Summary

As proposed in the Cloud and AI Development Act (CADA), meeting Union Assurance Level 1 requires a cloud computing service provider to be established in the EU and to keep infrastructure, assets, and customer data exclusively within the Union, unless a public sector body explicitly requires otherwise. Providers must demonstrate compliance through a conformity self-assessment and issue an EU statement of conformity under Article 19. Crucially, Article 17(3) establishes that for Small and Medium-sized Enterprises (SMEs), this statement is automatically recognised across the EU without prior national authority review, whereas non-SMEs must undergo a 60-day review period. This baseline assurance level is mandatory for all public sector procurement under the proposal.

Detail

Under the proposed Cloud and AI Development Act (CADA), the Union cloud computing sovereignty framework establishes four assurance levels to mitigate risks associated with dependence on third-country providers. Union Assurance Level 1 serves as the minimum baseline for all public sector procurement of cloud computing services. To qualify, providers must meet specific cumulative criteria regarding establishment, infrastructure location, and data localisation, as set out in Annex II of the regulation.

The Core Criteria for Union Assurance Level 1

According to Annex II, Section 1, a cloud computing service provider must meet the following cumulative criteria to be recognised at Level 1:

  1. EU Establishment: The cloud computing service provider must be established in the Union.
  2. Infrastructure and Assets Location: The infrastructure and assets of the provider, including those of its subcontractors involved in the provision of the service, must be located in the Union.
  3. Data Localisation: Customer data, including metadata and telemetry data, processed, stored, and transferred by the provider and its subcontractors, must remain exclusively within the Union.
  4. Subcontracting Safeguards: If technical and operational support is outsourced to third-party service providers outside the Union, the provider must implement legal, technical, and organisational measures to ensure traceability, security, and governance. Crucially, these operations must not compromise the operational autonomy of the cloud computing service provider.
  5. Cybersecurity Standards: The provider must demonstrate that the service complies with state-of-the-art cybersecurity standards.
  6. Transparency and Due Diligence: The provider must provide full transparency around the use of subcontractors and subject them to due diligence, contractual obligations, and ongoing oversight to meet Union legal obligations.
  7. Vulnerability Reporting: If the provider is subject to the control of a third country or a legal entity established in a third country, it must guarantee that no laws or practices in that third country require it to report software vulnerabilities to third-country authorities before those vulnerabilities are known to have been exploited.

The Public Sector Body Opt-Out Mechanism

A critical nuance in the CADA proposal is the flexibility afforded to the customer regarding data and infrastructure location. The criteria for infrastructure location (Annex II, 1.1(b)) and data localisation (Annex II, 1.1(c)) include the specific phrase: "unless the public sector body explicitly requires otherwise."

This means that while the default requirement for Level 1 is strict EU localisation for infrastructure and data, a public sector body can waive this requirement if it explicitly requires data or infrastructure to be located outside the Union. The legal trigger is an active requirement by the public sector body, not merely a passive permission. This opt-out mechanism allows for specific use cases where cross-border data flows are operationally necessary.

However, the provider must still be established in the Union; the opt-out does not apply to the establishment criterion. Furthermore, this flexibility is specific to Level 1. For higher assurance levels (2, 3, and 4), the criteria regarding infrastructure and data become stricter, often removing the "unless" clause for infrastructure or imposing additional personnel and control requirements.

Demonstrating Compliance: The Article 19 Self-Assessment and Article 17 Recognition

Unlike Levels 2, 3, and 4, which require independent third-party audits, Union Assurance Level 1 relies on a conformity self-assessment. The process involves two distinct articles:

  • The Self-Assessment (Article 19): Article 19 outlines the obligation for providers to carry out a conformity self-assessment of compliance with the criteria set out in Annex II. Following this assessment, the provider issues an "EU statement of conformity." By issuing this statement, the provider assumes full responsibility for the compliance of its cloud computing service with the Level 1 criteria. The provider must make this statement publicly available.
  • The Recognition Procedure (Article 17): While Article 19 defines the content of the compliance proof, Article 17(3) defines the procedural mechanism for recognition.
    • For Non-SMEs: The provider must submit the EU statement of conformity to the national competent authority of establishment. The authority then assesses the evidence and notifies other Member States. Crucially, other Member States have a 60-day review period to raise reasoned objections before the recognition is deemed accepted across the Union.
    • For SMEs: Article 17(3) provides a derogation: the EU statement of conformity issued by SMEs shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority. This significantly reduces the administrative burden for smaller providers.

