Summary

Under the proposed Cloud and AI Development Act (CADA), a risk assessment for public procurement treats subcontractors not as peripheral vendors but as integral components of the cloud service itself. Article 29 mandates that Member States and Union entities assess the sensitivity of data and the risks of third-country access, which inherently includes evaluating the entire supply chain's ability to maintain operational autonomy. Crucially, Recital 63 clarifies that "where the cloud computing service provider relies on subcontractors in the provision of the services, the same agreements apply to the subcontractors." Consequently, providers cannot isolate their own compliance; they must demonstrate that their entire subcontractor network meets the rigorous cumulative criteria of Annex II, making the supply chain a central determinant of the sovereignty risk profile.

Detail

The CADA proposal establishes a unified framework for cloud computing sovereignty, shifting focus from purely technical cybersecurity to broader strategic autonomy and data protection. A core mechanism of this framework is the risk assessment conducted by public sector bodies under Article 29. This assessment determines the minimum Union assurance level (1, 2, 3, or 4) required for a specific public sector activity. Crucially, this assessment does not view the cloud service provider in isolation; it evaluates the entire ecosystem delivering the service, including the complex web of subcontractors and the broader supply chain.

The Role of Article 29 Risk Assessments

Article 29(1) requires Member States and Union entities to conduct risk assessments to identify public sector activities that contribute to the preservation of public order. These assessments must determine which Union assurance level is appropriate for those activities. Article 29(2) specifies that these assessments must consider:

  • The sensitivity, criticality, and magnitude of non-personal and personal data processed.
  • The risk of unlawful access to such data by a third country or a legal entity established in a third country.
  • The risk of possible service disruption.

Recital 63 reinforces this by stating that in their risk assessments, entities shall assess the sensitivity, criticality, and magnitude of data processed in the cloud environment. It explicitly notes that "where the cloud computing service provider relies on subcontractors in the provision of the services, the same agreements apply to the subcontractors." This means the risk assessment's scope extends downstream: if a primary provider uses a subcontractor for storage, support, or infrastructure, the risk of unauthorized access or disruption via that subcontractor is part of the overall risk picture. The risk assessment is not merely a check on the primary entity's internal controls but a holistic evaluation of the service's resilience against third-country interference.

Subcontractors and Union Assurance Levels

The risk assessment dictates the required assurance level, but the criteria for meeting that level are defined in Annex II. The proposal makes it unequivocally clear that subcontractors are not exempt from these stringent criteria. The criteria for Union assurance levels are cumulative and apply to the "audited provider" and its subcontractors collectively.

For Union Assurance Level 1, Annex II, Section 1.1 sets out cumulative criteria. Notably, 1.1(b) requires that the infrastructure and assets of the cloud computing service provider, "including those of its subcontractors which are involved in the provision of the service," are located in the Union. Similarly, 1.1(c) mandates that customer data processed, stored, and transferred by the provider and its subcontractors remain exclusively within the Union. Furthermore, 1.1(f) requires the provider to subject subcontractors to due diligence, contractual obligations, and ongoing oversight to meet Union legal obligations.

For higher levels (Levels 2, 3, and 4), the requirements become even more rigorous, and the inclusion of subcontractors is explicit and non-negotiable:

  • Annex II, Section 2.1(a) (Level 2) states that the audited provider and the subcontractors involved in the provision of the audited service must be established in the Union.
  • Annex II, Section 2.1(b) requires that the infrastructure, assets, and personnel of the audited provider, "including those of its subcontractors," are located in the Union.
  • Annex II, Section 2.1(c) mandates that customer data remain exclusively within the Union, covering data handled by subcontractors.
  • Annex II, Section 3.1(a)-(c) (Level 3) and 4.1(a)-(c) (Level 4) repeat these strict geographic and data residency requirements for subcontractors.

Additionally, for Levels 3 and 4, personnel requirements apply to subcontractors as well. Annex II, Section 3.1(d) requires that personnel, including those of subcontractors, are Union citizens and, where appropriate, possess the necessary national security clearance. For Level 4, Section 4.1(d) reiterates that personnel of subcontractors must be Union citizens with necessary security clearance when handling classified information.

