Summary
To decide which Cloud and AI Development Act (CADA) assurance level to target, you must align your service's technical and legal capabilities with the cumulative criteria of Annex II and the procurement mandates of your public-sector customers. Article 16 establishes four Union assurance levels where higher tiers automatically include all lower-tier criteria, allowing you to scale compliance progressively. Crucially, Article 30 dictates that public authorities must procure at least Level 1 for general activities, but are mandated to use Levels 2, 3, or 4 for workloads contributing to the preservation of public order. Therefore, your target level should be determined by the sensitivity of the workloads you intend to host and the specific risk assessments conducted by your public-sector clients under Article 29.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a harmonised framework for cloud sovereignty, replacing fragmented national approaches with a single EU-wide standard. For cloud service providers (CSPs) and data centre operators, understanding how to position your service within this framework is critical for accessing public-sector contracts. The decision on which assurance level to target is not arbitrary; it is driven by the technical architecture of your service, your supply chain controls, and the legal demands of your customers under Article 30.
Understanding the Tiered Structure
Article 16 of the CADA proposal establishes the Union cloud computing sovereignty framework, comprising four distinct Union assurance levels. These levels are designed to be cumulative. This means that to achieve recognition at Level 2, 3, or 4, a provider must satisfy all the criteria of the preceding levels. This structure allows providers to build a baseline of compliance at Level 1 and progressively enhance their security, data localisation, and governance measures to reach higher tiers.
The specific criteria for each level are detailed in Annex II of the proposal. These criteria cover several key dimensions:
- Establishment and Location: Where the provider, its subcontractors, infrastructure, and personnel are located.
- Data Residency: Where customer data, including metadata and telemetry, is processed, stored, and transferred.
- Personnel Requirements: Citizenship and security clearance requirements for staff accessing the service.
- Third-Country Control: Restrictions on providers or subcontractors subject to the control of third countries or legal entities established in third countries.
- Cybersecurity Certification: Requirements for obtaining specific levels of certification under the European Cybersecurity Certification Scheme for Cloud Services (EUCS) or equivalent national schemes.
- Software Supply Chain: Transparency regarding software bills of materials (SBOMs) and controls against remote tampering.
Matching Target Levels to Customer Demand
While you can technically target any level for which you meet the criteria, the practical decision is largely dictated by market demand. Article 30 of the CADA proposal sets out the procurement obligations for public authorities, which are the primary drivers for sovereign cloud adoption.
1. The Baseline: Union Assurance Level 1
Article 30(2) states that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognised as having Union assurance level 1.
- When to target Level 1: If your target market consists of general public administration bodies handling non-sensitive data (e.g., open data portals, general citizen information sites), Level 1 may be sufficient.
- Criteria Snapshot (Annex II, Level 1):
  - The provider must be established in the Union.
  - Infrastructure and assets, including those of subcontractors, must be located in the Union unless the public sector body explicitly requires otherwise.
  - Customer data must remain exclusively within the Union.
  - Providers subject to third-country control must guarantee that no existing laws in that third country require reporting software vulnerabilities to third-country authorities before they are exploited.
  - Cybersecurity: The provider must demonstrate compliance with state-of-the-art cybersecurity standards (no specific EUCS level mandated yet, but "state-of-the-art" is required).
2. The Public Order Threshold: Levels 2, 3, and 4
Article 30(3) mandates that contracting authorities whose activities have been identified as contributing to the preservation of public order must only procure cloud computing services recognised as having Union assurance level 2, 3, or 4.
- When to target Levels 2–4: If you intend to serve ministries of defence, justice, law enforcement, border management, or critical infrastructure operators, you must target at least Level 2.
- Risk Assessment Driver: The specific level (2, 3, or 4) is determined by the risk assessment conducted by the Member State or Union entity under Article 29. These assessments identify which activities contribute to public order in sectors falling under Annex I or II of the NIS2 Directive, as well as national security, defence, and justice.
3. Distinguishing Between Levels 2, 3, and 4
While all three levels are required for public order activities, they offer increasing degrees of sovereignty and stricter criteria:
- Level 2 (Substantial Cybersecurity):
  - Establishment: The audited provider and subcontractors must be established in the Union.
  - Location: Infrastructure, assets, and personnel must be located in the Union.
  - Personnel: Personnel screening and Union citizenship requirements are conditional. If the public sector body determines they are necessary, the provider must ensure personnel meeting those requirements are available.
  - Cybersecurity: Requires a European cybersecurity certificate of at least assurance level 'substantial' (or equivalent national scheme/high standards if EUCS is not yet established).
  - Third-Country Control: Providers subject to third-country control must demonstrate that such control does not restrain service delivery, allow access to customer data, or disrupt service continuity.
- Level 3 (High Sovereignty):
  - Personnel: Stricter requirements. Personnel, including subcontractor staff, must be Union citizens. Where appropriate, they must hold national security clearances issued by a Member State when handling classified information.
