Summary

Under the proposed Cloud and AI Development Act (CADA), cloud computing services seeking Union assurance levels 1 through 4 must keep customer data, including metadata and telemetry, exclusively within the European Union. However, this strict residency rule contains a critical, conditional exception: data may leave the Union only if the public sector body explicitly requires otherwise. For cloud providers, this means you cannot unilaterally decide to transfer data abroad for operational efficiency or cost savings. The transfer must be driven by a specific, documented instruction from the buyer. Failure to document this explicit requirement constitutes a failure to meet the assurance level criteria, regardless of GDPR adequacy decisions or standard Terms of Service clauses.

Detail

The CADA proposal (COM(2026) 502 final) introduces a harmonised sovereignty framework designed to reduce the EU's dependence on third-country cloud providers and safeguard public order. A cornerstone of this framework is the strict localisation of data. To navigate buyer exceptions correctly, providers must look closely at the cumulative criteria set out in Annex II of the proposal, specifically regarding Union assurance levels 1, 2, 3, and 4.

The General Rule: Exclusive Union Residency

For a cloud service to qualify for any Union assurance level, the default position is absolute: data must remain in the EU. Annex II sets out nearly identical wording for the data residency requirement across the lower and middle tiers of the sovereignty framework, with a nuanced shift for Level 4 regarding "sensitive" data.

For Union assurance level 1, Annex II, Section 1, paragraph 1(c) states that:

"the customer data, including metadata and telemetry data, that is processed, stored and transferred by the cloud computing service provider, and by the subcontractors, which are involved in the provision of the service, remain exclusively within the Union, unless the public sector body explicitly requires otherwise and at any time, including before, during or after the configuration or use of the service;"

For Union assurance level 2, the requirement is reiterated in Annex II, Section 2, paragraph 2.1(c):

"the customer data, including metadata and telemetry data, that is processed, stored and transferred by the audited provider and the subcontractors which are involved in the provision of the service, remain exclusively within the Union, unless the public sector body explicitly requires otherwise and at any time, including before, during or after the configuration or use of the service;"

The same principle applies to Level 3 (Annex II, Section 3, paragraph 3.1(c)). For Level 4, the rule is slightly more specific in Annex II, Section 4, paragraph 4.1(c), applying to data "identified as sensitive" following a risk assessment, but it retains the same exception mechanism:

"the customer data, including metadata and telemetry data, which, following a risk assessment, is identified as sensitive, that is processed, stored and transferred by the audited provider and the subcontractors which are involved in the provision of the service, remain exclusively within the Union and at any time... unless the public sector body explicitly requires otherwise..."

Crucially, the text explicitly includes metadata and telemetry data within the definition of "customer data." This means diagnostic logs, performance metrics, and connection data are subject to the same residency constraints as the primary content data.

The Exception: "Unless the Public Sector Body Explicitly Requires Otherwise"

The phrase "unless the public sector body explicitly requires otherwise" is the operative clause for your operations. It shifts the burden of decision-making and justification from the provider to the customer. As a cloud provider, you cannot assume that a standard Terms of Service clause allowing for global data routing, or a general "necessary for service provision" clause, satisfies CADA. The exception is not a general waiver; it is a specific, affirmative requirement from the buyer.

This means that if a public sector body needs to process data in a third country (for example, to comply with a specific international treaty, a unique operational mandate, or a cross-border collaboration agreement), they must explicitly instruct you to do so. Without this explicit instruction, any transfer of customer data, metadata, or telemetry data outside the Union constitutes a failure to meet the assurance level criteria.

The phrase "at any time, including before, during or after the configuration or use of the service" further tightens the rule. It implies that the data must remain in the Union throughout its entire lifecycle unless the explicit instruction covers the specific phase of transfer.

The Role of Articles 19 and 20: Conformity and Audit

How do you prove you are following this rule? This is where Article 19 and Article 20 of the CADA proposal become critical compliance mechanisms.

Article 19 (Conformity self-assessment) applies to providers seeking Union assurance level 1. Under Article 19(1), providers must carry out a conformity self-assessment of compliance with the criteria in Annex II. Article 19(2) requires the provider to issue an "EU statement of conformity" stating that compliance has been demonstrated. By issuing this statement, the provider assumes responsibility for the compliance of the cloud computing service with the criteria, including the data residency rule. Therefore, your self-assessment process must include a robust mechanism for tracking and verifying whether any data transfers outside the Union are backed by explicit buyer instructions. If you cannot demonstrate this link in your self-assessment, you cannot issue a valid statement of conformity.

Article 20 (Independent audit) applies to providers seeking Union assurance levels 2, 3, or 4. These providers must undergo independent third-party audits. Article 20(1) mandates that providers obtain an audit report and opinion from an auditing organisation. The audit will scrutinise your adherence to the Annex II criteria. Auditors will likely examine your data flow diagrams, contractual agreements, and logs to ensure that any data leaving the Union is justified by an explicit requirement from the public sector body. If you cannot produce documentation linking a specific data transfer to a specific buyer instruction, you risk a negative audit opinion, which precludes recognition at that assurance level.

Documenting the Buyer Instruction

Because the exception relies on the buyer's explicit requirement, documentation is your primary defence and a mandatory compliance artifact. You should implement processes to capture and store these instructions in a way that is auditable.

  1. Contractual Clauses: Specific addendums to service agreements where the public sector body explicitly authorises data transfer to specific third countries for defined purposes. The instruction should be specific to the exception, not buried in general terms of service.
  2. Operational Logs: Technical logs that tag data transfers with reference numbers to the specific contractual authorisation or buyer instruction. This creates a chain of evidence linking the technical action to the legal requirement.
  3. Change Management: If a buyer withdraws their explicit requirement, your systems must be capable of halting those transfers immediately to maintain compliance. The "explicit requirement" is a dynamic state, not a one-time permission.
  4. Subcontractor Chain: The criteria explicitly mention subcontractors. You must ensure your sub-processors are contractually bound to respect the same residency rules and that any exceptions are communicated down the supply chain. If your subcontractor transfers data outside the Union without the buyer's explicit instruction, your service fails to meet the assurance level criteria.

What this means for you

As a cloud service provider or data centre operator, you must update your compliance, sales, and technical workflows immediately.

1. Sales and Contracting

Your legal teams must distinguish between standard data processing agreements (DPAs) and CADA-specific sovereignty requirements. When selling to public sector bodies, you must clarify that data residency is the default. If the buyer wants data to leave the EU, this must be explicitly stated in the contract or a formal instruction. Vague language like "data may be stored globally" or "data may be transferred as necessary" will not satisfy the "explicitly requires otherwise" standard. You may need to introduce a specific "CADA Data Residency Exception" clause in your contracts.

2. Technical Architecture

Your infrastructure must support granular data localisation. You need the ability to route data exclusively within the Union by default, with the capability to override this only when a specific, documented exception is active. This may require tagging data at the storage and processing layers to ensure telemetry and metadata also respect the residency rule unless explicitly waived. Your systems should be able to generate reports showing exactly which data sets left the Union and under which specific buyer instruction.
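The control described under Technical Architecture, together with the operational-log and change-management items in the numbered list under "Documenting the Buyer Instruction", can be expressed as a small policy engine: every transfer is evaluated against an EU-by-default rule, a transfer outside the Union is permitted only when an active instruction from the public sector body names that destination, data class and lifecycle phase, withdrawal of the instruction takes effect on the next evaluation, and every decision is logged with the instruction reference so the audit report traces transfer to instruction. The following Python is an added illustration, not code from the CADA proposal or from any provider; the instruction model (reference, buyer, named destinations, data classes, phases), the approximation of "within the Union" by member-state country codes, and all sample values are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed approximation of "within the Union": the 27 member-state
# ISO 3166-1 alpha-2 codes. A real deployment needs the legal definition.
EU_MEMBER_STATES = frozenset(
    "AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT RO SK SI ES SE".split()
)

# Annex II names content, metadata and telemetry, and applies the rule
# "before, during or after the configuration or use of the service".
DATA_CLASSES = frozenset({"content", "metadata", "telemetry"})
PHASES = frozenset({"before", "during", "after"})


@dataclass
class BuyerInstruction:
    """Hypothetical model of an explicit requirement from a public sector body."""
    ref: str                      # contract addendum reference (constructed)
    buyer: str
    destinations: frozenset[str]  # third countries the buyer explicitly named
    data_classes: frozenset[str]
    phases: frozenset[str]
    purpose: str
    withdrawn_at: Optional[datetime] = None

    def covers(self, destination: str, data_class: str, phase: str) -> bool:
        return (self.withdrawn_at is None
                and destination in self.destinations
                and data_class in self.data_classes
                and phase in self.phases)


@dataclass
class TransferRequest:
    transfer_id: str
    buyer: str
    actor: str        # the provider itself or a named subcontractor
    data_class: str
    phase: str
    destination: str  # country code of the receiving location


@dataclass
class Decision:
    transfer_id: str
    actor: str
    destination: str
    allowed: bool
    reason: str
    instruction_ref: Optional[str]
    decided_at: str


class ResidencyPolicy:
    """EU-by-default egress control with an auditable decision log."""

    def __init__(self) -> None:
        self._instructions: dict[str, BuyerInstruction] = {}
        self.log: list[Decision] = []

    def register(self, instr: BuyerInstruction) -> None:
        # An instruction must be specific: named third countries, known classes/phases.
        if not instr.destinations or instr.destinations & EU_MEMBER_STATES:
            raise ValueError("instruction must name specific third countries")
        if not instr.data_classes <= DATA_CLASSES or not instr.phases <= PHASES:
            raise ValueError("instruction must use known data classes and phases")
        self._instructions[instr.ref] = instr

    def withdraw(self, ref: str) -> None:
        # Withdrawal is immediate: every later evaluation relying on it is denied.
        self._instructions[ref].withdrawn_at = datetime.now(timezone.utc)

    def evaluate(self, req: TransferRequest) -> Decision:
        if req.data_class not in DATA_CLASSES or req.phase not in PHASES:
            raise ValueError(f"unknown data class or phase in {req.transfer_id}")
        if req.destination in EU_MEMBER_STATES:
            return self._record(req, True, "destination within the Union", None)
        for instr in self._instructions.values():
            if instr.buyer == req.buyer and instr.covers(req.destination, req.data_class, req.phase):
                return self._record(req, True, f"explicit buyer instruction: {instr.purpose}", instr.ref)
        return self._record(req, False, "no active explicit buyer instruction covers this transfer", None)

    def _record(self, req: TransferRequest, allowed: bool, reason: str, ref: Optional[str]) -> Decision:
        d = Decision(req.transfer_id, req.actor, req.destination, allowed, reason, ref,
                     datetime.now(timezone.utc).isoformat())
        self.log.append(d)
        return d

    def audit_report(self) -> list[dict]:
        """Every attempted transfer outside the Union and the instruction it relied on."""
        return [{"transfer_id": d.transfer_id, "actor": d.actor, "destination": d.destination,
                 "allowed": d.allowed, "instruction_ref": d.instruction_ref}
                for d in self.log if d.destination not in EU_MEMBER_STATES]
```

The `actor` field matters for the subcontractor chain: a sub-processor's transfer is evaluated against the same instructions and appears in the same report, so a transfer made by a subcontractor without a covering instruction shows up as a denied entry rather than going unrecorded. Intra-EU transfers are allowed without an instruction and are deliberately omitted from the report, which keeps it focused on the exception the auditor will test.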

3. Audit Readiness

For Level 1, ensure your self-assessment documentation includes evidence of how you verify buyer instructions. For Levels 2–4, prepare for auditors to test this control. They may ask to see the chain of evidence from a specific data transfer to the contractual clause or formal instruction that authorised it. If the instruction is missing, the audit will fail.

4. Subcontractor Management

The rule applies to subcontractors as well. You must ensure your sub-processors are contractually bound to respect the same residency rules and that any exceptions are communicated down the supply chain. You are responsible for ensuring that your subcontractors do not transfer data outside the Union without the buyer's explicit instruction.

Common misconceptions

"GDPR adequacy decisions allow data to leave the EU." This is incorrect in the context of CADA assurance levels. While the GDPR allows transfers to countries with adequacy decisions, CADA's sovereignty framework is stricter. Even if a country is deemed adequate under GDPR, data cannot leave the Union under CADA assurance levels unless the public sector body explicitly requires it. The two regimes address different risks: GDPR focuses on privacy protection, while CADA focuses on strategic autonomy and operational control.

"Telemetry data is exempt from residency rules." Annex II explicitly includes "metadata and telemetry data" in the definition of customer data that must remain in the Union. You cannot argue that diagnostic or performance data is less sensitive; it is subject to the same residency constraints unless the buyer explicitly allows otherwise.

"A general data processing agreement is enough." A standard DPA that includes a clause for "necessary transfers" is likely insufficient. The CADA text uses the phrase "explicitly requires otherwise," which suggests a higher threshold than general consent. The instruction should be specific to the exception, not buried in general terms of service.

"Only the primary data provider is responsible." The criteria explicitly mention subcontractors. If your subcontractor transfers data outside the Union without the buyer's explicit instruction, your service fails to meet the assurance level criteria, regardless of whether your own systems complied.

This is general information about a draft EU regulation, not legal advice.