Summary

Under the proposed Cloud and AI Development Act (CADA), personnel requirements for cloud service providers escalate significantly across the four Union assurance levels defined in Article 16. While Level 1 imposes no specific nationality or location constraints on personnel, Level 2 introduces conditional screening and mandates that all technical support be performed exclusively within the Union. Levels 3 and 4 raise the bar to mandatory Union citizenship for all relevant personnel, require national security clearances for classified work, and restrict technical support to Union residents free from third-country control. These escalating criteria are detailed in Annex II of the proposal and are designed to safeguard public order and prevent third-country interference.

Detail

The CADA proposal establishes a "Union cloud computing sovereignty framework" comprising four assurance levels to mitigate risks associated with third-country control, data access, and operational continuity (Article 16(1)). A critical pillar of this framework is the strict regulation of the human element: the personnel involved in the provision of cloud computing services. The criteria for these personnel requirements are set out in Annex II, which details the cumulative conditions providers must meet to be recognized at each level. The requirements escalate from minimal constraints at Level 1 to stringent citizenship, clearance, and residency mandates at Levels 3 and 4.

Union Assurance Level 1: Baseline with No Personnel Mandates

For Union assurance level 1, Annex II, Section 1, does not impose specific requirements regarding the nationality, location, or clearance status of personnel. The criteria focus primarily on the provider's establishment in the Union, the location of infrastructure and assets, and data residency. While the provider must demonstrate compliance with state-of-the-art cybersecurity standards (Annex II, 1.1(e)) and provide transparency regarding subcontractors (Annex II, 1.1(f)), there are no explicit mandates that staff holding access to customer data or systems must be Union citizens or located within the Union.

This baseline level allows for greater operational flexibility, including the use of global support structures, provided other criteria such as data localization are met. The absence of personnel constraints at this level reflects its suitability for public sector activities that do not contribute to the preservation of public order or involve highly sensitive data.

Union Assurance Level 2: Conditional Screening and Union-Based Support

At Union assurance level 2, personnel requirements begin to tighten, particularly regarding support operations and optional screening. The most significant shift is the introduction of a conditional citizenship requirement. According to Annex II, Section 2.1(d), "if the public sector body determines that imposing additional personnel screening and Union citizenship requirements are necessary, the audited provider should ensure that personnel meeting those requirements are available."

This provision makes citizenship requirements conditional at Level 2. It is not a blanket mandate for the service level itself but rather a customer-driven obligation. If a contracting authority identifies a specific risk or need for Union citizenship in their risk assessment, the provider must be able to supply personnel who meet that criterion.

More critically, Annex II, Section 2.1(h) mandates a strict location requirement for support operations: "the technical and operational support or assistance related to the audited service, including subsequent sub-outsourcing arrangements, are initiated and performed exclusively within the Union." This prevents providers from routing support tickets, maintenance activities, or administrative access to third countries, thereby reducing the risk of unauthorized access or service disruption from outside the Union. Unlike Level 1, Level 2 requires that the act of support happens within EU borders, even if the personnel performing it are not yet mandated to be Union citizens (unless the customer triggers the condition in 2.1(d)).

Union Assurance Level 3: Mandatory Union Citizenship and Security Clearances

Union assurance level 3 introduces strict, non-negotiable mandatory requirements for personnel. Annex II, Section 3.1(d) stipulates that "the personnel, including the personnel of the subcontractors which are involved in the provision of the audited service are Union citizens." This removes the optionality found in Level 2; citizenship is now a prerequisite for all relevant staff.

Furthermore, Annex II, Section 3.1(d) adds a clearance requirement: "where appropriate, the personnel must also have the necessary national security clearance issued by a Member State when handling classified information, as defined in Article 2, point (21), of Regulation (EU) 2021/697." This ensures that personnel handling sensitive or classified data possess the necessary vetting to protect national security interests.

In addition to citizenship, the location of support becomes more restrictive. Annex II, Section 3.1(h) requires that technical and operational support be initiated and performed "exclusively within the Union, by personnel that are Union residents, and by third parties that are not subject to the control of a third country or a legal entity established in a third country." This dual requirement of Union residency and the absence of third-country control ensures a higher degree of operational autonomy and reduces the risk of foreign influence over support operations.

Union Assurance Level 4: Highest Level of Personnel Control

Union assurance level 4 maintains and reinforces the strict personnel criteria of Level 3, tailored for the most critical public order activities. Annex II, Section 4.1(d) reiterates that "the personnel, including the personnel of the subcontractors, which are involved in the provision of the audited service are Union citizens and, where appropriate, the personnel must also have the necessary national security clearance issued by a Member State when handling classified information."

