Summary

Under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider seeking Union assurance level 1 may outsource technical and operational support to third parties located outside the European Union; there is no blanket prohibition. The permission is strictly conditional: the provider must implement the necessary legal, technical and organisational measures to ensure traceability, security and governance of those operations, and the outsourced operations must not, in any way, compromise the operational autonomy of the cloud computing service provider (Annex II, Section 1, paragraph 1(d)).

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised Union cloud computing sovereignty framework comprising four distinct assurance levels. These levels are designed to help public sector bodies and Union entities assess the trustworthiness of cloud services against criteria ranging from basic establishment in the Union to high-level sovereignty protections. For providers aiming for Union assurance level 1, the baseline tier for sovereign cloud recognition, the rules on subcontracting and support are nuanced: they accommodate global operational realities while enforcing strict control mechanisms.

The Specific Rule on Outsourced Support

The criteria for Union assurance level 1 are detailed in Annex II of the CADA proposal. While many criteria focus on the physical location of infrastructure, assets, and data, paragraph 1(d) specifically addresses the scenario where a provider outsources support functions outside the EU.

According to Annex II, Section 1, paragraph 1(d), a cloud computing service provider meets the level 1 criteria if:

"where the cloud computing service provider outsources the technical and operational support or assistance, including any subsequent sub-outsourcing arrangements, to third-party service providers outside of the Union, the necessary legal, technical and organisational measures are implemented to ensure traceability, security and governance of those operations and those operations do not, in any way, compromise the operational autonomy of the cloud computing service provider;"

This provision explicitly acknowledges the reality of global IT support structures and the reliance on international talent pools. It does not impose a blanket ban on offshore support for level 1 services. Instead, it shifts the burden of proof to the primary provider to demonstrate that they retain full control and oversight, ensuring that the outsourcing arrangement does not create a sovereignty risk.

Key Requirements for Compliance

To comply with this criterion, providers must satisfy two main pillars, both of which are mandatory under the proposed text:

  1. Implementation of Robust Measures: Providers must have robust legal, technical, and organisational measures in place.

    • Legal Measures: Contracts must clearly define the scope of access, data handling restrictions, audit rights, and liability. These agreements must ensure that the subcontractor is bound by Union legal obligations.
    • Technical Measures: Access controls, encryption, logging and network segmentation must ensure that support staff outside the EU cannot reach customer data or core infrastructure without explicit, traceable authorisation, and the architecture must prevent unauthorised data exfiltration or modification. In practice, traceability means every support action can be attributed to an identified individual; shared or generic support accounts, or logs retained only on systems the subcontractor controls, undermine the criterion.
    • Organisational Measures: Clear governance structures must exist to monitor the subcontractor's activities. This includes defined reporting lines, incident response protocols, and regular oversight to ensure the subcontractor acts strictly within the bounds of the agreement.
  2. Preservation of Operational Autonomy: The outsourced operations must not, in any way, compromise the operational autonomy of the cloud computing service provider. This is the critical safeguard. It means the primary provider must remain the ultimate decision-maker regarding service continuity, security incidents, infrastructure changes, and strategic direction. The subcontractor acts strictly under the provider's direction and control. If the third party could unilaterally disrupt the service, access data without consent, or force the provider to comply with third-country laws, the criterion would not be met.

Context Within the Level 1 Framework

It is essential to view this rule in the context of the other level 1 criteria in Annex II, Section 1, which create a "sovereign baseline" even when support is outsourced:

  • Establishment: The provider must be established in the Union (Annex II, 1.1(a)).
  • Infrastructure & Assets: The infrastructure and assets (including those of subcontractors involved in the service) must be located in the Union, unless the public sector body explicitly requires otherwise (Annex II, 1.1(b)).
  • Data Localisation: Customer data, including metadata and telemetry, must remain exclusively within the Union, again unless explicitly required otherwise by the public sector body (Annex II, 1.1(c)).

