Summary

Yes, as proposed, the Cloud and AI Development Act (CADA) explicitly requires cloud computing service providers to subject subcontractors to ongoing oversight, not merely initial due diligence. Under Annex II, Section 1.1(f), providers must ensure subcontractors meet Union legal obligations through continuous contractual enforcement and monitoring. This requirement applies across all four Union assurance levels, though the intensity of oversight escalates significantly at Levels 2, 3, and 4. Failure to maintain this continuous monitoring could result in the revocation of a provider's Union assurance recognition.

Detail

The Cloud and AI Development Act (CADA), as set out in the proposal COM(2026) 502 final, establishes a rigorous sovereignty framework designed to mitigate risks associated with third-country dependencies and ensure the operational autonomy of the Union's cloud ecosystem. A critical, yet often underestimated, component of this framework is the management of the supply chain, specifically the continuous oversight of subcontractors who contribute to the provision of cloud computing services.

The Core Requirement: Ongoing Oversight at Level 1

The foundational requirement for subcontractor management is established in Annex II, Section 1.1(f) of the CADA proposal. This criterion applies to Union Assurance Level 1, which serves as the baseline for all cloud services procured by public sector bodies whose activities are not deemed to contribute to the preservation of public order (as defined in Article 29).

Annex II, Section 1.1(f) states that for Union Assurance Level 1, the cloud computing service provider must:

"provide full transparency around the use of subcontractors. The cloud computing service provider subjects subcontractors to due diligence, contractual obligations and ongoing oversight to meet Union legal obligations;"

This text is definitive: compliance is not a one-time event. Providers cannot simply vet a subcontractor at the point of contract signing and consider the matter closed. They must maintain "ongoing oversight" to ensure that the subcontractor continues to meet Union legal obligations throughout the entire duration of the service provision. The phrase "ongoing oversight" implies a dynamic process of verification, distinct from static initial checks.

Escalation at Higher Assurance Levels

While Level 1 establishes the baseline for ongoing oversight, the requirements become more stringent, specific, and technically demanding at Union Assurance Levels 2, 3, and 4. These higher levels are mandatory for public sector activities identified as contributing to the preservation of public order (such as national security, defense, justice, or law enforcement) following a risk assessment under Article 29.

  • Union Assurance Level 2: Under Annex II, Section 2.1, the provider must ensure that subcontractors are established in the Union and that their infrastructure, assets, and personnel are located in the Union. The provider must demonstrate that necessary legal, technical, and organizational measures are in place to ensure that third-country control does not restrict the provider's ability to perform the service. This implies a continuous monitoring of the subcontractor's operational and legal status to ensure no extraterritorial interference occurs. Specifically, Section 2.1(g) requires measures to prevent access by third countries to customer data and to prevent service disruption, necessitating real-time awareness of the subcontractor's environment.
  • Union Assurance Level 3: Annex II, Section 3.1 introduces strict personnel requirements. It mandates that personnel involved in the provision of the service, including those of subcontractors, are Union citizens. Furthermore, technical and operational support must be initiated and performed exclusively within the Union by personnel who are Union residents and not subject to third-country control. This necessitates rigorous, ongoing verification of personnel status, citizenship, and location, as these attributes can change over time.
  • Union Assurance Level 4: Annex II, Section 4.1 imposes the strictest requirements, including Union citizenship for personnel and strict controls over software supply chains. Providers must demonstrate that third countries do not hold effective control over the design, development, or maintenance of software components used by subcontractors. Section 4.1(i)(ii) requires measures to retain effective control over software components, ensuring a third country does not hold or exercise effective control over their evolution or maintenance. This requires continuous monitoring of the software supply chain and the legal status of the entities maintaining it.

Audit Evidence and Verification

The CADA proposal links these substantive requirements to a robust audit framework. Article 20 mandates independent third-party audits for Union Assurance Levels 2, 3, and 4. Annex III (Audit Evidence) specifies exactly what auditing organizations will examine to verify compliance.

