Summary
Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers do not register their own services in the central repository. Instead, the national competent authority of establishment that granted the formal recognition is legally obligated to register the service. As proposed in Article 22(2), once a provider receives recognition for a Union assurance level (1, 2, 3, or 4), the national authority must enter the service details into the EU-wide central repository maintained by the Commission. This ensures that the public list contains only verified, officially recognized services.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a rigorous framework to enhance the transparency and trustworthiness of cloud services within the EU. A critical component of this framework is the central repository of cloud computing services. For providers seeking to serve public sector bodies, understanding the registration mechanism is vital, as it determines how their services become visible to potential buyers.
The process is designed to prevent self-declaration and ensure that only services that have undergone the appropriate conformity assessment or audit procedures appear on the official list. The workflow is strictly hierarchical and involves three key actors: the cloud computing service provider (CSP), the national competent authority of establishment, and the European Commission.
The Legal Mechanism: Article 22
The specific rules governing the registration process are found in Article 22 of the proposal. This article establishes the repository and delineates the distinct responsibilities of the Commission and the Member States.
Article 22(1) mandates that the Commission shall "establish and maintain a dedicated repository of cloud computing services that have been recognised in accordance with Article 17." This repository serves as the single, authoritative source of truth for contracting authorities, auditing organizations, and the public. It allows stakeholders to verify whether a specific cloud service meets the Union assurance levels required for public procurement.
However, the Commission's role is administrative and infrastructural; it does not perform the substantive registration of individual services. The responsibility for data entry lies squarely with the national level. Article 22(2) explicitly states:
"The national competent authority of establishment that recognised a cloud computing service under Article 17 shall register the cloud computing service in the central repository."
This provision creates a clear chain of custody and accountability. The "national competent authority of establishment" refers to the public body designated by the Member State where the cloud service provider has its main establishment (as defined in Article 25(4)). This authority is the entity that evaluates the provider's application, verifies the evidence (such as the EU statement of conformity for Level 1 or the audit report and positive opinion for Levels 2–4), and issues the formal recognition decision.
Once this authority issues the decision recognizing the service at a specific Union assurance level, it triggers the registration obligation. The authority must then update the central repository to reflect this new status. This mechanism ensures that the information in the repository is not self-declared by commercial entities but is instead certified by a competent public authority.
The Registration Workflow
The process unfolds in two distinct phases:
- Recognition Phase: The cloud service provider submits an application for recognition to the national competent authority of establishment.
  - For Union assurance level 1, the provider submits an EU statement of conformity (Article 19).
  - For Union assurance levels 2, 3, and 4, the provider submits an audit report and a "positive" audit opinion from an independent auditing organization (Article 20).
  - The national competent authority assesses the evidence. If satisfied, it adopts a recognition decision.
- Registration Phase: Upon adopting the recognition decision, the national competent authority of establishment is legally required to register the service in the central repository.
  - The provider does not have direct access to the repository to input data.
  - The Commission maintains the platform but relies on the national authorities to populate it with verified data.
This separation of duties is crucial for the integrity of the framework. It prevents providers from listing unverified services and ensures that the repository reflects the current, legally binding status of each service.
Content and Transparency of the Repository
While Article 22 does not enumerate every specific data field to be registered, the context of the Regulation implies that the entry must contain sufficient information to identify the service and its assurance level. This typically includes the name of the provider, the specific service, the recognized Union assurance level, and the date of recognition.
Article 22(4) confirms that the central repository shall be "publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website." This transparency is essential for public sector bodies conducting procurement under Article 30, as they must verify that a tendered service is listed in the repository before awarding contracts for activities contributing to public order.
Revocation and Historical Records
The registration is dynamic, not static. If a service loses its recognized status, the repository must immediately reflect this change to prevent public bodies from procuring non-compliant services.
Article 22(3) states:
"The revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years."
This requirement ensures that historical data is preserved for audit trails and that the public record clearly shows if a previously trusted service has been downgraded or removed due to non-compliance. The national competent authority remains the active agent in this process; if it revokes recognition, it must update the repository to reflect this status change. The five-year retention period for revocation records provides a robust mechanism for accountability and risk assessment.
What this means for you
For cloud service providers (CSPs) aiming to participate in the EU public sector market, understanding this registration flow is critical for compliance and market access.
- Engage Your National Authority: Your primary point of contact for registration is the national competent authority in your Member State of establishment, not the European Commission. Ensure you have established clear communication channels with this authority early in the process.
- Secure Formal Recognition First: You cannot register your service until you have received formal recognition. For Level 1, ensure your EU statement of conformity is robust and submitted correctly. For Levels 2–4, secure a "positive" audit opinion from an accredited auditing organization. Without this official recognition, the national authority cannot legally register you.
- Monitor the Repository: Once your service is registered, proactively monitor the central repository to ensure the information is accurate. While the national authority is responsible for the entry, errors can occur. Inaccurate data could hinder public sector buyers from finding your service or lead to procurement disqualifications.
- Plan for Continuous Compliance: Recognition is not permanent. Article 20(8) requires an annual review of the audit report and opinion for Levels 2–4. Ensure your ongoing compliance efforts are seamless so that the national authority can renew your recognition and maintain your registration without interruption.
- Prepare for Revocation Scenarios: Understand that if your recognition is revoked, the record of that revocation will remain in the public repository for five years. This long-term visibility underscores the importance of maintaining strict adherence to the Union assurance criteria.
Common misconceptions
"We can register our service in the central repository ourselves once we have our audit report."
- Reality: No. Self-registration is strictly prohibited under the proposed CADA. Article 22(2) mandates that only the national competent authority of establishment that granted the recognition can register the service. The provider has no direct write-access to the repository.
"The European Commission manually enters every service into the database."
- Reality: The Commission maintains the technical infrastructure and the platform, but it does not perform the data entry for individual services. The duty to register lies exclusively with the national competent authorities of establishment. The Commission's role is to ensure the repository is accessible and updated based on the data provided by Member States.
"Once registered, our status is permanent until we choose to leave."
- Reality: Registration is entirely dependent on active recognition. If your audit opinion is revoked, your recognition is withdrawn, or you fail to meet the annual review requirements, your entry will be updated to reflect this revocation. Furthermore, Article 22(3) ensures that the record of revocation remains visible for five years, serving as a lasting public record of non-compliance.
"The repository is just a list of providers."
- Reality: The repository is a list of recognized services at specific Union assurance levels. It is a dynamic tool for public procurement verification, not a static directory. It links specific services to their compliance status, allowing contracting authorities to filter services by the assurance level required for their specific public-order risk assessment.
This is general information about a draft EU regulation, not legal advice.