Therefore, while support can be outsourced offshore, the data and the infrastructure hosting that data generally must remain in the EU for level 1 compliance. The offshore support team would typically interact with the system through secure, monitored channels, without direct access to the raw data or physical hardware, and the traceability requirement means that every action taken by that team is logged and attributable to a named individual.

Contrast with Higher Assurance Levels

The flexibility allowed at level 1 diminishes significantly at higher assurance levels, reflecting the increasing sensitivity of the use cases they are designed to support.

For Union assurance level 2, the rules tighten considerably. Annex II, 2.1(h) requires that technical and operational support or assistance, including subsequent sub-outsourcing arrangements, be initiated and performed exclusively within the Union. This creates a clear incentive for providers to maintain EU-based support teams if they wish to qualify for level 2 or higher.

Similarly, Union assurance level 3 and level 4 maintain the requirement for support to be performed exclusively within the Union by personnel who are Union residents (Annex II, 3.1(h) and 4.1(h)). Furthermore, levels 3 and 4 introduce mandatory Union citizenship requirements for personnel (Annex II, 3.1(d) and 4.1(d)), a condition that does not exist for level 1.

This tiered approach ensures that while the baseline (level 1) accommodates global operational models, the higher tiers (levels 2 to 4) provide the strictest guarantees of sovereignty for activities contributing to the preservation of public order, such as law enforcement, defence, and critical infrastructure.

What this means for you

For CTOs, architects, and SMEs evaluating their cloud strategy under the proposed CADA, this provision offers a degree of operational flexibility but demands rigorous governance.

  • For Cloud Providers: If you are a European provider aiming for level 1 recognition, you do not need to immediately repatriate all support staff to the EU. However, you must audit your current offshore support arrangements. Ensure your contracts and technical controls explicitly prevent the subcontractor from exercising independent control over your infrastructure. Document how you maintain "traceability" and "governance" over these external teams. Be prepared to demonstrate to auditors that your operational autonomy is intact.
  • For Public Sector Buyers: When procuring level 1 services, you can accept providers with offshore support teams, provided they have demonstrated compliance with Annex II, 1.1(d). However, you must be aware that if your use case involves higher sensitivity or public order relevance (as determined by your risk assessment under Article 29), you may be required to mandate level 2 or higher. In those cases, the provider would be forced to use EU-only support, potentially impacting cost or availability.
  • For SMEs: The level 1 framework is designed to be accessible. The allowance for outsourced support recognises that smaller European providers may rely on global talent pools for maintenance. Focus on documenting your control mechanisms rather than restructuring your entire support workforce. The key is proving that the "operational autonomy" of the EU entity remains unchallenged.

Common misconceptions

"Level 1 bans all non-EU involvement." False. Level 1 allows for offshore technical and operational support, provided strict controls are in place. It primarily restricts where data and infrastructure are located, not necessarily where the support engineers sit. The text explicitly contemplates outsourcing to third parties outside the Union.

"Outsourced support means the subcontractor controls the service." Incorrect. The criterion explicitly states that outsourced operations must not, in any way, compromise the operational autonomy of the cloud computing service provider. The primary provider retains full control; the subcontractor is merely an extension of the provider's team, bound by strict legal and technical constraints. If the subcontractor could override the provider's decisions, the criterion would fail.

"Level 1 rules are the same as Level 2." False. Level 2 requires technical and operational support to be performed exclusively within the Union (Annex II, 2.1(h)). The flexibility of level 1 is lost at level 2. Providers cannot use offshore support teams if they aim for the higher assurance levels required for public-order-relevant activities.

"Sub-outsourcing is banned at Level 1." False. The text explicitly mentions "including any subsequent sub-outsourcing arrangements" in Annex II, 1.1(d). This means the primary provider can outsource to a third party, who can in turn outsource to a fourth party, provided the chain of legal, technical, and organisational measures ensures traceability and preserves autonomy throughout the entire chain.

This is general information about a draft EU regulation, not legal advice.