Summary

Under the proposed Cloud and AI Development Act (CADA), national competent authorities (NCAs) are legally required to notify all other Member States and the European Commission whenever they amend or revoke a cloud computing service provider's recognition as offering a specific Union assurance level. This obligation, explicitly codified in Article 23(3), is the linchpin for ensuring the EU-wide consistency of recognition status. It supports mutual recognition across the single market by preventing fragmented enforcement, ensuring that a provider deemed non-compliant in one jurisdiction cannot continue to operate under a valid status in another, and guaranteeing that public sector buyers rely on accurate, real-time data in the central repository.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised sovereignty framework for cloud computing services. This framework categorises providers into four distinct Union assurance levels (1 through 4) based on rigorous criteria regarding establishment, data localisation, personnel citizenship, and third-country control. For a provider to supply cloud services to Union entities and public sector bodies, it must be formally recognised by the national competent authority (NCA) of its main establishment.

However, this recognition is not a static "once-and-done" approval. It is a dynamic status contingent upon ongoing compliance with complex sovereignty, cybersecurity, and operational autonomy criteria. The regulatory environment is fluid; a provider's circumstances can change due to shifts in ownership, breaches of data localisation rules, failures in cybersecurity audits, or changes in the legal landscape of a third country controlling the provider.

When such changes occur, the initial recognition may need to be amended (e.g., downgrading from Level 3 to Level 2) or fully revoked. Article 23 of the CADA proposal establishes the critical transparency obligations that govern this lifecycle, specifically addressing how changes in a provider's status are communicated across the Union to maintain the integrity of the single market.

The Notification Chain: From Provider to NCA to the Union

The mechanism for updating recognition status is a structured, three-step chain designed to ensure that the central repository of recognised services (maintained by the Commission under Article 22) remains accurate and trustworthy.

  1. Provider Notification (Article 23(1)): The cloud computing service provider acts as the first line of defence. Under Article 23(1), the provider is obligated to notify both the auditing organisation and the NCA of its establishment "as soon as possible" upon becoming aware of any information or material change in circumstances that may affect the audit report, the audit opinion, or the recognition itself.
  2. Auditor and NCA Assessment (Article 23(2)): Upon receiving the notification, the auditing organisation assesses whether the audit report or opinion needs to be amended or revoked. Simultaneously, the NCA of establishment assesses whether its initial recognition decision needs to be amended or revoked based on the new information.
  3. Cross-Border Notification (Article 23(3)): This is the critical step for single market consistency. If the NCA of establishment decides to amend or revoke the recognition, Article 23(3) imposes a strict, immediate obligation: "Where the national competent authority of establishment amends or revokes its recognition of the cloud computing service, it shall, as soon as possible, notify the national competent authorities of the other Member States and the Commission."

Why Cross-Border Notification is Mandatory

The requirement for NCAs to notify other Member States is not merely an administrative formality; it is foundational to the CADA's objective of creating a unified, resilient single market for sovereign cloud services. Without this mechanism, the sovereignty framework would be vulnerable to fragmentation and regulatory arbitrage.

1. Ensuring EU-wide Consistency of Recognition Status

CADA relies on the principle that a recognition granted by the NCA of establishment is valid across the entire Union. Article 17(7) stipulates that where no reasoned objection is submitted during the review period, the recognition is deemed accepted by all Member States. However, this mutual acceptance creates a risk: if an NCA in one country revokes a provider's status due to a sovereignty breach (e.g., a new third-country law compelling data access), but other Member States remain unaware, that provider could continue to sell services to public entities in those other countries under a now-invalid status.

This would create a dangerous inconsistency where a service is deemed "sovereign" and compliant in one jurisdiction but "non-compliant" and risky in another. By mandating immediate notification under Article 23(3), the proposal ensures that the recognition status is synchronised across all 27 Member States. This prevents a scenario where a provider is effectively "blacklisted" in one country but remains "whitelisted" in another, thereby preserving the uniform application of the sovereignty framework.

2. Supporting Mutual Recognition Across the Single Market

The CADA framework is built on mutual trust between Member States. Contracting authorities in Germany, for example, rely on the assessment performed by the NCA in Ireland if the provider is established there. This mutual recognition only functions if the underlying data is accurate and up-to-date. If an NCA fails to notify others of a revocation, it undermines the trust mechanism, forcing other Member States to either accept potentially non-compliant services (exposing them to sovereignty risks) or conduct redundant, costly parallel investigations to verify the status.

