Summary
Under the proposed Cloud and AI Development Act (CADA), cloud service providers cannot outsource their sovereignty obligations. To qualify for any Union assurance level, providers must rigorously manage their supply chain. For Union assurance level 1, Annex II, Section 1, points (d) and (f) mandate that providers implement legal, technical, and organizational measures to ensure outsourced support does not compromise operational autonomy, while maintaining full transparency through due diligence, contractual obligations, and ongoing oversight. For Levels 2, 3, and 4, these requirements intensify: subcontractors must be established in the Union, their personnel must be Union citizens (conditional at Level 2, mandatory at Levels 3 and 4), and all technical support must be performed exclusively within the EU. Article 17 governs the recognition process, requiring providers to submit evidence of these controls to national competent authorities, with Levels 2 to 4 subject to independent third-party audits.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a sovereignty framework that treats the cloud service provider and its immediate supply chain as a single unit of compliance. The regulation explicitly rejects the notion that outsourcing technical support or operational tasks absolves a provider of sovereignty risks. Instead, it imposes a "chain of custody" obligation where the primary provider remains ultimately responsible for the actions, location, and control of every subcontractor involved in the delivery of the service.
The specific obligations vary significantly by assurance level, ranging from self-assessed transparency at Level 1 to rigorous, audited citizenship and location requirements at Levels 3 and 4.
The Foundation: Union Assurance Level 1 Requirements
For providers seeking Union assurance level 1, the criteria are set out in Annex II, Section 1. While this level relies on a conformity self-assessment rather than an independent audit, the criteria are cumulative and mandatory. Two specific provisions in Annex II, Section 1, points (d) and (f) form the bedrock of subcontractor management at this level:
1. Preserving Operational Autonomy (Point d)
Annex II, Section 1, point (d) addresses the risk of external influence when support is outsourced. It states that where a cloud computing service provider outsources technical and operational support or assistance (including any subsequent sub-outsourcing arrangements) to third-party service providers outside the Union, the provider must implement the necessary legal, technical and organisational measures.
These measures must ensure:
- Traceability: The ability to track the flow of support and data.
- Security: Protection of the service against unauthorized access or tampering.
- Governance: Clear lines of authority and control.
Crucially, the provision mandates that these operations "do not, in any way, compromise the operational autonomy of the cloud computing service provider." As proposed, this means the provider must retain the ability to control the service's availability, integrity, and confidentiality, regardless of where the support staff is located. The provider must be able to prevent any external entity from exerting influence that could disrupt service continuity, access data, or alter the service's behavior.
2. Transparency, Due Diligence, and Oversight (Point f)
Annex II, Section 1, point (f) imposes a strict transparency regime. It requires the provider to "provide full transparency around the use of subcontractors." This is not a passive disclosure but an active governance requirement. The provider must:
- Subject subcontractors to due diligence.
- Impose contractual obligations.
- Maintain ongoing oversight.
The objective is to ensure that subcontractors meet Union legal obligations. The provider must document how these controls are implemented and be prepared to demonstrate them to a competent authority if challenged.
Definition of Subcontractor at Level 1
It is vital to note the scope defined in Annex II, Section 1, point 1.2. For Level 1, "subcontractors" are defined strictly as "third parties that have a direct contractual relationship with the cloud computing service provider and that contribute to the provision and the delivery of the cloud computing service." This focuses the regulatory burden on the immediate supply chain, excluding distant, indirect suppliers who do not have a direct link to the primary provider.
Escalation: Requirements for Levels 2, 3, and 4
As providers seek higher assurance levels, the requirements for subcontractors become significantly more stringent, shifting from "measures to prevent compromise" to absolute prohibitions on non-EU presence and control. These levels are subject to independent third-party audits under Article 20, and the evidence must be submitted to the national competent authority under Article 17.
1. Establishment and Location (Levels 2, 3, and 4)
For Union assurance levels 2, 3, and 4, the criteria in Annex II, Sections 2, 3, and 4 impose a strict geographical constraint. Subcontractors involved in the provision of the audited service must be established in the Union. Furthermore, their infrastructure, assets, and personnel must be located in the Union. This creates a "chain of custody" where the provider must verify that every subcontractor in the direct chain meets these geographical criteria. Unlike Level 1, there is no allowance for outsourced support outside the Union.
2. Personnel Citizenship (Levels 2, 3, and 4)
The requirement for Union citizenship evolves across these levels:
- Level 2: Annex II, Section 2, point (d) states that if the public sector body determines that imposing additional personnel screening and Union citizenship requirements is necessary, the audited provider "should ensure that personnel meeting those requirements are available." This is a conditional requirement, triggered by the specific needs of the public sector body.
- Level 3: Annex II, Section 3, point (d) makes the requirement mandatory. It states that "the personnel, including the personnel of the subcontractors which are involved in the provision of the audited service are Union citizens." Additionally, where appropriate, personnel must have the necessary national security clearance when handling classified information.
- Level 4: Annex II, Section 4, point (d) reinforces the Level 3 requirement, mandating that personnel are Union citizens and, where appropriate, possess national security clearance.
