Summary
To obtain recognition at CADA Union assurance level 2, a cloud computing service provider must undergo a mandatory independent third-party audit and secure a 'positive' audit opinion. Unlike the self-assessment route for Level 1, Level 2 requires submitting the audit report, the positive opinion, and all supporting evidence to the national competent authority of establishment under Article 17(4). The provider must satisfy the cumulative criteria in Annex II, which include strict EU establishment, data localisation (data must remain exclusively in the Union), and a European cybersecurity certificate of at least 'substantial' assurance. Crucially, Article 20(1) mandates that providers must also meet all Level 1 criteria to qualify for Level 2. As proposed, this recognition, once granted without objection from other Member States, is valid across the entire Union.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a four-tier framework to safeguard the Union's public order and reduce dependence on third-country providers. Union assurance level 2 represents the first tier requiring independent verification, moving beyond the self-declaration model of Level 1. The path to recognition is strictly defined by Article 17 (Recognition of cloud computing service providers) and Article 20 (Independent audit), with the substantive requirements detailed in Annex II.
The Audit Route: Article 20
The cornerstone of Level 2 recognition is the independent audit. Article 20(1) explicitly states that cloud computing service providers seeking recognition at Union assurance level 2, 3, or 4 "shall undergo at their own expense, independent third-party audits to obtain an audit report and an audit opinion from an auditing organisation."
This is not a voluntary certification but a mandatory compliance gate. The audit must be conducted by an organisation that meets strict independence criteria under Article 20(4). The auditor must be independent from the provider and any connected legal persons. Specifically:
- They must not have provided non-audit services related to the audited matters in the 12 months before or after the audit.
- They must not have provided auditing services to the provider in the 10 years prior.
- Their fees cannot be contingent on the audit result.
The outcome of this process is an audit report and an audit opinion. Article 20(5) requires the report to be substantiated in writing, including a declaration of interests, methodology, and findings. The opinion must be either 'positive' or 'negative'. A 'positive' opinion is issued only where "all evidence shows that the provider complies with the audit criteria." If the opinion is negative, the report must include operational recommendations for compliance.
Furthermore, Article 20(8) establishes a continuous compliance obligation: the audited provider must "annually submit for review the audit report and the associated 'positive' audit opinion" to confirm continued compliance. Failure to meet any requirements of a lower assurance level precludes conformity with the higher level, as stated in Article 20(1).
The Recognition Process: Article 17
Once the provider secures a positive audit opinion, they must apply for formal recognition. Article 17(1) mandates that the provider submit an application to the national competent authority of establishment.
Article 17(4) is the critical procedural link for Level 2. It specifies the evidence required for levels 2, 3, and 4:
"For Union assurance levels 2, 3 and 4, the candidate cloud computing service provider shall submit to the evaluating national competent authority the audit report, the 'positive' audit opinion referred to in Article 20 and all the evidence provided to the auditing organisation during the audit procedure."
The national competent authority of establishment acts as the "evaluating national competent authority." Under Article 17(5), within 60 days of accepting the application, this authority must assess the evidence. If sufficient, it prepares a draft recognition decision and notifies other Member States' competent authorities for a 60-day review period.
This mechanism ensures a "single market" approach. If no reasoned objection is raised within the review period, Article 17(7) states that "the conclusions by the evaluating national competent authority shall be deemed accepted by all Member States," and the service is recognised throughout the Union. If objections are raised, the matter may be referred to the Commission for a binding decision under Article 17(10).
Substantive Criteria: Annex II Level 2
To obtain the 'positive' audit opinion required by Article 17(4), the provider must satisfy the cumulative criteria in Annex II, Section 2 (Union assurance level 2). These criteria are designed to ensure operational autonomy and data sovereignty.
1. EU Establishment and Location
Under Annex II, 2.1(a) and (b), the audited provider and all subcontractors involved in the service provision must be established in the Union. Furthermore, their infrastructure, assets, and personnel must be located in the Union. This is a strict territorial requirement that goes beyond mere corporate registration; it demands physical presence and operational control within the EU.
2. Data Localisation
Annex II, 2.1(c) mandates that customer data, including metadata and telemetry data, processed, stored, and transferred by the provider and its subcontractors "remain exclusively within the Union." This applies at all times, including before, during, or after the configuration or use of the service. An exception exists only if the public sector body explicitly requires otherwise. This creates a high bar for data residency, effectively prohibiting cross-border data flows for Level 2 services unless explicitly waived by the customer.
3. Cybersecurity Certification
A key differentiator for Level 2 is the cybersecurity requirement. Annex II, 2.1(e) states that the audited service must obtain a European cybersecurity certificate of at least assurance level 'substantial' under a scheme established under Regulation (EU) 2019/881 (the Cybersecurity Act).
- Transitional Provision: Until such a Union-wide scheme is established, national cybersecurity certification schemes shall apply where they exist.
- Fallback: Where no Union or national schemes exist, the provider must demonstrate compliance with the highest cybersecurity standards under applicable Union law.
- Note on Assurance Levels: The requirement is for 'substantial' assurance. This is distinct from Level 4, which requires a 'high' assurance level certificate.
