Summary

To move up a sovereignty tier under the proposed Cloud and AI Development Act (CADA), a cloud provider must demonstrate cumulative compliance: meeting every criterion of the lower tier plus the stricter requirements of the higher tier. As explicitly mandated by Article 20(1), failure to meet any requirement of a lower assurance level precludes conformity with higher levels. For Levels 2, 3, and 4, this process requires undergoing a new independent third-party audit and submitting a fresh application for recognition to the national competent authority under Article 17. There is no administrative "upgrade" path; providers must prove full compliance with the entire stack of criteria anew.

Detail

Under the proposed Cloud and AI Development Act (CADA), the path to a higher Union assurance level is strictly cumulative and rigorous. The regulation establishes a four-tier sovereignty framework (Union assurance levels 1 to 4) designed to mitigate risks to public order, data sovereignty, and third-country interference. Moving from one level to the next is not a simple administrative update or a matter of adding a few controls; it is a comprehensive re-evaluation of the provider's entire operational, legal, and technical posture.

The Cumulative Nature of Assurance Levels

The most critical rule for providers seeking to advance is that compliance is cumulative. Meeting the criteria of a higher level does not excuse a provider from demonstrating, and having verified, the criteria of every lower level. Article 20(1) of the CADA proposal states:

"An audited provider undergoing an audit procedure at a higher Union assurance level shall satisfy all the applicable cumulative criteria under Annex II applicable to the lower Union assurance levels. Failure to meet any requirements of a lower assurance level shall preclude conformity with the higher Union assurance levels."

This provision creates a "floor" effect. To qualify for Union assurance level 3, a provider must not only meet the specific, stringent criteria for level 3 but must also continue to fully satisfy every requirement of levels 1 and 2. If a provider fails to maintain compliance with a lower-tier criterion (for example, by locating infrastructure outside the Union where a lower level requires it to be inside, and no valid exception applies), it cannot be recognized at any higher level, regardless of how robust its Level 3 controls are.

This cumulative structure ensures that the "sovereignty" guarantees of the higher tiers are built upon a solid foundation of baseline compliance. It prevents providers from cherry-picking high-level security measures while neglecting fundamental sovereignty requirements like data localization or establishment in the Union.

The Audit Requirement for Levels 2, 3, and 4

While Union assurance level 1 relies on a conformity self-assessment by the provider (Article 19), moving to levels 2, 3, or 4 triggers a mandatory shift to independent third-party audits. Article 20 outlines that providers seeking recognition at these higher levels must undergo audits at their own expense to obtain an audit report and a "positive" audit opinion.

The audit process is designed to verify that the provider meets the cumulative criteria set out in Annex II of the proposal. The auditing organization must be independent, free from conflicts of interest, and possess proven technical competence. Article 20(4) specifies strict independence requirements: auditors must not have provided non-audit services related to the matters being audited within the 12 months prior to the audit, nor auditing services within the previous 10 years.

For a provider moving up a tier, the audit serves as the primary evidence of compliance. The audit report must include a "positive" opinion, confirming that all evidence shows the provider complies with the audit criteria for the specific higher level sought. A "negative" opinion or an inability to audit certain aspects will block the recognition process entirely. The auditor must assess the provider against the entire set of cumulative criteria, not just the new ones introduced at the target level.

The Recognition Process: A New Application

A common misconception is that a provider already recognized at level 1 can simply request an "upgrade" to level 2. Under CADA, this is not the case. Article 17 establishes a formal recognition mechanism where a cloud computing service provider must submit an application for recognition to the national competent authority of establishment for the specific level they are targeting.

Article 17(4) states that for Union assurance levels 2, 3, and 4, the candidate provider must submit:

  1. The audit report.
  2. The "positive" audit opinion referred to in Article 20.
  3. All evidence provided to the auditing organization during the audit procedure.

The national competent authority of establishment acts as the evaluating authority. It has 60 days to assess the evidence. If the evidence is sufficient, it prepares a draft recognition decision and notifies other Member States for a 60-day review period. If no reasoned objections are raised, the service is recognized throughout the Union at that specific higher assurance level.

Crucially, this is a new application. The previous recognition for the lower level remains valid for services covered by that level, but it does not confer the status of the higher level. The provider must effectively "re-apply" for the higher tier, demonstrating that they meet the full cumulative stack.

Key Differences Between Tiers and the "Stack" Effect

To move up, a provider must understand what additional hurdles exist at each step. While the full criteria are in Annex II, the progression generally involves a tightening of controls that compounds the requirements of the previous tiers:

  • Level 1 to 2: The shift from self-assessment to independent audit is the primary hurdle. Level 2 also introduces stricter requirements on software supply chain transparency, including a complete Software Bill of Materials (SBOM), and prohibitions on using customer data to train AI systems operated by third-country entities. Crucially, Level 2 requires that infrastructure, assets, and personnel are located in the Union, whereas Level 1 allows for exceptions if the public sector body explicitly requires otherwise.
  • Level 2 to 3: This tier introduces mandatory Union citizenship for personnel involved in the provision of the service (where appropriate) and requires that the provider and subcontractors are not subject to the control of a third country, unless a specific Commission implementing act allows for an exception under strict conditions (Article 18). It also requires a European cybersecurity certificate of at least "substantial" assurance level.
  • Level 3 to 4: The highest tier requires a European cybersecurity certificate of at least "high" assurance level. It also demands that sensitive data identified through risk assessment remains exclusively within the Union and imposes the strictest controls on third-country influence and software supply chain dependencies.

