Summary To achieve recognition at CADA Union assurance level 4, a cloud computing service provider must undergo a rigorous independent third-party audit and submit the resulting 'positive' audit opinion and report to the national competent authority of the Member State of its main establishment under Article 17(4). The service must satisfy the strictest cumulative criteria in Annex II, including localisation of sensitive customer data within the Union at all times, mandatory Union citizenship for all personnel involved in providing the service, a complete prohibition on third-country control, and a 'high' cybersecurity certification. This tier is specifically designed for highly critical sovereign use cases where the preservation of public order is paramount.

Detail

Under the proposed Cloud and AI Development Act (CADA), Union assurance level 4 represents the apex of the EU's cloud sovereignty framework. It is not merely a higher security tier but a distinct legal status designed to safeguard the Union's public order in the most sensitive domains. As proposed in COM(2026) 502 final, this level targets activities in national security, internal security, external border management, defence, justice, and law enforcement, where any compromise of operational autonomy or data confidentiality could undermine the Union's strategic interests.

Level 4 recognition positions a cloud provider to serve the most sensitive of these critical public sector functions, since it is the only tier with no derogation for third-country control. The path to recognition is a multi-stage legal process involving independent verification, national authority evaluation, and EU-wide mutual recognition, governed strictly by Article 17, Article 20, and Annex II.

1. The Mandatory Audit: Article 20

Unlike Union assurance level 1, which permits a conformity self-assessment, level 4 mandates formal, independent third-party verification. Article 20 establishes the framework for these audits, which are a non-negotiable condition for recognition.

Article 20(1) explicitly states that cloud computing service providers seeking recognition at level 4 "shall undergo at their own expense, independent third-party audits to obtain an audit report and an audit opinion from an auditing organisation." Crucially, this article introduces the principle of cumulative compliance: "An audited provider undergoing an audit procedure at a higher Union assurance level shall satisfy all the applicable cumulative criteria under Annex II applicable to the lower Union assurance levels." This means a provider seeking level 4 must demonstrably meet the criteria for levels 1, 2, and 3 in addition to the specific level 4 requirements. Failure to meet any requirement of a lower tier precludes conformity with level 4.

The independence of the auditor is strictly regulated. Article 20(4) outlines core independence requirements to prevent conflicts of interest:

  • The auditing organisation must not have provided non-audit services related to the audited matters to the provider or connected legal persons in the 12-month period before or after the audit.
  • It must not have provided auditing services to the same provider in the 10-year period preceding the audit.
  • Fees must not be contingent on the result of the audit.

The output of this process is critical. Under Article 20(5), the auditing organisation must prepare a substantiated audit report including a 'positive' or 'negative' audit opinion. A 'positive' opinion is issued only where "all evidence shows that the provider complies with the audit criteria and obligations set out by this Regulation." If the opinion is 'negative', the report must include operational recommendations and a timeframe for compliance. Furthermore, Article 20(8) mandates that the audit report and opinion be submitted for annual review to ensure continued compliance, meaning level 4 recognition is not a one-time achievement but a continuous obligation.

2. The Strictest Cumulative Criteria: Annex II, Level 4

The substantive requirements for level 4 are detailed in Annex II, Section 4 of the CADA proposal. These criteria are cumulative; every single condition must be met without exception. The level 4 criteria are the most restrictive in the framework, targeting full operational autonomy and immunity from third-country influence.

Key criteria include:

  • Establishment and Location: The provider and all subcontractors involved in service provision must be established in the Union. All infrastructure, assets, and personnel must be physically located in the Union (Annex II, 4.1(a)-(b)).
  • Data Localisation: Customer data identified as sensitive following a risk assessment must remain exclusively within the Union at all times, including during configuration, use, and after service termination. No transfer outside the Union is permitted (Annex II, 4.1(c)).
  • Personnel Citizenship: All personnel, including subcontractor staff, involved in providing the service must be Union citizens. Where appropriate, they must also hold necessary national security clearances issued by a Member State when handling classified information (Annex II, 4.1(d)). This is a mandatory requirement for level 4, unlike level 2 where it is conditional.
  • Cybersecurity Certification: The service must obtain a European cybersecurity certificate of at least 'high' assurance level under the European Cybersecurity Certification Scheme for Cloud Services (EUCS), once established. Until then, national schemes apply (Annex II, 4.1(e)). Note that while levels 2 and 3 require 'substantial' assurance, level 4 requires 'high'.
  • AI Training Prohibition: Data generated by using the service cannot be used to train or fine-tune any AI system operated by a third country or a legal entity established in a third country. Such data cannot be transferred outside the Union under any circumstances (Annex II, 4.1(f)).
  • No Third-Country Control: The provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country. This is a strict prohibition with no derogation for associated third countries (unlike level 3) (Annex II, 4.1(g)).
  • Support and Maintenance: All technical and operational support, including sub-outsourcing, must be initiated and performed exclusively within the Union by Union resident personnel and third parties not subject to third-country control (Annex II, 4.1(h)).
  • Software Supply Chain: Providers must demonstrate effective control over software components, ensuring no third country holds effective control over design, development, or maintenance. This includes preventing material influence on technical evolution or security remediation by foreign entities (Annex II, 4.1(i)).
  • Global Subsidiaries: If the provider maintains a subsidiary in a third country, it must demonstrate effective legal, technical, and organisational separation, ensuring the subsidiary has no access to Union customer data or privileged accounts (Annex II, 4.1(k)).

