by this Regulation." A 'negative' opinion is issued if the auditing organisation considers that the provider does not comply. If the opinion is negative, the report must include operational recommendations and a recommended timeframe to achieve compliance.

Once a provider obtains a 'positive' audit opinion, they submit this report, along with the opinion and all evidence provided to the auditor, to the national competent authority of establishment for recognition (Article 17(4)). This recognition process involves a review period where other Member States' competent authorities can raise reasoned objections.

Ongoing Compliance and Annual Reviews

Compliance is not a one-time event. Article 20(8) requires that audited providers submit their audit report and associated 'positive' audit opinion for review annually. This review can be conducted by the same or a different auditing organisation. Based on this annual review, the auditing organisation may confirm, update, or revoke the initial audit report and opinion.

Furthermore, Article 23 imposes transparency obligations. If a provider becomes aware of any material change in circumstances that may affect the audit report or their recognition, they must notify the auditing organisation and the national competent authority of establishment as soon as possible. This triggers a reassessment, which may lead to the amendment or revocation of the audit report and the provider's recognised status.

What this means for you

For in-house counsel and compliance officers at cloud computing service providers, the choice between self-assessment and independent audit is a strategic decision driven by your target market and the risk profile of the public sector activities you intend to serve.

If you target Union assurance level 1: Your primary obligation is to build robust internal governance. You must document your compliance with Annex II criteria meticulously. Since you are issuing the EU statement of conformity under Article 19, you assume full legal responsibility for its accuracy. Ensure your internal audit functions are capable of verifying data residency, infrastructure location, and subcontractor oversight. For SMEs, this path offers the fastest route to market recognition across the EU due to the automatic recognition mechanism in Article 17(3). For larger providers, prepare for a formal submission to your national competent authority, though the process remains less resource-intensive than a full third-party audit.

If you target Union assurance levels 2, 3, or 4: You must budget for and engage qualified third-party auditing organisations well in advance. The criteria for these levels are more complex, involving stricter data localisation, personnel citizenship requirements (for levels 3 and 4), and higher cybersecurity certification standards. Under Article 20, you must ensure your chosen auditor meets the strict independence criteria, including the 10-year cooling-off period for previous auditing services. Prepare your IT and legal teams for extensive data requests and on-site inspections. The annual review requirement means you must maintain continuous compliance, not just at the point of initial certification.

Penalties and Liability: Under Article 24, Member States must lay down rules on penalties for infringements, which must be "effective, proportionate and dissuasive." Providing incorrect or misleading information during a self-assessment or audit can lead to the revocation of recognition. Furthermore, Article 24(3) grants recipients of cloud computing services the right to seek compensation for any damage or loss suffered due to a provider's infringement of their obligations under the sovereignty framework. This creates significant financial risk for providers who fail to maintain rigorous compliance documentation.

Common misconceptions

Misconception 1: Self-assessment is "lighter" regulation. While self-assessment for level 1 does not require an external auditor, it does not exempt providers from the substantive criteria in Annex II. The provider remains fully liable for compliance. A flawed self-assessment that leads to a false EU statement of conformity can result in severe penalties and loss of public sector contracts. The burden of proof remains entirely on the provider.

Misconception 2: Any auditor can perform the audit for levels 2-4. Article 20(4) sets high bars for auditor independence and competence. Auditors cannot have recent commercial ties with the provider, and they must demonstrate proven expertise in auditing cloud computing services. Providers cannot simply choose a low-cost auditor without verifying these strict regulatory qualifications, including the prohibition on contingent fees.

Misconception 3: Certification is permanent. CADA requires ongoing vigilance. Article 20(8) mandates annual reviews of audit reports for levels 2-4. Additionally, Article 23 requires immediate notification of material changes. A provider's status can be revoked if they fail to maintain compliance or if they fail to report changes that affect their assurance level.

Misconception 4: Level 1 is only for small providers. While SMEs benefit from automatic recognition of their level 1 statements, large hyperscalers can also target level 1 for specific, lower-risk public sector use cases. The choice of level depends on the sensitivity of the data and the criticality of the public order activity, not just the size of the provider. Large providers may opt for level 1 for non-critical administrative functions while pursuing higher levels for sensitive operations.

This is general information about a draft EU regulation, not legal advice.