Summary

Yes, under the proposed Cloud and AI Development Act (CADA), a public body may impose additional personnel screening and Union citizenship requirements when procuring cloud services at Union assurance level 2. This is a conditional obligation: the cloud computing service provider is required to ensure that personnel meeting these specific requirements are available if the public sector body determines such measures are necessary. This flexibility distinguishes Level 2 from the absolute mandates found in Levels 3 and 4.

Detail

The proposed Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, establishes a "Union cloud computing sovereignty framework" designed to safeguard the Union's public order and reduce strategic dependencies. A critical component of this framework is the differentiation of assurance levels, which allows public buyers to calibrate security requirements to the sensitivity of their specific use cases.

While Union assurance level 1 establishes a baseline for establishment and data location, Union assurance level 2 introduces enhanced operational controls, including specific provisions regarding the personnel who access and manage the service.

The Legal Basis: Annex II 2.1(d)

The authority for public bodies to demand extra personnel screening is explicitly grounded in Annex II, Section 2.1(d) of the CADA proposal. This section lists the cumulative criteria that a cloud computing service provider must satisfy to be recognized as offering Union assurance level 2.

The text of Annex II 2.1(d) states:

"if the public sector body determines that imposing additional personnel screening and Union citizenship requirements are necessary, the audited provider should ensure that personnel meeting those requirements are available."

This provision creates a conditional mandate. It does not automatically require that all personnel at Level 2 be Union citizens or undergo screening. Instead, it empowers the contracting authority (the public body) to make a risk-based determination. If the public body concludes that the nature of the data or the service requires enhanced personnel controls, the cloud provider is legally obligated to make personnel who meet those specific criteria available for the service.

The Process: From Risk Assessment to Procurement

The ability to trigger this requirement is not arbitrary; it is embedded in the broader CADA compliance workflow:

  1. Risk Assessment (Article 29): Before procuring cloud services, Member States and Union entities must conduct risk assessments to determine the appropriate Union assurance level for their activities. These assessments consider the sensitivity, criticality, and magnitude of the data, as well as the risk of third-country access or service disruption.
  2. Defining the Requirement: If the risk assessment indicates that standard Level 2 criteria are insufficient without additional personnel controls, the public body can specify these needs in the procurement documents. The public body effectively "activates" the clause in Annex II 2.1(d).
  3. Provider Obligation: A provider seeking recognition at Level 2 must demonstrate to the auditing organization (under Article 20) that they have the operational capacity to meet these conditional requirements. This includes having a pool of personnel who can undergo the requested screening and, if required, hold Union citizenship.
  4. Audit and Recognition: The independent audit verifies that the provider can fulfill the specific conditions imposed by the public body. Only upon a "positive" audit opinion can the service be recognized at Level 2 for that specific procurement context.

Distinction from Levels 3 and 4

It is vital to distinguish the conditional nature of Level 2 from the absolute requirements of higher tiers. The CADA proposal creates a tiered approach to personnel sovereignty:

  • Level 2 (Conditional): Under Annex II 2.1(d), screening and citizenship are required only if the public sector body determines them necessary. This allows for flexibility where the risk profile warrants extra scrutiny but does not demand a blanket citizenship mandate for all staff.
  • Level 3 (Mandatory): Under Annex II 3.1(d), the requirement is absolute: "the personnel... are Union citizens." Furthermore, where appropriate, personnel must hold necessary national security clearance when handling classified information. There is no option for the public body to waive this; it is a prerequisite for the level itself.
  • Level 4 (Mandatory): Similarly, Annex II 4.1(d) mandates that personnel are Union citizens and, where appropriate, hold national security clearance for classified information.

Thus, Level 2 serves as a strategic middle ground. It allows public bodies to enforce strict personnel controls for sensitive but non-classified data without incurring the potentially higher costs and limited vendor availability associated with the absolute citizenship mandates of Levels 3 and 4.

What this means for you

For public-sector procurement officers, legal counsel, and cloud service providers, understanding the mechanics of Annex II 2.1(d) is essential for compliant and secure procurement.

For Public Sector Buyers (Contracting Authorities)

  1. Leverage the Risk Assessment: Use the Article 29 risk assessment not just to select the assurance level, but to define the specific personnel conditions. If your data is sensitive but not classified, Level 2 with a specific screening requirement may be the most cost-effective and secure option.
  2. Draft Precise Tender Specifications: When issuing a tender for Level 2 services, explicitly state the personnel screening and citizenship requirements you deem "necessary." Do not assume the provider knows your specific security posture; the obligation to "ensure personnel... are available" is triggered by your determination.
  3. Verify Capability, Not Just Certification: When reviewing bids, look beyond the general Level 2 recognition. Request evidence that the provider has the specific personnel pool capable of meeting your screening criteria. The audit report under Article 20 should reflect the provider's ability to meet these specific conditional requirements.

For Cloud Service Providers

  1. Prepare for Conditional Audits: If you aim to serve the public sector at Level 2, you must be prepared to demonstrate that you can flexibly deploy personnel who meet varying screening and citizenship requirements. Your internal HR and security protocols must be robust enough to accommodate these conditional demands.
  2. Understand the "Availability" Obligation: The text requires you to "ensure that personnel meeting those requirements are available." This does not necessarily mean every employee must be a Union citizen, but you must have a sufficient workforce that can be deployed to the specific public body's needs.
  3. Differentiate Your Offering: Providers who can efficiently manage these conditional personnel requirements at Level 2 may gain a competitive advantage over those who only offer the rigid, all-or-nothing approach of Levels 3 and 4.

Strategic Implications

  • Cost Efficiency: By utilizing Level 2 with conditional screening, public bodies can avoid the premium costs often associated with Level 3 and 4 services, where the entire workforce must be Union citizens.
  • Market Flexibility: This mechanism encourages a broader range of European providers to enter the market, as they can compete on Level 2 by demonstrating the ability to meet specific screening needs rather than meeting the absolute citizenship bar immediately.
  • Tailored Sovereignty: It allows for a "right-sized" approach to sovereignty, ensuring that the level of personnel control matches the actual risk to public order, rather than applying a one-size-fits-all mandate.

Common misconceptions

Misconception 1: "Level 2 automatically means all staff must be EU citizens."

  • Correction: This is incorrect. Under Annex II 2.1(d), the citizenship and screening requirements are conditional. They apply only if the public sector body determines them necessary. Levels 3 and 4 are the tiers where Union citizenship is an absolute, unconditional requirement for all personnel.

Misconception 2: "Public bodies can impose these screening requirements at Level 1."

  • Correction: No. The criteria for Union assurance level 1 (Annex II 1.1) focus on establishment, infrastructure location, and data residency. They do not contain provisions for personnel screening or citizenship requirements imposed by the public body. If personnel controls are required, the procurement must target at least Level 2.

Misconception 3: "Providers can refuse to hire or screen staff if it's too costly."

  • Correction: No. If a provider seeks recognition at Level 2 and a public body imposes necessary screening requirements, the provider must ensure that compliant personnel are available. Failure to meet these conditional criteria means the provider cannot be recognized as offering Level 2 for that specific service.

Misconception 4: "This replaces national security clearance laws."

  • Correction: No. CADA complements national laws. For Levels 3 and 4, the text explicitly references "necessary national security clearance" for classified information. At Level 2, the public body can demand screening, but the specific nature of that screening (e.g., whether it aligns with national clearance procedures) is determined by the public body's risk assessment and national legal framework.

This is general information about a draft EU regulation, not legal advice.