The notification obligation preserves the efficiency of the single market by ensuring that all authorities operate with the same factual baseline. It allows NCAs in destination Member States to take immediate enforcement action if necessary, without waiting for a formal cross-border cooperation request under Article 28.

3. Enabling the Central Repository to Function

The Commission maintains a central repository of recognised cloud computing services under Article 22. This repository is the primary tool for public sector buyers to identify compliant providers and verify their assurance levels. Article 23(3) ensures that when an NCA acts, the Commission is immediately informed, allowing the central repository to be updated in real time.

Without this direct notification line from the NCA to the Commission and other NCAs, the repository would become outdated. Public procurement officials relying on the repository would be making decisions based on stale data, potentially awarding contracts to providers whose recognition has already been revoked. The notification chain ensures the repository reflects the current legal reality of the provider's status.

Deadlines and Urgency

The CADA proposal emphasises speed in this process to mitigate risks to public order and operational autonomy. Article 23(3) states that the NCA must notify other authorities "as soon as possible." While the text does not specify a rigid number of days (unlike the 60-day assessment window in Article 17), the phrase "as soon as possible" in the context of sovereignty risks implies immediate action.

Delays in notification could leave public sector bodies exposed to third-country control, data access risks, or service disruptions that the CADA aims to mitigate. The urgency is compounded by the fact that a material change often signals an immediate threat to the "public order" relevance of the service, which is the core justification for the higher assurance levels.

What this means for you

For in-house counsel, compliance officers, and public procurement teams, the notification chain in Article 23 represents a critical operational risk area and a key compliance checkpoint.

1. Your Obligation to Report Material Changes

Cloud providers cannot wait for an NCA to discover a compliance breach. Under Article 23(1), you have a proactive duty to notify the NCA of your establishment and your auditor of any material change. "Material change" is broad and includes changes in ownership structures, jurisdictional control, subcontractor arrangements, or significant cybersecurity incidents. Failure to report these changes promptly can lead to the revocation of your recognition and potential penalties under Article 24.

2. Monitor the Central Repository

As a buyer of cloud services, your organisation must regularly check the Commission's central repository (Article 22). If a provider's status is amended or revoked, this will be reflected in the repository following the NCA's notification. Do not rely solely on contractual assurances from the provider; verify their status in the official EU register. A provider may be unaware of a revocation until they check the repository, but the legal effect of the revocation applies immediately upon the NCA's decision.

3. Prepare for Rapid Transitions

If your current provider's recognition is revoked, you may face a forced migration. Article 29(6) notes that if a risk assessment requires migration, it must happen within a reasonable transition period not exceeding 12 months. However, a sudden revocation due to a severe sovereignty breach (e.g., a new third-country law) could necessitate faster action to protect public order. Ensure your cloud architecture supports portability and that you have backup providers that already hold the necessary Union assurance levels.

4. Audit Trail Documentation

Maintain robust records of all communications with your auditor and the NCA. If a dispute arises regarding whether a change was "material" or whether you notified the NCA "as soon as possible," your documentation will be crucial in defending against penalties or revocation.

Common misconceptions

Misconception 1: The provider notifies other Member States directly.
Correction: No. The provider notifies only the NCA of its main establishment and the auditing organisation (Article 23(1)). The NCA of establishment is solely responsible for notifying other Member States and the Commission (Article 23(3)). This centralises the communication channel to prevent conflicting information from reaching different jurisdictions and ensures a single, authoritative source of truth.

Misconception 2: Notification only happens when recognition is revoked.
Correction: Article 23(3) applies to both amendments and revocations. A provider might move from Union assurance level 3 to level 2 due to a change in subcontractor locations or a downgrade in cybersecurity certification. This is an "amendment" and triggers the same cross-border notification obligation as a full revocation. The goal is to ensure all Member States know the current level of assurance, not just if the provider is banned.

Misconception 3: Other Member States can block the recognition via this notification.
Correction: While other NCAs can raise objections during the initial recognition process (Article 17), the notification under Article 23(3) is an informational duty following a decision by the NCA of establishment. It is not a new veto opportunity. However, if other NCAs believe the amendment or revocation was incorrect or insufficient, they may trigger cross-border cooperation procedures under Article 28 to investigate suspected infringements or request further action.

This is general information about a draft EU regulation, not legal advice.