Summary
As proposed, to be recognised at Union assurance level 3 under the Cloud and AI Development Act (CADA), a provider must undergo an independent third-party audit and obtain a "positive" audit opinion confirming compliance with the Annex II level 3 criteria (Article 20). It then submits the audit report, the positive opinion and all audit evidence to the national competent authority of its establishment (Article 17(4)), which evaluates the file and, if satisfied, runs an EU-wide review before recognition takes effect across the Union. A provider subject to third-country control can reach level 3 only if the Commission has designated the controlling country as an "associated third country" under Article 18.
Detail
Level 3 is one of the higher tiers in CADA's four-level sovereignty framework, intended for public sector activities that contribute to the preservation of public order. Unlike level 1, which relies on a conformity self-assessment, level 3 requires external verification through audit.
Step 1: Conduct an independent third-party audit
Before approaching any authority, a provider must demonstrate compliance with the level 3 criteria in Annex II, point 3.1. Under Article 20(1), providers seeking levels 2, 3 or 4 must undergo, at their own expense, independent third-party audits to obtain an audit report and audit opinion. A provider audited at a higher level must satisfy all cumulative criteria of the lower levels; failure to meet any lower-level requirement precludes conformity with the higher level (Article 20(1)).
The auditing organisation assesses the provider against the level 3 criteria, which include:
- Establishment and location: the provider and its in-scope subcontractors are established in the Union, with infrastructure, assets and personnel located in the Union (Annex II, points 3.1(a)-(b)).
- Data localisation: customer data, including metadata and telemetry, remains exclusively within the Union unless the public sector body explicitly requires otherwise (Annex II, point 3.1(c)).
- Personnel: personnel involved in the service are Union citizens and, where appropriate, hold the necessary national security clearance from a Member State when handling classified information (Annex II, point 3.1(d)).
- Cybersecurity certification: the service obtains a European cybersecurity certificate of at least the "substantial" level under a cloud certification scheme to be established under Regulation (EU) 2019/881; until such a scheme exists, national schemes apply where they exist, failing which the provider demonstrates compliance with the highest cybersecurity standards under applicable Union law (Annex II, point 3.1(e)).
- Absence of third-country control: the provider and its in-scope subcontractors are not subject to the control of a third country or a legal entity established in a third country, subject to the associated-third-country derogation (Annex II, point 3.1(g)).
The audit also covers technical and operational support being initiated and performed exclusively within the Union by Union-resident personnel and by third parties not subject to third-country control (Annex II, point 3.1(h)), and software supply chain measures including an SBOM (Annex II, point 3.1(i)).
Article 20 requires providers to cooperate with auditors, including granting access to relevant data and premises (Article 20(2)). The audit report must be substantiated in writing and include a "positive" or "negative" opinion; a positive opinion identifies the assurance level to be recognised (Article 20(5)(g), (i)).
Step 2: Handle third-country control via associated third countries
The requirement not to be subject to third-country control is a major hurdle for many globally controlled providers. CADA provides a narrow pathway. Article 18 would empower the Commission to identify, by implementing act, third countries whose providers - although subject to that country's control - may be audited against the level 3 criteria. To qualify, the third country must meet cumulative criteria including:
- a relevant adequacy decision under Article 45 of the GDPR (Article 18(1)(a));
- no measures enabling control that would conflict with the lawful-access requirements for non-personal data in Article 32(2)-(3) of the Data Act (Article 18(1)(b));
- no measures to compel the provider to degrade or disrupt service, and no measures obliging compliance with illegitimate restrictive measures (Article 18(1)(c));
- no measures impeding the supply of state-of-the-art technologies (Article 18(1)(d)); an open market for Union cloud services (Article 18(1)(e)); and reciprocal procurement access (Article 18(1)(f)).
Where a third country is designated, controlled providers may proceed to audit for level 3 but must still demonstrate the safeguards in Annex II, point 3.1(g)(i)-(iv) (no restraint on service delivery, prevention of third-country data access, prevention of service disruption, and no obligation to apply illegitimate restrictive measures). Without a designation, a provider subject to third-country control cannot achieve level 3.