3. Technical and Operational Support (Levels 2, 3, and 4)
For these levels, point (h) of Annex II, Sections 2, 3, and 4 (or the equivalent point in each section) mandates that technical and operational support, including subsequent sub-outsourcing arrangements, must be initiated and performed exclusively within the Union. This eliminates the possibility of remote support from outside the EU, a possibility that remains (with safeguards) at Level 1.
The Role of Due Diligence, Contractual Obligations, and Ongoing Oversight
The CADA proposal emphasizes that compliance is a continuous process, not a one-time event. Article 17 outlines the recognition process, where providers submit evidence to the national competent authority. For Level 1, this includes an EU statement of conformity. For Levels 2 to 4, it requires a positive audit opinion from an independent auditing organization.
To satisfy these requirements, providers must demonstrate a robust governance framework:
- Due Diligence: Before engaging a subcontractor, the provider must conduct thorough due diligence. This includes verifying the subcontractor's legal status, location, ownership structure (to ensure no third-country control), and technical capabilities. For higher levels, this extends to verifying the citizenship of key personnel and the location of their infrastructure.
- Contractual Obligations: The provider must impose strict contractual obligations on subcontractors. These contracts should explicitly require compliance with CADA criteria, including data localization, security standards, and reporting requirements. They should also include audit rights, allowing the primary provider (and by extension, the independent auditor) to inspect the subcontractor's compliance.
- Ongoing Oversight: Compliance must be monitored continuously. The provider must have mechanisms in place to track subcontractor performance, detect changes in their ownership or location, and respond to incidents. This oversight ensures that the subcontractor remains compliant throughout the contract term. If a subcontractor fails to meet the criteria, the provider must take corrective action, which may include terminating the contract or replacing the subcontractor.
Transparency and Operational Autonomy in Practice
Transparency is a recurring theme in the CADA sovereignty framework. Providers must be able to map their entire supply chain and disclose this information to competent authorities and auditors. This transparency allows regulators to assess the risk of third-country influence or operational disruption.
Operational autonomy is equally critical. The CADA proposal seeks to ensure that EU public sector bodies and critical entities are not held hostage by foreign providers or subcontractors. By requiring legal, technical, and organizational measures to prevent the compromise of operational autonomy (especially for outsourced support outside the Union at Level 1), the regulation ensures that the primary provider retains control over the service's availability, integrity, and confidentiality. This means that even if a subcontractor is involved, the provider must have the technical ability to override, isolate, or replace that subcontractor's contributions without disrupting the service or losing access to data.
What this means for you
For cloud service providers and data centre operators aiming to serve the EU public sector or critical private entities, managing subcontractors is no longer just a commercial issue; it is a compliance imperative.
- Map Your Supply Chain: You must identify all subcontractors with direct contractual relationships that contribute to service delivery. Document their location, ownership, and personnel details. For Levels 2 to 4, verify that they are established in the Union.
- Update Contracts: Review and revise subcontractor agreements to include CADA-specific clauses. These should cover data localization, security standards, audit rights, and requirements for maintaining operational autonomy. Ensure that subcontractors are contractually obligated to notify you of any material changes that could affect compliance.
- Implement Governance Processes: Establish formal due diligence procedures for onboarding new subcontractors and ongoing monitoring processes for existing ones. This includes regular audits or assessments of subcontractor compliance.
- Prepare for Audits: If you are targeting Levels 2 to 4, prepare for independent audits that will scrutinize your subcontractor management. Ensure you have documented evidence of due diligence, contractual obligations, and oversight activities. This includes records of personnel citizenship checks, infrastructure location verification, and security assessments.
- Maintain Operational Control: Ensure that your technical architecture allows you to maintain operational autonomy, even when using subcontractors. This may involve implementing technical controls to isolate subcontractor access, ensuring data remains under your control, and having contingency plans to replace subcontractors if necessary.
Failure to properly manage subcontractors can result in non-recognition of your assurance level, loss of public sector contracts, and potential penalties. The CADA proposal places the ultimate responsibility on the cloud service provider, so robust subcontractor governance is essential for market access in the EU.
Common misconceptions
- "I only need to worry about my direct employees." Incorrect. CADA explicitly extends requirements to subcontractors with direct contractual relationships. Their compliance is part of your compliance.
- "Transparency means just listing subcontractors in a brochure." Incorrect. Transparency under CADA requires providing detailed information to competent authorities and auditors, including evidence of due diligence, contractual safeguards, and ongoing oversight. It is a verifiable compliance requirement, not a marketing exercise.
- "Operational autonomy is only about data location." Incorrect. Operational autonomy also covers the ability to control service continuity, prevent disruption, and maintain decision-making power. Even if data is in the EU, if a foreign subcontractor can disrupt the service or influence its operation, you may fail the autonomy criterion.
- "Level 1 is less strict because it's self-assessed." Incorrect. While Level 1 does not require an independent audit, the criteria in Annex II are still mandatory. You must be able to demonstrate compliance with points (d) and (f) if challenged by a competent authority. The burden of proof remains on the provider.
- "Union citizenship is mandatory for all levels." Incorrect. At Level 2, Union citizenship for personnel is conditional (only if the public body requires it). It becomes mandatory only at Levels 3 and 4.
This is general information about a draft EU regulation, not legal advice.