Summary
Under the proposed Cloud and AI Development Act (CADA), public bodies possess a specific, conditional right to require that customer data be stored or processed outside the European Union, but only for cloud services recognised at Union assurance levels 1, 2, and 3. This flexibility is explicitly written into the criteria for these tiers as an exception: "unless the public sector body explicitly requires otherwise." However, this exception does not exist for Union assurance level 4. For Level 4 services, which are designated for sensitive data and critical public-order activities, the regulation mandates that such data must remain exclusively within the Union at all times, with no possibility for a public body to override this requirement.
Detail
The proposed Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, establishes a "Union cloud computing sovereignty framework" to address risks related to third-country control and operational autonomy. This framework is built on four distinct Union assurance levels (UALs). The rules governing where data can reside differ significantly between the lower tiers (1–3) and the highest tier (4), creating a nuanced regime where public procurement choices directly dictate data geography.
The Explicit Exception for Levels 1, 2, and 3
For the first three assurance levels, the proposal acknowledges that not all public sector activities require strict data localisation. To accommodate global collaboration, legacy system integration, or specific operational needs, the text includes a deliberate carve-out.
- Union Assurance Level 1: Under Annex II, Section 1.1(c), the baseline rule requires that customer data (including metadata and telemetry) processed by the provider and its subcontractors remain exclusively within the Union. However, the text immediately qualifies this with the phrase: "unless the public sector body explicitly requires otherwise." This grants the contracting authority the power to contractually mandate data residency outside the EU for Level 1 services.
- Union Assurance Level 2: The same flexibility applies. Annex II, Section 2.1(c) stipulates that data must remain within the Union, "unless the public sector body explicitly requires otherwise." This allows public bodies to opt for non-EU data storage even when the service meets the higher cybersecurity and personnel criteria of Level 2.
- Union Assurance Level 3: Even at this tier, which involves stricter controls on third-country influence and personnel, the data residency rule retains the exception. Annex II, Section 3.1(c) states that data must remain exclusively within the Union, "unless the public sector body explicitly requires otherwise."
It is important to note that this exception is conditional and explicit. The default position of CADA is EU-only residency. A public body cannot passively accept data outside the EU; it must actively and explicitly state this requirement in its procurement documents or contractual agreements. Furthermore, this exception applies specifically to data. Other criteria, such as the location of infrastructure, may also have similar exceptions (e.g., Annex II, Section 1.1(b) regarding infrastructure location), but the data rule is the most critical for sovereignty assessments.
The Absolute Prohibition for Level 4
The flexibility granted in the lower tiers vanishes completely at Union assurance level 4. This level is designed for the most sensitive data and activities critical to the preservation of public order, such as defence, justice, and national security.
- Union Assurance Level 4: Annex II, Section 4.1(c) establishes a strict, non-negotiable rule. It states that customer data, which following a risk assessment is identified as sensitive, "remain exclusively within the Union and at any time, including before, during or after the configuration or use of the service."
Crucially, Section 4.1(c) contains no "unless the public sector body explicitly requires otherwise" clause. The omission of this phrase is deliberate and legally significant. It means that even if a public body wants to store sensitive data outside the EU, it is prohibited from doing so under a Level 4 service. The regulation removes the discretion of the public body to override the data residency requirement for this specific tier, ensuring that the highest level of sovereignty is maintained for the most critical assets.
The Role of Risk Assessments and Procurement
The ability to use the Level 1–3 exception is tightly coupled with the risk assessment obligations in Article 29. Public bodies and Union entities must conduct risk assessments to determine the sensitivity and criticality of their data.
- Determining the Level: If a risk assessment concludes that an activity contributes to the preservation of public order (e.g., in defence or law enforcement), Article 30(3) mandates that the contracting authority must procure only services recognised at Union assurance levels 2, 3, or 4.
- The Level 4 Trap: If the risk assessment identifies data as sensitive enough to warrant Level 4, the public body is legally bound to procure a Level 4 service. Consequently, the "explicit requirement" exception for data residency becomes unavailable. The body cannot procure a Level 3 service to bypass the Level 4 data rules, nor can it apply the Level 3 exception to Level 4 data.
- Non-Public Order Activities: For activities that do not contribute to public order, Article 30(2) requires a minimum of Union assurance level 1. In these cases, the public body has the full discretion to invoke the Annex II, Section 1.1(c) exception and require data to be stored outside the EU, provided it does so explicitly.
Third-Country Control and Derogations
While data residency is a key factor, the broader sovereignty framework also considers third-country control. Article 18 allows the Commission to adopt implementing acts identifying third countries where cloud providers subject to their control may still qualify for Union assurance level 3, provided specific safeguards are met. However, even if a provider qualifies for Level 3 under an Article 18 derogation, the data residency rule in Annex II, Section 3.1(c) still applies: the public body must explicitly require otherwise to allow data outside the Union. For Level 4, Annex II, Section 4.1(g) strictly prohibits any third-country control, and Section 4.1(c) strictly prohibits data leaving the Union, regardless of any third-country association.
What this means for you
For public-sector procurement officers, legal counsel, and IT strategists, the CADA proposal introduces a clear but strict decision tree regarding data geography.
- Conduct the Risk Assessment First: Before drafting any tender, you must perform the risk assessment required by Article 29. If your data is classified as sensitive or critical to public order, you are likely mandated to procure a Level 4 service.
- Accept the Level 4 Limit: If your assessment leads to a Level 4 requirement, you must accept that data cannot leave the EU. There is no contractual workaround. Attempting to require data outside the EU for a Level 4 service would violate the criteria for that assurance level.
- Use the Exception Explicitly: If your assessment allows for Level 1, 2, or 3, and you have a legitimate operational need for data to be stored outside the EU (e.g., for a global research project), you must explicitly state this requirement in your procurement documents. Do not assume the provider will offer this; the default is EU-only.
- Verify Provider Recognition: Ensure the cloud provider you select is formally recognised by the competent authority as offering the specific assurance level you require. A provider claiming "Level 3" status but failing to meet the Annex II criteria (including the data residency exception if invoked) would be non-compliant.
- Document the Rationale: Keep a clear audit trail showing why you invoked the exception for Levels 1–3. This demonstrates that the decision was a conscious, explicit requirement by the public body, not an oversight or a default setting by the provider.
Common misconceptions
- "CADA allows public bodies to send any data outside the EU if they want to." This is false. The ability to require data outside the EU is strictly limited to Union assurance levels 1, 2, and 3. For Level 4, which covers sensitive data, the prohibition is absolute and cannot be overridden by the public body.
- "The exception is automatic for Level 3 services." Incorrect. The exception in Annex II, Section 3.1(c) is conditional on the public sector body explicitly requiring otherwise. If the public body does not state this requirement, the default rule (data must remain in the Union) applies.
- "Level 4 is just a higher version of Level 3, so the rules are similar." While both levels require high sovereignty, the data residency rule is a fundamental differentiator. Level 3 permits an exception for data location; Level 4 does not. This distinction is critical for public order activities.
- "If I use a Level 1 service, I can ignore all sovereignty rules." No. Even if you invoke the exception to move data outside the EU under Level 1, the provider must still be established in the Union, and other criteria (such as cybersecurity standards and transparency on subcontractors) must be met. The exception applies only to the specific criterion of data location.
Related
- Can a public body require extra personnel screening under CADA?
- Why would a public body require CADA Level 4 over Level 3?
- CADA public sector body: definition, data residency powers & assurance tiers
- Does CADA let a public body waive EU data residency?
- Which CADA tier should a public-sector buyer require? A guide to Union Assurance Levels
This is general information about a draft EU regulation, not legal advice.