Summary

Under the proposed Cloud and AI Development Act (CADA), cloud service providers seeking Union assurance levels 2, 3, or 4 must navigate a tiered personnel framework. Crucially, for Level 2, the requirement for Union citizens is conditional: providers must be able to supply screened or EU-citizen personnel only if the public sector buyer explicitly requires it. For Levels 3 and 4, Union citizenship becomes a mandatory baseline for all personnel involved in the service, regardless of specific buyer requests. This distinction makes Level 2 a "buyer-driven" obligation, while Levels 3 and 4 impose a strict "provider-driven" standard.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a Union cloud computing sovereignty framework designed to mitigate risks associated with third-country control and ensure operational autonomy. A central pillar of this framework is the personnel criterion, which ensures that the individuals managing, operating, and supporting the cloud infrastructure are subject to Union jurisdiction and, where necessary, security vetting.

However, the proposal does not apply a single, rigid rule across all assurance levels. Instead, it creates a graduated approach that balances market flexibility with the need for high-security public services. Understanding the distinction between the conditional requirement at Level 2 and the mandatory requirement at Levels 3 and 4 is essential for compliance.

The Buyer-Driven Nature of Level 2 Personnel Requirements

For cloud computing service providers aiming for Union assurance level 2, the personnel requirement is not an absolute mandate to hire only EU citizens. Instead, it is a capability requirement triggered by the customer.

According to Annex II, Section 2.1(d) of the proposal, the criterion states:

"if the public sector body determines that imposing additional personnel screening and Union citizenship requirements are necessary, the audited provider should ensure that personnel meeting those requirements are available;"

This phrasing establishes a conditional obligation. The provider is not required to restructure their entire global workforce or restrict general operations to EU citizens for all clients. Rather, the provider must demonstrate to the auditing organization that they possess the operational capacity to deploy personnel who are Union citizens (and who may be subject to additional screening) to the specific service instance if the public sector body (the contracting authority) deems it necessary for their security posture.

In practice, this means a Level 2 provider can employ non-EU citizens for general support or for services sold to private sector clients. However, when a public sector body procures a Level 2 service and includes a specific requirement for Union citizenship in their risk assessment or tender, the provider must be able to fulfill that request immediately. The burden is on the provider to prove they have a "pool" of eligible personnel ready for deployment.

Mandatory Union Citizenship at Levels 3 and 4

The framework becomes significantly more prescriptive at higher assurance levels, reflecting the sensitivity of the data and the critical nature of the public order functions involved.

For Union assurance level 3, Annex II, Section 3.1(d) removes the conditional "if" and establishes a baseline requirement:

"the personnel, including the personnel of the subcontractors which are involved in the provision of the audited service are Union citizens and where appropriate, the personnel must also have the necessary national security clearance issued by a Member State when handling classified information..."

Similarly, for Union assurance level 4, Annex II, Section 4.1(d) reiterates this strict standard:

"the personnel, including the personnel of the subcontractors, which are involved in the provision of the audited service are Union citizens and, where appropriate, the personnel must also have the necessary national security clearance issued by a Member State when handling classified information;"

At these levels, the requirement for Union citizenship is mandatory for all personnel involved in the provision of the audited service. This includes not only the primary provider's staff but also the staff of any subcontractors involved in the service chain. The phrase "where appropriate" regarding national security clearances acknowledges that not all Level 3 or 4 services involve classified information; however, the citizenship requirement itself is absolute. If a provider cannot guarantee that every individual with access to the service is a Union citizen, they cannot be recognized at Level 3 or 4.

Audit Evidence and Verification Procedures

To prove compliance with these personnel criteria, providers must undergo independent third-party audits for Levels 2, 3, and 4. The specific evidence required is detailed in Annex III of the proposal.

Annex III, Section 4 outlines "Audit criterion D – Union citizenship." It requires the audited provider to provide the auditing organization with proof that they have implemented measures to ensure Union citizenship. The evidence must be robust and verifiable:

  • Identity Verification: Valid official government-issued documents (e.g., passports, national identity cards) for all relevant personnel.
  • Organizational Structure: Organizational charts and job descriptions confirming that personnel with Union citizenship have access to the service's operation, management, maintenance, and support.
  • Access Control: Policies and audit trails demonstrating that only authorized personnel who are Union citizens can access the service's systems and data.
  • Procedural Documentation: Procedures describing how citizenship is verified before assignment and how compliance is maintained throughout the employment lifecycle.

For Levels 3 and 4, the audit will verify that the entire chain of personnel, from the primary provider to every subcontractor, meets this criterion. The auditor will specifically check for "logical or physical access to infrastructure and assets" and "management control" of the cloud service provider. If a single subcontractor employee with access is not a Union citizen, the service fails the Level 3 or 4 criteria.

The Role of Subcontractors

It is critical to note that these personnel requirements extend fully to subcontractors. Annex II explicitly states that criteria apply to "subcontractors which are involved in the provision of the audited service."

Therefore, a primary cloud provider cannot outsource critical operational tasks to a third party that fails to meet the citizenship or screening requirements applicable to that assurance level. The primary provider remains accountable for ensuring their subcontractors' personnel also satisfy these conditions. For Level 2, this means the subcontractor must be able to provide EU citizens if the buyer requires it. For Levels 3 and 4, the subcontractor must employ only Union citizens for the relevant roles.

What this means for you

If you are a cloud service provider aiming for Union assurance levels 2, 3, or 4, you must adjust your human resources, operational protocols, and subcontractor management strategies to accommodate these sovereignty requirements.

1. Develop a Tiered Workforce Strategy

  • For Level 2: You do not need to segregate your entire workforce. However, you must maintain a dedicated, verifiable pool of vetted, EU-citizen personnel who can be deployed to specific customer environments upon request. Your HR systems must be able to quickly identify and assign these individuals to specific projects or data centers.
  • For Levels 3 & 4: You must restructure your operational teams to ensure that every individual with access to the service is a Union citizen. This may require hiring locally in the EU or restructuring global teams to isolate EU-based operations for these specific service tiers.

2. Implement Robust Verification Processes

Establish a secure, compliant process for verifying the citizenship and, where necessary, the security clearance status of your employees and subcontractors. This verification must be documented and available for audit. Ensure that you have access control policies that technically enforce these restrictions (e.g., Identity and Access Management (IAM) policies that restrict administrative access to verified EU-citizen accounts).
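To make the tiered rule concrete, here is an added example (not part of the proposal, and not any provider's code) of a policy check that an IAM layer could consult before assigning a person to an audited service. The Person and Service fields, the treatment of buyer-triggered screening as a hard requirement alongside citizenship at Level 2, and the sample records are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    name: str
    union_citizen: bool
    screened: bool = False        # additional personnel screening completed (assumed attribute)
    clearance: bool = False       # national security clearance issued by a Member State
    subcontractor: bool = False   # subcontractor staff are in scope and face the same rules


@dataclass(frozen=True)
class Service:
    assurance_level: int                      # Union assurance level 1 to 4
    buyer_requires_citizenship: bool = False  # Level 2 trigger set by the public sector body
    handles_classified: bool = False          # drives the "where appropriate" clearance rule


def requirements(svc):
    """Map a service to (citizenship_required, screening_required, clearance_required)."""
    if svc.assurance_level not in (1, 2, 3, 4):
        raise ValueError(f"unknown assurance level {svc.assurance_level}")
    if svc.assurance_level == 1:
        return (False, False, False)
    if svc.assurance_level == 2:
        # Buyer-driven: citizenship and screening apply only when the buyer asks for them
        triggered = svc.buyer_requires_citizenship
        return (triggered, triggered, False)
    # Levels 3 and 4: citizenship is the baseline; clearance only when classified data is handled
    return (True, False, svc.handles_classified)


def check_person(person, svc):
    """Return None if the person may be assigned to the service, else the reason for refusal."""
    cit, scr, clr = requirements(svc)
    role = "subcontractor" if person.subcontractor else "provider"
    if cit and not person.union_citizen:
        return f"{person.name} ({role}): Union citizenship required at level {svc.assurance_level}"
    if scr and not person.screened:
        return f"{person.name} ({role}): buyer-required screening not completed"
    if clr and not person.clearance:
        return f"{person.name} ({role}): national security clearance required for classified data"
    return None


def service_failures(staff, svc):
    """Audit the whole chain: a single failing individual fails the service."""
    return [r for r in (check_person(p, svc) for p in staff) if r is not None]
```

Feeding the output of `service_failures` into the access control policy, rather than only into an HR spreadsheet, is what turns the citizenship check into the technically enforced restriction the audit expects.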

3. Manage Subcontractor Compliance

If you use subcontractors for operations, maintenance, or support, your contracts must explicitly require them to meet the same personnel criteria. You are responsible for auditing their compliance. For Levels 3 and 4, this means your subcontractors must also employ only Union citizens for the relevant roles. You cannot rely on a subcontractor's general compliance; you must verify their specific personnel for the audited service.

4. Prepare for Audit

Gather the evidence specified in Annex III, Section 4. This includes organizational charts, access logs, and verification procedures. Be prepared to demonstrate to auditors that you can effectively isolate EU-citizen personnel for high-assurance services if required by the customer (Level 2) or that all involved personnel are EU citizens (Levels 3 and 4).

5. Clarify Requirements with Buyers

Engage with public sector clients early to understand their specific risk assessments. Under Article 29, public sector bodies must conduct risk assessments to determine the appropriate assurance level. If they require Level 2, clarify whether they will trigger the additional personnel screening clause. This allows you to plan resource allocation effectively and avoid last-minute compliance failures.

Common misconceptions

"All cloud staff must be EU citizens to get any assurance level." Incorrect. Union assurance level 1 has no citizenship requirement. For level 2, EU citizenship is only required if the public sector buyer explicitly demands it. Only at levels 3 and 4 does EU citizenship become a mandatory baseline for all personnel involved in the service.

"I can use non-EU staff for technical support if they are remote." Incorrect for levels 3 and 4, and potentially for level 2 if the buyer requires screening. The criteria specify that personnel "involved in the provision of the audited service" must be Union citizens (for levels 3/4) or meet the buyer's requirements (for level 2). This includes technical and operational support. For level 2, if the buyer requires EU citizenship, remote support from non-EU staff would violate the criteria.

"Citizenship verification is a one-time HR task." Incorrect. The audit criteria require ongoing verification. You must have procedures in place to ensure compliance is maintained throughout employment, including handling cases where citizenship status might change or where new hires are onboarded. Access controls must be updated in real-time to reflect verified status.

"Subcontractors are responsible for their own personnel compliance." Incorrect. The cloud computing service provider is ultimately responsible for the entire service chain. Annex II explicitly includes subcontractor personnel in the criteria. You must audit and enforce these requirements on your subcontractors.

This is general information about a draft EU regulation, not legal advice.