  - Third-Country Control: Providers and subcontractors must not be subject to the control of a third country or a legal entity established in a third country.
  - Derogation: By way of derogation, a provider subject to third-country control may be audited for Level 3 where the Commission has adopted an implementing act under Article 18 (Associated third countries) recognising that third country as providing sufficient assurances. Note: Annex II 3.1(g) contains a drafting slip referencing Article 19, but the substantive mechanism for third-country recognition is established in Article 18.
  - Cybersecurity: Requires a European cybersecurity certificate of at least assurance level 'substantial'.
- Level 4 (Maximum Sovereignty):
  - Personnel: Personnel must be Union citizens and, where appropriate, hold national security clearances.
  - Third-Country Control: Providers and subcontractors must not be subject to the control of a third country. No derogation for third-country control is available at this level.
  - Cybersecurity: Requires a European cybersecurity certificate of at least assurance level 'high'.
  - Software Supply Chain: Stricter controls requiring providers to demonstrate that a third country does not hold effective control over the design, development, maintenance, and evolution of software components.
Strategic Considerations for Providers
When deciding which level to target, consider the following strategic factors:
- Cost of Compliance: Higher assurance levels involve more rigorous audits (Article 20), stricter personnel vetting, and potentially more complex supply chain restructuring. Level 1 requires a self-assessment and an EU statement of conformity (Article 19). Levels 2–4 require independent third-party audits. Calculate whether the market size of public-order contracts justifies the investment in Level 3 or 4 compliance.
- Supply Chain Audits: Annex II places heavy emphasis on subcontractors. If your infrastructure relies on global hyperscalers or non-EU software vendors, achieving Level 3 or 4 may require significant architectural changes to ensure legal, technical, and organisational separation from third-country control.
- Third-Country Control: If you, as the provider, are subject to the control of a third country (e.g., through ownership or governance structures), you face higher hurdles. At Levels 3 and 4, you generally cannot be subject to third-country control unless the Commission has issued a specific decision recognising that country under Article 18. This is a high bar, requiring the third country to meet strict criteria regarding data access, service continuity, and reciprocity.
What this means for you
As a cloud service provider or data centre operator, you cannot simply "choose" a level in isolation. You must align your compliance roadmap with the procurement pipelines of your target customers.
- Conduct a Gap Analysis: Map your current service architecture against Annex II. Identify where you fail to meet Level 1 criteria (e.g., data flows outside the EU, non-EU subcontractors). If you cannot meet Level 1, you are excluded from public-sector procurement under Article 30(2).
- Engage with Public Buyers: Understand the risk assessments of your target public-sector clients. Ask them which assurance level their risk assessment under Article 29 has determined is necessary for their specific workloads. Do not assume all public bodies require Level 4; many general administrative functions may only require Level 1 or 2.
- Prepare for Audits: If targeting Levels 2–4, begin preparing for independent third-party audits now. Ensure your documentation, including Software Bills of Materials (SBOMs) and evidence of data localisation, is audit-ready.
- Monitor Third-Country Developments: If you are a provider subject to third-country control, closely monitor the Commission's decisions under Article 18. Your ability to compete for Level 3 and 4 contracts may depend on whether your home country is recognised as providing sufficient assurances.
Common misconceptions
- Misconception: "I can mix and match criteria."
- Reality: The criteria are cumulative. You cannot pick and choose elements from Level 2 and Level 4. To be recognised at Level 4, you must fully comply with all criteria for Levels 1, 2, and 3 as well.
- Misconception: "Level 1 is optional for public sector."
- Reality: Article 30(2) makes Level 1 the minimum requirement for all public sector bodies that do not have public-order relevance. There is no "no-assurance" option for public procurement under CADA.
- Misconception: "Third-country providers are banned."
- Reality: Third-country providers are not banned, but they face significant restrictions. At Level 1, they can compete if they guarantee no third-country laws require vulnerability reporting. At Levels 3 and 4, they are generally excluded unless the Commission has specifically recognised their home country under Article 18, which requires strict safeguards against data access and service disruption.
- Misconception: "Cybersecurity certification is enough."
- Reality: While cybersecurity certification (e.g., EUCS) is a criterion for Levels 2–4, it is not sufficient on its own. CADA adds layers of sovereignty requirements regarding data residency, personnel citizenship, and supply chain control that go beyond pure cybersecurity.
- Misconception: "Level 3 and 4 personnel rules are the same."
- Reality: The personnel rules themselves are closely aligned (both levels require Union citizens and, where appropriate, national security clearances), but the levels are not interchangeable: Level 4 adds the requirement for a 'high' cybersecurity certificate and stricter software supply chain controls regarding effective control over component evolution, neither of which is present in Level 3.
This is general information about a draft EU regulation, not legal advice.