Summary
Public-sector buyers would choose a Cloud and AI Development Act (CADA) Union Assurance Level 1 provider because it serves as the mandatory baseline for all public procurement activities that do not contribute to the preservation of public order. As proposed in Article 30(2), this tier offers the lowest-cost entry into the EU sovereign cloud framework, relying on a self-assessed conformity process rather than expensive third-party audits. While it imposes strict requirements on EU establishment and data residency (per Annex II), it avoids the heavy administrative burden of higher tiers, making it the proportionate choice for routine administrative tasks.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a four-tiered sovereignty framework designed to match the level of assurance to the risk profile of public-sector activities. For the vast majority of public procurement (routine administrative functions, general information storage, and standard operational workflows), Union Assurance Level 1 is not just an option; it is the statutory default.
The Mandatory Baseline for Non-Critical Services
The decision to procure at Level 1 is often driven by compliance necessity rather than preference. Under Article 30(2) of the proposal, Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order (following the risk assessments mandated in Article 29) shall use cloud computing services recognised as having a Union assurance level 1.
This provision establishes Level 1 as the floor for the entire public sector. It ensures that even low-risk activities benefit from a harmonised baseline of sovereignty, preventing the fragmentation of standards across Member States. By mandating Level 1 for non-critical functions, the proposal applies the principle of proportionality: it avoids imposing the stringent, high-cost requirements of Levels 2, 3, or 4 on activities where the risk of third-country interference or service disruption is minimal.
Lowest-Cost Entry Tier via Self-Assessment
A primary driver for the selection of Level 1 providers is economic efficiency. The proposal explicitly distinguishes Level 1 from the higher tiers by its assessment mechanism. While Levels 2, 3, and 4 require independent third-party audits under Article 20, Level 1 relies on a conformity self-assessment.
According to Article 19, cloud computing service providers seeking recognition at Level 1 must carry out a self-assessment of compliance with the criteria set out in Annex II. Following this assessment, the provider issues an EU statement of conformity. By issuing this statement, the provider assumes full responsibility for the compliance of the service with the Level 1 criteria.
This self-assessment model significantly lowers the barrier to entry for providers, particularly for small and medium-sized enterprises (SMEs). It eliminates the substantial costs associated with annual third-party audits, which can be prohibitive for smaller European players. For public buyers, this translates into a more competitive market with a wider pool of eligible providers, potentially driving down procurement costs for standard cloud services.
Baseline EU Establishment and Data Residency Assurance
Despite being the entry tier, Level 1 is not a "light" standard. Annex II, Section 1 of the proposal sets out cumulative criteria that provide a robust baseline of sovereignty. These criteria ensure that public data remains under EU jurisdiction and is hosted on infrastructure controlled by entities subject to EU law.
Key baseline assurances under Annex II, Section 1 include:
- EU Establishment: The cloud computing service provider must be established in the Union. This ensures the provider is subject to EU jurisdiction and legal oversight.
- Infrastructure and Asset Location: The infrastructure and assets of the provider, including those of its subcontractors involved in service provision, must be located in the Union. Exceptions are permitted only if the public sector body explicitly requires otherwise.
- Data Residency: Customer data, including metadata and telemetry data, must remain exclusively within the Union at all times (before, during, and after configuration or use). Exceptions are allowed only if explicitly required by the public sector body.
- Subcontractor Transparency: Providers must demonstrate full transparency regarding subcontractors, subjecting them to due diligence and contractual obligations to meet Union legal standards.
- Cybersecurity Standards: The provider must demonstrate that the service complies with state-of-the-art cybersecurity standards.
These criteria provide a crucial layer of protection against the extraterritorial reach of third-country laws. By ensuring data and infrastructure remain within the Union, Level 1 directly addresses the risks associated with foreign access laws, such as those under the US CLOUD Act, which CADA aims to mitigate.
Simplified Recognition for SMEs
The proposal further incentivizes the choice of Level 1 providers by streamlining the recognition process for SMEs. Article 17(3) states that EU statements of conformity issued by SMEs are directly and automatically recognised in all Member States. This eliminates the need for prior recognition by a national competent authority for SME-provided Level 1 services, accelerating procurement cycles and fostering the growth of the European cloud market.
What this means for you
For public-sector procurement officers and compliance teams, choosing a CADA Level 1 provider involves a streamlined, compliance-focused workflow:
- Verify the Statement: Request the provider's EU statement of conformity under Article 19(2). This document is the primary evidence of compliance for Level 1.
- Check for Recognition: Confirm that the service is listed in the central repository of recognised services (established under Article 22). For SMEs, this recognition is automatic upon submission of the statement.
- Assess Risk: Ensure your specific use case has not been flagged as "public order relevant" in your Member State's risk assessment (Article 29). If it has not, Level 1 is the compliant and proportionate choice.
- Leverage Competition: Use the lower barriers of Level 1 to invite bids from a wider range of European providers, including SMEs, which can enhance market competition and drive down costs for standard cloud services.
Common misconceptions
- "Level 1 means no sovereignty guarantees." This is incorrect. Level 1 provides strict baseline guarantees regarding EU establishment, infrastructure location, and data residency, as detailed in Annex II. It prevents customer data from being stored or processed in third countries unless the public sector body explicitly requires otherwise.
- "Self-assessment means no accountability." Providers issuing a Level 1 statement assume legal responsibility for compliance. Member States must lay down rules on penalties for infringements (Article 24), and recipients of the service have the right to seek compensation for damages caused by non-compliance.
- "All public sector bodies must use Level 1." No. Bodies involved in national security, law enforcement, or other public-order-relevant activities must procure Level 2, 3, or 4 services (Article 30(3)). Level 1 is specifically for non-critical, standard administrative functions.
Related
- Why would a public body require CADA Level 4 over Level 3?
- CADA: What happens to an assurance level if a provider is acquired by a non-EU company?
- CADA Level 3: Sovereignty Requirements for Public Sector Buyers
- What does CADA Level 4 mean for a CTO choosing a provider?
- What criteria must a provider meet for CADA assurance level 4?
This is general information about a draft EU regulation, not legal advice.