Supply Chain Dependencies as Risk Factors

The CADA framework recognizes that supply chain dependencies are a primary vector for sovereignty risks. Recital 46 highlights that dependence on a limited number of providers subject to third-country control exposes the Union to risks such as misuse, access to sensitive information, and dependency vulnerabilities. Therefore, the risk assessment under Article 29 must account for these supply chain risks.

If a provider relies on a subcontractor that is controlled by a third country, or if the supply chain includes components (such as software or hardware) that could be remotely manipulated or disrupted by a third country, the provider may fail to meet the criteria for higher assurance levels. For instance, Annex II, Section 2.1(g) requires that if the provider or its subcontractors are subject to third-country control, they must demonstrate that legal, technical, and organizational measures are in place to prevent third-country access to data or disruption of service. For Level 4, Section 4.1(g) outright prohibits the provider and its subcontractors from being subject to third-country control.

A specific derogation exists for Union Assurance Level 3 regarding third-country control. Annex II, Section 3.1(g) states that a provider subject to third-country control may be audited for Level 3 "where the Commission has adopted an implementing act under Article 18." Article 18 (titled "Associated third countries") sets out the conditions under which the Commission may identify third countries as providing sufficient assurances. This mechanism allows for a controlled exception where the third country has implemented specific safeguards, but it does not apply to Level 4, which requires absolute absence of third-country control.

Thus, the supply chain is not just a logistical detail; it is a determinant of whether a service can achieve the assurance level required by the risk assessment. A provider with a robust internal setup but a fragile or non-compliant subcontractor network will likely fail to secure contracts for critical public sector activities.

What this means for you

For cloud service providers and data centre operators, the CADA proposal means that your compliance strategy must be holistic. You cannot achieve Union Assurance Level 2, 3, or 4 by ensuring only your own direct operations are compliant. You must extend your governance, technical controls, and contractual oversight to every subcontractor involved in the provision of the service.

  1. Map Your Supply Chain: Identify every subcontractor that handles infrastructure, assets, personnel, or data related to the service. This includes secondary and tertiary subcontractors if they have access to customer data or operational control. The definition of "personnel" in Annex III includes individuals managed by subcontractors who support the delivery or operation of the service.
  2. Contractual Alignment: Your contracts with subcontractors must explicitly mandate compliance with the relevant Annex II criteria. This includes data residency, personnel citizenship (for Levels 3 and 4), and prohibitions on third-country access. As Recital 63 notes, the same agreements apply to subcontractors.
  3. Due Diligence and Auditing: Implement rigorous due diligence processes to verify subcontractor compliance. For Levels 2-4, independent audits will scrutinize your subcontractor relationships. Ensure your subcontractors can provide the necessary evidence (e.g., proof of establishment, data flow diagrams, personnel records) as outlined in Annex III.
  4. Risk Assessment Preparation: When bidding for public sector contracts, be prepared to demonstrate how your supply chain mitigates the risks identified in Article 29. Show that you have measures in place to prevent unauthorized access and service disruption, even if a subcontractor is compromised.

Common misconceptions

  • Misconception: "Only the primary provider needs to be EU-established."
    • Reality: For Union Assurance Levels 2, 3, and 4, subcontractors involved in the service provision must also be established in the Union (Annex II, Sections 2.1(a), 3.1(a), 4.1(a)).
  • Misconception: "Data residency only applies to our own data centres."
    • Reality: Data residency requirements explicitly cover data processed, stored, and transferred by subcontractors (Annex II, Sections 1.1(c), 2.1(c), 3.1(c), 4.1(c)).
  • Misconception: "Subcontractor compliance is a private contract issue."
    • Reality: Subcontractor compliance is a regulatory requirement for achieving Union Assurance Levels. Failure to ensure subcontractor compliance can lead to the revocation of recognition or failure to pass the audit (Article 23, Article 20).
  • Misconception: "Risk assessments only look at the provider's technical setup."
    • Reality: Article 29 risk assessments evaluate the entire service ecosystem, including supply chain dependencies, to determine the appropriate assurance level for preserving public order.
  • Misconception: "Third-country control is allowed for all levels if safeguards exist."
    • Reality: While Article 18 allows for a derogation for Level 3 under specific Commission implementing acts, Level 4 strictly prohibits the provider and its subcontractors from being subject to third-country control (Annex II, Section 4.1(g)).

This is general information about a draft EU regulation, not legal advice.