Summary
As proposed in the Cloud and AI Development Act (CADA), listing in the central repository is effectively mandatory for cloud providers seeking to serve the EU public sector. Article 22 establishes this repository as the sole public record of recognised sovereign services, while Article 30 mandates that contracting authorities must procure only from providers listed there with the appropriate assurance level. Beyond strict compliance, listing serves as a powerful market signal, demonstrating verified sovereignty and building trust with public buyers who are legally required to mitigate dependency risks. For providers, the repository transforms sovereignty from a marketing claim into a verified, searchable asset that unlocks access to the public procurement market.
Detail
The proposed Cloud and AI Development Act (CADA) introduces a transformative mechanism for the European cloud market: a centralised, publicly accessible repository of cloud computing services that have been formally recognised for their sovereignty levels. For cloud service providers, understanding the mechanics and strategic value of this repository is critical. The repository is not merely an administrative database; it is the gatekeeper for public sector procurement and a key differentiator in a market increasingly defined by security, autonomy, and resilience.
The Legal Mechanism: Article 22 and the Central Repository
Under CADA, the European Commission is tasked with establishing and maintaining a dedicated repository of cloud computing services that have been recognised in accordance with the Act's sovereignty framework. This is explicitly outlined in Article 22.
The process begins when a cloud provider successfully undergoes the recognition process, either through a conformity self-assessment for Union Assurance Level 1 or an independent third-party audit for Levels 2, 3, and 4. Once the national competent authority of establishment validates the evidence, it registers the service in this central repository. The regulation specifies that this repository must be "publicly available and regularly updated by the Commission and the national competent authorities of establishment on a dedicated and easily accessible website."
The repository serves three critical functions for the market:
- Transparency: It provides a single source of truth for public sector buyers, auditing organisations, and competent authorities regarding which services meet which sovereignty standards. It eliminates information asymmetry by making assurance levels visible to all.
- Accountability: It records the specific Union Assurance Level (1, 2, 3, or 4) achieved by each service. Crucially, the regulation mandates that "the revocation of an audit report and audit opinion by an auditing organisation or the revocation of a recognition by a competent authority shall be published in the central repository and shall remain available there for five years." This ensures that market participants can see not just success, but also failures or lapses in compliance.
- Market Access: It acts as the verification layer for procurement rules. Without an entry in this repository, a provider cannot prove compliance with the sovereignty requirements mandated for public contracts. The repository is the definitive "list of eligible suppliers" for the EU public sector.
The Procurement Mandate: Article 30
The primary driver for providers to seek listing is the procurement obligation set out in Article 30. This article dictates how public sector bodies and Union entities must purchase cloud services, creating a direct link between repository listing and revenue.
Article 30 establishes a tiered procurement requirement based on risk assessments conducted by Member States under Article 29:
- Minimum Baseline: Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must, at a minimum, use cloud services recognised with Union Assurance Level 1.
- High-Criticality Sectors: Contracting authorities whose activities are identified as contributing to the preservation of public order (such as national security, defence, justice, or critical infrastructure under NIS2) must only procure services recognised with Union Assurance Levels 2, 3, or 4.
Crucially, the article states that these authorities "shall use" or "shall only procure" services that have been recognised under Article 17 and are consequently listed in the central repository under Article 22. The text is explicit: "Contracting authorities... shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."
There are limited derogations for exceptional circumstances (e.g., no adequate alternative exists, or applying the requirements would require disproportionate cost), but these are narrow and require strict justification. For the vast majority of public cloud contracts, a repository listing is a prerequisite for eligibility. If a provider is not listed, they are legally excluded from the tender process for public-order-relevant activities.
Strategic Market Advantages
Beyond mere compliance, listing in the CADA repository offers significant commercial advantages in the European market, turning a regulatory hurdle into a competitive asset.
1. Verification of Sovereignty as a Competitive Edge
The EU cloud market is currently characterised by a pronounced dependence on third-country providers. CADA aims to level the playing field by introducing a harmonised sovereignty framework. A listing in the repository is a verified badge of trust. It signals to public buyers that the provider has undergone rigorous scrutiny regarding data residency, personnel citizenship, cybersecurity certification, and freedom from third-country control. In a procurement environment where "European added value" is a weighted criterion under Article 32, a recognised sovereignty status directly contributes to a higher evaluation score. It moves the provider from "claiming" sovereignty to "proving" it via a Union-wide registry.
2. Reduced Due Diligence Burden for Buyers
Public procurement processes are often slowed by extensive security and sovereignty due diligence. Contracting authorities currently face the burden of verifying complex claims about data flows, ownership structures, and personnel screening. By providing a pre-verified status in a central repository, providers streamline the buying process. Contracting authorities can rely on the repository listing as proof of compliance, reducing the time and cost associated with tender evaluations. This efficiency can make a listed provider more attractive compared to unlisted competitors who require bespoke, time-consuming security assessments.
