Summary
Under the proposed Cloud and AI Development Act (CADA), the European Commission's central repository must retain records of revoked cloud computing service recognitions for five years, as explicitly mandated by Article 22(3). This requirement is a cornerstone of the Act's transparency framework, designed to protect public sector buyers by maintaining a historical record of services that failed to maintain their Union assurance levels. The five-year retention prevents providers from "whitewashing" their compliance history, ensuring that contracting authorities can see past non-compliance even if a provider has since remediated issues and regained recognition.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous, tiered framework for cloud computing sovereignty known as "Union assurance levels" (Levels 1 through 4). This system relies on a centralized mechanism to verify and publicize which cloud services meet these stringent criteria. However, compliance is not a one-time achievement; it is a continuous obligation. Providers can lose their status if they fail to meet ongoing criteria, if auditors identify deficiencies, or if material changes occur in their ownership or infrastructure.
Article 22 of the CADA proposal governs the establishment and maintenance of the "central repository of cloud computing services." While the primary function of this repository is to list currently compliant services to facilitate procurement, Article 22(3) introduces a critical transparency mechanism regarding non-compliance and loss of status. The provision states:
"The revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years."
This clause creates a mandatory five-year "shadow record" for any cloud service that has lost its Union assurance level. The rationale behind this specific duration and visibility requirement is multi-layered, targeting market integrity, buyer protection, and regulatory deterrence.
Transparency and Buyer Protection Rationale
Public sector bodies across the EU are required under CADA (specifically Articles 29 and 30) to conduct risk assessments and procure cloud services that meet minimum assurance levels. For general activities, Union assurance level 1 is the baseline. However, for activities identified as contributing to the preservation of public order, such as law enforcement, defence, or critical infrastructure, contracting authorities must procure only services recognised at levels 2, 3, or 4.
These procurement decisions carry significant legal, security, and operational weight. A cloud provider's recognition is not merely a badge of quality; it is a legal prerequisite for accessing sensitive public sector markets. If a provider's recognition is revoked, whether due to a failed audit, a change in control by a third-country entity, or a failure to maintain infrastructure within the Union, the loss of status is a material fact for any prospective or existing public sector buyer.
By keeping the revocation visible for five years, CADA ensures that contracting authorities have access to a complete historical picture of a provider's compliance trajectory. Without this retention period, a provider could have their recognition revoked, immediately re-apply, potentially gain a new recognition (perhaps at a lower level or after remediation), and appear in the repository with a "clean slate." The five-year rule prevents this "whitewashing" of compliance history. It allows public buyers to see that a provider previously failed to meet the rigorous criteria for Union assurance, enabling them to factor this risk into their procurement decisions and risk assessments under Article 29.
Historical Record and Deterrence
The five-year window aligns with standard regulatory retention periods for serious compliance failures in other EU digital frameworks, balancing the need for historical accountability with the possibility of eventual rehabilitation. It serves as a powerful deterrent against complacency. Providers know that a failure to maintain their assurance level will not be a temporary, easily forgotten administrative hiccup. Instead, it becomes a fixed feature of their public regulatory profile for half a decade.
This visibility also aids national competent authorities. When assessing re-application for recognition under Article 17, authorities can review the repository to understand the context of previous revocations. Was the revocation due to a minor administrative error, or a fundamental breach of sovereignty criteria, such as unauthorized data transfer outside the Union or loss of operational autonomy? The historical record provides essential context for evaluating the provider's current reliability and the robustness of their remediation efforts.
Interaction with Transparency Obligations
Article 22(3) works in tandem with Article 23, which imposes ongoing transparency obligations on providers. Under Article 23(1), recognised cloud computing service providers must notify the auditing organisation and the national competent authority of establishment "as soon as possible" upon becoming aware of any material change in circumstances that may affect their audit report, opinion, or recognition.
If a revocation occurs, it is immediately published. The five-year retention ensures that this negative information remains accessible long after the immediate incident has been resolved. This mechanism balances the provider's interest in moving forward with the public interest in security and transparency. It ensures that the "public order" safeguard, which is central to the Act's objective in Article 1(1)(c), is not undermined by the rapid cycling of providers through the recognition system.
What this means for you
For in-house counsel, compliance officers, and procurement teams, Article 22(3) introduces a long-term reputational and contractual risk that must be managed proactively. The five-year visibility rule fundamentally changes the risk profile of non-compliance.
1. Contractual and Procurement Implications
Public sector contracts increasingly include clauses requiring continuous compliance with CADA assurance levels. A revocation triggers immediate contractual consequences, including potential termination for breach of contract. Furthermore, because the revocation remains visible for five years, it may affect your ability to win future tenders. Procurement teams evaluating bids will see the historical revocation in the central repository. Even if you have since regained compliance, the historical record may lead them to discount your bid, require additional mitigations, or prefer competitors with a clean five-year history.
2. Remediation Strategy
If your service faces a potential revocation, the stakes are significantly higher than just losing the current contract. You must develop a robust remediation plan that not only addresses the immediate breach but also demonstrates systemic improvement. When re-applying for recognition under Article 17, you will need to clearly articulate how the issues leading to the previous revocation have been permanently resolved. You must acknowledge that the prior failure remains recorded in the central repository for five years, and your strategy must account for this public scrutiny.
3. Monitoring and Reporting
Ensure your internal monitoring systems are sensitive to any changes that could trigger a revocation under Article 23. This includes changes in ownership, infrastructure location, subcontractor arrangements, or personnel citizenship (critical for Levels 3 and 4). Early detection allows for proactive notification and potential remediation before a formal revocation is issued and published. A proactive approach to reporting material changes may mitigate the severity of the revocation, though it will not erase the five-year record.
4. Stakeholder Communication
Prepare communication strategies for key clients, particularly public sector bodies, in the event of a revocation. Transparency with clients about the issue and your remediation steps can help mitigate trust erosion, even though the regulatory record will reflect the failure for five years. Clients may view a proactive disclosure more favourably than a discovery of the revocation via the central repository.
Common misconceptions
Misconception 1: The record is only visible during the revocation period. Some providers assume that once they rectify the issue and regain recognition, the record of the previous revocation disappears. This is incorrect. Article 22(3) explicitly states the revocation "shall remain available there for five years," regardless of whether the provider subsequently regains recognition at any level. The record is a historical fact, not a current status indicator.
Misconception 2: Only major breaches lead to a five-year mark. The provision does not distinguish between minor and major breaches for the purpose of retention. Any revocation of recognition, whether due to a technical audit failure, a minor administrative oversight, or a fundamental sovereignty breach, triggers the five-year visibility requirement. The text of the Act is absolute: "The revocation... shall be published... and shall remain available there for five years."
Misconception 3: The repository is internal and not public. Article 22(4) states that the central repository "shall be publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website." This means that competitors, journalists, analysts, and potential clients can easily access the history of revoked recognitions. There is no private "black box" for these records; they are part of the public transparency regime.
Misconception 4: You can appeal the visibility of the record. The five-year retention is a statutory requirement of the transparency framework. While you can appeal the revocation decision itself through national or EU judicial remedies (as provided for in Article 26 and general EU law principles), the mechanism for publishing and retaining the record for five years is a fixed element of the Act designed to protect public order. If the revocation is upheld, the record remains for the full five-year term.
Related
- CADA Repository: How long do revoked recognitions stay published?
- Are revoked recognitions published in the CADA central repository?
- What should a buyer do if a service is revoked in the CADA repository mid-contract?
- What happens when a recognition is amended or revoked under CADA Article 23?
- Why list in the CADA repository? Public procurement access & market advantage
This is general information about a draft EU regulation, not legal advice.