Summary

As proposed, the Cloud and AI Development Act (CADA) does not allow existing EU certifications to serve as direct, automatic substitutes for its four-tier Union assurance levels. Instead, CADA requires a dedicated conformity self-assessment for Union assurance level 1 (Article 19) and independent third-party audits against specific Annex II criteria for levels 2, 3, and 4 (Article 20). However, existing frameworks like the European Cybersecurity Certification Scheme for Cloud Services (EUCS), once adopted, and GDPR data processing agreements can provide significant supporting evidence. Recital 63 explicitly states that technical and organisational measures implemented under the GDPR can be relied upon to demonstrate that necessary Union assurance levels are met, provided they are mapped to the specific sovereignty criteria in Annex II.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a distinct sovereignty framework for cloud computing services in the EU. A critical question for cloud service providers (CSPs) and data centre operators is whether existing compliance efforts (such as ISO 27001, national cybersecurity certifications, or GDPR adherence) can be "reused" to satisfy CADA's requirements. The short answer is no for direct substitution, but yes for evidentiary support.

CADA introduces four "Union assurance levels" (UAL 1–4) in Article 16. These levels are not certifications themselves but rather sets of cumulative criteria that a service must meet to be recognised as providing a certain level of Union assurance. The mechanism for proving compliance differs significantly between the tiers and cannot be bypassed by pointing to a pre-existing certificate.

The Distinction: Sovereignty vs. Security

The fundamental distinction lies in the scope of the regulation. While existing certifications like ISO 27001 or the upcoming EUCS focus primarily on technical cybersecurity and information security management, CADA addresses sovereignty. This includes operational autonomy, the absence of third-country control, data residency, and the specific prohibition of using EU data to train third-country AI models.

For Union assurance levels 2, 3, and 4, CADA mandates independent third-party audits (Article 20). The auditing organisation must assess the provider against the specific "audit criteria" set out in Annex II. While an existing certification demonstrates that a provider has robust security practices, it does not automatically verify compliance with CADA's specific sovereignty requirements. For instance, a provider might hold a flawless ISO 27001 certificate but still be subject to the control of a third-country entity, which would disqualify it from UAL 3 and 4 under Annex II, points 3.1(g) and 4.1(g).

The Role of GDPR Article 28 Agreements

Recital 63 clarifies the relationship between existing data protection laws and CADA. It acknowledges that where cloud computing services are used to process personal data, the General Data Protection Regulation (GDPR) applies. Crucially, it notes: "Where specific technical and organisational measures should be implemented pursuant to this Regulation to ensure that personal data are processed in line with this Regulation, such specific measures could be foreseen in the mandatory agreements pursuant to Regulation (EU) 2016/679 and could be relied on to demonstrate that the necessary Union assurance levels are met."

This provision is significant for providers. It means that the contractual and technical safeguards already in place for GDPR compliance, particularly under Article 28 processor agreements, can serve as strong evidence for the data protection and security components of CADA's criteria. However, the auditor must still explicitly map these measures to the CADA criteria in Annex II. For example, a GDPR clause preventing unauthorised third-country access supports the criteria for UAL 2 and 3, but the auditor must verify that this clause is effective and enforceable against the specific "third-country control" risks defined in CADA, which go beyond standard data transfer restrictions.

EUCS as a Mandatory Component for Higher Tiers

The European Cybersecurity Certification Scheme for Cloud Services (EUCS), developed under the Cybersecurity Act (Regulation (EU) 2019/881), plays a pivotal role in CADA's framework. Annex II explicitly references EUCS for Union assurance levels 2, 3, and 4, but with distinct requirements for each tier:

  • Union Assurance Level 2: The provider must obtain a European cybersecurity certificate of at least assurance level 'substantial' under EUCS, provided the scheme is established and available. Until then, national cybersecurity certification schemes apply, or the provider must demonstrate compliance with the highest cybersecurity standards under applicable Union law (Annex II, point 2.1(e)).
  • Union Assurance Level 3: Similarly, UAL 3 requires an EUCS certificate of at least assurance level 'substantial' (Annex II, point 3.1(e)).
  • Union Assurance Level 4: UAL 4 requires an EUCS certificate of at least assurance level 'high' (Annex II, point 4.1(e)).

Therefore, once EUCS is fully adopted and operational, obtaining an EUCS certificate will be a mandatory part of the evidence package for UAL 2, 3, and 4. It is not a substitute for the entire CADA audit, but it satisfies the specific cybersecurity criterion within the broader sovereignty assessment. If EUCS is not yet available, providers can use national schemes or demonstrate high cybersecurity standards, but these are interim measures.

Conformity Self-Assessment for Union Assurance Level 1

For the baseline Union assurance level 1, CADA does not require an independent audit. Instead, Article 19 establishes a "conformity self-assessment" process. The cloud computing service provider must:

  1. Carry out a self-assessment of compliance with the criteria for Union assurance level 1 set out in Annex II.
  2. Issue an "EU statement of conformity" stating that compliance has been demonstrated.
  3. Make this statement publicly available.