3. Access to the EuroCloud Federation and Joint Procurement
While the repository itself is a transparency tool, listing is often a precursor to participation in broader EU initiatives. The CADA establishes the EuroCloud Federation (under Article 34), a mechanism for public sector bodies to share cloud and data centre capacity. Participation in such federated models typically requires adherence to high sovereignty standards. Being listed in the repository demonstrates the baseline compliance necessary to engage in these advanced, cross-border public sector collaborations. Furthermore, the Commission's common procurement activities (under Article 37) will likely prioritise services available in the central repository, opening doors to joint purchasing frameworks that leverage collective buying power.
4. Long-Term Market Positioning and Spillover Effects
As the EU seeks to reduce its dependence on third-country providers, the demand for sovereign cloud services will grow. Providers who achieve listing early will establish themselves as trusted partners for the public sector. This early mover advantage can lead to long-term contracts and deeper integration into critical national infrastructure, creating high barriers to entry for future competitors who lack recognised sovereignty status. Moreover, while Article 30 applies to the public sector, Article 31 allows private sector entities (particularly those in critical sectors under NIS2) to conduct similar impact assessments. The spillover effect is significant: private sector buyers in regulated industries often mirror public sector standards. A repository listing will increasingly become a de facto standard for trust in the broader European market, not just for government contracts.
What this means for you
For cloud service providers and data centre operators, the path to the CADA repository is not optional if you intend to serve the European public sector. Here is how you should prepare to secure your market position:
1. Map Your Service to the Assurance Levels
Review the criteria in Annex II of CADA. Determine which Union Assurance Level your service can realistically achieve. Level 1 requires establishment in the Union and data residency within the Union. Levels 2–4 require independent audits, stricter personnel requirements (including EU citizenship for Level 3/4 where required by the public body), and specific cybersecurity certifications. Be realistic: a service cannot be listed at Level 3 if it relies on third-country control that cannot be mitigated.
2. Prepare for Audit and Documentation
For Levels 2–4, you must engage an auditing organisation. Ensure your technical documentation, software bills of materials (SBOMs), and data flow diagrams are ready. The audit evidence listed in Annex III will be scrutinised. You must demonstrate control over your supply chain, including subcontractors and third-country subsidiaries. The audit report must be "substantiated" and include a "positive" audit opinion to be accepted.
3. Engage with National Competent Authorities
Recognition is granted by the national competent authority of your establishment. Begin early dialogue with these authorities in your home Member State. They will assess your application and submit it for recognition across the Union. Delays in this process can delay your market entry. Remember that for Level 1, SMEs benefit from automatic recognition, but for higher levels, the process involves a 60-day review period by other Member States.
4. Leverage Your Listing in Marketing
Once listed, actively promote your Union Assurance Level in your sales materials. Highlight how your service meets the specific requirements of Article 30. Use the repository listing as a proof point in tenders to satisfy procurement officers' compliance checks quickly. In a market where "sovereignty" is often a buzzword, the repository link is the only verifiable proof.
5. Monitor Changes and Maintain Compliance
The repository is dynamic. If your service undergoes material changes, you must notify the auditing organisation and competent authority under Article 23. Failure to do so can lead to revocation of recognition, which will be published in the repository, damaging your reputation and market access. The revocation remains visible for five years, serving as a long-term stain on your market record.
Common misconceptions
Misconception 1: Listing is voluntary for all providers. While providers are not forced to join the repository if they only serve the private sector, it is effectively mandatory for public sector work. Article 30 creates a closed loop: public buyers must buy from the repository. If you are not in the repository, you are invisible to the public procurement process for any activity with public order relevance.
Misconception 2: One listing covers all services globally. Recognition is specific to the cloud computing service and its configuration. A provider may have some services recognised at Level 1 and others at Level 3. The repository lists specific services, not just the provider entity. You cannot assume that being a "European provider" grants automatic listing; each service must meet the cumulative criteria for its claimed level.
Misconception 3: The repository replaces cybersecurity certification. The CADA repository lists sovereignty assurance levels, which include cybersecurity as a component (e.g., requiring a European cybersecurity certificate of at least "substantial" assurance for Levels 2 and 3, and "high" for Level 4). However, the repository is not a cybersecurity certification scheme itself. It is a registry of services that have met broader sovereignty criteria, including data protection, personnel checks, and operational autonomy. You still need separate cybersecurity certifications (like the future EUCS) to meet the criteria for higher assurance levels.
Misconception 4: Private sector buyers will ignore the repository. While Article 30 applies to the public sector, Article 31 allows private sector entities (particularly those in critical sectors under NIS2) to conduct similar impact assessments. The spillover effect is significant: private sector buyers in regulated industries often mirror public sector standards. A repository listing will increasingly become a de facto standard for trust in the broader European market, not just for government contracts.
This is general information about a draft EU regulation, not legal advice.