Key Definitions for Implementation

To accurately apply these criteria, providers must understand how CADA defines key terms. While CADA does not have a standalone definition of "customer data" in Article 2, the operative definition for compliance and audits is found in the notes of Annex III:

  • Cloud Computing Service: Defined in Article 2(1), referencing Article 6(30) of the NIS2 Directive. It encompasses on-demand access to AI systems hosted remotely.
  • Customer Data: For the purpose of the criteria and audits, this includes any data under the control of the customer, whether by legal, contractual, or other means. This includes authentication credentials, data produced through the use of the service, and telemetry/metadata.
  • Establishment: In the context of EU law and CADA, "establishment" implies a genuine and stable link to the EU economy. Providers must ensure their legal incorporation, registered office, central administration, and main establishment are within the Union, not just a shell entity.

What this means for you

For cloud service providers and data centre operators aiming to access the EU public sector market, meeting Level 1 criteria is the entry ticket. Here is how to operationalise these requirements:

  1. Audit Your Infrastructure Map: You must have a precise inventory of all infrastructure and assets used to deliver your service. This includes primary, backup, disaster recovery, and log storage locations. If any component is outside the EU, you cannot meet Level 1 unless your customer explicitly requires otherwise. Ensure your network diagrams clearly show exclusive use of Union-based infrastructure for data storage and processing.
  2. Review Subcontractor Contracts: If you use subcontractors, their infrastructure and assets must also be in the Union. If you outsource technical support to a third country, you must implement robust legal and technical measures to ensure operational autonomy is not compromised. Document these measures thoroughly, as they form part of your self-assessment evidence.
  3. Prepare Your EU Statement of Conformity: Develop an internal process to regularly self-assess compliance against Annex II criteria. Draft your EU statement of conformity, ensuring it clearly states your compliance and is publicly accessible.
    • If you are an SME: You can issue this statement and rely on automatic recognition across the EU.
    • If you are a non-SME: You must submit this to your national competent authority and be prepared for a 60-day review period where other Member States may object.
  4. Monitor Third-Country Control: If your organisation is controlled by a third-country entity, ensure you have documented guarantees that you are not compelled to report vulnerabilities to foreign authorities before those vulnerabilities are known to have been exploited. This is a specific criterion for Level 1 that is often overlooked but critical for compliance.
  5. Cybersecurity Alignment: Ensure your service meets state-of-the-art cybersecurity standards. While Level 1 does not yet require the European Cybersecurity Certification Scheme (EUCS), which is required for Levels 2–4, you must still demonstrate robust cybersecurity practices. Aligning with existing standards like ISO 27001 or national cybersecurity certifications can strengthen your self-assessment evidence.

Common misconceptions

  • "Level 1 requires an independent audit." Incorrect. Level 1 is based on a conformity self-assessment and an EU statement of conformity under Article 19. Independent third-party audits are only required for Union Assurance Levels 2, 3, and 4.

  • "Data can always leave the EU if I use encryption." Not necessarily. The criterion states data must remain exclusively within the Union unless the public sector body explicitly requires otherwise. Encryption alone does not satisfy the localisation criterion; you need an explicit requirement from the customer for data to reside or be processed outside the EU.

  • "Only the primary provider needs to be EU-established." While the provider must be established in the Union, the criteria also apply to subcontractors involved in the provision of the service. Their infrastructure and assets must be in the Union, and they must be subject to due diligence and oversight.

  • "Level 1 is optional for public sector procurement." No. Article 30(2) of the CADA proposal mandates that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order (i.e., non-critical activities) must use cloud computing services recognised at Union Assurance Level 1. It is the mandatory baseline.

  • "SMEs and non-SMEs follow the same recognition path." Incorrect. Article 17(3) creates a distinct path: SMEs benefit from automatic recognition without national authority intervention, while non-SMEs must undergo a formal assessment and a 60-day review period by other Member States.

This is general information about a draft EU regulation, not legal advice.