Summary

Under the proposed Cloud and AI Development Act (CADA), the European Commission is legally responsible for establishing and maintaining the central repository of recognised cloud computing services. As set out in Article 22(1), this repository serves as the single, EU-wide public register for services that have been verified against Union assurance levels. However, the Commission does not unilaterally decide which services are listed. Instead, national competent authorities of establishment are mandated to register the services they recognise into this central system. Article 22(4) further requires that the repository be publicly available and regularly updated by both the Commission and these national authorities on a dedicated website, ensuring transparency for public buyers and market participants.

Detail

The proposed Cloud and AI Development Act (CADA) introduces a comprehensive sovereignty framework designed to reduce the EU's dependence on third-country cloud providers and safeguard the operational autonomy of Union entities. A critical component of this framework is the creation of a centralised, transparent register of cloud services that have been verified as meeting specific EU sovereignty standards. The governance, maintenance, and population of this repository are strictly defined in Article 22 of the proposal, creating a clear division of responsibilities between the EU level and the Member State level.

The Commission's Role: Establishment and Maintenance

The primary responsibility for the infrastructure of the repository lies with the European Commission. Article 22(1) explicitly states that "The Commission shall establish and maintain a dedicated repository of cloud computing services that have been recognised in accordance with Article 17."

This provision assigns the Commission the role of the platform operator. Its duties include:

  • Technical Infrastructure: Building and hosting the digital system that will serve as the central repository.
  • Maintenance: Ensuring the system remains secure, resilient, and operational across the Union.
  • Accessibility: Guaranteeing that the repository is accessible to all relevant stakeholders.

By centralising the register at the EU level, CADA aims to prevent market fragmentation. Without a single repository, public-sector bodies in different Member States might rely on disparate national lists, creating administrative burdens and hindering the cross-border provision of sovereign cloud services. A unified EU-wide register ensures that a cloud service recognised in one Member State is immediately visible and verifiable across the entire Union, facilitating the single market for cloud services.

The Role of National Competent Authorities

While the Commission hosts the repository, it does not act as the gatekeeper for which services are listed. The authority to assess and recognise cloud services remains with the Member States. Consequently, the responsibility for populating the register lies with the national competent authorities of establishment.

Article 22(2) mandates that "The national competent authority of establishment that recognised a cloud computing service under Article 17 shall register the cloud computing service in the central repository."

This creates a distinct two-step workflow:

  1. Assessment and Recognition: National competent authorities assess cloud service providers against the Union assurance levels (Levels 1–4) as defined in Annex II. This involves reviewing self-assessments (for Level 1) or independent audit reports (for Levels 2–4) and issuing a formal recognition decision.
  2. Registration: Once a service is officially recognised, the national authority is legally required to register that service in the Commission's central repository.

This mechanism ensures that the repository accurately reflects the rigorous national oversight processes while providing a unified EU view. It also means that the accuracy and timeliness of the repository depend heavily on the diligence of national authorities in submitting and updating their recognitions. The Commission does not independently verify the technical compliance of individual providers; it relies on the national authorities to perform the assessment and subsequently register the outcome.

Public Accessibility and Transparency

A defining feature of the repository is its openness to the public. Article 22(4) stipulates that "The central repository shall be publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website."

This public accessibility serves several strategic purposes:

  • Market Transparency: It allows public-sector contracting authorities to easily identify which providers meet the required sovereignty levels for their procurement needs, as mandated by Article 30.
  • Trust and Verification: It provides verifiable proof that a service has undergone the necessary conformity assessments or independent audits, enhancing trust in the EU cloud ecosystem.
  • Competition: It levels the playing field by making compliance visible, allowing compliant EU providers to demonstrate their sovereignty credentials to potential clients, including private sector entities operating in regulated industries.

Updates, Revocations, and Historical Records

The repository is designed as a dynamic tool, not a static list. Article 22(3) addresses the scenario where a service loses its recognised status. It states that "the revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years."

This five-year retention period for revoked recognitions is crucial for audit trails and historical transparency. It ensures that if a service was previously compliant but is no longer—due to a failure to maintain standards, the withdrawal of an audit opinion, or the submission of misleading information—this history is preserved for regulatory oversight and due diligence purposes. Furthermore, Article 23 imposes transparency obligations on cloud service providers to notify authorities of material changes that might affect their status, triggering updates or revocations that are then reflected in the central repository.

What this means for you

For public-sector procurement officers, cloud service providers, and compliance teams, the central repository will become the primary source of truth for cloud sovereignty compliance under the proposed CADA.

  • Simplified Due Diligence: Instead of manually reviewing complex audit reports or national certificates, you will be able to search the central repository to confirm if a provider holds the specific Union assurance level required by your risk assessment (e.g., Level 2, 3, or 4 for public-order-relevant activities under Article 30).
  • Cross-Border Procurement: The repository facilitates multi-cloud and cross-border strategies. You can confidently procure services from providers established in other Member States, knowing their sovereign status is verified and registered centrally by their national competent authority.
  • Monitoring Changes: You should monitor the repository for updates. If a provider's status is revoked or downgraded, you must act in accordance with your contract and the migration timelines set out in Article 29(6), which allows for a reasonable transition period not exceeding 12 months.
  • Preparation for Providers: Cloud service providers seeking recognition must understand that they do not register themselves directly. They must engage with their national competent authority of establishment. Once recognised, the authority will register the service in the central repository. Providers should ensure their national authority is aware of their application status to avoid delays in public visibility.

Common misconceptions

"The Commission audits the services." No. The Commission only hosts the database. The actual assessment and recognition of services are performed by national competent authorities (or through self-assessment for Level 1 SMEs). The Commission does not evaluate the technical or legal compliance of individual providers.

"The repository is private or restricted to government use." No. Article 22(4) explicitly states the repository shall be "publicly available." This allows private-sector entities, researchers, and the general public to verify the sovereignty status of cloud services, fostering market trust and enabling private companies to benchmark their own compliance.

"Providers register themselves directly into the EU system." No. Providers submit their evidence to national competent authorities. It is the national competent authority that registers the service in the central repository after granting recognition. Providers do not have direct write-access to the central EU register; the process is mediated by the national authority.

"Once listed, a service stays listed forever." No. Recognitions can be revoked if a provider fails to maintain compliance, supplies misleading information, or if an auditing organisation withdraws its positive opinion. Such revocations are published in the repository and remain visible for five years, ensuring that historical non-compliance is not erased.

This is general information about a draft EU regulation, not legal advice.