Summary

Under the proposed Cloud and AI Development Act (CADA), cloud providers seeking Union Assurance Levels 2, 3, or 4 must prove that all technical and operational support is both initiated and performed exclusively within the Union. This is a dual geographic and operational constraint found in Annex II, Sections 2.1(h) and 3.1(h). While Level 2 requires the activity to be in the EU, Level 3 imposes stricter personnel requirements: support must be performed by Union residents and by third parties not subject to third-country control. Providers cannot rely on self-declaration; they must submit comprehensive evidence to independent auditors under Article 21 and Annex III, including binding contractual clauses, geofenced access logs, and proof of no remote access from outside the EU.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a granular sovereignty framework designed to eliminate risks associated with third-country interference, data access, and operational disruption. A cornerstone of this framework is the "support delivery" criterion. It is not sufficient for a provider to simply store data in the EU; the human and technical processes required to maintain that infrastructure must also remain under Union jurisdiction and control.

The Core Obligation: Initiation and Performance

The primary legal requirement for demonstrating EU-only support delivery is codified in Annex II of the proposal. For Union Assurance Level 2, Section 2.1(h) mandates that:

"the technical and operational support or assistance related to the audited service, including subsequent sub-outsourcing arrangements, are initiated and performed exclusively within the Union."

This same requirement is reiterated for Union Assurance Level 3 in Section 3.1(h). The phrasing "initiated and performed" is legally significant. It closes a potential loophole where a support ticket might be logged in an EU data centre but the actual troubleshooting, configuration, or incident response is executed by an engineer located in a third country. Under CADA, the entire lifecycle of the support interaction, from the moment the request is received to the moment the issue is resolved, must occur within the Union's borders.

Level 3 Specifics: Personnel Residency and Control

The distinction between Level 2 and Level 3 becomes critical when examining the personnel executing the support. While Level 2 focuses on the location of the activity, Level 3 adds a layer of personnel sovereignty.

Annex II, Section 3.1(h) explicitly states that for Level 3, support must be performed:

  1. Exclusively within the Union;
  2. By personnel that are Union residents; and
  3. By third parties that are not subject to the control of a third country or a legal entity established in a third country.

This creates a three-pronged test for Level 3 compliance:

  • Geographic: The work happens in the EU.
  • Residency: The individuals doing the work are residents of the EU (the criterion is residency, not citizenship, although the two often overlap in practice where security clearances are involved).
  • Control: The entity employing these individuals (or the subcontractor providing them) must not be under the control of a non-EU government or legal entity.

This means a provider cannot simply hire a global staffing firm with an EU office if that firm is ultimately controlled by a third-country parent company, unless a specific derogation under Article 18 (associated third countries) applies. The "control" test looks at ownership, voting rights, and the ability to direct strategic decisions, as detailed in Annex III, Section 7.

Audit Evidence Requirements: Article 21 and Annex III

Providers do not self-certify these claims. Article 21 requires that compliance with the criteria in Annex II be verified by an independent auditing organisation. The specific evidence required to prove compliance with the support delivery rules is exhaustively listed in Annex III, Section 8 (Audit criterion H – No technical and operational support outside of the Union).

To secure a "positive" audit opinion, a provider must supply the following evidence to the auditor:

  • Binding Contractual Clauses: The provider must demonstrate the existence of binding contracts stating that all support, administration, maintenance, monitoring, incident response, and operational activities must be initiated and performed exclusively in the Union. These contracts must include clauses requiring advance disclosure of all subcontractors, prior written approval for engaging new subcontractors, and a contractual right to reject any subcontractor located outside the Union.
  • Subcontractor Register: An up-to-date register of all subcontractors involved in the provision of the service, specifically those performing support functions.
  • Proof of No Outsourcing Outside the Union: Evidence demonstrating that the provider does not subcontract or transfer these specific activities outside the Union.
  • Technical Access Controls: Evidence of legal, technical, and organisational measures ensuring no remote access for technical and operational support from outside the Union. This includes proof that help desks, Security Operations Centres (SOC), Network Operations Centres (NOC), privileged access, backup handling, and disaster recovery operations are exclusively provided from the Union.
  • Administrative Access Paths: Evidence that administrative access to systems used to operate the service is provided through access paths located within the Union. This is typically demonstrated through geographically restricted network controls, Union-based administrative infrastructure, and Privileged Access Management (PAM) controls that block non-EU IP ranges.
  • Exit Procedures: Evidence that personnel departing the company have no further access to the audited service and that all access policies are immediately revoked.
  • No Third-Country Control: Procedures and evidence demonstrating that there is no effective control of a third country or legal entity established in a third country over the support functions, including for subsequent sub-outsourcing.

The Role of Article 16 and Recognition

Article 16 establishes the Union cloud computing sovereignty framework comprising four assurance levels. To be recognised as offering a specific level, a provider must submit an application to the national competent authority of establishment. Under Article 17(4), for Levels 2, 3, and 4, this application must include the audit report and a "positive" audit opinion from an independent auditing organisation.

The auditor's opinion is the linchpin of the process. If the auditor finds that support was initiated or performed outside the Union, or that personnel do not meet the residency/control criteria for Level 3, they must issue a negative opinion. Without a positive opinion, the national competent authority cannot recognise the service at that level, effectively barring the provider from public procurement contracts requiring Level 2 or higher.

What this means for you

For CTOs, cloud architects, and public-sector procurement officers, the implications of these rules are immediate and operational:

  1. Map Your Support Chain End-to-End: You must audit every touchpoint of your support delivery. If your global ticketing system auto-routes tickets to the "cheapest available agent" regardless of location, you are likely non-compliant with Annex II 2.1(h) and 3.1(h). You need technical controls (geofencing, routing rules) to lock support routing strictly to EU-based instances.
  2. Scrutinise Subcontractor Agreements: If you outsource SOC, NOC, or help desk functions, your contracts must explicitly forbid work being performed outside the EU. Furthermore, for Level 3, you must verify that your subcontractors themselves are not controlled by third-country entities. A "local" office of a US hyperscaler may not qualify if the ultimate control lies outside the Union.
  3. Verify Personnel Residency (Level 3): For Level 3, HR processes must be updated to verify the residency of all support staff. You must also ensure these staff members are not employed by entities subject to third-country control. This may require a shift in hiring strategies or the use of dedicated, EU-only support teams.
  4. Prepare for Technical Scrutiny: Expect auditors to request access to your PAM logs, network geofencing configurations, and subcontractor registers. "Trust" or verbal assurances are not evidence. Under Annex III, you must provide documented, technical proof that remote access from outside the Union is technically impossible or contractually prohibited and monitored.
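The "Technical Access Controls" and "Administrative Access Paths" evidence in Annex III, and the PAM-log scrutiny anticipated in point 4, both come down to one question an auditor will ask: does any privileged session originate outside an approved Union-located access path? The following is an added illustration, not code from the proposal or from any provider; the JSON audit records, the EU access-path allowlist (RFC 5737 documentation prefixes standing in for real ranges) and the field names are all constructed for the example.

```python
"""Audit constructed PAM log records for administrative sessions not originating from an approved Union-located access path."""
import ipaddress
import json

# Constructed allowlist of the provider's EU-located bastion/PAM egress blocks.
# RFC 5737 documentation prefixes stand in for real EU address ranges.
EU_ACCESS_PATHS = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/24")]
# RFC 1918 space: a private source address proves nothing about geography on its own.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed PAM audit records (JSON lines), not taken from any real system.
SAMPLE_PAM_LOG = """\
{"ts": "2025-03-04T08:12:01Z", "user": "ops.anna", "src": "192.0.2.17", "action": "ssh_session_open", "target": "db-prod-01"}
{"ts": "2025-03-04T08:40:22Z", "user": "ops.joao", "src": "198.51.100.9", "action": "console_login", "target": "hv-cluster-a"}
{"ts": "2025-03-04T22:03:45Z", "user": "vendor.support", "src": "203.0.113.77", "action": "ssh_session_open", "target": "db-prod-01"}
{"ts": "2025-03-05T01:15:09Z", "user": "ops.anna", "src": "10.20.30.40", "action": "rdp_session_open", "target": "mgmt-jump-02"}
{"ts": "2025-03-05T02:00:00Z", "user": "ops.kai", "src": "not-an-ip", "action": "ssh_session_open", "target": "db-prod-02"}
"""

def classify_source(src: str) -> str:
    """'union' if the source is an approved EU access path; 'unattributable' when origin
    cannot be established (private, loopback or unparseable); otherwise 'outside_union'."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "unattributable"
    if any(addr in net for net in EU_ACCESS_PATHS):
        return "union"
    if addr.is_loopback or any(addr in net for net in RFC1918):
        return "unattributable"
    return "outside_union"

def audit_pam_log(log_text: str) -> dict:
    """Bucket every record by classification; anything not 'union' is an audit finding."""
    buckets = {"union": [], "outside_union": [], "unattributable": []}
    for line in filter(str.strip, log_text.splitlines()):
        rec = json.loads(line)
        buckets[classify_source(rec["src"])].append(rec)
    return buckets

def compliance_findings(log_text: str) -> list:
    """One line per finding for the auditor; an empty list means no non-Union access observed."""
    buckets = audit_pam_log(log_text)
    return [f"{r['ts']} {r['user']} -> {r['target']} from {r['src']}: {kind}"
            for kind in ("outside_union", "unattributable") for r in buckets[kind]]

if __name__ == "__main__":
    for finding in compliance_findings(SAMPLE_PAM_LOG):
        print(finding)
```

Unattributable sources (private or malformed) are reported as findings rather than silently passed, because the auditor needs positive evidence that the access path sits in the Union, not merely the absence of a foreign address.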

Common misconceptions

"Data Localization is Enough" No. You can have all data stored in Frankfurt, but if your support engineers are in Bangalore or any other location outside the Union, or even in Dublin but failing the residency/control criteria, you fail the support delivery criteria. CADA explicitly separates data location from the location of support operations.

"Remote Access is Allowed if Encrypted" No. Annex III, Section 8 explicitly requires evidence that there is no remote access for technical and operational support from outside the Union. Encryption of the data stream does not negate the geographic restriction on the initiation and performance of the support task. The support activity itself must originate and conclude within the Union.

"Level 2 and 3 Are the Same for Support" No. While both levels require support to be initiated and performed in the Union, Level 3 adds the critical requirement that personnel must be Union residents and the supporting third parties must not be subject to third-country control. This is a decisive distinction for staffing strategies and outsourcing decisions. A provider might qualify for Level 2 with a mixed-residency team, but would fail Level 3 without a dedicated EU-resident workforce.

"Self-Certification is Sufficient" No. Unlike Level 1, which allows for a self-assessment, Levels 2, 3, and 4 require independent third-party audits under Article 20. The provider must pay for an auditor to verify the evidence listed in Annex III.

This is general information about a draft EU regulation, not legal advice.