CADA Recognition

Summary Under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider's recognition for a Union assurance level is deemed accepted across the entire EU if no other Member State's competent authority submits a reasoned objection or request for clarification within the 60-day review period. As explicitly stated in Article 17(7), this silence triggers automatic Union-wide recognition, allowing the provider to operate seamlessly across borders without further national approvals. This mechanism ensures a single market for sovereign cloud services, provided the evaluating authority's draft decision complies with the criteria in Annex II.

Detail

The CADA proposal establishes a harmonised framework for cloud computing sovereignty, designed to reduce fragmentation and ensure that public sector bodies can rely on trusted, auditable services. Central to this framework is the recognition procedure for cloud computing service providers (CSPs) seeking to offer services at Union assurance levels 1, 2, 3, or 4. The mechanism relies on a "one-stop-shop" approach, where the national competent authority of the provider's main establishment acts as the evaluating authority.

The Evaluation and Notification Process

The process begins when a CSP submits an application for recognition to the national competent authority of its establishment (Article 17(1)). The evidence required depends on the assurance level sought:

• Union assurance level 1: The provider submits an EU statement of conformity based on a self-assessment (Article 17(3)).
• Union assurance levels 2, 3, and 4: The provider must submit an audit report and a "positive" audit opinion from an independent auditing organisation (Article 17(4)).

Once the application is accepted, the evaluating national competent authority has 60 days to assess the evidence (Article 17(5)). If the evidence is sufficient, the authority prepares a draft recognition decision. Crucially, it must then notify the competent authorities of all other Member States, initiating a 60-day review period (Article 17(5)(a)). This notification includes the evidence submitted by the provider, allowing other Member States to verify that the draft decision complies with the applicable Union assurance level criteria set out in Annex II of the Regulation.

The "Deemed Accepted" Rule: Article 17(7)

The cornerstone of the CADA's cross-border efficiency is the principle of mutual recognition through silence. According to Article 17(7), if no reasoned objection or request for clarification is submitted by any other Member State's competent authority within the 60-day review period, the conclusions drawn by the evaluating national competent authority are automatically deemed accepted by all Member States.

The text of Article 17(7) states:

"Where no reasoned objection or request for clarification is submitted within the review period referred to in paragraph 5, point (a), the conclusions by the evaluating national competent authority shall be deemed accepted by all Member States, the evaluating national competent authority shall adopt the recognition decision and the audited service shall be recognised throughout the Union at the appropriate Union assurance level."

Upon this deemed acceptance, the evaluating authority adopts the final recognition decision. Consequently, the audited service is recognised throughout the entire Union at the appropriate Union assurance level. This means that a cloud service recognised in, for example, Germany, is automatically valid in France, Spain, and all other Member States, provided the review period has passed without objection.

Objections, Clarifications, and Dispute Resolution

If a Member State does have concerns, it may submit a reasoned objection or a request for clarification during the review period (Article 17(6)). The evaluating authority must then take these requests into account.

• Clarifications: If a request for clarification is submitted, the evaluating authority may seek new information from the applicant or confirm/modify its original draft. If the requesting authority remains unsatisfied, it may escalate to a reasoned objection (Article 17(8)).
• Objections: If a reasoned objection is lodged, the evaluating authority must assess it and either maintain or revoke its original draft decision (Article 17(9)).
• Commission Intervention: If the evaluating authority intends to maintain its decision despite the objection, the objecting authority may refer the matter to the European Commission. The Commission will then adopt a binding decision determining whether the evaluating authority may proceed with the recognition (Article 17(10)).

Scope and Applicability: The SME Derogation

This mechanism applies to all Union assurance levels. However, for Union assurance level 1, there is a specific derogation for Small and Medium-sized Enterprises (SMEs). As per Article 17(3), the EU statement of conformity issued by SMEs is "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority."

This means SMEs seeking Level 1 recognition bypass the 60-day review period entirely. For levels 2, 3, and 4, the independent audit requirement remains, and the mutual recognition process via Article 17(7) is the standard path to Union-wide validity. This structure is designed to prevent national authorities from imposing additional, divergent requirements on providers that have already been cleared by their home authority, thereby fostering a single market for sovereign cloud services.

What this means for you

For in-house counsel, compliance officers, and cloud service providers, the "deemed accepted" rule under Article 17(7) significantly simplifies market access but introduces specific strategic considerations:

1. Predictable Timeline: You can plan for a maximum 120-day timeline for recognition (60 days for initial assessment + 60 days for Member State review) if no objections are raised. This predictability aids in procurement planning and service rollout schedules. Note that the 60-day assessment period can be suspended if the authority requests further information, potentially extending the timeline (Article 17(5)(b)).
2. Home Authority Focus: Your primary relationship for recognition will be with the competent authority in your Member State of establishment. Ensuring this authority has robust, efficient processes is critical, as their draft decision triggers the Union-wide clock.
3. Risk of Objections: While silence equals acceptance, you must prepare for potential objections. If another Member State objects, the process can be delayed or halted. Ensure your audit evidence and conformity statements are meticulously prepared to withstand scrutiny from any Member State's authority, particularly regarding the criteria in Annex II.
4. Union-Wide Validity: Once recognised, your service is valid EU-wide. You do not need to re-apply or undergo separate audits in each Member State where you wish to sell to public sector bodies. This reduces administrative burden and compliance costs significantly.
5. SME Advantage: If your organisation qualifies as an SME, you benefit from automatic recognition for Union assurance level 1, bypassing the review period entirely. Verify your SME status under the definition in Article 2(8) to leverage this advantage.

Common misconceptions

• "Recognition in one country means automatic acceptance everywhere." While the outcome is Union-wide recognition, it is not instantaneous upon approval by the home authority. It is conditional on the passage of the 60-day review period without objection (Article 17(7)). If an objection is raised, the process becomes contentious and may involve the Commission.
• "Any Member State can block a recognition indefinitely." Objections must be reasoned and submitted within the 60-day review period. Furthermore, if an objection is raised, the evaluating authority has the power to maintain its decision, and the matter can be referred to the Commission for a binding decision. A single Member State cannot unilaterally veto a recognition without engaging in this structured dispute resolution process.
• "Union assurance level 1 requires the same scrutiny as levels 2-4." Level 1 relies on a conformity self-assessment and an EU statement of conformity, whereas levels 2-4 require independent third-party audits. Additionally, SMEs are exempt from the review period for level 1 recognition, a benefit not available for higher assurance levels.
• "The Commission decides every recognition." The Commission only becomes involved if a reasoned objection is lodged and the evaluating authority maintains its decision against the objection, leading to a referral (Article 17(10)). In the absence of such disputes, the national competent authorities manage the process, with the Commission's role limited to maintaining the central repository and overseeing the framework.

Related

• CADA Recognition Validity: Is a Cloud Service Approved Across the Whole EU?
• CADA Recognition Disputes: What Happens When a Member State Objects?
• Which authority do I apply to for CADA recognition?
• When does CADA require self-assessment versus an independent audit?
• CADA Personnel Rules: When is National Security Clearance Required?

This is general information about a draft EU regulation, not legal advice.