Summary Under the proposed Cloud and AI Development Act (CADA), data residency obligations escalate significantly across the four Union assurance levels. Levels 1, 2, and 3 generally require customer data, metadata, and telemetry to remain exclusively within the Union, but permit a critical exception: a public sector body may explicitly require otherwise. Level 4, however, imposes a strict, non-derogable residency requirement for data identified as sensitive following a risk assessment, with no public-body exception allowed. This distinction ensures that the most critical data remains under strict Union jurisdiction regardless of operational preferences.

Detail

The CADA proposal establishes a tiered sovereignty framework designed to mitigate risks associated with dependence on third-country cloud providers. A core component of this framework is data localisation, which varies strictly by the Union assurance level (UAL) sought by a cloud computing service provider. The specific criteria for each level are set out in Annex II of the proposal.

The framework distinguishes between general operational data and data identified as sensitive, creating a "hard floor" for the highest assurance tier. Across all levels, the definition of "customer data" is expansive, explicitly encompassing not only the content provided by the user but also the digital footprint generated by the service itself.

Union Assurance Level 1: Baseline Residency with Public-Body Exception

For providers seeking Union assurance level 1, the primary requirement is that the provider must be established in the Union. Regarding data, Annex II, point 1.1(c) states that customer data, including metadata and telemetry data, processed, stored, and transferred by the provider and its subcontractors, must "remain exclusively within the Union."

However, this rule includes a critical flexibility mechanism. The requirement for exclusive Union residency applies "unless the public sector body explicitly requires otherwise." This means that if a public sector customer needs to route data outside the Union for legitimate operational reasons, they can contractually waive the strict residency requirement, provided the provider has met the other Level 1 criteria (such as state-of-the-art cybersecurity standards and transparency regarding subcontractors).

At this baseline level, the sovereignty framework prioritises market accessibility while establishing a default presumption of Union data localisation. The exception empowers the public sector to balance sovereignty with operational necessity, though doing so inherently increases exposure to third-country access risks.

Union Assurance Level 2: Strict Residency with Public-Body Exception

Union assurance level 2 introduces more stringent operational controls, including independent third-party audits and requirements for Union-based personnel and infrastructure. The data residency rule mirrors Level 1 in structure but applies to a broader set of operational constraints.

Under Annex II, point 2.1(c), customer data, including metadata and telemetry data, processed by the audited provider and its subcontractors, must "remain exclusively within the Union." Like Level 1, this obligation is subject to the exception: "unless the public sector body explicitly requires otherwise and at any time, including before, during or after the configuration or use of the service."

The phrase "at any time" is significant. It ensures that data cannot be temporarily exported for processing or backup and then returned; the exception must be explicit and cover the entire lifecycle of the data.

At this level, the provider must also ensure that data generated by using the service is not used to train or fine-tune any AI system operated by a third country or a legal entity established in a third country (Annex II, point 2.1(f)). This adds a layer of protection against data exfiltration for model training, complementing the physical residency rule. The public-body exception remains available, allowing flexibility for non-critical public sector activities that may require global AI capabilities, provided the data residency waiver is explicit.

Union Assurance Level 3: High Assurance with Public-Body Exception

Union assurance level 3 is designed for activities contributing to the preservation of public order in sectors such as national security, defence, and law enforcement. The residency requirement remains consistent with Levels 1 and 2 in its text but operates within a stricter sovereignty context.

According to Annex II, point 3.1(c), customer data, including metadata and telemetry data, must "remain exclusively within the Union unless the public sector body explicitly requires otherwise and at any time, including before, during or after the configuration or use of the service."

The key differentiator at Level 3 is not the residency rule itself, but the context in which it operates. Providers at this level must demonstrate that they are not subject to the control of a third country or a legal entity established in a third country, unless the Commission has adopted a specific implementing act recognizing that third country as providing sufficient assurances (Annex II, point 3.1(g)). Consequently, while the public body can technically waive the residency requirement, the underlying sovereignty risks are mitigated by the strict control and ownership criteria. The exception allows for necessary cross-border cooperation in public order contexts, provided the provider's structural independence from third-country control is maintained.

Union Assurance Level 4: Absolute Residency for Sensitive Data

Union assurance level 4 represents the highest tier of sovereignty, intended for the most critical public sector activities. Here, the CADA proposal introduces a fundamental shift in the residency rule: the removal of the public-body exception for sensitive data.

Under Annex II, point 4.1(c), the rule distinguishes between general customer data and data identified as sensitive following a risk assessment. For data identified as sensitive, the provider and its subcontractors must ensure that this data "remain[s] exclusively within the Union and at any time, including before, during or after the configuration or use of the service."

