Summary

Yes, under the proposed Cloud and AI Development Act (CADA), metadata and telemetry are explicitly covered by data residency rules. Annex II to the proposal defines "customer data" to include "metadata and telemetry data," requiring these data types to remain exclusively within the Union for services seeking Union assurance levels. While Union Assurance Level 1 allows for exceptions if the public sector body explicitly requires otherwise, Levels 2, 3, and 4 impose stricter cumulative criteria, including prohibitions on using such data to train third-country AI systems. Compliance requires mapping these data flows across the entire supply chain, including subcontractors.

Detail

The proposed Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, introduces a rigorous sovereignty framework designed to mitigate risks associated with the EU's reliance on third-country cloud providers. A central pillar of this framework is data residency, which applies not only to the primary content processed by cloud services but also to the ancillary data generated during service operation. For legal and compliance teams, the critical distinction is that CADA closes potential loopholes regarding "non-content" data by explicitly categorizing metadata and telemetry as "customer data."

Explicit Inclusion of Metadata and Telemetry

The definition of data subject to residency restrictions in CADA is broad and inclusive. Annex II, which sets out the criteria for Union Assurance Levels, explicitly addresses this in Section 1.1(c) regarding Union Assurance Level 1. The text states:

"the customer data, including metadata and telemetry data, that is processed, stored and transferred by the cloud computing service provider, and by the subcontractors, which are involved in the provision of the service, remain exclusively within the Union, unless the public sector body explicitly requires otherwise and at any time, including before, during or after the configuration or use of the service;"

This language confirms that metadata (data about data, such as user activity logs, access times, and system interactions) and telemetry data (performance metrics, error reports, and usage statistics) are treated with the same sovereignty requirements as the primary customer data. They cannot be transferred outside the Union unless the specific public sector client explicitly permits it. This requirement applies "at any time," covering the entire lifecycle of the data, from configuration through to the termination of the service.

Application Across Assurance Levels

This residency requirement is not limited to the baseline Level 1. It is a cumulative requirement that escalates in strictness across the four Union Assurance Levels (UALs) established in Article 16 and detailed in Annex II.

  • Union Assurance Level 1: As noted in Annex II 1.1(c), metadata and telemetry must remain in the Union unless the public sector body explicitly requires otherwise. This level serves as the baseline for public sector activities not deemed to contribute to the preservation of public order. The exception is conditional: the public sector body must actively and explicitly require the transfer; it is not an automatic right for the provider.
  • Union Assurance Level 2: Annex II 2.1(c) repeats the requirement that customer data, including metadata and telemetry, must remain exclusively within the Union, subject to the same explicit exception for public sector bodies. However, Level 2 adds stricter requirements, such as prohibiting the use of data generated by the service to train or fine-tune any AI system operated by a third country or a legal entity established in a third country (Annex II 2.1(f)). This prevents providers from using telemetry data to improve their models in non-EU jurisdictions.
  • Union Assurance Level 3: Annex II 3.1(c) maintains the exclusive Union residency rule for metadata and telemetry. This level is reserved for activities contributing to the preservation of public order in sectors falling under Annex I or II of the NIS2 Directive, or in areas of national security, defense, and justice. The requirement for personnel to be Union citizens (Annex II 3.1(d)) further tightens the control over who can access this data.
  • Union Assurance Level 4: Annex II 4.1(c) applies the same residency rule for data identified as sensitive following a risk assessment. At this highest level, the expectation is that all data, including metadata and telemetry, remains within the Union to ensure operational autonomy and prevent unauthorized access by third-country authorities.

The Role of Risk Assessments and Public Sector Bodies

Under Article 29, Member States and Union entities must conduct risk assessments to determine which Union Assurance Level is appropriate for their public sector activities. These assessments must consider the sensitivity, criticality, and magnitude of personal and non-personal data processed.

For services at Levels 2, 3, and 4, the residency rule is more rigid. While Level 1 allows an exception if the public sector body "explicitly requires otherwise," higher levels are designed for critical infrastructure and sensitive operations. Consequently, the likelihood of a public sector body waiving the residency requirement for metadata and telemetry decreases significantly as the assurance level rises. In practice, for Levels 3 and 4, the expectation is that all data, including telemetry, remains within the Union to ensure operational autonomy and prevent unauthorized access by third-country authorities. The risk assessment under Article 29(1) specifically requires identifying activities that contribute to the preservation of public order, which directly influences the applicable assurance level and the strictness of the data residency rules.

Subcontractors and Supply Chain

CADA extends these obligations to the entire supply chain. The residency rules apply to "subcontractors which are involved in the provision of the service" (Annex II 1.1(c)). Cloud providers must ensure that their subcontractors also adhere to these residency constraints. This means that even if the primary cloud provider is EU-based, their subcontractors cannot process or store metadata and telemetry outside the Union without violating the assurance criteria. Annex II 2.1(a) and 3.1(a) further require that the subcontractors themselves be established in the Union for Levels 2 and 3, reinforcing the requirement that the entire chain of custody for metadata and telemetry remains within the Union.

What this means for you

For in-house counsel and compliance officers, the inclusion of metadata and telemetry in CADA's residency rules has several practical implications:

  1. Audit and Mapping: You must map all data flows associated with your cloud services, including those that do not contain direct customer content. This includes logs, performance metrics, and diagnostic data. Ensure that your data flow diagrams explicitly account for metadata and telemetry, as these are now legally defined as "customer data" under CADA.
  2. Contractual Review: Review contracts with cloud providers and subcontractors. Ensure that clauses regarding data processing and storage explicitly cover metadata and telemetry. Contracts should prohibit the transfer of these data types outside the Union unless explicitly permitted by the relevant public sector body, and should reflect the specific assurance level required.
  3. Assurance Level Alignment: Determine the appropriate Union Assurance Level for your activities based on the risk assessments required by Article 29. If your activities are deemed to contribute to the preservation of public order, you will likely need Level 2, 3, or 4, which impose stricter residency and AI-training prohibitions. Note that for Level 1, the exception is conditional on the public sector body's explicit requirement.
  4. Vendor Management: Ensure that your cloud providers can demonstrate compliance with the relevant Union Assurance Level criteria. This includes verifying that their subcontractors also adhere to the residency rules for metadata and telemetry. Providers must be able to prove that their supply chain does not inadvertently transfer these data types outside the Union.
  5. Penalties and Liability: Non-compliance with the sovereignty framework can result in penalties. Article 24 mandates that Member States lay down rules on penalties, which must be effective, proportionate and dissuasive. Recipients of cloud services also have the right to seek compensation for damage or loss suffered due to a provider's infringement of these obligations.

Common misconceptions

  • "Metadata is not personal data, so it's exempt." While metadata may not always qualify as personal data under the GDPR, CADA's definition of "customer data" for residency purposes is broader and explicitly includes metadata and telemetry, regardless of their personal data status.
  • "Telemetry is just technical data, so it can go anywhere." CADA treats telemetry data as part of the customer data set subject to residency rules. Providers cannot use telemetry data to improve their services in third countries if it violates the Union assurance criteria, particularly the prohibition on training third-country AI systems found in Annex II 2.1(f).
  • "Level 1 allows free transfer of metadata." Level 1 requires metadata and telemetry to remain in the Union unless the public sector body explicitly requires otherwise. This is not a free pass; it requires a specific, documented waiver from the client. The default position is Union residency.
  • "Only the primary provider is responsible." The rules explicitly extend to subcontractors involved in the provision of the service. A provider cannot outsource the processing of metadata to a non-EU subcontractor to bypass residency rules.

This is general information about a draft EU regulation, not legal advice.