4. AI Training Data Restrictions
Annex II, 2.1(f) imposes a strict prohibition on data usage: data generated by using the audited service "are not used to train or fine-tune any AI system operated by a third country or a legal entity established in a third-country," and such data "are not transferred outside the Union in any case." This prevents the indirect leakage of EU data into non-EU AI training pipelines.
5. Third-Country Control Safeguards
If the provider or its subcontractors are subject to the control of a third country or a third-country legal entity, Annex II, 2.1(g) requires the implementation of legal, technical, and organisational measures to ensure:
- Control does not restrict the provider's ability to perform the service.
- Access by a third country to customer data is prevented.
- Disruption or degradation of service continuity/quality is prevented.
- The provider is not obliged to comply with third-country restrictive measures (e.g., sanctions) unless legitimate under Union law.
6. Technical Support and Software Supply Chain
- Support: Annex II, 2.1(h) requires that technical and operational support, including sub-outsourcing, be initiated and performed exclusively within the Union.
- SBOM: Annex II, 2.1(i) mandates a complete and up-to-date Software Bill of Materials (SBOM). For third-country software components, providers must block remote features that could tamper with the system and have a documented migration plan.
- Open Source: Annex II, 2.1(j) requires controls to prevent remote features in open-source software that could disrupt the system.
- Subsidiary Separation: Annex II, 2.1(k) requires effective legal, technical, and organisational separation between the Union parent company and any third-country subsidiary.
Cumulative Inclusion of Level 1 Criteria
A critical aspect of the CADA framework is the cumulative nature of the assurance levels. Article 20(1) explicitly states: "An audited provider undergoing an audit procedure at a higher Union assurance level shall satisfy all the applicable cumulative criteria under Annex II applicable to the lower Union assurance levels. Failure to meet any requirements of a lower assurance level shall preclude conformity with the higher Union assurance levels."
Therefore, to achieve Union assurance level 2, a provider must also meet all criteria for Union assurance level 1 (Annex II, Section 1). This includes:
- Being established in the Union.
- Ensuring infrastructure and assets are located in the Union (unless the public sector body explicitly requires otherwise).
- Ensuring customer data remains exclusively in the Union (unless explicitly required otherwise).
- Demonstrating compliance with state-of-the-art cybersecurity standards.
- Providing full transparency on subcontractors.
- Guaranteeing no third-country laws require reporting software vulnerabilities prior to exploitation (if controlled by a third country).
This cumulative requirement ensures that Level 2 is a robust enhancement of the baseline, not a replacement.
What this means for you
For cloud service providers aiming for Union assurance level 2, the path is rigorous and demands significant operational restructuring.
- Audit Preparation is Critical: You cannot self-assess. You must engage an independent auditor early. Prepare your documentation to prove compliance with Annex II criteria, particularly the SBOM, data flow diagrams, and subcontractor contracts.
- Subcontractor Due Diligence: Your sovereignty obligations extend to your supply chain. You must ensure all subcontractors involved in the service are EU-established and EU-located. Their compliance is part of your audit scope.
- Cybersecurity Certification Strategy: You must secure a 'substantial' assurance level certificate. If the EU-wide EUCS scheme is not yet operational, identify the relevant national scheme immediately. Do not rely on generic ISO certifications; they must map to the specific assurance levels defined in the Cybersecurity Act framework.
- Third-Country Firewalls: If your corporate structure involves third-country control, you must implement and document robust legal and technical firewalls. You must prove that no third-country law can compel you to access EU data or disrupt service.
- Annual Compliance: Recognition is not a one-time event. Article 20(8) requires an annual review. You must be prepared for recurring audits and immediate reporting of any material changes in circumstances under Article 23.
- Data Localisation Reality: Be prepared to host all customer data, metadata, and telemetry exclusively in the Union. Encryption does not bypass this requirement. Any exception requires explicit, written instruction from the public sector body.
Common misconceptions
- "Self-assessment is enough for Level 2." No. Article 20(1) mandates an independent third-party audit for Level 2. Self-assessment is only valid for Level 1.
- "Level 2 criteria replace Level 1." No. Article 20(1) states that higher levels are cumulative. You must meet all Level 1 criteria plus the additional Level 2 criteria.
- "Any cybersecurity certificate works." No. You specifically need a certificate of at least 'substantial' assurance under the European cybersecurity certification scheme (or national equivalent). Lower assurance levels are insufficient.
- "Data can leave the EU if encrypted." No. Annex II, 2.1(c) requires data to remain exclusively within the Union. Encryption is not an exemption; the physical location of the data must be in the EU.
- "Recognition is only valid in my home Member State." No. Under Article 17(7), if no objection is raised during the 60-day review period by other Member States, the recognition is valid throughout the Union.
- "Third-country control automatically disqualifies Level 2." Not necessarily. Annex II, 2.1(g) allows providers subject to third-country control to qualify if they can demonstrate specific legal, technical, and organisational measures that prevent third-country interference. However, for Level 3 and 4, the rules are stricter (Level 3 allows derogations via Article 18; Level 4 generally prohibits third-country control).
This is general information about a draft EU regulation, not legal advice.