In this tier, existing certifications and GDPR agreements can form the backbone of the internal evidence used to support the self-assessment. However, the provider assumes full responsibility for the accuracy of this statement. The criteria for UAL 1 are less stringent than those for the higher tiers (e.g., they do not require EUCS certification or strict prohibitions on third-country control in the same absolute terms), but they still require specific commitments regarding infrastructure location, data residency, and cybersecurity standards.

Mapping Existing Evidence to Annex II and Annex III

The core of the CADA compliance process is the mapping of existing controls to the criteria in Annex II. Auditors for UAL 2–4 will request specific "audit evidence" as outlined in Annex III. This evidence often overlaps with existing compliance documentation, but the context and specificity differ:

  • Infrastructure Location: Evidence such as lease agreements, property deeds, and network diagrams (Annex III, Criterion B) can often be sourced from existing IT governance records. However, the auditor must verify that all elements, including backup and disaster recovery, remain exclusively within the Union.
  • Data Localization: Data flow diagrams and contractual agreements preventing data transfer outside the Union (Annex III, Criterion C) are directly relevant to GDPR international transfer mechanisms. However, CADA requires that data is not used to train or fine-tune any AI system operated by a third country (Annex II, point 2.1(f)), a requirement that goes beyond standard GDPR transfer restrictions.
  • Third-Country Control: For providers subject to third-country control, demonstrating the absence of such control or the implementation of legal/technical separation measures (Annex III, Criterion G) is unique to CADA. This may require new documentation, such as cap tables, board minutes, and declarations of no veto rights, which are not typically part of standard GDPR or ISO audits.
  • Software Supply Chain: Providing a Software Bill of Materials (SBOM) and evidence of source code auditability (Annex III, Criterion I) may align with existing software security standards but must be presented in the format required by CADA auditors, including specific migration plans for third-country components.

What this means for you

If you are a cloud service provider or data centre operator aiming to achieve CADA recognition, you cannot simply present an existing ISO 27001 or SOC 2 report and claim compliance. You must engage in a structured mapping exercise:

  1. Inventory Existing Controls: Gather all current cybersecurity certifications, GDPR Article 28 agreements, and data processing addendums.
  2. Gap Analysis against Annex II: Compare your existing controls against the specific criteria for your target Union assurance level in Annex II. Identify where current measures fall short (e.g., lack of explicit prohibitions on third-country AI training data usage or specific personnel citizenship requirements for UAL 3/4).
  3. Prepare for EUCS: If targeting UAL 2, 3, or 4, prioritize achieving EUCS certification once available. If not yet available, ensure your national cybersecurity certifications or internal security standards are robust enough to meet the "highest cybersecurity standards" interim requirement. Note the distinction: UAL 2 and 3 require 'substantial', while UAL 4 requires 'high'.
  4. Enhance Documentation: Update your GDPR processor agreements to explicitly include the technical and organisational measures required by CADA, as suggested by Recital 63. This dual-purpose documentation will streamline both GDPR compliance and CADA audit evidence.
  5. Engage Auditors Early: For UAL 2–4, select an auditing organisation that understands the nuance of CADA's sovereignty criteria. They will need to verify that your existing evidence directly addresses the specific risks of third-country control and data sovereignty, not just general cybersecurity.

Common misconceptions

"GDPR compliance equals CADA compliance." Incorrect. While GDPR agreements can be relied upon to demonstrate certain technical and organisational measures (Recital 63), CADA covers broader sovereignty risks, including operational autonomy, third-country control, and software supply chain integrity, which are outside the scope of GDPR.

"An ISO 27001 certificate is sufficient for Union Assurance Level 2." Incorrect. UAL 2 requires an independent audit against CADA's specific criteria in Annex II, including cybersecurity certification (EUCS or equivalent). ISO 27001 is a general management standard and does not address the specific sovereignty and data residency requirements of CADA.

"Union Assurance Level 1 requires an external audit." Incorrect. UAL 1 is based on a conformity self-assessment and an EU statement of conformity issued by the provider (Article 19). External audits are only mandatory for levels 2, 3, and 4.

"EUCS replaces the CADA audit." Incorrect. EUCS satisfies the cybersecurity criterion within the CADA framework (Annex II), but the provider must still undergo the full CADA audit to verify other criteria, such as data localization, personnel citizenship, and absence of third-country control.

"Level 3 requires 'High' cybersecurity certification." Incorrect. As proposed, both Level 2 and Level 3 require a European cybersecurity certificate of at least assurance level 'substantial'. Only Level 4 requires the 'high' assurance level (Annex II, points 2.1(e), 3.1(e), and 4.1(e)).

This is general information about a draft EU regulation, not legal advice.