Summary

To move your cloud service to a higher CADA sovereignty tier, you must satisfy all cumulative criteria of your current level and the target level simultaneously. As proposed in Article 20(1), an audited provider seeking a higher Union assurance level "shall satisfy all the applicable cumulative criteria under Annex II applicable to the lower Union assurance levels." Failure to meet any lower-level requirement precludes conformity with the higher level. The process requires a new independent third-party audit against the full set of target criteria, followed by a formal re-application for recognition to your national competent authority under Article 17. You cannot skip levels; to reach Level 3, you must prove compliance with Levels 1, 2, and 3.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a tiered sovereignty framework known as the Union Assurance Levels (UALs). These levels, ranging from Level 1 to Level 4, are not isolated certifications but a strictly cumulative hierarchy. The legislative text explicitly designs this structure to ensure that higher tiers represent a comprehensive strengthening of sovereignty, not just the addition of specific controls.

The Cumulative Nature of Assurance Levels

The foundational rule for advancing tiers is codified in Article 20(1) of the CADA proposal. This article mandates:

"An audited provider undergoing an audit procedure at a higher Union assurance level shall satisfy all the applicable cumulative criteria under Annex II applicable to the lower Union assurance levels. Failure to meet any requirements of a lower assurance level shall preclude conformity with the higher Union assurance levels."

This provision has two critical implications for providers seeking to upgrade:

  1. No Delta Audits: You cannot audit only the "delta" (the differences) between your current level and the target level. An auditor must verify compliance with every criterion in Annex II for Level 1, Level 2, and Level 3 if you are seeking Level 3 recognition.
  2. Preclusion of Higher Tiers: If your infrastructure, personnel, or governance fails a single requirement at a lower level (e.g., a data residency gap at Level 1), you are legally precluded from being recognised at any higher level, regardless of how robust your Level 3-specific controls might be.

Step 1: Comprehensive Gap Analysis and Remediation

Before initiating a formal audit, you must conduct a rigorous gap analysis against Annex II of the CADA proposal. The criteria become significantly more restrictive at each step, often requiring structural changes to your business model.

  • Moving from Level 1 to Level 2:
    • Shift to Independent Audit: Level 1 relies on a self-assessment (Article 19). Level 2 requires an independent third-party audit.
    • Data & AI Restrictions: You must demonstrate that data generated by the service is not used to train or fine-tune AI systems operated by third countries (Annex II, 2.1(f)).
    • Supply Chain Transparency: You must implement a complete Software Bill of Materials (SBOM) and controls to block remote features that could tamper with the service (Annex II, 2.1(i)).
    • Cybersecurity: You must obtain a European cybersecurity certificate of at least assurance level 'substantial' under a scheme established under Regulation (EU) 2019/881, or demonstrate compliance with the highest cybersecurity standards if such a scheme is not yet available (Annex II, 2.1(e)). Note that 'substantial' is the required level for L2 and L3; only L4 requires 'high'.
  • Moving from Level 2 to Level 3:
    • Personnel Citizenship: A critical shift occurs here. For Level 3, Annex II, 3.1(d) requires that "the personnel, including the personnel of the subcontractors... are Union citizens." This is a mandatory requirement for L3 and L4, whereas for L2 it is conditional (only if the public sector body requires it).
    • Third-Country Control: You must demonstrate that neither the provider nor its subcontractors are subject to the control of a third country or a legal entity established in a third country (Annex II, 3.1(g)).
    • Derogation Path: If you are subject to third-country control, you may only qualify for Level 3 if the Commission has adopted an implementing act under Article 18 recognising that third country as providing sufficient assurances. This is a specific derogation mechanism, not a general exception.
  • Moving from Level 3 to Level 4:
    • Highest Cybersecurity: You must obtain a European cybersecurity certificate of at least assurance level 'high' (Annex II, 4.1(e)).
    • Effective Control: You must prove that no third country holds "effective control" over the design, development, maintenance, or evolution of software components (Annex II, 4.1(i)).
    • Data Sensitivity: While Level 3 requires data to remain in the Union, Level 4 specifically targets data identified as "sensitive" following a risk assessment, ensuring it remains exclusively within the Union at all times (Annex II, 4.1(c)).

Step 2: The Independent Audit (Article 20)

For Levels 2, 3, and 4, recognition is impossible without an independent third-party audit. You must contract an auditing organisation that meets the strict independence and competence requirements of Article 20(4).

