Summary

No. The European Cybersecurity Certification Scheme for Cloud Services (EUCS) "high" assurance level and the proposed CADA's Union assurance level 4 are not equivalent. EUCS measures technical cybersecurity robustness; CADA's level 4 measures the highest tier of sovereignty — establishment, data location, personnel and freedom from third-country control. They are complementary: a level 4 service must also hold an EUCS-type certificate of at least "high" (where such a scheme exists), so EUCS "high" is a component of level 4, not its equivalent. CADA is still a proposal and the text may change.

Detail

The confusion between EUCS and CADA assurance levels comes from a difference in what each framework regulates. As proposed, CADA establishes a sovereignty framework to mitigate strategic dependencies and protect public order, while EUCS (under the Cybersecurity Act) establishes a technical certification for cybersecurity resilience. They address different risk vectors and are not interchangeable.

CADA Union assurance level 4: the sovereignty ceiling

Under CADA Article 16, the Union cloud computing sovereignty framework comprises four Union assurance levels, the criteria for which are set out in Annex II. Level 4 is the strictest tier, intended for the most critical public-order activities (for example, defence and national security).

As proposed, to qualify for level 4 a provider must meet the cumulative criteria in Annex II, section 4.1, which go well beyond technical security controls. Key requirements include:

  • Establishment: the provider and its subcontractors involved in the service are established in the Union (4.1(a)).
  • Location: infrastructure, assets and personnel involved in the service are located in the Union (4.1(b)).
  • Data localisation: customer data — including metadata and telemetry — that is identified as sensitive following a risk assessment must remain exclusively within the Union (4.1(c)).
  • Personnel citizenship: personnel involved in providing the service are Union citizens and, where appropriate, hold the necessary national security clearance (4.1(d)).
  • Absence of third-country control: the provider and its subcontractors must not be subject to the control of a third country or a third-country entity — an absolute prohibition, with no associated-third-country derogation at level 4 (4.1(g)).
  • Cybersecurity certification: the service obtains a European cybersecurity certificate of at least assurance level "high" under a cloud certification scheme to be established under the Cybersecurity Act (Regulation (EU) 2019/881), provided such a scheme exists and is available; otherwise national schemes or, failing that, the highest applicable cybersecurity standards apply (4.1(e)).

EUCS "high": technical cybersecurity

EUCS is a certification scheme developed under the Cybersecurity Act. It assesses a cloud service's ability to withstand cyber threats. The "high" level signals rigorous technical, organisational and procedural cybersecurity controls — for data protection, incident response and system integrity.

Why they are not equivalent

A service can hold an EUCS "high" certificate yet fail CADA level 4. A hyperscaler under non-EU control might achieve EUCS "high" through strong technical controls, yet fail level 4 because it is subject to third-country control (for example, under laws such as the US CLOUD Act) and its infrastructure or personnel are not exclusively in the Union.

Conversely, a fully EU-owned, EU-located provider might meet the level 4 sovereignty criteria but fail to achieve a "high" cybersecurity certificate if its technical controls are insufficient. Because level 4 expressly requires a certificate of at least "high" (Annex II, 4.1(e)), EUCS "high" is a component of level 4 — not its equivalent.

Complementarity in public procurement

Under Article 29, Member States and Union entities run risk assessments to determine the appropriate level for their activities. Where an activity is identified as contributing to the preservation of public order, Article 30(3) requires contracting authorities to procure only services recognised at Union assurance levels 2, 3 or 4. For the highest-risk activities, level 4 applies — meaning the provider must demonstrate both technical cybersecurity excellence (a "high" certificate) and full sovereignty (the level 4 criteria). EUCS-type certification keeps the cloud secure from attackers; CADA level 4 keeps it out of reach of foreign-government access.

What this means for you

For in-house counsel and compliance officers, the distinction has direct implications for due diligence, contracting and procurement.

1. Dual compliance burden. If you advise a contracting authority, or a private entity carrying out an impact assessment (Article 31), you cannot accept an EUCS "high" certificate alone when level 4 is required. You must also verify the Annex II sovereignty criteria — ownership and control structures, personnel citizenship, and data-residency evidence.

2. Repository checks. The Commission maintains a central repository of recognised services (Article 22). Confirm the provider's recognised level there — an EUCS "high" listing does not equate to a level 4 recognition. The provider must have completed the independent audit (Article 20) and obtained recognition by the national competent authority of establishment (Article 17).

3. Contractual safeguards. For level 4 services, contracts should guarantee no third-country control or access; exclusive Union location of data and personnel; maintenance of the required cybersecurity certificate; and immediate notification of any material change affecting the assurance level (Article 23).

4. Penalties and liability. Member States would set effective, proportionate and dissuasive penalties for provider infringements (Article 24). Recipients also have a right to seek compensation for damage caused by a provider's infringement of the sovereignty framework (Article 24(3)). Accurate classification is a risk-mitigation imperative.

5. Transition planning. As proposed (Article 48), CADA would apply one year after entry into force. A provider holding EUCS "high" but under third-country control would not qualify for level 4. Where a risk assessment requires migration, Article 29(6) allows a transition period not exceeding 12 months.

Common misconceptions

"EUCS high is the EU's top cloud standard." It is the top cybersecurity certification. CADA level 4 is the top sovereignty tier. A service can be technically secure (EUCS high) yet strategically exposed (not level 4) if it is under third-country control.

"CADA replaces EUCS." No. CADA would incorporate it: reaching level 4 requires a cybersecurity certificate of at least "high" (Annex II, 4.1(e)). The frameworks are layered, not substitutive.

"Higher CADA levels are only for government." The mandatory procurement rules (Article 30) apply to public authorities, but Annex I NIS2 entities may conduct similar impact assessments (Article 31) and adopt these standards voluntarily; public procurement signals often pull the private sector along.

"Level 4 means data never leaves the EU." Nuanced. At level 4, customer data identified as sensitive following a risk assessment must remain exclusively within the Union (Annex II, 4.1(c)). At lower levels, data may leave the Union where the public sector body explicitly requires otherwise, provided the other criteria are met.

This is general information about a draft EU regulation, not legal advice.