Summary
Under the proposed Cloud and AI Development Act (CADA), a provider evidences operational autonomy by demonstrating that outsourcing technical support to third parties outside the Union does not compromise its ability to act independently. This requires implementing specific legal, technical, and organizational measures that ensure full traceability, security, and governance of those operations. As proposed in Annex II, Section 1.1(d), the provider must ensure that these operations "do not, in any way, compromise the operational autonomy of the cloud computing service provider." Providers must document these controls and supply the specific evidence listed in Annex III to auditors to prove that external dependencies do not undermine the service's sovereignty or continuity.
Detail
As proposed, CADA establishes a Union cloud computing sovereignty framework to mitigate risks associated with dependence on third-country providers. A core component of this framework is the requirement for cloud computing service providers to maintain operational autonomy, even when they rely on subcontractors or external support entities located outside the European Union. This requirement is distinct from data localisation; it focuses on the provider's ability to control the service without external interference.
The Legal Requirement: Annex II 1.1(d)
The requirement for operational autonomy is explicitly defined in Annex II, Section 1.1(d) of the proposal. For a service to qualify for Union assurance level 1, the provider must ensure that if it outsources technical and operational support or assistance to third-party service providers outside the Union, it implements the necessary legal, technical, and organizational measures.
The text of the proposal is precise: these measures must ensure the traceability, security and governance of those operations. Crucially, the provision states that these operations "do not, in any way, compromise the operational autonomy of the cloud computing service provider."
This creates a conditional permission: outsourcing outside the Union is not banned at Level 1, but it is strictly conditional on the provider's ability to prove that the external party cannot dictate service terms, access data without authorization, or disrupt continuity. The burden of proof lies entirely with the provider to demonstrate that the "chain of command" remains within the Union.
The Role of Audit Evidence: Annex III
While Annex II sets the criteria, Annex III details the specific audit evidence required to prove compliance. Under Article 21, audit evidence must be "relevant and sufficient" and "reliable." For operational autonomy specifically, the auditing organization must assess the provider's compliance by examining documented evidence of the measures in place.
The proposal outlines specific evidence categories that auditors will scrutinize to verify that traceability, security, and governance are maintained:
- Traceability and Monitoring: Auditors will look for evidence that all support activities initiated by the external third party are logged, monitored, and attributable. The provider must demonstrate that it retains visibility into all actions taken by the subcontractor. This includes maintaining an up-to-date subcontractor register and evidence that the provider does not transfer activities outside the Union without strict controls. The provider must show that administrative access to systems is provided through access paths located within the Union, often demonstrated through geographically restricted network controls and privileged access management (PAM) logs.
- Security and Access Control: Technical evidence is required to prove that external support does not create unauthorized access paths to customer data or infrastructure. This includes network diagrams illustrating the exclusive use of Union-based infrastructure for data storage and processing, even if support is remote. Auditors will examine access logs, support access policies, and privileged access records to ensure that third parties cannot access customer data without prior authorization. The provider must also demonstrate that there is no remote access for technical support from outside the Union that bypasses Union-based administrative infrastructure.
- Governance and Contractual Rights: Documentation must show that the provider retains ultimate decision-making power. This includes binding contractual clauses stating that all support, administration, and maintenance must be initiated and performed exclusively in the Union (or strictly controlled if outside). Contracts must include rights to audit the subcontractor, terminate support arrangements if autonomy is threatened, and enforce compliance with Union legal obligations. The provider must also demonstrate that it has procedures to ensure that personnel departing from the company (including subcontractors) have no further access to the service.
The Audit Opinion and Article 20
The audit process is governed by Article 20, which requires an independent third-party audit for assurance levels 2, 3, and 4, and a self-assessment for Level 1 (though Level 1 providers outsourcing outside the Union must still demonstrate compliance with the Annex II criteria). The auditing organization prepares an audit report that includes a 'positive' or 'negative' audit opinion.
A 'positive' opinion is given only where all evidence shows that the provider complies with the audit criteria, including the operational autonomy requirements. If the audit opinion is 'negative', the provider cannot be recognized as offering the relevant Union assurance level. The report must include operational recommendations on specific measures to achieve compliance if the opinion is negative.
Evolution at Higher Assurance Levels
While Annex II 1.1(d) applies to Level 1, the requirement for operational autonomy becomes stricter at higher levels. For Union assurance levels 2, 3, and 4, the criteria in Annex II (Sections 2.1(h), 3.1(h), and 4.1(h)) require that technical and operational support or assistance be initiated and performed exclusively within the Union, by personnel that are Union residents, and by third parties that are not subject to the control of a third country.
At these higher levels, the "outsourcing outside the Union" permission of Level 1 is effectively removed for technical support. However, the audit evidence in Annex III remains critical to ensure that any remaining external links (e.g., software supply chains, global subsidiaries) do not allow third-country authorities to exert control, disrupt continuity, or access data. The focus shifts from "proving control over external support" to "proving the absence of external support."
What this means for you
For CTOs, architects, and SMEs evaluating their cloud infrastructure, evidencing operational autonomy requires a shift from informal vendor relationships to rigorously documented and technically enforced governance.
1. Review and Rewrite Outsourcing Contracts
If you outsource technical support to providers outside the EU, your contracts must explicitly address operational autonomy. Standard Service Level Agreements (SLAs) are insufficient. You need clauses that guarantee your right to audit, restrict the subcontractor's ability to act on instructions from third-country authorities, and ensure all actions are logged and traceable. Contracts must explicitly state that the provider retains the right to reject any subcontractors located outside the Union if they cannot meet the autonomy criteria.
2. Implement Technical Controls for Traceability
You must demonstrate technical oversight. This means implementing monitoring tools that log all activities performed by external support teams. You need to show that these teams cannot access customer data without your explicit authorization and that their access is limited to the minimum necessary for support. Implement geographically restricted network controls to ensure administrative access paths are located within the Union.
3. Prepare for the Audit
Auditors will request evidence of your governance framework. Maintain up-to-date documentation of your security policies, access controls, and incident response procedures related to outsourced support. Ensure that your audit trails are comprehensive and that you can demonstrate how you monitor and govern external operations. The audit report must be able to substantiate that the provider's operational autonomy is preserved.
4. Assess Risk Continuously
Conduct a risk assessment to identify how outsourcing impacts your operational autonomy. If a subcontractor's actions could disrupt service or expose data, you must implement mitigating measures. Document these measures and how they ensure autonomy. Remember that under Article 23, you must notify the auditing organization and the competent authority of any material change in circumstances that may affect the audit report or opinion.
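The Annex III evidence categories above (traceability, access control, governance) and step 2 of this checklist describe what a reviewer has to be able to reconstruct from privileged-session records: who acted, on whose behalf, through which Union-based access path, and under which prior authorization. The following Python script is an added illustration of such a check, not code from the proposal or from any provider; the subcontractor register, the bastion names, the session field names and the sample records are all constructed for the example. It walks a JSON-lines export of support sessions and reports, per session, which control is missing, and tallies sessions attributable to registered third-country entities so that the count can be reconciled against the subcontractor register.

```python
"""Control-gap check over outsourced support sessions (added example; all
names, fields and records below are constructed assumptions, not CADA text)."""
import json
from typing import Dict, List

# Constructed subcontractor register: entity -> country of the support entity.
SUBCONTRACTOR_REGISTER = {
    "support-vendor-a": "IN",   # third-country support entity (the Level 1 case)
    "ops-team-internal": "DE",  # Union-based operations team
}

EU_MEMBER_STATES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
}

# Union-located administrative access paths (hypothetical bastion host names).
UNION_ACCESS_GATEWAYS = {"bastion-eu-fra-1", "bastion-eu-ams-1"}

# Constructed privileged-session export, one JSON object per line, in the shape
# a PAM tool or bastion might produce. The field names are assumptions.
SAMPLE_SESSIONS = """
{"session_id": "s-1001", "entity": "support-vendor-a", "operator": "a.kumar", "source_country": "IN", "gateway": "bastion-eu-fra-1", "authorization_ref": "CHG-2201", "customer_data_touched": true, "commands_logged": true}
{"session_id": "s-1002", "entity": "support-vendor-a", "operator": "r.singh", "source_country": "IN", "gateway": null, "authorization_ref": null, "customer_data_touched": false, "commands_logged": true}
{"session_id": "s-1003", "entity": "unknown-contractor", "operator": "", "source_country": "US", "gateway": "bastion-eu-ams-1", "authorization_ref": null, "customer_data_touched": true, "commands_logged": false}
{"session_id": "s-1004", "entity": "ops-team-internal", "operator": "m.mueller", "source_country": "DE", "gateway": "bastion-eu-fra-1", "authorization_ref": "CHG-2210", "customer_data_touched": true, "commands_logged": true}
"""


def check_session(rec: dict) -> List[str]:
    """Return the control gaps found in one session record (empty means clean)."""
    problems: List[str] = []
    # Governance: every acting entity must appear in the subcontractor register.
    if rec.get("entity") not in SUBCONTRACTOR_REGISTER:
        problems.append("entity not in subcontractor register")
    # Traceability: each action must be attributable to a named operator.
    if not rec.get("operator"):
        problems.append("no named operator, session not attributable")
    # Access path: administration must enter through Union-based infrastructure;
    # a session with no Union gateway is a direct path that bypasses it.
    if rec.get("gateway") not in UNION_ACCESS_GATEWAYS:
        side = "outside" if rec.get("source_country") not in EU_MEMBER_STATES else "inside"
        problems.append(f"access path bypasses Union-based gateway (source {side} the Union)")
    # Security: customer data only against a recorded prior authorization.
    if rec.get("customer_data_touched") and not rec.get("authorization_ref"):
        problems.append("customer data accessed without prior authorization")
    # Traceability: command-level recording must have been active.
    if not rec.get("commands_logged"):
        problems.append("session commands not recorded")
    return problems


def _records(jsonl: str):
    for line in jsonl.splitlines():
        if line.strip():
            yield json.loads(line)


def audit_sessions(jsonl: str) -> Dict[str, List[str]]:
    """Map session_id -> list of gaps, for every session that fails a check."""
    findings: Dict[str, List[str]] = {}
    for rec in _records(jsonl):
        problems = check_session(rec)
        if problems:
            findings[rec["session_id"]] = problems
    return findings


def third_country_sessions(jsonl: str) -> Dict[str, int]:
    """Count sessions per registered entity located outside the Union; this is
    the figure that has to reconcile with the subcontractor register."""
    counts: Dict[str, int] = {}
    for rec in _records(jsonl):
        country = SUBCONTRACTOR_REGISTER.get(rec.get("entity"))
        if country is not None and country not in EU_MEMBER_STATES:
            counts[rec["entity"]] = counts.get(rec["entity"], 0) + 1
    return counts


if __name__ == "__main__":
    for sid, gaps in audit_sessions(SAMPLE_SESSIONS).items():
        print(sid, "->", "; ".join(gaps))
    print("third-country support sessions:", third_country_sessions(SAMPLE_SESSIONS))
```

Run against the constructed records, sessions s-1001 and s-1004 pass, s-1002 is flagged for entering without a Union gateway, and s-1003 is flagged on four counts (unregistered entity, no operator, customer data without authorization, no command recording). Each flagged line is the kind of gap an auditor would read as a traceability, security or governance failure; the point of keeping the checks separate is that the evidence file can then state which Annex II measure each gap maps to rather than a single pass/fail.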
Common misconceptions
Misconception 1: Operational autonomy means no outsourcing. Incorrect. CADA allows outsourcing technical support outside the Union at Level 1, provided the provider implements measures to ensure traceability, security, and governance. The key is not the absence of outsourcing, but the presence of controls that prevent the subcontractor from compromising autonomy. At Levels 2, 3, and 4, however, support must be performed exclusively within the Union.
Misconception 2: Compliance is a one-time certification. Incorrect. Operational autonomy must be maintained continuously. Audits are annual for higher levels, and providers must report material changes that could affect their autonomy. If a subcontractor's practices change, the provider must reassess and update its controls and documentation immediately.
Misconception 3: Legal contracts alone are sufficient. Incorrect. While legal measures are essential, CADA requires technical and organizational measures as well. You must demonstrate technical controls (e.g., logging, access restrictions, geofencing) that enforce the contractual obligations. Auditors will look for technical evidence, not just paper trails.
This is general information about a draft EU regulation, not legal advice.