Summary
Under the proposed Cloud and AI Development Act (CADA), CTOs do not unilaterally "choose" an assurance level; they must architect to the level mandated by a risk assessment conducted by the contracting authority. Article 30 establishes a baseline requirement of Union Assurance Level 1 for all public sector cloud procurement. However, for activities identified as contributing to the preservation of public order (e.g., defence, justice, critical infrastructure), Article 30(3) mandates the use of services recognised at Level 2, 3, or 4. To select the correct architectural path, a CTO must map their workload's sensitivity, data flows, personnel location, and software supply chain against the cumulative criteria in Annex II. Higher tiers impose stricter constraints on third-country control, personnel citizenship, and cybersecurity certification, directly impacting provider availability and cost.
Detail
The CADA proposal introduces a four-tiered "Union cloud computing sovereignty framework" (Article 16) designed to mitigate risks associated with third-country control, extraterritorial data access, and service disruption. For a CTO or architect, selecting an assurance level is not a commercial preference but a compliance obligation driven by the specific use case defined in the public sector risk assessment (Article 29). The framework is designed to be proportionate: most public services do not require the highest levels of assurance, but critical functions must meet rigorous standards.
The Baseline: Union Assurance Level 1
For the majority of public sector activities not deemed critical to public order, Article 30(2) mandates the use of cloud computing services recognised as offering Union Assurance Level 1. This is the entry point for most enterprise workloads and serves as the minimum baseline for public procurement.
According to Annex II, Section 1, Level 1 requires the following cumulative criteria:
- Establishment: The provider must be established in the Union (Annex II, 1.1(a)).
- Infrastructure Location: Infrastructure and assets, including those of subcontractors, must be located in the Union unless the public sector body explicitly requires otherwise (Annex II, 1.1(b)).
- Data Residency: Customer data, including metadata and telemetry, must remain exclusively within the Union at all times, unless the public sector body explicitly requires otherwise (Annex II, 1.1(c)).
- Subcontracting & Support: If technical support is outsourced outside the Union, the provider must implement legal, technical, and organisational measures to ensure traceability, security, and governance without compromising operational autonomy (Annex II, 1.1(d)).
- Cybersecurity: The service must comply with state-of-the-art cybersecurity standards (Annex II, 1.1(e)).
- Transparency: Full transparency around subcontractors is required, with due diligence and contractual obligations applied (Annex II, 1.1(f)).
- Vulnerability Reporting: If the provider is subject to the control of a third country, they must guarantee that no laws in that third country require reporting software vulnerabilities to third-country authorities before they are known to be exploited (Annex II, 1.1(g)).
Architectural Implication: For Level 1, the primary architectural constraint is geographic. The CTO must ensure that all data processing, storage, and backup occur within EU borders. Crucially, while data must stay in the Union, technical support and operational assistance can be performed outside the Union, provided robust governance measures are in place. This offers the most flexibility for global providers with EU entities.
The Critical Tiers: Union Assurance Levels 2, 3, and 4
When a Member State's risk assessment (Article 29) identifies a public sector activity as contributing to the preservation of public order (e.g., national security, justice, defence, or critical infrastructure under NIS2), Article 30(3) requires the use of services recognised at Union Assurance Level 2, 3, or 4. The specific level is determined by the sensitivity of the data and the criticality of the service.
Union Assurance Level 2: Sensitive Data & Supply Chain Control
Level 2 introduces stricter controls on personnel, data usage, and software supply chains. It is typically used for sensitive but non-classified data where third-country influence must be mitigated.
Key criteria from Annex II, Section 2 include:
- Personnel: If the public sector body determines it necessary, personnel meeting Union citizenship requirements must be available (Annex II, 2.1(d)). This is a conditional requirement, not an absolute mandate for all Level 2 services.
- Cybersecurity Certification: The service must obtain a European cybersecurity certificate of at least assurance level 'substantial' under a scheme established under Regulation (EU) 2019/881 (EUCS), or a national scheme if the EU scheme is not yet available (Annex II, 2.1(e)).
- Data Usage: Data generated by using the service cannot be used to train or fine-tune any AI system operated by a third country or legal entity established in a third country, nor transferred outside the Union (Annex II, 2.1(f)).
- Third-Country Control: If the provider is subject to third-country control, they must demonstrate measures to prevent that control from restricting service delivery, accessing customer data, or disrupting service continuity (Annex II, 2.1(g)).
- Support: Technical and operational support must be initiated and performed exclusively within the Union (Annex II, 2.1(h)). This is a significant shift from Level 1.
- Software Supply Chain: The provider must maintain a complete and up-to-date Software Bill of Materials (SBOM) and list of dependencies (Annex II, 2.1(i)(i)). For third-country software, controls must block remote features that could tamper with or disrupt the system, and security-relevant components must be subject to source code audits (Annex II, 2.1(i)(ii)).
Union Assurance Level 3: High Sovereignty & Personnel Citizenship
Level 3 is designed for highly sensitive data, potentially including classified information. It imposes near-total exclusion of third-country influence and stricter personnel requirements.
Key criteria from Annex II, Section 3 include:
- Personnel Citizenship: All personnel involved in providing the service, including subcontractors, must be Union citizens (Annex II, 3.1(d)). National security clearance may be required for handling classified information. Unlike Level 2, this is a mandatory condition for the personnel involved in the service provision.
- Third-Country Control: The provider and subcontractors must not be subject to the control of a third country or a legal entity established in a third country. A derogation exists only if the Commission has adopted an implementing act under Article 18 identifying a specific third country as providing sufficient assurances (Annex II, 3.1(g)). Note: The draft text cross-references Article 19 in some contexts, but the correct legal basis for third-country derogations is Article 18.
- Support: Support must be performed exclusively within the Union by Union residents and third parties not subject to third-country control (Annex II, 3.1(h)).
- Cybersecurity Certification: The service must obtain a European cybersecurity certificate of at least assurance level 'substantial' (Annex II, 3.1(e)).
- Subcontractors: Subcontractors may require access to classified or sensitive information and must meet the same strict criteria (Annex II, 3.2).
Union Assurance Level 4: Maximum Sovereignty & High Security
Level 4 represents the highest level of sovereignty, intended for the most critical public order activities where the risk of third-country interference is unacceptable.
Key criteria from Annex II, Section 4 include:
- Cybersecurity Certification: The service must obtain a European cybersecurity certificate of at least assurance level 'high' (Annex II, 4.1(e)). This distinguishes it from Level 3, which requires 'substantial'.
- Third-Country Control: Absolute prohibition on third-country control over the provider and subcontractors (Annex II, 4.1(g)). No derogation is available for Level 4.
- Software Control: The provider must demonstrate effective control over software components, ensuring no third country holds effective control over the design, development, maintenance, or evolution of those components (Annex II, 4.1(i)(ii)).
- Data: Sensitive data identified via risk assessment must remain exclusively within the Union (Annex II, 4.1(c)).
- Personnel: All personnel must be Union citizens (Annex II, 4.1(d)).
Balancing Sovereignty, Cost, and Provider Availability
CTOs must balance these strict technical requirements against commercial realities. Higher assurance levels significantly reduce the pool of eligible providers, as fewer vendors can meet the stringent personnel, supply chain, and certification requirements.
- Cost Implications: Levels 2–4 require independent third-party audits (Article 20), which are costly and time-consuming. Additionally, restricting support to Union-based personnel (Level 2+) and requiring Union citizenship (Level 3+) increases operational costs due to labour market constraints.
- Provider Availability: As noted in the Explanatory Memorandum, the EU market share of EU providers has decreased, and non-EU hyperscalers dominate. Many global providers may not qualify for Levels 3 or 4 due to third-country control issues or inability to restrict support personnel to Union citizens. CTOs must verify early in the procurement process whether their preferred vendor holds the necessary recognition in the central repository (Article 22).
- Multi-Cloud Strategies: Article 29(9) encourages Member States and Union entities to consider whether a multi-vendor or multi-cloud strategy is appropriate to enhance resilience. A CTO might architect a solution where non-critical workloads run on Level 1 providers, while sensitive data resides on Level 3 or 4 providers, ensuring compliance without over-engineering the entire estate.
What this means for you
For CTOs and architects, the CADA proposal shifts the burden of proof from "best effort" to "demonstrable compliance." Your architectural decisions must be defensible against the specific criteria in Annex II.
- Map Your Workloads: Immediately categorize your public sector workloads based on the risk assessment criteria in Article 29. Identify which services process data related to national security, justice, or critical infrastructure. These will likely require Level 2–4.
- Audit Your Supply Chain: For any workload targeting Level 2 or higher, you must be able to produce a Software Bill of Materials (SBOM) and demonstrate control over third-country software components. Review your use of open-source libraries and third-country SDKs; ensure you have mechanisms to block remote tampering features (Annex II, 2.1(j)).
- Verify Provider Recognition: Do not assume a provider is compliant. Check the central repository (Article 22) for services recognised at the required Union Assurance Level. For SMEs, note that EU statements of conformity for Level 1 are automatically recognised in all Member States (Article 17(3)), simplifying cross-border sales.
- Plan for Audits: Levels 2–4 require annual independent audits (Article 20(8)). Factor the cost and operational overhead of these audits into your budget. Ensure your provider has a process for annual review and can quickly report material changes that might affect their status (Article 23).
- Design for Data Residency: Architect your data flows to ensure strict EU residency. Data may leave the Union only where the public sector body explicitly waives residency, which is possible at Levels 1 and 2; at Levels 3 and 4, sensitive data must remain in the Union under all circumstances. Disable any telemetry or diagnostic features that might transmit metadata outside the EU.
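To make the mapping exercise concrete, the following is an added policy-as-code illustration, written for this article and not part of the CADA proposal or any provider's tooling. It encodes a subset of the Annex II points summarised in the level sections above as rules, derives the Article 30 floor from a workload's risk-assessment outcome, and reports the gap between the level a workload needs and the level a service profile actually reaches. The field names, the three service profiles, the workloads, and the assumption that each level must also satisfy every rule of the levels below it are all constructed for the example; the legal text carries more detail than these rules.

```python
"""Policy-as-code check of a cloud service profile against the CADA Union
Assurance Level criteria as summarised in this article.

Added example, not part of the CADA proposal or of any provider's tooling.
The rules encode a subset of the Annex II points summarised above (not the
legal text); field names, sample profiles and workloads are constructed."""

from dataclasses import dataclass

# Assurance levels of a European cybersecurity certificate (Regulation (EU) 2019/881), ranked.
CERT_RANK = {"none": 0, "basic": 1, "substantial": 2, "high": 3}


@dataclass(frozen=True)
class ServiceProfile:
    """Facts a CTO would collect about one cloud service (constructed field names)."""
    established_in_union: bool
    infra_in_union: bool
    data_in_union: bool                  # customer data incl. metadata and telemetry
    support_in_union: bool               # support initiated and performed in the Union
    outsourced_support_governed: bool    # 1.1(d) measures when support is outside the Union
    cert_level: str                      # "none" | "basic" | "substantial" | "high"
    third_country_control: bool
    vuln_reporting_guarantee: bool       # 1.1(g): no forced pre-exploitation disclosure abroad
    third_country_mitigations: bool      # 2.1(g): control cannot restrict, access or disrupt
    article_18_derogation: bool          # Commission implementing act covers that third country
    sbom_maintained: bool                # 2.1(i)(i)
    remote_tamper_blocked: bool          # 2.1(i)(ii)
    source_code_audits: bool             # 2.1(i)(ii)
    no_third_country_ai_training: bool   # 2.1(f)
    personnel_union_citizens: bool       # 3.1(d) / 4.1(d)
    software_control_demonstrated: bool  # 4.1(i)(ii)


@dataclass(frozen=True)
class Workload:
    name: str
    public_order: bool            # contributes to the preservation of public order
    risk_assessed_level: int      # level the Article 29 risk assessment asks for
    body_requires_citizens: bool  # public sector body invokes the conditional 2.1(d) requirement


# (lowest level at which the rule applies, Annex II point, predicate). Modelling
# assumption: a level must also satisfy every rule of the levels below it.
RULES = [
    (1, "1.1(a) established in the Union", lambda p, w: p.established_in_union),
    (1, "1.1(b) infrastructure in the Union", lambda p, w: p.infra_in_union),
    (1, "1.1(c) data stays in the Union", lambda p, w: p.data_in_union),
    (1, "1.1(d) outsourced support governed", lambda p, w: p.support_in_union or p.outsourced_support_governed),
    (1, "1.1(g) no forced vulnerability reporting abroad", lambda p, w: not p.third_country_control or p.vuln_reporting_guarantee),
    (2, "2.1(d) Union-citizen personnel where required", lambda p, w: not w.body_requires_citizens or p.personnel_union_citizens),
    (2, "2.1(e) certificate at least 'substantial'", lambda p, w: CERT_RANK[p.cert_level] >= CERT_RANK["substantial"]),
    (2, "2.1(f) no third-country AI training on service data", lambda p, w: p.no_third_country_ai_training),
    (2, "2.1(g) third-country control mitigated", lambda p, w: not p.third_country_control or p.third_country_mitigations),
    (2, "2.1(h) support exclusively in the Union", lambda p, w: p.support_in_union),
    (2, "2.1(i)(i) SBOM maintained", lambda p, w: p.sbom_maintained),
    (2, "2.1(i)(ii) remote tampering blocked, source audited", lambda p, w: p.remote_tamper_blocked and p.source_code_audits),
    (3, "3.1(d) all personnel Union citizens", lambda p, w: p.personnel_union_citizens),
    (3, "3.1(g) no third-country control (or Article 18 derogation)", lambda p, w: not p.third_country_control or p.article_18_derogation),
    (4, "4.1(e) certificate at least 'high'", lambda p, w: CERT_RANK[p.cert_level] >= CERT_RANK["high"]),
    (4, "4.1(g) no third-country control, no derogation", lambda p, w: not p.third_country_control),
    (4, "4.1(i)(ii) effective control over software components", lambda p, w: p.software_control_demonstrated),
]


def required_level(w: Workload) -> int:
    """Article 30 floor: Level 1 for ordinary activities, at least Level 2 for
    public-order activities, never below what the risk assessment demands."""
    floor = 2 if w.public_order else 1
    return max(floor, w.risk_assessed_level)


def failures(p: ServiceProfile, w: Workload, level: int) -> list[str]:
    """Annex II points the service misses for `level` (empty list = criteria met)."""
    return [point for lvl, point, ok in RULES if lvl <= level and not ok(p, w)]


def highest_level(p: ServiceProfile, w: Workload) -> int:
    """Highest level whose cumulative criteria the service meets; 0 if not even Level 1."""
    achieved = 0
    for level in (1, 2, 3, 4):
        if failures(p, w, level):
            break
        achieved = level
    return achieved


def gap_report(p: ServiceProfile, w: Workload) -> dict:
    """What the CTO has to defend: the required level, what the service reaches, and the gap."""
    need = required_level(w)
    missing = failures(p, w, need)
    return {"workload": w.name, "required": need, "achieved": highest_level(p, w),
            "compliant": not missing, "missing": missing}


# Constructed sample profiles (not real providers); argument order follows ServiceProfile.
GLOBAL_EU_ENTITY = ServiceProfile(True, True, True, False, True, "substantial", True, True, True,
                                  False, True, True, True, True, False, False)
EU_PROVIDER_SUBSTANTIAL = ServiceProfile(True, True, True, True, True, "substantial", False, True,
                                         True, False, True, True, True, True, True, False)
EU_PROVIDER_HIGH = ServiceProfile(True, True, True, True, True, "high", False, True, True, False,
                                  True, True, True, True, True, True)

# Constructed workloads standing in for Article 29 risk-assessment outcomes.
CITIZEN_PORTAL = Workload("citizen information portal", False, 1, False)
JUSTICE_CASE_SYSTEM = Workload("court case management", True, 3, False)
DEFENCE_LOGISTICS = Workload("defence logistics planning", True, 1, True)  # floor lifts this to 2
```

Running `gap_report(GLOBAL_EU_ENTITY, JUSTICE_CASE_SYSTEM)` shows the pattern the article warns about: a global provider's EU entity clears Level 1 (support outside the Union is acceptable there when governed), but for a Level 3 workload it is stopped by support location, personnel citizenship and third-country control at once, so switching regions alone would not close the gap. The rule table is the place to extend when the Annex II wording settles; keeping each point as one predicate is what makes the resulting decision defensible item by item.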
Common misconceptions
- "We can choose the highest level for all services." While technically possible if the provider offers it, this is often economically inefficient and unnecessary. The framework is designed to be proportionate, and most public services do not require the highest levels of assurance. Over-specifying can limit provider choice and increase costs without adding meaningful security benefits for non-critical workloads.
- "Level 1 allows data to leave the EU freely." No. Even at Level 1, customer data must remain exclusively within the Union unless the public sector body explicitly requires otherwise (Annex II, 1.1(c)). The default is strict residency; exceptions must be contractually specified.
- "Open-source software is automatically compliant." Not necessarily. While open source promotes transparency, Annex II requires specific controls for open-source components used in Levels 2–4. Providers must demonstrate controls to prevent remote features from tampering with the system (Annex II, 2.1(j), 3.1(j), 4.1(j)). Simply using open source does not exempt you from supply chain security obligations.
- "Non-EU providers can never qualify for Level 3." This is largely true but with a narrow exception. Level 3 generally prohibits third-country control (Annex II, 3.1(g)). However, the Commission may adopt an implementing act under Article 18 identifying a third country as providing sufficient assurances, allowing providers from that country to be audited for Level 3. This is currently a high bar and subject to strict political and legal criteria.
- "L3 cybersecurity certification is 'high'." No. Under Annex II, Level 3 requires a cybersecurity certificate of at least 'substantial' assurance. Only Level 4 requires a 'high' assurance level (Annex II, 3.1(e) vs 4.1(e)). Confusing these tiers can lead to non-compliant procurement.
This is general information about a draft EU regulation, not legal advice.