Step 3: Submit the application for recognition
With a positive opinion in hand, the provider applies for recognition. Under Article 17(4), for levels 2, 3 and 4 the candidate must submit to the national competent authority of establishment the audit report, the "positive" audit opinion referred to in Article 20, and all evidence provided to the auditing organisation.
That authority becomes the evaluating national competent authority (Article 17(2)) and has 60 days from accepting the application to assess the evidence (Article 17(5)). If the evidence is sufficient, it prepares a draft recognition decision and notifies the other Member States' competent authorities for a 60-day review period (Article 17(5)(a)). During that period, other authorities may submit a reasoned objection or request for clarification where they consider the draft does not comply with the Annex II criteria (Article 17(6)).
If no reasoned objection or clarification request is submitted, the conclusions are deemed accepted, the evaluating authority adopts the recognition decision, and the service is recognised throughout the Union at level 3 (Article 17(7)). If a reasoned objection is submitted, the evaluating authority assesses it and either maintains or revokes its draft decision (Article 17(9)); where it intends to maintain the draft, the objecting authority may refer the matter to the Commission, which adopts a binding decision (Article 17(10)).
Step 4: Maintain recognition and transparency
Recognition is not a one-off. Under Article 23, on becoming aware of any material change in circumstances that may affect the audit report, the positive opinion or the recognition, the provider must notify the auditing organisation and the national competent authority of establishment as soon as possible. The auditing organisation may then amend or revoke the report or opinion, which can lead the authority to amend or revoke recognition. In addition, the provider must annually submit the audit report and positive opinion for review by an auditing organisation, which may confirm, update or revoke them (Article 20(8)). Recognised services are registered in the Commission's central repository, which is publicly available; revocations remain published there for five years (Article 22).
What this means for you
For providers and data centre operators targeting the EU public sector, level 3 is a demanding but defined route.
- Budget and plan for audit: you cannot self-certify for level 3. Engage an auditing organisation that meets the independence and competence requirements of Article 20(4), including no related non-audit services in the 12 months before or after the audit and no prior audit of you in the preceding 10 years.
- Verify your control structure: if you are controlled by a non-EU entity, check whether the controlling country is designated under Article 18. If not, you cannot reach level 3 and may need to restructure so the EU entity is not subject to third-country control, or target level 1 or 2 instead.
- Engage early with your competent authority: the process runs through a 60-day evaluation and a 60-day cross-border review. A complete, well-evidenced file reduces the risk of a request for further information that suspends the clock (Article 17(5)(b)).
- Maintain continuous compliance: submit the audit report and opinion for annual review (Article 20(8)) and report material changes promptly (Article 23). Failure to do so can lead to amendment or revocation of recognition.
Common misconceptions
- "An SME can self-assess for level 3." No. Self-assessment under Article 19 applies only to level 1. Levels 2, 3 and 4 require independent third-party audits regardless of company size.
- "Any non-EU-controlled provider can get level 3 if it follows EU law." No. Providers subject to third-country control are excluded from level 3 unless the controlling country is designated as an associated third country under Article 18, and even then the Annex II, point 3.1(g) safeguards must be met.
- "Level 3 recognition is permanent." No. It is subject to annual review of the audit report and opinion (Article 20(8)) and may be revoked if material changes occur or transparency obligations are breached (Article 23). Recognition may also be revoked where incorrect or misleading information was supplied (Article 17(11)).
Official sources
- GDPR (Regulation (EU) 2016/679)
- Cybersecurity Act (Regulation (EU) 2019/881)
- Data Act (Regulation (EU) 2023/2854)
Related
- How does a provider get recognised at CADA assurance level 4?
- How does a provider get recognised at CADA assurance level 2?
- How does a cloud provider get recognised at CADA assurance level 1?
- CADA: What happens to an assurance level if a provider is acquired by a non-EU company?
- What criteria must a provider meet for CADA assurance level 4?
This is general information about a draft EU regulation, not legal advice.