Similarly, Annex II, Section 4.1(h) mandates that technical and operational support be performed "exclusively within the Union, by personnel that are Union residents, and by third parties that are not subject to the control of a third country or a legal entity established in a third country."

The escalation from Level 2 to Levels 3 and 4 is significant: Level 2 allows for optional citizenship screening based on customer demand, whereas Levels 3 and 4 make Union citizenship a non-negotiable prerequisite for any personnel involved in service provision. This reflects the heightened sensitivity of the data and the critical nature of the public order activities these services support, such as law enforcement, defence, and national security.

The Role of Third-Country Derogations

Article 18 provides a mechanism for the Commission to identify third countries as "associated" for the purpose of Union assurance level 3. Under Annex II, Section 3.1(g), a provider subject to the control of a third country may still qualify for Level 3 if the Commission has adopted an implementing act under Article 18 (note: the draft text of Annex II, Section 3.1(g) refers to "Article 19", which is a drafting slip; the correct cross-reference for third-country derogations is Article 18). Even in such cases, the provider must demonstrate that the third country's control does not restrict service delivery, access to data, or service continuity. However, the personnel criteria in 3.1(d) (Union citizenship) and 3.1(h) (Union residents) remain mandatory regardless of the third-country status of the provider's parent entity.

What this means for you

For cloud service providers and data centre operators aiming to serve the EU public sector, understanding these personnel escalations is crucial for operational planning, workforce strategy, and compliance.

  1. Workforce Restructuring and Residency: If you currently rely on global support teams or non-EU staff for maintenance and customer support, you will need to restructure your operations to achieve Union assurance levels 2, 3, and 4. For Level 2, all support activities must be performed within the Union. For Levels 3 and 4, these staff must also be Union residents and Union citizens. This may require establishing dedicated EU-based support centres and hiring locally.
  2. Security Clearance Processes: Providers targeting Levels 3 and 4 must establish robust processes for vetting personnel and obtaining national security clearances. This may involve longer onboarding times, stricter ongoing monitoring of staff backgrounds, and coordination with Member State authorities. You must be prepared to demonstrate that personnel handling classified information possess the necessary clearance.
  3. Subcontractor Management: The requirements apply to subcontractors as well. Annex II explicitly includes "personnel of the subcontractors" in the citizenship and location criteria for Levels 2, 3, and 4. You must ensure that any third-party providers involved in service delivery meet the same personnel criteria. This includes verifying their citizenship status, ensuring their support teams are located within the Union, and confirming they are not subject to third-country control.
  4. Customer-Specific Requirements for Level 2: For Level 2, be prepared to offer optional personnel screening and Union citizenship options if requested by a public sector body. This may require maintaining a pool of pre-vetted EU citizen staff who can be deployed to specific contracts upon request, even if your general support team includes non-EU citizens.
  5. Audit Evidence: Under Annex III, auditors will require specific evidence to verify these criteria. For citizenship, this includes valid official government documents (e.g., passports, national ID cards) and organisational charts. For support location, auditors will examine employment contracts, payroll records, timesheets, and network diagrams proving that support is initiated and performed exclusively within the Union.

Common misconceptions

  • Myth: Union citizenship is required for all assurance levels.
    • Fact: Union citizenship is only mandatory for Levels 3 and 4. At Level 2, it is conditional (only if the public sector body requires it), and Level 1 has no citizenship requirements.
  • Myth: Technical support can be provided from anywhere as long as data stays in the EU.
    • Fact: From Level 2 upwards, technical and operational support must be initiated and performed exclusively within the Union. For Levels 3 and 4, this support must also be provided by Union residents not subject to third-country control.
  • Myth: Security clearances are optional for all levels.
    • Fact: Security clearances are mandatory for Levels 3 and 4 when personnel handle classified information. They are not a general requirement for Level 1 or 2 unless specifically requested by a public sector body under Level 2's optional screening clause.
  • Myth: A provider controlled by a US company can never reach Level 3.
    • Fact: While Annex II, Section 3.1(g) generally prohibits third-country control, Article 18 allows the Commission to grant a derogation for specific third countries. If such a decision is made, a provider controlled by that third country may still qualify for Level 3, provided they meet the strict personnel and operational autonomy criteria.

This is general information about a draft EU regulation, not legal advice.