Summary
Under the proposed Cloud and AI Development Act (CADA), the "evaluating national competent authority" is strictly defined as the national competent authority of the Member State where the cloud computing service provider has its main establishment. As set out in Article 17(2), this authority holds exclusive competence to assess recognition applications for Union assurance levels. While it leads the evaluation, it may request collaboration from other Member States' authorities to ensure a consistent EU-wide assessment, particularly when cross-border implications arise.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a harmonised framework for recognising cloud computing services that meet specific sovereignty and security standards, known as "Union assurance levels." A cornerstone of this framework is the clear allocation of administrative responsibility to avoid fragmentation. The proposal designates a single authority to evaluate each provider, ensuring that a service recognised in one Member State is automatically recognised across the entire Union.
Defining the Evaluating National Competent Authority
The proposal explicitly identifies the "evaluating national competent authority" based on the provider's corporate footprint. It is not a choice made by the provider, nor is it determined by where the data is physically stored or where the customers are located. Instead, it is tied to the provider's legal and operational centre of gravity.
According to Article 17(2) of the CADA proposal:
"The competent authority of establishment shall be the evaluating national competent authority. An evaluating national competent authority that has received an application for a candidate recognition, may, where necessary, request one or more competent authorities of the other Member States to collaborate in the procedure for a candidate recognition under this Article."
This provision centralises the administrative burden. A cloud computing service provider seeking recognition at any Union assurance level (1, 2, 3, or 4) submits a single application to the national competent authority of the Member State where it has its main establishment. This authority becomes the sole "evaluating national competent authority" for that application. If the evaluation is successful, the resulting recognition is valid throughout the EU, eliminating the need for duplicate applications in other Member States.
The "Main Establishment" Criterion
The determination of the evaluating authority hinges on the definition of "main establishment." While Article 17(2) assigns the role, Article 25(4) provides the definitive criteria for identifying the correct Member State.
Article 25(4) states:
"The Member State in which the cloud computing service provider has its main establishment, that is, where the cloud computing service provider has its head office or registered office from which the principal financial functions and operational control are exercised, shall have exclusive competence for enforcing this Chapter."
This definition is critical for compliance strategy. It prevents "regulatory arbitrage," where a provider might attempt to register in a Member State with a lighter regulatory touch despite its actual operations being centred elsewhere. The evaluating authority is the one where the principal financial functions and operational control are exercised. This ensures that the authority with the most direct oversight of the provider's governance is the one responsible for the sovereignty assessment.
The Role of Cross-Border Collaboration
While the evaluating authority holds exclusive competence, the proposal acknowledges that cloud services often have significant cross-border dimensions. To ensure consistency and address potential concerns in other jurisdictions, Article 17(2) introduces a mandatory collaboration mechanism.
The evaluating authority "may, where necessary, request one or more competent authorities of the other Member States to collaborate." This is not merely an option for the evaluating authority; it is a structured process designed to maintain the integrity of the single market.
The timeline for this collaboration is strict:
- Upon receiving a request for collaboration, the other Member State's competent authority has 15 days to respond.
- Within this period, the requested authority must either confirm its agreement to collaborate or refuse the request.
This mechanism ensures that if a provider has significant infrastructure, assets, or personnel in another Member State, that state's regulator can contribute to the assessment. This is particularly relevant for higher assurance levels (2, 3, and 4), where criteria regarding the location of infrastructure and personnel are stringent.
The Evaluation Timeline and Procedure
Once the application is lodged with the evaluating national competent authority, the proposal sets out a rigorous timeline for assessment under Article 17(5).
- Initial Assessment (60 Days): The evaluating authority has 60 days from accepting the application to assess the evidence submitted.
  - For Union assurance level 1, this involves reviewing the EU statement of conformity and supporting evidence.
  - For levels 2, 3, and 4, this involves reviewing the audit report and the "positive" audit opinion from an independent auditing organisation.
- Outcomes of the Initial Assessment:
  - Draft Recognition: If evidence is sufficient, the authority prepares a draft recognition decision and notifies other Member States for a 60-day review period.
  - Request for Information: If evidence is insufficient, the authority may request further information. The 60-day clock is suspended for a maximum of 30 days (unless exceptional circumstances justify a longer suspension) while the applicant gathers the data.
  - Rejection: If the application is rejected, the provider must be given the opportunity to provide written comments within 30 days before the final decision is made.
- The Review Period: During the 60-day review period following the draft decision, other Member States may submit reasoned objections or requests for clarification. If no objections are raised, the evaluating authority adopts the recognition decision, and the service is recognised across the Union. If objections are raised, the evaluating authority must assess them and may maintain or revoke its draft decision. If disagreement persists, the matter may be referred to the Commission for a binding decision.
What this means for you
For in-house counsel, compliance officers, and cloud service providers, the designation of the evaluating national competent authority has profound strategic implications.
1. Pinpoint Your Main Establishment: Your first step is to definitively identify your "main establishment" under Article 25(4). This is not a matter of preference; it is a legal fact based on where your head office or registered office exercises principal financial functions and operational control. Your compliance strategy must align with this reality. Attempting to route an application through a different Member State's authority where you lack this "main establishment" would be a procedural error likely to lead to rejection.
2. Prepare for a Single, High-Stakes Evaluation: Because the evaluating authority acts as a "one-stop-shop," the quality of your application to this single authority determines your entire EU market access. You must ensure that your evidence package, whether a self-assessment for Level 1 or a full audit report for Levels 2–4, is robust and directly addresses the criteria in Annex II. The evaluating authority will not defer to other national regulators for the final decision; it bears the responsibility.
3. Anticipate Cross-Border Scrutiny: While you deal primarily with one authority, be prepared for that authority to engage in collaboration. If your infrastructure spans multiple Member States, the evaluating authority may request input from those jurisdictions. Ensure your internal teams in all relevant Member States are ready to respond to collaboration requests within the 15-day window. Delays in collaboration could stall the entire recognition process.
4. Manage the 60-Day Clock: The proposal imposes a strict 60-day assessment period. If the evaluating authority requests additional information, the clock stops for up to 30 days. Your compliance team must be agile enough to provide this information immediately to avoid unnecessary delays. Failure to respond within the suspension period could result in the authority rejecting the application or the suspension expiring, leaving the application incomplete.
5. Understand the Consequences of Misrepresentation: The evaluating authority's power is significant. Under Article 17(11), the authority may revoke recognition if it finds that the provider intentionally or negligently supplied incorrect or misleading information. Given that the evaluating authority is the sole gatekeeper for EU-wide recognition, maintaining transparency and accuracy in all communications with this specific authority is paramount.
Common misconceptions
Misconception 1: I can choose the most favourable national authority. Incorrect. The evaluating authority is determined by the location of your "main establishment" as defined in Article 25(4). You cannot select a regulator based on perceived leniency if your operational control and financial functions are exercised elsewhere.
Misconception 2: The evaluating authority acts in total isolation. While the evaluating authority has exclusive competence, Article 17(2) explicitly provides for collaboration. It may request input from other Member States, and those states have a right to object during the review period. Ignoring the potential for cross-border feedback is a strategic error.
Misconception 3: I need to apply separately in every country where I have data centres. No. The proposal establishes a single recognition procedure. Once the evaluating national competent authority grants recognition, it is valid across the entire Union. There is no need for parallel applications in other Member States.
Misconception 4: The 60-day assessment period is a guarantee of approval. The 60-day period is a deadline for the authority to assess the application, not a guarantee of a positive outcome. If the evidence is insufficient, the authority can request more information (suspending the clock) or reject the application entirely.
This is general information about a draft EU regulation, not legal advice.