Summary
You would not choose a Union assurance level on preference or cost alone; you would select the level set by your risk assessment. Under the proposed Cloud and AI Development Act (CADA), public-sector bodies whose activities are not public-order relevant must use at least Union assurance level 1 (Article 30(2)). If your activities are identified as contributing to the preservation of public order under Article 29, you must procure level 2, 3 or 4 (Article 30(3)). Choosing a higher tier than required is possible; choosing a lower tier than required would be non-compliant.
Detail
As proposed, CADA establishes a mandatory, risk-based framework for public-sector cloud procurement. The choice between Union assurance level 1 and the higher tiers is not a commercial decision but a compliance obligation driven by the criticality of the activity and the sensitivity of the data.
The baseline: Union assurance level 1
Article 30(2) sets a floor for public procurement: Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order under the Article 29 risk assessment must use services recognised at Union assurance level 1.
Level 1 is the entry point. Under Annex II, the provider must be established in the Union, with infrastructure and assets located in the Union, and customer data (including metadata and telemetry) remaining exclusively within the Union unless the public sector body explicitly requires otherwise. Level 1 relies on a self-assessment: under Article 19 the provider carries out a conformity self-assessment and issues an EU statement of conformity. There is no mandatory third-party audit at level 1, which makes it the fastest and least costly tier to achieve.
The trigger: Article 29 risk assessments
Moving beyond level 1 is triggered by the risk assessment in Article 29. Within one year of entry into force, and every two years thereafter (or whenever necessary), Member States and Union entities must carry out risk assessments that identify public-sector activities contributing to the preservation of public order and determine the appropriate level. These assessments must consider at least:
- activities in sectors falling under Annex I or II of the NIS2 Directive, and in national security, internal security, external border management, defence, justice or law enforcement;
- the sensitivity, criticality and magnitude of the personal and non-personal data processed;
- the risk of unlawful access by a third country and the risk of service disruption.
If your assessment identifies such an activity, Article 30(3) provides that you may only procure services recognised at Union assurance level 2, 3 or 4. You could not legally use a level 1 service for those activities.
Comparing tiers: self-assessment vs independent audit
The primary differentiator between level 1 and levels 2-4 is the verification mechanism, which drives cost and burden.
- Level 1 (self-assessment): relies on the provider's own assessment under Article 19. Lower cost, but a lower degree of independent verification.
- Levels 2-4 (independent audit): Article 20 requires providers seeking levels 2, 3 or 4 to undergo independent third-party audits at their own expense, yielding an audit report and a "positive" audit opinion. Auditors verify infrastructure and data location, software supply-chain controls and the absence of disqualifying third-country control, among other criteria.
The substantive criteria also rise (Annex II). At level 2, data generated by the service must not be used to train or fine-tune any AI system operated by a third country, and a European cybersecurity certificate of at least "substantial" level is required once the relevant scheme exists (with national or fallback standards until then). Level 3 adds that personnel involved in providing the service must be Union citizens and that the provider and subcontractors must not be subject to third-country control (subject to the narrow Article 18 derogation). Level 4, the highest tier, requires a "high" cybersecurity certificate and that no third country holds effective control over the design, development or maintenance of software components.
Strategic considerations for procurement officers
When drafting tender specifications, align technical requirements with your Article 29 risk assessment.
- Map your activities: define which services support public-order activities.
- Apply the minimum requirement: for non-public-order activities, specify level 1. This keeps the market open to a wider range of providers, including SMEs.
- Specify higher tiers only when necessary: for public-order activities, specify level 2, 3 or 4 based on the risks identified (for example, classified information may point to level 3 or 4).
- Consider multi-cloud strategies: Article 29(9) requires you to consider, in the risk assessment, whether a multi-vendor or multi-cloud strategy is appropriate.
What this means for you
As a public-sector procurement officer, your role would be to ensure contracts align with the level set by your risk assessment.
- Conduct or review your risk assessment: ensure the Article 29 assessment is completed (within one year of entry into force, then every two years). Without it you cannot determine the mandatory level.
- Draft clear tender documents: state the required level explicitly, for example "the service must be recognised under Article 17 as offering Union assurance level [1/2/3/4]."
- Verify recognition: before award, check the central repository the Commission would maintain under Article 22 to confirm valid recognition.
- Budget for higher tiers: levels 2-4 may cost more because of the audit requirements on providers.
- Plan for transitions: where a risk assessment requires migration to another service, Article 29(6) allows a reasonable transition period not exceeding 12 months.
Common misconceptions
- "I can choose level 1 to save money even for critical services." No. If your activity is identified as public-order relevant under Article 29, Article 30(3) requires level 2, 3 or 4.
- "Level 1 is only for small organisations." No. Level 1 is appropriate for any public sector body whose activities are not public-order relevant, regardless of size.
- "Higher assurance levels are always better." Not necessarily. Levels 3 and 4 impose strict requirements (Union citizenship for personnel, absence of third-country control) that can narrow the provider pool and raise cost without added value where data sensitivity does not justify them.
- "Self-assessment means no oversight." Even at level 1, providers remain subject to national competent authorities' powers (Article 26) and to penalties for non-compliance (Article 24), and the EU statement of conformity must be made publicly available (Article 19(3)).
This is general information about a draft EU regulation, not legal advice.