Summary
Yes. As proposed, Cloud and AI Development Act (CADA) Union assurance level 3 would require that the personnel involved in providing the cloud service — including the personnel of subcontractors — be Union citizens. Where appropriate, personnel handling classified information must also hold the necessary national security clearance issued by a Member State. The rule is in Annex II, Section 3.1(d), and applies to anyone who supports the delivery, administration, security, availability or operation of the audited service — not just senior staff. CADA is a proposal and is not yet in force.
Detail
As proposed, CADA would introduce a "Union cloud computing sovereignty framework" intended to reduce reliance on cloud services subject to third-country control and to protect public order. Central to it are four "Union assurance levels" (1 to 4) that define rising degrees of sovereignty, security and control over data and infrastructure.
For providers aiming to reach Union assurance level 3, the requirements would be markedly stricter than for level 1 or 2 — particularly regarding the people who operate the service.
The citizenship requirement
Under Annex II, Section 3.1(d), a provider seeking recognition at level 3 must meet cumulative criteria, one of which is, verbatim:
"the personnel, including the personnel of the subcontractors which are involved in the provision of the audited service are Union citizens and where appropriate, the personnel must also have the necessary national security clearance issued by a Member State when handling classified information, as defined in Article 2, point (21), of Regulation (EU) 2021/697;"
As proposed, this means that for a service to qualify for level 3, every individual with operational involvement in delivering it must hold citizenship of an EU Member State. The requirement is not limited to the provider's direct employees; it explicitly extends to the personnel of any subcontractors involved in the service.
Scope of "personnel"
The breadth of the rule is clarified by the audit-evidence annex. Annex III, Audit criterion B (Location of infrastructure, assets, and personnel) defines "personnel," including personnel managed by subcontractors, as individuals who "support the delivery, administration, security, availability, or operation of the audited service." The note under Annex III, Audit criterion D (Union citizenship) adds that personnel involved in the provision of the service could include those with logical or physical access to the infrastructure and assets used to operate the service, those responsible for customer support, and all personnel who have management control of the provider.
So the citizenship requirement is not confined to senior management or core developers. As proposed, it would apply to anyone who could access, configure or maintain the cloud environment — IT support staff, security-operations analysts, network engineers — provided they are involved in providing the level 3 service.
Security clearance for classified information
The criterion has a conditional second part: "where appropriate, the personnel must also have the necessary national security clearance." As proposed, this clearance would be required specifically when personnel handle classified information, the meaning of which is taken from Article 2, point (21), of Regulation (EU) 2021/697. The recitals note that Union assurance levels 3 and 4 should allow for the secure hosting of EU classified information; where a level 3 service hosts such data, the staff handling it would need the relevant security vetting from a Member State.
How this fits the broader level 3 criteria
Citizenship is one element of the level 3 package. As set out in Annex II, Section 3.1, other key requirements include:
- Establishment: the provider and its involved subcontractors are established in the Union.
- Location: infrastructure, assets and personnel are located in the Union.
- Data localisation: customer data (including metadata and telemetry) remains exclusively within the Union.
- Cybersecurity: a European cybersecurity certificate of at least assurance level "substantial" under a cloud-computing scheme to be established under Regulation (EU) 2019/881 (the Cybersecurity Act); until then, national schemes apply where they exist, and otherwise the highest applicable standards must be demonstrated.
- No third-country control: the provider and involved subcontractors must not be subject to the control of a third country or a third-country-established legal entity — with a narrow exception where the Commission identifies an "associated third country" under Article 18.
- Support: technical and operational support must be initiated and performed exclusively within the Union by personnel who are Union residents.
The audit process
Compliance with the citizenship requirement is not self-certified. Under Article 20 and Article 17, level 3 services require an independent third-party audit, with the auditing organisation assessing compliance against the Annex II criteria on the basis of the audit evidence in Annex III.
Specifically, Annex III, Audit criterion D (Union citizenship) indicates the evidence auditors would look for, including:
- proof that the provider has implemented measures to ensure that, where a public sector body requests it, the personnel involved are Union citizens (for example, valid official government-issued documents such as a passport or national identity card);
- organisational charts and job descriptions confirming that, where requested, only personnel with Union citizenship have access to the service's operation, management, maintenance and support;
- access-control policies and audit trails showing that only authorised Union citizens can access the service's systems and data; and
- procedures describing how citizenship is verified before assignment and how compliance is maintained throughout employment.
What this means for you
If you are a cloud service provider or data centre operator aiming to offer CADA level 3 services to EU public-sector bodies, you would need to review your human-resources and subcontracting arrangements carefully.
- Audit your workforce. Review all employees and subcontractor staff who have any access to your infrastructure, support tickets or administrative panels, and confirm Union citizenship for each.
- Review subcontractor contracts. You would be responsible for subcontractor compliance. Ensure contracts with vendors (maintenance, security monitoring, customer support) require all staff assigned to your level 3 accounts to be EU citizens, and that you can evidence this to auditors.
- Implement verification procedures. Establish an HR process to verify citizenship before granting access — checking passports or national ID cards and retaining records — and to maintain compliance during employment, as the audit evidence anticipates.
- Plan for security clearances. If you intend to host classified information, coordinate early with the relevant Member State authorities so staff can obtain the necessary clearances; this can be time-consuming.
- Keep support inside the EU. Technical and operational support must be initiated and performed exclusively within the Union by Union residents (Annex II 3.1(h)); remote support from outside the EU would not be permitted for level 3 services.
Common misconceptions
"Only senior management needs to be EU citizens." The rule applies to all personnel involved in providing the service, including junior IT support, network engineers and subcontractor staff — anyone with access to the infrastructure or data (Annex II 3.1(d); Annex III criterion D note).
"Permanent residency is sufficient." The requirement is specifically for Union citizenship. A permanent-residence permit or work visa does not satisfy the level 3 criterion; the individual must be a citizen of an EU Member State.
"This only applies to hosting classified data." The citizenship requirement applies to all level 3 services, regardless of whether classified information is handled. The security-clearance element is an additional requirement that bites only "where appropriate" when handling classified information.
"I can offshore support if I have an EU-based management team." No. Level 3 support must be initiated and performed exclusively within the Union by Union residents (Annex II 3.1(h)). Offshoring support to non-EU countries would not be permitted for level 3 services.
"This is the same as level 4." Level 4 also requires Union-citizen personnel (Annex II 4.1(d)), so the core citizenship rule is shared. But level 4 is stricter overall — for example, a "high" cybersecurity certificate rather than "substantial" (4.1(e)), a stricter effective-control test over software (4.1(i)), and no Article 18 associated-third-country route.
This is general information about a draft EU regulation, not legal advice.