For example, under Audit Criterion B (Location of infrastructure, assets, and personnel), auditors will request evidence that subcontractors' infrastructure and personnel are located in the Union. Under Audit Criterion G (Absence of third-country control), auditors will assess the ownership and control structures of subcontractors, including direct and indirect shareholders up to the ultimate owners. This means that providers must maintain continuous, up-to-date documentation and monitoring mechanisms to prove compliance during audits. If a subcontractor's circumstances change (e.g., a change in ultimate beneficial ownership, a move of infrastructure, or a change in personnel citizenship), the provider must detect this immediately.

Transparency and Reporting Obligations

Article 23 (Transparency obligations) reinforces the need for ongoing monitoring. It requires recognized cloud computing service providers to notify the auditing organization and the national competent authority of any material change in circumstances that may affect their compliance. This includes changes related to subcontractors. Therefore, ongoing monitoring is not just an internal governance exercise; it is a regulatory reporting obligation.

Failure to detect and report a subcontractor's non-compliance could lead to the revocation of the provider's Union Assurance Level recognition under Article 17. Article 17(11) explicitly states that the evaluating national competent authority may revoke recognition where it finds that a provider "intentionally or negligently, supplied incorrect or misleading information." If a provider fails to monitor a subcontractor and subsequently fails to report a material change, this could be construed as negligence.

What this means for you

As a cloud service provider subject to CADA, you must transition from static vendor onboarding to dynamic, continuous supply chain risk management.

  1. Update Contractual Frameworks: Your contracts with subcontractors must include explicit clauses requiring them to maintain compliance with Union legal obligations. These contracts should grant you the right to audit, monitor, and terminate the relationship immediately if compliance is breached. They must also mandate that subcontractors notify you of any material changes in their legal status, ownership, or location.
  2. Implement Continuous Monitoring Tools: For Level 2, 3, and 4 services, you need technical and organizational mechanisms to verify that subcontractor personnel remain Union citizens and that infrastructure remains within the Union. This may involve regular certification requests, automated location verification, and background checks. You must be able to demonstrate that you are actively monitoring these factors, not just relying on self-declarations.
  3. Maintain Audit-Ready Documentation: You must keep a live register of all subcontractors, including their legal structure, ownership details, operational locations, and personnel status. This documentation must be updated in real-time to satisfy auditors under Annex III. The audit evidence requirements in Annex III are extensive, covering everything from lease contracts to payroll records and ownership charts.
  4. Establish Incident Response Protocols: If a subcontractor fails to meet Union legal obligations, you must have a process to immediately mitigate the risk, notify your auditor, and inform the competent authority as required by Article 23. Delay in reporting could be interpreted as a failure of "ongoing oversight."

Common misconceptions

  • "Due diligence is a one-time check." CADA explicitly requires "ongoing oversight" (Annex II, Section 1.1(f)). Initial vetting is insufficient; you must monitor compliance throughout the contract lifecycle.
  • "Level 1 has no subcontractor rules." While Level 1 is less stringent than Levels 2-4, it still requires full transparency, due diligence, and ongoing oversight to ensure subcontractors meet Union legal obligations. The "ongoing oversight" wording is set at Level 1, which forms the baseline that the higher levels build on.
  • "We only need to monitor direct subcontractors." The definition of subcontractor in Article 2(17) and the criteria in Annex II refer to subcontractors involved in the provision of the service. Providers must ensure oversight extends through the chain, especially for Levels 2-4 where control and location requirements are strict. Annex II, Section 1.2 clarifies that subcontractors must have a direct contractual relationship, but the oversight obligation covers the entire provision chain.
  • "Cybersecurity certification covers sovereignty." CADA distinguishes between cybersecurity (covered by EUCS/Cybersecurity Act) and sovereignty (covered by CADA). A subcontractor may be cyber-secure but still fail sovereignty criteria if they are subject to third-country control or laws. Annex II, Section 2.1(e) and 3.1(e) require a European cybersecurity certificate of at least "substantial" assurance, but this is a separate criterion from the sovereignty requirements regarding control and location.

This is general information about a draft EU regulation, not legal advice.