3. The Recognition Procedure: Article 17

Once a 'positive' audit opinion is obtained, the provider must apply for formal recognition. Article 17 sets out the mechanism for this process, ensuring a harmonised approach across the Union.

Under Article 17(4), a candidate provider seeking level 4 recognition must submit to the evaluating national competent authority:

  1. The audit report;
  2. The 'positive' audit opinion referred to in Article 20; and
  3. All evidence provided to the auditing organisation during the audit procedure.

The evaluating national competent authority is the authority of the Member State where the provider has its main establishment. Upon receipt, this authority has 60 days to assess the evidence. If sufficient, it prepares a draft recognition decision and notifies the competent authorities of all other Member States for a 60-day review period (Article 17(5)).

During this review, other Member States may submit reasoned objections if they believe the draft decision does not comply with Annex II criteria. If no objections are raised, the service is recognised throughout the Union at level 4. If objections are raised, the evaluating authority must assess them and may maintain or revoke its draft decision. If maintained, the objecting authority may refer the matter to the Commission, which will adopt a binding decision (Article 17(10)).

Once recognised, the service is registered in the central repository maintained by the Commission under Article 22, making it visible to all public sector contracting authorities across the EU.

What this means for you

For cloud service providers and data centre operators, targeting Union assurance level 4 requires a fundamental restructuring of your operational and legal footprint. It is not merely a compliance exercise but a business model transformation.

  • Structural Separation: If you are a global provider with subsidiaries in third countries, you must implement effective legal, technical, and organisational separation between your Union parent company and any third-country subsidiaries (Annex II, 4.1(k)). The third-country subsidiary must have no access to systems processing customer data and no privileged accounts in Union production environments.
  • Personnel Vetting: You must verify the citizenship of all personnel involved in providing the service, including subcontractor staff, to ensure they are Union citizens (Annex II, 4.1(d)). For roles involving classified information, you must coordinate with Member States to obtain the necessary security clearances. This is a mandatory requirement for level 4, not an optional add-on.
  • Supply Chain Scrutiny: You must map your entire software supply chain and prove that no third country holds effective control over the design, development, or maintenance of your software components, or can materially influence their technical evolution or security remediation (Annex II, 4.1(i)). In practice this means subjecting third-country software components to source code review and keeping documented migration plans for vendor failure or third-country restrictions, so that you can evidence control rather than merely assert it.
  • Audit Readiness: Prepare for intrusive, annual audits. Auditors will request evidence of physical location (lease contracts, utility bills), personnel location (payroll records, timesheets), and data flows (network diagrams, access logs). You must maintain this evidence continuously, not just at audit time.
  • Strategic Positioning: Level 4 is the gateway to the most critical public sector contracts. As Article 30(3) mandates, contracting authorities whose activities contribute to the preservation of public order must only procure services recognised at level 2, 3, or 4. Of these, level 4 is the only tier with no derogation for third-country control (Annex II, 4.1(g)), which makes it the natural target for providers seeking defence and intelligence workloads.

Common misconceptions

"Level 4 is just a higher security standard." Incorrect. Level 4 is primarily a sovereignty and autonomy standard. While it requires high cybersecurity certification, its core focus is preventing third-country access, control, or disruption. A provider can have excellent cybersecurity but fail level 4 if it is controlled by a third-country entity.

"We can outsource support to our global NOC." Incorrect. Annex II, 4.1(h) requires that all technical and operational support be performed exclusively within the Union by Union residents. Global support centres in third countries are prohibited for level 4 services.

"We can use third-country AI models if the data stays in the EU." Incorrect. Annex II, 4.1(f) prohibits using data generated by the service to train or fine-tune any AI system operated by a third country. This prevents indirect data leakage via model updates or feedback loops.

"Recognition is automatic after a positive audit." Incorrect. The audit is a prerequisite, but formal recognition requires the national competent authority's evaluation and the absence of objections from other Member States under Article 17. The process can take several months.

"Level 4 allows for third-country control if safeguards are in place." Incorrect. Unlike level 3, which allows for a derogation if the Commission adopts an implementing act under Article 18 (formerly mis-referenced as Article 19 in some drafts), level 4 strictly prohibits third-country control. Annex II, 4.1(g) states the provider must not be subject to such control, with no exception for associated third countries.

This is general information about a draft EU regulation, not legal advice.