Crucially, unlike Levels 1, 2, and 3, there is no "unless the public sector body explicitly requires otherwise" clause for this sensitive data. This creates an absolute barrier: even if a public sector authority wishes to process sensitive data outside the Union, a Level 4 provider cannot legally do so while maintaining its Level 4 status. This ensures that the most critical data remains under strict Union jurisdiction, regardless of operational preferences.

It is important to note that the Level 4 exception applies specifically to data "identified as sensitive" following a risk assessment. For non-sensitive data processed under a Level 4 service, the general rules may still apply, but the threshold for "sensitive" is high, covering data that could undermine public order if compromised. The absence of the waiver for sensitive data is the defining feature of the highest assurance tier.

The Role of Metadata and Telemetry

A consistent thread across all four levels is the inclusion of metadata and telemetry data in the residency requirements. The CADA definition of "customer data" in the context of these annexes explicitly includes:

  • Data input into the service by the customer.
  • Data produced through the customer's use of the service.
  • Telemetry and metadata derived from the interaction with the service.

This prevents providers from bypassing residency rules by physically storing customer files in the Union while routing diagnostic logs, performance metrics, or usage patterns to third-country servers for analysis or support. At Levels 2, 3, and 4, this is further reinforced by the requirement that technical and operational support must be initiated and performed exclusively within the Union (Annex II, points 2.1(h), 3.1(h), and 4.1(h)).

The inclusion of telemetry is particularly critical. In modern cloud architectures, telemetry often contains information about the nature of the workload, the volume of data processed, and the timing of operations. By mandating that this data also remains within the Union (subject to the Level 1–3 public-body exception), CADA ensures that the "shadow" of the data processing cannot be used to infer sensitive information or facilitate third-country surveillance.

What this means for you

For in-house counsel and compliance officers, understanding these tiered residency rules is essential for both procurement and service design. The distinction between a "waivable" rule and an "absolute" rule fundamentally changes the risk profile of a cloud contract.

For Public Sector Procurement Officers:

  • Risk Assessment is Key: Under Article 29, you must conduct risk assessments to determine which Union assurance level is appropriate for your activities. If your data is classified as sensitive and requires absolute jurisdictional control, you must procure a Level 4 service.
  • Contractual Leverage: For Levels 1, 2, and 3, you have the contractual power to waive the residency requirement if necessary for specific operational needs. However, exercising this waiver increases your exposure to third-country access risks. Document the justification for any such waiver carefully, as it represents a deliberate departure from the default sovereignty framework.
  • Level 4 Constraints: If you require a Level 4 service, do not attempt to negotiate data transfer clauses for sensitive data outside the Union. The provider cannot comply with such a request without losing its Level 4 recognition. The "unless the public sector body explicitly requires otherwise" clause is simply absent for sensitive data at this tier.

For Cloud Service Providers:

  • Architecture Design: Your infrastructure must be capable of isolating data flows. For Levels 2–4, you must ensure that no metadata or telemetry leaves the Union unless explicitly permitted by the public body (Levels 1–3) or unless it is non-sensitive data at Level 4.
  • Audit Readiness: Auditing organisations will examine data flow diagrams, access logs, and support records to verify compliance with these residency rules (Annex III). Ensure your logging mechanisms capture the location of all data processing activities, including those performed by subcontractors.
  • Subcontractor Management: The residency obligations extend to subcontractors involved in the provision of the service. You must enforce these same geographic constraints on your supply chain. A breach by a subcontractor in a third country could result in the loss of your Union assurance recognition.

Common misconceptions

Misconception 1: "Level 1 has no data residency requirements." Incorrect. Annex II, point 1.1(c) explicitly requires that customer data, including metadata and telemetry, remain exclusively within the Union. The difference is the availability of the public-body exception, not the absence of the rule.

Misconception 2: "Metadata can be processed outside the Union for technical support." Incorrect. The CADA definition of customer data explicitly includes metadata and telemetry. At Levels 2, 3, and 4, technical support must also be performed exclusively within the Union. Routing telemetry to a global support centre in a third country would violate the Level 2, 3, or 4 criteria unless the public body explicitly waives the requirement (for Levels 1–3) or the data is not classified as sensitive at Level 4.

Misconception 3: "Level 4 allows data transfers if the provider has a Level 3 waiver." Incorrect. Level 4 has its own distinct criteria. The absence of the public-body exception for sensitive data in Annex II, point 4.1(c) means that sensitive data cannot leave the Union under any circumstances while the service maintains its Level 4 status. A waiver valid for Level 3 does not apply to the stricter constraints of Level 4.

Misconception 4: "Only customer content is subject to residency rules." Incorrect. The rules explicitly cover "metadata and telemetry data." This ensures that the operational footprint of the service cannot be used to bypass sovereignty requirements.

Related

This is general information about a draft EU regulation, not legal advice.