Summary
When two cloud providers hold the same Union assurance level under the proposed Cloud and AI Development Act (CADA), they meet the identical baseline sovereignty criteria defined in Annex II, but they differ in operational maturity, audit currency, and specific contractual safeguards. To distinguish between them, buyers must examine the central repository under Article 22 for recognition status, verify the recency and scope of the independent audit opinion (mandatory for Levels 2 to 4), and assess optional risk-mitigation factors such as personnel screening availability and the granularity of support localization.
Detail
Under the proposed CADA, the Union cloud computing sovereignty framework establishes four Union assurance levels (Article 16). A provider's recognition at a specific level (whether Level 1, 2, 3, or 4) certifies that it has met the cumulative criteria set out in Annex II. However, recognition at the same tier does not guarantee identical service quality, operational resilience, or granular risk profiles. For in-house counsel and compliance officers, comparing providers within the same tier requires looking beyond the binary "recognized/not recognized" status to the nuances of audit evidence, governance structures, and optional enhancements permitted or required by the specific assurance level.
1. Verify Recognition and Audit Currency via the Central Repository
The first step in comparison is verifying the current status of the providers in the central repository of recognised services, established under Article 22. This repository is maintained by the Commission and publicly available. It lists services recognized as offering Union assurance levels 1 to 4.
- For Union Assurance Level 1: Providers self-assess conformity and issue an EU statement of conformity (Article 19). When comparing two Level 1 providers, counsel should verify that the statement is current and that the provider is established in the Union. Since Level 1 relies on self-assessment, the baseline for comparison is lower than for higher tiers, focusing on establishment, infrastructure location, and data residency within the Union (Annex II, Section 1).
- For Union Assurance Levels 2, 3, and 4: Recognition requires a "positive" audit opinion from an independent auditing organisation (Article 20). When comparing providers at these levels, counsel must check the central repository for the date of the audit opinion and the auditing organisation's name. A provider with a recent, unqualified positive opinion is generally lower risk than one with an older audit, as audits must be reviewed annually (Article 20(8)). The repository also records any revocations or amendments, which remain visible for five years (Article 22(3)).
2. Analyze the Specifics of the Audit Report
While the central repository confirms recognition, the underlying audit report provides the substance for comparison. Under Article 20(5), the audit report must include a description of the specific aspects audited, the methodology applied, and the main findings.
- Audit Scope and Depth: For Levels 2 to 4, providers must demonstrate compliance with stricter criteria in Annex II, such as the absence of third-country control, data localization, and cybersecurity certification. Counsel should request summaries of the audit findings to compare how thoroughly each provider addressed software supply chain risks (e.g., SBOMs, source code audits) and third-party subcontractor oversight.
- Negative Opinions or Qualifications: If a provider's audit report contained qualified aspects or recommendations for remediation, this is a critical differentiator. A provider with a clean "positive" opinion across all criteria is preferable to one with pending remedial actions, even if both are currently recognized.
3. Compare Optional Enhancements and Personnel Requirements
Annex II sets cumulative criteria for each level, but some criteria allow for additional safeguards that can distinguish providers within the same tier.
- Personnel Screening (Level 2): At Union Assurance Level 2, Annex II, Section 2.1(d) states that if the public sector body determines that additional personnel screening and Union citizenship requirements are necessary, the provider should ensure such personnel are available. When comparing two Level 2 providers, counsel should ask: Does Provider A proactively offer Union-only personnel for support roles, while Provider B only does so if explicitly requested? Proactive alignment with stricter screening reduces administrative burden and risk.
- Strict Personnel and Subcontractor Rules (Levels 3 and 4): At Levels 3 and 4, all personnel and subcontractors involved in service provision must be Union citizens and located in the Union (Annex II, Sections 3.1 and 4.1). Here, comparison shifts to the robustness of the provider's internal controls to enforce this. Which provider has more rigorous background checks and security clearances for its staff? Which has a more transparent subcontractor register?
- Cybersecurity Certification: Levels 2, 3, and 4 require a European cybersecurity certificate of at least "substantial" (Levels 2 and 3) or "high" (Level 4) assurance under the EUCS scheme (Annex II). If the EUCS is not yet fully established, national schemes may apply. Comparing the specific certification body and the depth of the cybersecurity assessment can reveal differences in security posture.
4. Assess Support and Operational Models
The location and nature of technical support are critical differentiators. Annex II requires that technical and operational support be initiated and performed exclusively within the Union for Levels 2 to 4. However, the quality and structure of this support vary.
- Support Localization: Does the provider have a dedicated, Union-based support team, or does it rely on a global team with some Union-based members? Annex II requires that support be performed by Union residents and parties not subject to third-country control. Counsel should verify the provider's organizational chart to ensure no third-country entities have access to support tools or data.
- Subcontractor Transparency: Annex II requires full transparency around subcontractors. Compare the providers' subcontractor registers. A provider with a smaller, more controlled subcontractor base may present lower supply chain risk than one with a complex, global subcontracting network, even if both are compliant.
5. Evaluate Transparency and Reporting Obligations
Under Article 23, providers must notify the auditing organisation and competent authority of any material changes that could affect their recognition. A provider with a transparent, proactive communication channel regarding changes in ownership, infrastructure, or subcontractors is preferable. Counsel should evaluate the provider's willingness to share this information during the procurement process.
What this means for you
For in-house counsel and compliance officers, comparing providers at the same CADA tier involves a shift from binary compliance checking to nuanced risk assessment.
- Conduct Repository Checks: Regularly monitor the central repository under Article 22 for any updates to the providers' recognition status, including revocations or amendments.
- Request Audit Summaries: For Levels 2 to 4, request summaries of the audit reports to compare the depth of the assessment and any identified risks or remedial actions.
- Verify Personnel and Support: Confirm that the provider's support model and personnel policies align with your organization's risk appetite, particularly regarding personnel screening and subcontractor oversight.
- Document Your Assessment: Maintain records of your comparison process, including the audit dates, repository status, and any additional safeguards negotiated, to demonstrate due diligence in your procurement decisions.
Common misconceptions
- "Same tier means identical risk." Incorrect. While baseline criteria are identical, operational maturity, audit recency, and optional safeguards vary significantly between providers.
- "Self-assessment is sufficient for high-risk use cases." Incorrect. Level 1 relies on self-assessment. For activities contributing to public order, Article 30 requires Levels 2 to 4, which mandate independent audits.
- "Recognition is permanent." Incorrect. Recognition can be revoked if a provider fails to maintain compliance or provides misleading information. Annual audits for Levels 2 to 4 ensure ongoing oversight.
This is general information about a draft EU regulation, not legal advice.