Because of the cumulative rule in Article 20(1), a Level 4 provider must simultaneously satisfy the "establishment in the Union" requirement of Level 1, the SBOM and Union-localization requirements of Level 2, the Union-citizenship and no-third-country-control requirements of Level 3 (and a certificate of at least "substantial" assurance, which its "high" certificate exceeds), all while meeting the new "high" cybersecurity certificate, the exclusive Union localization of sensitive data, and the strictest third-country-influence and supply-chain controls introduced at Level 4.

Transparency and Ongoing Compliance

Recognition is not a one-time event. Article 23 imposes transparency obligations on recognized providers. A provider that has moved up a tier must report any material change in circumstances that may affect the audit report or the recognition. If a change affects compliance with the higher tier's criteria, the provider must notify the auditing organization and the national competent authority. This can lead to the amendment or revocation of the audit report and the recognition decision.

Furthermore, Article 20(8) requires that the audit report and positive opinion be submitted for annual review. This ensures that the provider maintains the higher tier's standards over time. Failure to maintain these standards can result in the revocation of the recognition, effectively downgrading the provider's status. The cumulative nature of the criteria means that a failure in a lower-tier requirement discovered during an annual review of a higher-tier service can lead to the loss of the higher-tier recognition.

What this means for you

For cloud service providers and data centre operators, moving up a sovereignty tier is a strategic investment that requires significant operational and legal preparation. It is not merely a marketing upgrade but a structural transformation of your service delivery model.

1. Audit Readiness is Non-Negotiable. If you are currently at Level 1 (self-assessed) and wish to move to Level 2, you must immediately begin preparing for a full independent audit. This means ensuring your documentation, including your Software Bill of Materials (SBOM) and data flow diagrams, is audit-ready. You must engage an auditing organization that meets the strict independence criteria of Article 20(4). Do not assume that your internal controls are sufficient; they must be verified by an external, independent body.

2. Cumulative Compliance Checks. Before applying for a higher tier, conduct a gap analysis against all lower-level criteria. Do not assume that meeting Level 3 criteria automatically satisfies Levels 1 and 2. For example, Level 1 tolerates infrastructure outside the Union where the public sector body explicitly requires it, but Level 2 requires infrastructure, assets, and personnel to be located in the Union; a deployment that relies on the Level 1 exception therefore fails the Level 2 criterion and blocks a Level 3 application. A single failure in a lower-tier criterion will result in the rejection of your higher-tier application, and the auditor will check each criterion individually.

3. Personnel and Control Structures. Moving to Level 3 or 4 may require significant changes to your workforce and corporate structure. You may need to verify Union citizenship for key personnel and demonstrate effective legal, technical, and organizational separation from any third-country subsidiaries or controlling entities. Ensure your corporate governance documents and shareholding structures are transparent and can withstand the deep-dive scrutiny of an auditor assessing "control" under Annex II.

4. Engage with National Competent Authorities Early. The recognition process under Article 17 involves a 60-day assessment period followed by a 60-day review by other Member States. Delays can occur if evidence is insufficient. Engage with your national competent authority early to clarify expectations for the specific higher tier you are targeting. Prepare to submit comprehensive evidence, not just the audit opinion.

5. Budget for Annual Reviews. Higher tiers require annual audit reviews (Article 20(8)). Factor these recurring costs and the operational burden of maintaining audit readiness into your business model. The investment in compliance is ongoing, not a one-off cost.

Common misconceptions

Misconception 1: "I can just add the new criteria to my existing certification." Incorrect. CADA does not provide for "upgrading" an existing certificate. You must submit a new application for recognition for the specific higher level you are targeting, accompanied by a new audit report and positive opinion for that level. The previous recognition for the lower level remains valid but is distinct from the new higher-level recognition.

Misconception 2: "If I meet Level 3 criteria, I automatically meet Levels 1 and 2." While the criteria are cumulative, satisfying a higher level does not by itself evidence the lower ones, and the lower levels are worded differently. For instance, Level 1 allows infrastructure outside the Union if the public sector body explicitly requires it, whereas Level 2 requires infrastructure, assets, and personnel to be located in the Union; a provider relying on the Level 1 exception would fail Level 2. You must explicitly demonstrate compliance with the specific wording of each lower level, and the auditor will check each criterion individually. Failure in any lower-level criterion precludes conformity with the higher level.

Misconception 3: "Self-assessment is enough for Level 2 if I have strong internal controls." No. Article 20(1) mandates independent third-party audits for Levels 2, 3, and 4. Self-assessment is only permitted for Level 1. You cannot self-certify for higher tiers.

Misconception 4: "Recognition in one Member State is enough for my national market." Recognition is Union-wide. Article 17(7) states that if no objections are raised during the review period, the service is recognized throughout the Union. You apply to your national competent authority of establishment, but the effect is cross-border. This reduces fragmentation but increases the scrutiny, as other Member States have the right to raise reasoned objections.

This is general information about a draft EU regulation, not legal advice.