Summary

No, under the proposed Cloud and AI Development Act (CADA), support staff for Union Assurance Level 2 services cannot be located outside the EU. As proposed, Annex II 2.1(h) explicitly mandates that all technical and operational support, including any sub-outsourcing, must be "initiated and performed exclusively within the Union." This is a strict geographical constraint that contrasts sharply with Level 1, which permits outsourcing support outside the EU provided specific traceability and security measures are implemented. For providers seeking Level 2 recognition, global support centers must be relocated or restructured to operate entirely from within the Union.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a tiered sovereignty framework designed to mitigate risks associated with third-country dependencies. A core component of this framework is the definition of "Union Assurance Levels" (UAL), which dictate the geographical and operational constraints on cloud computing service providers. For organizations evaluating whether their current global support models comply with CADA, the distinction between Level 1 and Level 2 is critical, particularly regarding the location of personnel performing technical tasks.

The Strict Rule for Level 2: No External Support

To achieve recognition as a Union Assurance Level 2 provider, a cloud computing service provider must meet cumulative criteria set out in Annex II of the proposal. The requirement for the location of support personnel is absolute and non-negotiable for this tier.

Specifically, Annex II 2.1(h) states that:

"the technical and operational support or assistance related to the audited service, including subsequent sub-outsourcing arrangements, are initiated and performed exclusively within the Union."

This provision leaves no room for exceptions based on time zones, cost efficiencies, or the classification of the support task as "non-critical." The requirement applies to the entire spectrum of technical and operational assistance. This encompasses helpdesk services, infrastructure administration, security operations center (SOC) and network operations center (NOC) activities, privileged access management, backup handling, and disaster recovery operations.

Crucially, the prohibition extends to "subsequent sub-outsourcing arrangements." This means a Level 2 provider cannot contract a third-party vendor to provide support from outside the EU, even if the primary provider is established within the Union. The physical location where the support action is executed must be within EU borders.

Contrast with Level 1: The Outsourcing Allowance

The restriction on Level 2 support stands in sharp contrast to the more flexible requirements for Union Assurance Level 1. Under Annex II 1.1(d), Level 1 providers are permitted to outsource technical and operational support to third-party service providers outside the Union.

However, this permission is conditional. The provider must implement necessary legal, technical, and organizational measures to ensure:

  1. Traceability of operations.
  2. Security of operations.
  3. Governance of operations.
  4. That these operations do not, in any way, compromise the operational autonomy of the cloud computing service provider.

Therefore, a provider offering a Level 1 service can maintain global support centers, provided they can demonstrate robust controls over those external entities. A provider seeking Level 2 recognition, however, must relocate or restructure these functions to ensure they remain entirely within EU borders. This creates a clear operational bifurcation: Level 1 allows for a global delivery model with safeguards, while Level 2 demands a fully localized delivery model.

Audit and Verification

Compliance with this location requirement is not a matter of self-declaration. Under Article 20 of CADA, Level 2 recognition requires an independent third-party audit. Auditing organizations will assess compliance with Annex II 2.1(h) by requesting specific evidence, as detailed in Annex III, Section 8 (Audit Criterion H).

The evidence required includes:

  • Binding contractual clauses stating that all support activities must be initiated and performed exclusively in the Union.
  • Proof of no remote access for technical and operational support from outside the Union.
  • Evidence that helpdesk, SOC, and NOC services are exclusively provided from the Union.
  • Technical measures such as geographically restricted network controls and Union-based administrative infrastructure.

If an auditor finds that support tickets are routed to, or handled by, personnel in a third country, the provider will fail to meet the criteria for Level 2. The audit will scrutinize not just the location of the servers, but the location of the "hands-on-keyboard" personnel.

Implications for Service Architecture

For CTOs and architects, this requirement necessitates a fundamental review of global service delivery models. It is not sufficient to have the primary infrastructure in the EU if the operational support for that infrastructure relies on offshore teams. The phrase "initiated and performed" suggests that even if a ticket is logged in the EU, the criterion is violated if the resolution requires action by a non-EU employee.

This may require the establishment of dedicated EU-based support hubs or the restructuring of existing teams to ensure that all personnel with access to perform operational tasks are physically situated within the Union. The regulation effectively decouples the "cloud" from the "support," requiring both to be geographically aligned for higher assurance levels.

What this means for you

For CTOs, architects, and SMEs evaluating the practical impact of CADA, the Level 2 support location rule has immediate operational and financial implications.

1. Operational Restructuring

If your organization aims to provide cloud services to public sector bodies requiring Level 2 assurance, you must audit your current support chains. Any reliance on offshore support centers (e.g., in Asia, the Americas, or non-EU European countries) for technical or operational tasks must be eliminated. You may need to:

  • Establish or expand support centers within the EU.
  • Retrain existing EU-based staff to handle tasks previously offshored.
  • Implement technical controls (e.g., IP geo-fencing for admin access) to prevent non-EU personnel from performing support actions, even accidentally.

2. Cost Implications

Shifting support operations from low-cost jurisdictions to the EU will likely increase operational expenditure (OpEx). This cost must be factored into the pricing models for Level 2 services. SMEs, in particular, may find the resource requirements for maintaining a fully EU-based support team challenging, potentially pushing them to focus on Level 1 offerings unless they can leverage specialized, high-value EU-based talent pools.

3. Contractual Due Diligence

Your contracts with subcontractors and vendors must be reviewed. Clauses allowing for global support delivery must be amended or terminated for any service line targeting Level 2 recognition. You must ensure that your supply chain does not inadvertently violate the "exclusively within the Union" rule through sub-contractors.

4. Strategic Positioning

For providers currently relying on global support models, CADA creates a clear bifurcation. You can continue to serve the private sector or Level 1 public sector clients with your existing global model, but you will be excluded from the Level 2 market unless you invest in EU-localized support infrastructure. This may drive a two-tier service offering: a cost-competitive Level 1 service with global support, and a premium Level 2 service with EU-only support.

Common misconceptions

Misconception 1: "Support" only means Tier 1 helpdesk.

Some providers assume that "technical and operational support" refers only to initial customer inquiries. In reality, Annex II 2.1(h) covers the entire spectrum of operational assistance, including backend infrastructure management, security monitoring, and disaster recovery. If a non-EU engineer fixes a server issue, the criterion is violated.

Misconception 2: Remote work within the EU is sufficient, so remote work outside is fine too.

The regulation is concerned with where the action is performed. It does not distinguish between on-premise and remote work within the EU, but it explicitly prohibits the action being performed outside the Union. A support agent working remotely from a third country is in violation of the rule, regardless of their employment contract with an EU entity.

Misconception 3: Level 1 providers can easily upgrade to Level 2 by just changing contracts.

Upgrading from Level 1 to Level 2 is not merely a contractual exercise. It requires a fundamental shift in operational architecture. Providers must demonstrate through audit evidence (Annex III) that technical controls prevent external access and that all personnel involved in support are located in the Union. This often requires significant investment in new infrastructure and staffing.

Misconception 4: "Initiated and performed" allows for EU initiation and non-EU performance.

The phrase "initiated and performed exclusively within the Union" is cumulative. Both the initiation (e.g., logging into the system to start a task) and the performance (e.g., executing the fix) must occur within the Union. A scenario where an EU manager assigns a task to a non-EU engineer to execute would fail the audit.

This is general information about a draft EU regulation, not legal advice.