Summary
As proposed in the Cloud and AI Development Act (CADA), you must submit your application for Union assurance level recognition to the national competent authority of establishment. This is the authority in the Member State where your cloud computing service provider has its main establishment (head office or registered office from which principal financial functions and operational control are exercised). This authority acts as the evaluating national competent authority. While it leads the assessment, Article 17(2) explicitly allows it to request collaboration from other Member States' authorities if necessary, with a strict 15-day window for those states to agree or refuse.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised Union-wide framework for cloud computing sovereignty. A cornerstone of this framework is the formal recognition mechanism, which allows providers to be certified as offering specific Union assurance levels (1 through 4). For providers, the first critical step is identifying the correct regulatory body to handle the application. The proposal centralises this responsibility to avoid fragmentation and ensure a single point of entry for each provider.
The Evaluating National Competent Authority
Under Article 17(2) of the proposed CADA, the "national competent authority of establishment" is explicitly designated as the evaluating national competent authority. This designation is not merely administrative; it confers the primary legal responsibility for assessing the evidence submitted by the cloud computing service provider and making the initial determination on recognition.
The concept of "establishment" is pivotal. While the text of Article 17 does not redefine "establishment" in isolation, it relies on the definition provided in Article 25(4) regarding the exclusive competence of Member States. Article 25(4) clarifies that the Member State with exclusive competence is the one "in which the cloud computing service provider has its main establishment, that is, where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised."
Therefore, the evaluating authority is not necessarily the authority in the Member State where your data centres are physically located, nor where your customers reside. It is the authority in the Member State where your corporate heart beats, where your strategic financial and operational decisions are made.
The Application Process and Evidence Requirements
Article 17(1) sets out the fundamental obligation for providers: "A cloud computing service provider that aims to be recognised as offering a Union assurance level, shall submit an application for recognition to the national competent authority of establishment."
This application is not a simple formality; it must be accompanied by robust evidence tailored to the specific assurance level sought. The proposal distinguishes clearly between the baseline level and the higher, audited levels:
- For Union assurance level 1: The provider must submit the EU statement of conformity referred to in Article 19(2), along with all necessary evidence demonstrating compliance with the criteria in Annex II. Notably, for Small and Medium-sized Enterprises (SMEs), Article 17(3) provides a derogation: their EU statement of conformity is directly and automatically recognised in all Member States without prior evaluation by the national competent authority.
- For Union assurance levels 2, 3, and 4: The requirements are more stringent. Under Article 17(4), the provider must submit the audit report, the 'positive' audit opinion issued by an auditing organisation (as per Article 20), and all evidence that was provided to the auditing organisation during the audit procedure.
The evaluating authority acts as the gatekeeper. It receives this dossier and is responsible for verifying that the evidence is sufficient to support the claim of compliance with the relevant Union assurance level criteria.
Cross-Border Collaboration Mechanism
A common misconception is that the evaluation is a purely domestic affair. While the authority of establishment leads the process, CADA recognises that cloud services often span multiple jurisdictions, and risks may be distributed across the Union. To address this, Article 17(2) introduces a mandatory collaboration mechanism.
The text states that the evaluating national competent authority "may, where necessary, request one or more competent authorities of the other Member States to collaborate in the procedure for a candidate recognition." This ensures that if the provider's infrastructure, subcontractors, or operational footprint extends into other Member States, those local authorities can contribute their expertise or local knowledge to the assessment.
However, this collaboration is time-bound to prevent procedural delays. The article stipulates that "Within 15 days of receiving such a request, the national authority that has received a request for collaboration shall either provide confirmation that it agrees to collaborate with the evaluating national competent authority or refuse the request." This tight deadline ensures that the evaluation process remains efficient and does not stall due to administrative inertia in other Member States.
Assessment Timeline and Review Period
Once the application is accepted, the clock starts ticking. Article 17(5) mandates that the evaluating national competent authority must assess the evidence within 60 days of accepting the application. During this period, the authority has three potential paths:
- Draft Recognition: If the evidence is sufficient, the authority prepares a draft recognition decision. It must then notify the competent authorities of all other Member States for a 60-day review period. During this window, other Member States may submit reasoned objections or requests for clarification if they believe the draft decision does not comply with the applicable Union assurance level criteria.
- Request for Information: If the evidence is insufficient, the authority may request further information. Crucially, the 60-day assessment clock is suspended from the date of the request until the information is received. This suspension cannot exceed 30 days in total, unless justified by the nature of the information or exceptional circumstances.
- Rejection: If the evidence remains insufficient or the provider fails to cooperate, the authority may reject the request. Before doing so, Article 17(5)(c) requires the authority to give the provider an opportunity to provide written comments on the conclusions of the evaluation within 30 days.
If no reasoned objection is raised by other Member States during the review period, the evaluating authority adopts the recognition decision, and the service is recognised throughout the Union at the appropriate level.
What this means for you
For cloud computing service providers, the practical implication is clear: map your corporate establishment first. Before preparing your application, you must definitively identify the Member State where your head office or registered office is located and where your principal financial and operational control is exercised. This is your "home" for CADA purposes.
- Direct your application correctly: Do not send your application to the Commission, nor to the authority where your data centres are physically hosted. Send it to the national competent authority of your establishment.
- Prepare for cross-border scrutiny: If your operations are pan-European, anticipate that your evaluating authority may reach out to colleagues in other Member States. Ensure your documentation regarding infrastructure location, subcontractor presence, and personnel is consistent across all jurisdictions.
- Manage your timeline: Be aware that the 60-day assessment period can be paused if the authority requests more information. Proactively providing complete evidence (especially the audit report and positive opinion for levels 2-4) can prevent delays.
- SMEs take note: If you qualify as an SME, your path to Level 1 recognition is streamlined. Your self-declaration is automatically valid across the Union, bypassing the national evaluation step entirely.
Common misconceptions
"I apply to the European Commission." Incorrect. The Commission's role is to maintain the central repository of recognised services (Article 22) and to resolve disputes if Member States cannot agree on a recognition decision (Article 17(10)). It does not evaluate individual applications. You apply to your national competent authority of establishment.
"I apply to the country where my servers are." Not necessarily. If your head office is in France but your data centres are in Poland, you apply to the French authority. The French authority is the evaluating authority. However, it may request collaboration from the Polish authority to verify the physical infrastructure located there.
"The process is purely national and isolated." While you apply to one authority, the system is designed for Union-wide validity. The evaluating authority must notify all other Member States, who have a 60-day window to raise reasoned objections. A recognition granted in one Member State is valid throughout the Union, provided no valid objections are upheld.
"Collaboration with other Member States is optional and slow." While the evaluating authority decides if collaboration is necessary, the response time for other Member States is strictly limited to 15 days. This prevents the process from being bogged down by administrative delays in other jurisdictions.
This is general information about a draft EU regulation, not legal advice.