Summary

As proposed, the CADA central repository is fully open to the public. Article 22(4) of the Cloud and AI Development Act (CADA) mandates that the Commission maintain this database on a "dedicated and easily accessible website" where it "shall be publicly available." Crucially, this means no registration, login, or account creation is required for any individual, business, or public authority to view the list of recognized cloud services. The repository serves as a transparent, real-time market tool to verify Union assurance levels (1 through 4) and track revocations.

Detail

The Cloud and AI Development Act (CADA) introduces a "Union cloud computing sovereignty framework" designed to mitigate risks associated with third-country control and ensure operational autonomy for the EU. A cornerstone of this framework is the central repository of cloud computing services, established under Article 22. This database acts as the single source of truth for which cloud providers have successfully demonstrated compliance with the Union assurance levels defined in Annex II.

Legal Basis for Public Access

The accessibility of the repository is explicitly defined in Article 22(4) of the proposal. The text states:

"The central repository shall be publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website."

This provision establishes three critical operational facts for the future implementation of CADA:

  1. Universal Public Access: The phrase "publicly available" removes any restriction on the user base. Unlike many regulatory databases that are restricted to "registered stakeholders" or "competent authorities," the CADA repository would be open to anyone. This includes private enterprises, SMEs, researchers, journalists, and individual citizens, in addition to public-sector bodies.
  2. No Authentication Barriers: The requirement for the site to be "easily accessible" combined with "publicly available" implies a design that does not require users to create accounts, log in, or provide credentials to view the data. The intent is to lower the barrier to entry for market transparency, allowing any potential buyer to instantly verify a provider's status.
  3. Dedicated Platform: The Commission is obligated to host this data on a specific, dedicated website, ensuring it is not buried within general Commission portals but stands as a distinct, searchable resource for the cloud market.

What Data is Visible?

The repository serves two primary functions: listing active recognitions and publishing historical revocations.

Active Recognitions

Under Article 22(2), once a national competent authority of establishment recognizes a cloud computing service as offering a specific Union assurance level (Level 1, 2, 3, or 4), it must register that service in the central repository. Consequently, the public can view:

  • The name of the cloud computing service provider.
  • The specific Union assurance level recognized (e.g., Level 3 for public-order activities).
  • The Member State of establishment.
  • The date of recognition.

Revocations and Historical Data

Transparency also requires visibility into non-compliance. Article 22(3) mandates that if an auditing organization revokes an audit report/opinion, or if a competent authority revokes a recognition, this action "shall be published in the central repository and shall remain available there for five years."

This ensures that a provider who lost their status due to a breach of sovereignty criteria (e.g., unauthorized third-country access or failure to maintain Union personnel) remains visible in the public record for a significant period. This prevents "status laundering" where a provider might attempt to hide past failures from potential clients.

Governance and Maintenance

While the repository is public, its maintenance is a shared responsibility:

  • The European Commission: Is responsible for establishing the technical platform, ensuring the website remains "easily accessible," and maintaining the central database.
  • National Competent Authorities: Under Article 22(2), the authority in the Member State where the provider is established is responsible for the initial registration of the service. They must also update the repository if they amend or revoke a recognition.
  • Regular Updates: Article 22(4) requires the repository to be "regularly updated," ensuring that the public view reflects the current legal status of providers in near real-time.

What this means for you

The public nature of the CADA repository fundamentally changes how market participants verify cloud compliance.

For Public Procurement Officers

Under Article 30, contracting authorities must procure cloud services that meet specific assurance levels based on their risk assessment (Article 29).

  • Pre-Tender Verification: Before launching a tender, you can visit the public repository to confirm that a potential bidder holds a valid recognition for the required level (e.g., Level 2 or higher for law enforcement activities).
  • Due Diligence Efficiency: You no longer need to request audit reports or conformity statements as a first step. The repository provides a verified, official status. If a provider is not listed, they are not recognized under CADA.
  • Contract Monitoring: Since revocations remain visible for five years, you can monitor the status of your current providers. If a provider is removed from the list, you are alerted to the loss of compliance, triggering the migration obligations under Article 29(6) (which requires migration within 12 months).

For Private Companies and SMEs

While CADA's procurement mandates primarily target public bodies, private entities operating in critical sectors (under Article 31) or those seeking to align with EU standards can use the repository.

  • Market Intelligence: SMEs can use the repository to identify which European providers are achieving high assurance levels, helping them choose partners that align with their own sovereignty goals.
  • Competitive Benchmarking: Providers can see who else is recognized at their level, fostering a transparent competitive environment.
  • No Cost to Access: Because no login is required, there is no administrative cost or friction for a private company to check a vendor's status.

For Cloud Providers

  • Visibility: Being listed in the repository is a key marketing asset. It signals to the market that you have passed independent audits (for Levels 2-4) or self-assessment (Level 1).
  • Reputation Risk: Providers must understand that any revocation will be publicly visible for five years. This creates a strong incentive to maintain continuous compliance and promptly report material changes under Article 23.

Common misconceptions

"The repository is a private portal for government officials only."

  • Correction: This is incorrect. Article 22(4) explicitly states the repository "shall be publicly available." There is no legal basis in the proposal to restrict access to government officials. Any member of the public can access the data.

"I need to register an account to search for compliant providers."

  • Correction: No. The requirement for the site to be "easily accessible" and "publicly available" precludes mandatory registration or login walls for viewing the list of recognized services.

"The repository lists every cloud provider in Europe."

  • Correction: No. The repository only lists services that have successfully applied and been recognized under Article 17. Providers that have not applied, or whose applications were rejected, will not appear in the list (unless a revocation is published). It is a list of compliant services, not a directory of all services.

"Revocations are removed immediately after a provider fixes the issue."

  • Correction: Under Article 22(3), revocations must remain in the repository for five years. This ensures historical transparency and prevents providers from erasing their compliance history.

This is general information about a draft EU regulation, not legal advice.