Summary

To achieve recognition at CADA Union assurance level 3, a cloud computing service provider must undergo a mandatory independent third-party audit and submit a 'positive' audit opinion to the national competent authority of its establishment, as required by Article 17(4). Unlike lower tiers, Level 3 mandates that all personnel involved in service provision be Union citizens and that infrastructure, assets, and data remain exclusively within the Union. Providers subject to third-country control are generally excluded, unless the European Commission has adopted a specific implementing act under Article 18 designating that third country as providing sufficient safeguards. This tier is designed for public-sector activities contributing to the preservation of public order, requiring rigorous verification of immunity from foreign interference.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a Union cloud computing sovereignty framework comprising four assurance levels. Article 16 sets out this framework, with the specific criteria for each level detailed in Annex II. For cloud computing service providers aiming to serve public sector bodies whose activities contribute to the preservation of public order (as identified under Article 29), procurement at Level 1 is insufficient; they must procure services recognised at Level 2, 3, or 4 (Article 30(3)).

Union assurance level 3 represents a critical threshold of sovereignty. It is designed to ensure that cloud services underpinning sensitive public functions are free from third-country control, data exfiltration, and service disruption. Achieving this status is not a matter of self-declaration but a rigorous administrative and technical process involving independent verification.

The Recognition Process: Article 17 and the Audit Route

The pathway to recognition is strictly defined in Article 17. While Level 1 allows for a conformity self-assessment, Levels 2, 3, and 4 require independent third-party audits.

Article 17(4) explicitly mandates the submission requirements for candidates seeking Level 3 recognition. The provider must submit to the evaluating national competent authority of its establishment:

  1. The audit report.
  2. The 'positive' audit opinion referred to in Article 20.
  3. All evidence provided to the auditing organisation during the audit procedure.

The 'positive' audit opinion is the linchpin of this process. Under Article 20, an auditing organisation may only issue a 'positive' opinion if "all evidence shows that the provider complies with the audit criteria and obligations set out in this Regulation." If the audit reveals any non-compliance, a 'negative' opinion is issued, which precludes recognition. The audit must be performed by an organisation that is independent, possesses proven technical competence, and adheres to strict professional ethics, as detailed in Article 20(4).

Once the application is submitted, the evaluating national competent authority has 60 days to assess the evidence. If the evidence is sufficient, the authority prepares a draft recognition decision and notifies the competent authorities of all other Member States for a 60-day review period (Article 17(5)). This mechanism ensures mutual recognition across the Union. If no reasoned objection is raised within this window, the service is recognised throughout the Union at the appropriate assurance level (Article 17(7)). This cross-border validity is essential for providers serving public bodies across multiple Member States.

The Substantive Criteria: Annex II, Level 3

To secure a 'positive' audit opinion, the provider must meet the cumulative criteria set out in Annex II, Section 3 of the CADA proposal. These criteria are significantly more stringent than those for Levels 1 and 2, focusing heavily on personnel, control, and data sovereignty.

1. Establishment and Location

The audited provider and all subcontractors involved in the provision of the service must be established in the Union. Crucially, their infrastructure, assets, and personnel must be located exclusively within the Union (Annex II, 3.1(a)-(b)). This is a strict territorial requirement; no part of the service delivery chain can rely on assets or staff located outside the EU.

2. Data Localisation

Customer data, including metadata and telemetry data, must remain exclusively within the Union at all times (before, during, and after the configuration or use of the service), unless the public sector body explicitly requires otherwise (Annex II, 3.1(c)). This prohibition applies regardless of encryption status. The data must not be transferred outside the Union in any case.

3. Personnel and Union Citizenship

This is a defining feature of Level 3. Unlike Level 2, where Union citizenship for personnel is conditional (only if the public sector body requires it), Annex II, 3.1(d) mandates that all personnel, including those of subcontractors, must be Union citizens. Furthermore, where the service involves handling classified information, personnel must hold the necessary national security clearance issued by a Member State. This requirement ensures that individuals with access to sensitive public-order data are subject to EU jurisdiction and security vetting.

4. Cybersecurity Certification

The service must obtain a European cybersecurity certificate of at least the 'substantial' assurance level under the European Cybersecurity Certification Scheme for Cloud Services (EUCS), once established. Until such a scheme is available, national cybersecurity certification schemes apply (Annex II, 3.1(e)). Note that Level 4 requires a 'high' assurance level, but Level 3 is satisfied with 'substantial'.

5. AI Training Restrictions

Data generated by using the audited service cannot be used to train or fine-tune any AI system operated by a third country or a legal entity established in a third country. Such data must not be transferred outside the Union under any circumstances (Annex II, 3.1(f)).

6. Immunity from Third-Country Control

The default rule for Level 3 is absolute: the audited provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country (Annex II, 3.1(g)). This criterion addresses the risk of extraterritorial laws (such as the US CLOUD Act) compelling data access or service disruption.

