Summary

Under the proposed Cloud and AI Development Act (CADA), "operational autonomy" is the ability of a cloud provider to control its service without third-country interference, distinct from mere data localisation. For Union Assurance Level 1, providers must document that any outsourced technical support outside the Union does not compromise this autonomy, as required by Annex II, Section 1, point 1.1(d). For Levels 2, 3, and 4, the proposal generally mandates that technical and operational support be initiated and performed exclusively within the Union, with specific personnel and control criteria. Compliance is demonstrated through a conformity self-assessment (Level 1) or independent third-party audits (Levels 2–4), where evidence must align with Article 21 and the detailed lists in Annex III, particularly regarding contractual controls, access paths, and the absence of third-country control.

Detail

The proposed Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, establishes a Union cloud computing sovereignty framework comprising four assurance levels. A central pillar of this framework is operational autonomy: the capacity of the provider and the public sector body to manage, secure, and operate the service without undue influence, coercion, or disruption from third countries.

Documenting this autonomy is not a static exercise but a layered evidentiary process that scales with the assurance level sought. The requirements shift from demonstrating controls over external support at Level 1 to demonstrating the absence of such support at higher levels.

The Legal Basis: Annex II Criteria by Level

The specific criteria for operational autonomy are defined in Annex II of the proposal. The text distinguishes sharply between the flexibility allowed at Level 1 and the strict territorial and personnel requirements for Levels 2–4.

Union Assurance Level 1: Managing Outsourced Support

For providers seeking Level 1 recognition, the proposal allows for the outsourcing of technical and operational support to third-party service providers outside the Union. However, this is conditional. Annex II, Section 1, point 1.1(d) mandates that the provider must implement "necessary legal, technical and organisational measures" to ensure:

  1. Traceability of those operations.
  2. Security of those operations.
  3. Governance of those operations.
  4. Crucially, that these operations "do not, in any way, compromise the operational autonomy of the cloud computing service provider."

This criterion requires a provider to prove that even if a support engineer is located in a third country, they cannot unilaterally alter the service, access customer data without strict authorisation, or be compelled by third-country laws to disrupt service. The burden is on the provider to demonstrate that the "operational autonomy" remains intact despite the geographical location of the support function.

Union Assurance Levels 2, 3, and 4: Exclusive Union Support

As the assurance level increases, the scope for out-of-Union support narrows significantly, effectively eliminating it for core operational functions.

  • Level 2: Annex II, Section 2, point 2.1(h) states that "the technical and operational support or assistance related to the audited service, including subsequent sub-outsourcing arrangements, are initiated and performed exclusively within the Union." This criterion removes the flexibility of Level 1; the provider must document that no support activity originates from or is executed by personnel outside the EU.
  • Level 3: Annex II, Section 3, point 3.1(h) reinforces the exclusivity requirement, adding that support must be performed by personnel that are Union residents and by third parties not subject to third-country control.
  • Level 4: Annex II, Section 4, point 4.1(h) mirrors the Level 3 requirement, mandating that support be initiated and performed exclusively within the Union by Union residents and non-controlled third parties.

Furthermore, for Levels 3 and 4, providers must also satisfy Annex II, Sections 3.1(k) and 4.1(k), which require demonstrating "effective legal, technical and organisational separation" between the Union parent company and any third-country subsidiary. This ensures that even if the corporate group has global reach, the specific cloud service remains insulated from third-country control.

The Role of Article 19 and Article 20

The method of proving these criteria depends on the level:

  • Level 1 (Article 19): Providers must carry out a conformity self-assessment. They must issue an EU statement of conformity stating that the criteria in Annex II, including the operational autonomy measures in 1.1(d), have been demonstrated.
  • Levels 2–4 (Article 20): Providers must undergo independent third-party audits. An auditing organisation must verify compliance and issue a "positive" audit opinion. The provider cannot self-certify these higher levels.

Evidence Requirements Under Article 21 and Annex III

Article 21 of the proposal stipulates that audit evidence must be "relevant and sufficient" and "reliable." The specific evidence required to prove operational autonomy is detailed in Annex III, specifically under Audit Criterion H (No technical and operational support outside of the Union) and Audit Criterion G (Absence of third-country control).

To satisfy Article 21 and the audit criteria, providers must prepare the following evidence:

1. Contractual and Legal Measures

  • Binding Clauses: Evidence of contractual clauses stating that all support, administration, maintenance, and monitoring must be initiated and performed exclusively in the Union (for Levels 2–4) or are subject to strict controls (for Level 1).
  • Subcontractor Controls: Clauses requiring advance disclosure of all subcontractors, prior written approval for new ones, and a right to reject subcontractors located outside the Union.
  • Prohibitions: Explicit prohibitions on third-country support teams accessing customer data, modifying configurations without Union-based approval, or executing commands that could disrupt service.

2. Technical Controls and Access Paths

  • Geographic Restrictions: Evidence of geographically restricted network controls that prevent administrative access from outside the Union.
  • Access Path Verification: Documentation showing that administrative access to systems used to operate the service is provided through access paths located within the Union.
  • Privileged Access Management (PAM): Implementation of PAM controls and monitoring mechanisms to ensure that no remote access for technical support originates from outside the Union.
  • Break-Glass Procedures: For Level 1, evidence of "break-glass" procedures where any action initiated from outside the Union requires dual-authorisation from within the Union.

3. Organisational and Personnel Evidence

  • Subcontractor Registers: An up-to-date register of all subcontractors involved in technical support.
  • Personnel Verification: For Levels 3 and 4, evidence that personnel providing support are Union residents (e.g., employment contracts, payroll records, timesheets).
  • Chain of Command: Documentation showing that third-country support staff (if any for Level 1) are contractually and operationally subordinate to Union-based managers, with the Union entity retaining final decision-making authority.
  • Separation of Subsidiaries: For Levels 3 and 4, evidence of legal and operational separation between the Union entity and any third-country subsidiary, proving the subsidiary has no access to systems processing customer data or privileged accounts in Union production environments.

4. Demonstrating "No Compromise" of Autonomy (Level 1 Specific)

For Level 1 providers relying on Annex II, 1.1(d), the evidence must explicitly show that out-of-Union support does not compromise autonomy. This includes:

  • Immutable Logs: Logs of all remote access sessions stored within the Union.
  • Data Access Restrictions: Proof that third-country support teams cannot access customer data without explicit, logged authorisation.
  • Legal Safeguards: Evidence that support contracts include clauses preventing compliance with third-country laws that conflict with EU operational autonomy (e.g., laws mandating service disruption).
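The technical evidence points under "Technical Controls and Access Paths" (Union-located access paths, PAM monitoring of where remote support originates, break-glass dual authorisation) and the Level 1 "No Compromise" items above (Union-stored session logs, logged authorisation for third-country data access) can be turned into a repeatable check over privileged-session records, which is the kind of artefact an auditor under Article 21 would ask for. The following Python script is an added example, not part of the original article and not taken from the CADA proposal text or any provider's tooling. The record format, the field names, the region label "EU" and the sample sessions are all constructed assumptions; the rules encode the level distinctions the article describes (out-of-Union support tolerated at Level 1 only with Union-side controls, excluded at Levels 2–4, with residency and subsidiary-separation checks from Level 3).

```python
"""Check privileged-support session records against CADA operational-autonomy rules.

Added example for the article above; not code from the article or the CADA proposal.
Record layout, field names and sample data are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

UNION = "EU"  # region label used for "within the Union" in these constructed records


@dataclass
class SupportSession:
    session_id: str
    actor: str
    actor_residency: str          # "EU" or "third_country" (assumed personnel-register field)
    employer: str                 # "union_entity" or "third_country_subsidiary" (assumed)
    source_region: str            # where the remote session was initiated from
    access_path_region: str       # where the jump host / access path is located
    action: str                   # "monitoring", "config_change" or "customer_data_read"
    approver_regions: tuple = ()  # regions of the people who authorised this session
    log_store_region: str = UNION  # where the session log is retained


def evaluate_session(s: SupportSession, level: int) -> list[str]:
    """Return the findings for one session at the given assurance level (empty = clean)."""
    findings: list[str] = []

    # Evidence points the article lists for every level: the administrative access
    # path must be located within the Union, and session logs must be kept there.
    if s.access_path_region != UNION:
        findings.append("access path located outside the Union")
    if s.log_store_region != UNION:
        findings.append("session log not stored within the Union")

    out_of_union = s.source_region != UNION

    if level == 1:
        # Level 1 tolerates out-of-Union support only if it cannot compromise autonomy:
        # the article's break-glass evidence requires any action initiated from outside
        # the Union to carry dual authorisation from within the Union.
        eu_approvals = sum(1 for r in s.approver_regions if r == UNION)
        if out_of_union and eu_approvals < 2:
            findings.append("out-of-Union action without dual Union authorisation")
    else:
        # Levels 2-4: support must be initiated and performed exclusively within the
        # Union. Monitoring counts as support, so read-only sessions get no carve-out.
        if out_of_union:
            findings.append(
                "support initiated from outside the Union (not permitted at level %d)" % level
            )
        if level >= 3:
            # Levels 3-4 add personnel residency and subsidiary-separation evidence.
            if s.actor_residency != UNION:
                findings.append("support performed by non-Union-resident personnel")
            if s.employer == "third_country_subsidiary":
                findings.append("third-country subsidiary holds privileged access")
    return findings


def audit_report(sessions: list[SupportSession], level: int) -> dict:
    """Map each session id to its findings and say whether the whole set is clean."""
    per_session = {s.session_id: evaluate_session(s, level) for s in sessions}
    return {
        "level": level,
        "findings": per_session,
        "compliant": all(not f for f in per_session.values()),
    }


# Constructed sample records (not real data): one in-Union change, one out-of-Union
# monitoring session with dual Union approval, one out-of-Union data read with a single
# approval, and one subsidiary engineer using a non-Union access path and log store.
SAMPLE_SESSIONS = [
    SupportSession("S1", "anna", "EU", "union_entity", "EU", "EU", "config_change", ("EU",)),
    SupportSession("S2", "raj", "third_country", "union_entity", "third_country", "EU",
                   "monitoring", ("EU", "EU")),
    SupportSession("S3", "raj", "third_country", "union_entity", "third_country", "EU",
                   "customer_data_read", ("EU",)),
    SupportSession("S4", "li", "third_country", "third_country_subsidiary", "EU",
                   "third_country", "config_change", ("EU",), log_store_region="third_country"),
]

if __name__ == "__main__":
    for lvl in (1, 2, 3, 4):
        rep = audit_report(SAMPLE_SESSIONS, lvl)
        print(f"Level {lvl}: compliant={rep['compliant']}")
        for sid, items in rep["findings"].items():
            if items:
                print(f"  {sid}: {'; '.join(items)}")
```

Running the script shows the gradient the article describes: the dual-approved out-of-Union monitoring session S2 is clean at Level 1 but a finding at Levels 2–4, and S4 accumulates extra findings at Levels 3 and 4 for residency and subsidiary access on top of its access-path and log-location problems. In a real programme the session records would come from the PAM or jump-host logs and the residency and employer fields from the subcontractor and personnel registers the article says auditors will expect.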

What this means for you

If you are a cloud service provider aiming to serve the EU public sector under the proposed CADA, your documentation strategy must be tailored to your target assurance level.

For Level 1 Providers: You retain the flexibility to use global support teams, but you must rigorously document the "firewalls" around them.

  • Action: Review all outsourcing contracts to ensure they contain explicit prohibitions on unauthorised access and configuration changes.
  • Action: Implement technical logging that captures all remote support activities and store these logs within the EU.
  • Action: Prepare a self-assessment under Article 19 that explicitly maps your legal, technical, and organisational measures to the four requirements of Annex II, 1.1(d).

For Level 2, 3, and 4 Providers: You must effectively eliminate out-of-Union technical support.

  • Action: Restructure your support operations to ensure that no personnel located outside the EU have administrative access to your production environments.
  • Action: Document the legal and technical separation between your EU entity and any third-country affiliates.
  • Action: Prepare for an independent audit under Article 20, ensuring your evidence (contracts, network diagrams, personnel records) aligns perfectly with Annex III, Criterion H.

Audit Readiness: Regardless of the level, maintain an up-to-date subcontractor register. Ensure your technical documentation includes detailed diagrams of your support infrastructure, highlighting where access paths originate and terminate. This evidence will be scrutinised by auditing organisations under Article 21.

Common misconceptions

Misconception 1: "Operational autonomy is the same as data localisation." Many providers confuse the two. While data must remain in the Union (Annex II, 1.1(c)), operational autonomy refers to the control over the service. You can have data physically located in the EU but still lack operational autonomy if your support team is in a third country with extraterritorial laws that could force them to disrupt service or access data. CADA requires you to prove you retain control regardless of where the data sits.

Misconception 2: "Self-assessment is sufficient for all levels." Article 19 applies only to Level 1. For Levels 2, 3, and 4, Article 20 mandates independent third-party audits. You cannot self-certify higher assurance levels. The evidence you prepare for self-assessment must be robust enough to withstand independent audit scrutiny, particularly regarding the strict "exclusively within the Union" requirement in Annex II, 2.1(h).

Misconception 3: "Out-of-Union support is allowed if it's just for monitoring." For Levels 2–4, Annex II explicitly requires that technical and operational support be initiated and performed exclusively within the Union. This includes monitoring, incident response, and maintenance. Even passive monitoring from outside the Union could be viewed as a breach of the exclusive support requirement. For Level 1, while out-of-Union support is permitted, it must not compromise operational autonomy, which may effectively preclude any monitoring that provides access to sensitive configuration data.

Misconception 4: "A third-country subsidiary can provide support if it's a separate legal entity." For Levels 3 and 4, Annex II, Sections 3.1(k) and 4.1(k) require "effective legal, technical and organisational separation." Merely having a separate legal entity is insufficient; you must prove the subsidiary has no access to systems processing customer data and no privileged accounts in Union production environments. The audit evidence must demonstrate this total isolation.

This is general information about a draft EU regulation, not legal advice.