  1. Select an Auditor: The auditor must be independent, with no conflicts of interest. Specifically, they must not have provided non-audit services to you in the 12 months preceding the audit, nor have they audited you in the preceding 10 years. They must also not be paid contingent fees based on the audit result.
  2. Conduct the Audit: The auditor will assess your compliance against the full set of criteria in Annex II for your target level. They will gather audit evidence as detailed in Annex III, which includes:
    • Verifying the location of infrastructure and assets (e.g., lease contracts, utility bills).
    • Verifying the citizenship and location of personnel (e.g., passports, employment contracts).
    • Analysing ownership structures to prove the absence of third-country control (e.g., cap tables, board minutes, voting rights).
    • Reviewing data flow diagrams to ensure data does not leave the Union.
  3. Receive the Opinion: The auditor must issue a written audit report containing either a 'positive' or 'negative' audit opinion. A 'positive' opinion is only given if "all evidence shows that the provider complies with the audit criteria and obligations set out by this Regulation" (Recital (56)). If the auditor cannot conclude on specific aspects, they must explain why, which may hinder recognition.

Step 3: Re-application for Recognition (Article 17)

A new audit opinion does not automatically grant a new tier. You must formally apply for recognition.

  1. Submit Application: Under Article 17(1), you must submit an application for recognition to the national competent authority of your establishment.
  2. Provide Evidence: For Levels 2, 3, and 4, you must submit the audit report, the 'positive' audit opinion, and all evidence provided to the auditing organisation during the procedure (Article 17(4)).
  3. Authority Assessment: The evaluating national competent authority has 60 days to assess the evidence. They will prepare a draft recognition decision and notify other Member States' competent authorities for a 60-day review period.
  4. Objections and Resolution: During the review period, other Member States may submit reasoned objections. If no objections are raised, the recognition is deemed accepted across the Union. If objections are raised, the evaluating authority must assess them and either maintain or revoke the draft decision. If disagreements persist, the matter may be referred to the Commission for a binding decision (Article 17(10)).

Step 4: Central Repository Registration

Once recognised, the national competent authority of establishment will register your service in the central repository maintained by the Commission (Article 22). Your service will then be listed as offering the new Union Assurance Level, making it eligible for procurement by public sector bodies requiring that specific tier.

What this means for you

For cloud service providers and data centre operators, moving up a sovereignty tier is a strategic commercial decision with significant operational and financial implications.

  • Cumulative Audit Costs: You must bear the full cost of the independent third-party audit (Article 20(1)). As the criteria become more complex at Levels 3 and 4, audit fees will likely increase due to the depth of the required evidence, particularly regarding ownership structures, personnel citizenship verification, and software supply chain transparency.
  • Operational Overhaul: Moving to Level 3 or 4 may require you to restructure your operations. If you have personnel who are not Union citizens, you may need to relocate or replace them to meet the mandatory citizenship requirements for L3/L4. If you have third-country shareholders with veto rights or significant influence, you may fail the "control" test unless specific derogations under Article 18 apply.
  • Transparency Burden: You must maintain detailed documentation for audit evidence, including SBOMs, data flow diagrams, and proof of personnel location. Article 23 requires you to promptly notify the auditor and competent authority of any material changes that could affect your recognition, which could trigger a re-audit or revocation of your status.
  • Market Access: Achieving a higher tier unlocks access to high-value public sector contracts. Public authorities dealing with sensitive data or public order concerns must procure services at the level determined by their risk assessment (Article 30). Without the higher tier, you are excluded from these markets.

Common misconceptions

Misconception 1: I can audit only the differences between levels. This is incorrect. Article 20(1) explicitly states that you must satisfy all cumulative criteria of lower levels. An auditor must verify Level 1 and 2 criteria even if you are only seeking Level 3 recognition.

Misconception 2: A 'positive' audit opinion guarantees recognition. No. The audit opinion is a prerequisite, but the final decision lies with the national competent authority under Article 17. Other Member States can object during the review period, and the Commission can intervene. Recognition is a legal status granted by the authority, not just a technical certification.

Misconception 3: Third-country ownership automatically disqualifies me from Level 3. Not necessarily. Annex II, Section 3, point (g) allows for derogations. If the Commission has adopted an implementing act under Article 18 recognising your controlling third country as providing sufficient assurances (e.g., due to an adequacy decision and specific safeguards), you may still qualify for Level 3. However, you must demonstrate strict legal, technical, and organisational separation to prevent third-country access to data or service disruption. Note that Article 18 is the correct reference for third-country derogations, not Article 19.

Misconception 4: I can self-assess for Level 2. No. Self-assessment is only permitted for Union Assurance Level 1 (Article 19). Levels 2, 3, and 4 strictly require independent third-party audits by accredited organisations.

Misconception 5: Level 3 requires 'high' cybersecurity certification. No. Annex II specifies that Level 2 and Level 3 require a European cybersecurity certificate of at least assurance level 'substantial'. Only Level 4 requires the 'high' assurance level.

This is general information about a draft EU regulation, not legal advice.