The Associated Third-Country Pathway: Article 18

The prohibition on third-country control in Annex II, 3.1(g) appears to be a binary exclusion. However, Article 18 provides a specific derogation mechanism, often referred to as the "associated third-country" pathway. This is the only route for a provider subject to third-country control to achieve Union assurance level 3.

Under Article 18, the Commission may adopt implementing acts identifying specific third countries whose cloud computing service providers may be audited against the Level 3 criteria. This is permitted only if the third country fulfils strict cumulative criteria:

  • It is subject to a relevant adequacy decision adopted under Article 45 of the GDPR (Article 18(1)(a)).
  • It has no measures enabling control over the provider that would conflict with lawful access to non-personal data (Article 18(1)(b)).
  • It has no measures compelling the provider to degrade or disrupt service continuity (Article 18(1)(c)).
  • It maintains an open market to Union cloud computing services (Article 18(1)(e)).
  • It grants equivalent levels of access to public procurement procedures for Union entities (Article 18(1)(f)).

If the Commission adopts such a decision, the provider is not automatically exempt. They must still demonstrate that necessary legal, technical, and organisational measures are in place to ensure that the third country's control does not:

  • Restrain the provider's ability to perform the service.
  • Allow access to customer data.
  • Disrupt service continuity or degrade quality.
  • Oblige the provider to comply with restrictive measures (sanctions, embargoes) unless legitimate under EU law (Annex II, 3.1(g), points i-iv).

This pathway is narrow and requires active Commission intervention. Providers must monitor the Commission's list of designated third countries; without such a designation, any provider subject to third-country control is ineligible for Level 3.

What this means for you

As a cloud service provider aiming for Union assurance level 3, your compliance strategy must address both the procedural audit route and the substantive operational constraints.

1. Initiate the Independent Audit Early

You cannot self-certify for Level 3. You must engage an independent auditing organisation that meets the criteria of Article 20(4). This auditor will require exhaustive evidence, including software bills of materials (SBOMs), data flow diagrams, and proof of personnel citizenship. Start documenting your supply chain and personnel records immediately, as the audit criteria in Annex III are exhaustive and specific.

2. Assess Third-Country Control Status

If your provider is owned or controlled by a non-EU entity, you are likely ineligible for Level 3 unless your parent country is designated under Article 18. If your country is not on the Commission's list, you must either restructure to remove third-country control or limit your offering to Level 1 or 2. Do not assume that a GDPR adequacy decision alone is sufficient; the specific Article 18 implementing act is required.

3. Restructure Personnel and Operations

Ensure that all staff interacting with the service infrastructure are Union citizens. For services handling classified data, verify that these individuals hold the requisite national security clearances. Additionally, confirm that all technical support and operational assistance are initiated and performed exclusively within the Union, by Union residents, and by third parties not subject to third-country control (Annex II, 3.1(h)).

4. Manage Subcontractor Risk

Your subcontractors are held to the same standard. You must ensure they are established in the Union, their staff are Union citizens, and they are not subject to third-country control. Conduct rigorous due diligence on your supply chain, as any non-compliant subcontractor will cause the entire audit to fail.

Common misconceptions

Misconception 1: "We can self-certify for Level 3 if we meet the technical criteria." Incorrect. Self-assessment is only permitted for Union assurance level 1 (Article 19). Levels 2, 3, and 4 require mandatory independent third-party audits resulting in a 'positive' audit opinion (Article 20).

Misconception 2: "Being incorporated in the EU is enough for Level 3." Incorrect. While establishment in the Union is required, Annex II, 3.1(g) explicitly prohibits providers subject to the control of a third country. Ownership structure and control mechanisms are scrutinised heavily. A provider incorporated in Germany but controlled by a US holding company is generally excluded from Level 3 unless the US is designated under Article 18 and specific safeguards are proven.

Misconception 3: "Level 3 is just a higher version of Level 2." While cumulative, the jump in personnel requirements is significant. Level 2 allows for personnel screening if the public sector body determines it necessary (Annex II, 2.1(d)). Level 3 mandates Union citizenship for all personnel involved in service provision as a baseline requirement, regardless of the specific data sensitivity, unless derogated by specific national security clearance requirements (Annex II, 3.1(d)).

Misconception 4: "We can store data outside the EU if it is encrypted." Incorrect. Annex II, 3.1(c) requires customer data to remain exclusively within the Union. Encryption does not exempt a provider from data localisation requirements. The data must not leave the Union territory, regardless of its format.

Misconception 5: "The Article 18 derogation applies automatically to all adequacy countries." Incorrect. An adequacy decision under the GDPR is a precondition for Article 18, but it is not sufficient on its own. The Commission must adopt a specific implementing act under Article 18 identifying the third country as providing sufficient safeguards against control and disruption. Without this specific act, the default exclusion in Annex II, 3.1(g) applies.

This is general information about a draft EU regulation, not legal advice.