No. As proposed under the Cloud and AI Development Act (CADA), a higher Union assurance level does not automatically mean superior technical cybersecurity. Higher levels do mandate stricter controls — independent audits and, at the top tiers, specific European cybersecurity certifications — but the levels are fundamentally designed to measure sovereignty and operational autonomy, not raw technical resilience. A service can be highly secure technically yet fail a higher level because of third-country control or data flows. The "level" is a composite of legal jurisdiction, data localisation and supply-chain control, not a standalone security rating.
Detail
CADA would introduce a four-tier "Union cloud computing sovereignty framework" (Article 16) to mitigate risks from dependence on third-country providers. To see why a higher level is not the same as "better security," distinguish the sovereignty criteria that define the levels from the technical cybersecurity standards that sit within them.
Sovereignty vs. cybersecurity
As proposed in Article 16, the Union assurance levels (1 to 4) exist to safeguard the Union's public order by ensuring control over data, assets and technology systems. The criteria, detailed in Annex II, focus heavily on:
- Jurisdiction and control: whether the provider and its subcontractors are subject to the control of a third country or a legal entity established in a third country.
- Data localisation: requirements for customer data, metadata and telemetry to remain exclusively within the Union.
- Personnel and infrastructure: requirements for infrastructure, assets and personnel to be located in the Union, and for personnel to be Union citizens (at levels 3 and 4).
These are sovereignty and operational-autonomy metrics. A provider might have state-of-the-art encryption and strong intrusion detection (high technical security) yet fail to qualify for level 3 if it is foreign-controlled or routes data outside the Union. A "higher" level reflects a higher degree of legal and operational insulation from foreign jurisdiction — not necessarily stronger technical cyber defence.
The role of cybersecurity certifications
The levels do incorporate cybersecurity requirements, mainly at the higher tiers. Annex II specifies that for levels 2, 3 and 4 the audited service must obtain a European cybersecurity certificate:
- Levels 2 and 3: at least assurance level "substantial" under a European cybersecurity certification scheme covering cloud computing services, to be established under Regulation (EU) 2019/881 (the Cybersecurity Act) — Annex II, sections 2.1(e) and 3.1(e).
- Level 4: at least assurance level "high" — Annex II, section 4.1(e).
Crucially, Annex II contains a fallback: until that EU scheme is established and available, "national cybersecurity certification schemes shall apply, where they exist," and where no Union or national scheme exists, the provider must demonstrate compliance with "the highest cybersecurity standards under applicable Union law." The explanatory memorandum notes the proposal complements the Cybersecurity Act and that the European Cybersecurity Certification Scheme for Cloud Services (EUCS) could be leveraged within the framework. So a level 4 service must meet a higher certificate level than a level 2 one, linking the two concepts. But the jump from level 1 to level 2 mainly involves a shift from self-assessment to independent third-party audit (Article 20) — a change in verification, not a direct measure of technical improvement.
Independent audits and verification
Compliance is verified differently across the levels. Article 19 lets providers issue a self-assessed "EU statement of conformity" for level 1, with no mandatory independent audit. Article 20 mandates independent third-party audits for levels 2, 3 and 4.
A level 2 service has therefore undergone an independent audit against its criteria, while a level 1 service has not. That does not make level 1 "insecure"; it lacks the external validation required for higher sovereignty claims. The audit criteria (Annex II) include technical security measures, but also supply-chain transparency, an SBOM and the absence of third-country control.
Practical implications of the levels
- Level 1: baseline sovereignty. Provider established in the Union; infrastructure and data in the Union (unless the public sector body requires otherwise); state-of-the-art cybersecurity standards. Self-assessed.
- Level 2: independent audit required. Personnel and infrastructure in the Union; "substantial" cybersecurity certification (subject to the fallback above).
- Level 3: strict data localisation; personnel must be Union citizens; "substantial" certification; no third-country control, save the Article 18 derogation for an "associated third country."
- Level 4: all level 3 criteria plus "high" certification; no third-country control and no Article 18 derogation.
A provider could have a more robust configuration at level 1 than a level 2 competitor, yet the level 2 service offers greater assurance against extraterritorial data access and service disruption by foreign states.
What this means for you
For CTOs, architects and SMEs evaluating providers, decouple "security" from "sovereignty" in procurement.
- Define your risk profile. If your concern is foreign-government access to data or continuity in geopolitical crises, target a higher Union assurance level (2–4). If your concern is technical resilience against attackers, look at the provider's cybersecurity certification level regardless of the CADA level.
- Check the audit, not just the level. A level 1 service is self-assessed. If you need externally verified practices, a level 2 service may be preferable simply because it has undergone an independent audit (Article 20), even where technical differences are marginal.
- Understand the trade-offs. Levels 3 and 4 impose strict data localisation and personnel restrictions, which may limit global redundancy or offshore support and affect performance or cost. Ensure your architecture can support these constraints.
- Consider the EuroCloud Federation. For public sector bodies, Article 34 establishes the European public sector cloud federation ("EuroCloud Federation") to facilitate sharing of public sector data centre and cloud services. Understanding the assurance levels matters for participating.
Common misconceptions
- "Level 4 is the most secure cloud service available."
  - Correction: level 4 is the most sovereign. It guarantees no third-country control and a "high" cybersecurity certificate. A level 2 service could still have more advanced threat-detection tooling. Level 4 guarantees control, not necessarily superior defence against every threat.
- "Self-assessment at level 1 means the service is insecure."
  - Correction: level 1 requires compliance with state-of-the-art cybersecurity standards (Annex II, section 1.1(e)). The lack of an audit means no independent verification, but the provider must still demonstrate compliance.
- "CADA replaces the EUCS."
  - Correction: they are complementary. CADA sets the sovereignty framework; the EUCS (once adopted) would provide the technical cybersecurity certification CADA references for higher levels. The explanatory memorandum states the EUCS could be leveraged within the CADA framework.
- "All EU providers automatically qualify for level 4."
  - Correction: even EU-established providers may fail level 4 if they cannot show their software supply chain is free from third-country control or that any third-country subsidiary is effectively separated (Annex II, level 4 criteria).
Official sources
Related
- How do I choose a CADA Union assurance level: level 1 vs a higher tier?
- CADA Union assurance level 3 vs level 4: what is the highest tier?
- CADA Union assurance level 2 vs level 3: what changes?
- CADA Union assurance level 1 vs level 2: what is the difference?
- Third-country recognition vs Union assurance level 4 under CADA: what is the ceiling?
This is general information about a draft EU regulation, not legal advice.