Summary
To obtain Union Assurance Level 4 recognition under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider must undergo a rigorous independent third-party audit resulting in a "positive" audit opinion, as mandated by Article 20. The provider must then submit this audit report, the opinion, and all supporting evidence to the national competent authority of establishment for formal recognition under Article 17(4). Crucially, Level 4 is not a standalone tier; Article 20(1) explicitly requires that a provider satisfy all cumulative criteria for Levels 1, 2, and 3 before meeting the additional, stricter requirements of Level 4. This ensures the highest degree of sovereignty, including strict data localisation, Union-only personnel, and absolute absence of third-country control.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a tiered sovereignty framework designed to safeguard the Union's public order. Union Assurance Level 4 represents the apex of this framework, intended for the most critical public sector activities, such as those involving national security, defence, justice, or the processing of classified information. The path to recognition is a multi-stage process combining strict technical criteria with a formalised administrative procedure.
1. The Cumulative Nature of Assurance Levels
A fundamental principle of the CADA sovereignty framework is that assurance levels are cumulative. A provider cannot "skip" levels or apply solely for Level 4 without demonstrating compliance with the foundational tiers.
Article 20(1) states unequivocally that an audited provider undergoing an audit procedure at a higher Union assurance level "shall satisfy all the applicable cumulative criteria under Annex II applicable to the lower Union assurance levels." It further clarifies that "failure to meet any requirements of a lower assurance level shall preclude conformity with the higher Union assurance levels."
Therefore, to qualify for Level 4, a provider must first demonstrate compliance with:
- Level 1: Basic establishment in the Union, data localisation, and transparency regarding subcontractors.
- Level 2: Enhanced cybersecurity certification (at least "substantial" assurance), stricter controls on data usage for AI training, and comprehensive software supply chain measures.
- Level 3: Mandatory Union citizenship for personnel (unless a public body explicitly waives this), and strict guarantees against third-country control over the provider.
- Level 4: The highest tier, which adds requirements for a "high" assurance level cybersecurity certificate, specific handling of sensitive data identified via risk assessment, and absolute guarantees that no third country holds effective control over the software supply chain.
This cumulative structure ensures that the highest level of sovereignty is built upon a verified foundation of lower-level compliance.
2. The Independent Audit Requirement (Article 20)
Unlike Level 1, which permits a conformity self-assessment, Level 4 strictly requires external verification. Article 20 mandates that providers seeking recognition at Levels 2, 3, or 4 must undergo independent third-party audits at their own expense.
Audit Scope and Independence
The auditing organisation must be independent from the provider and free of conflicts of interest. Article 20(4) details strict independence requirements:
- The auditor must not have provided non-audit services related to the audited matters to the provider (or connected legal persons) in the 12-month period before the audit, and must commit to not providing them in the 12-month period after.
- The auditor must not have provided auditing services to the provider in the 10-year period before the audit.
- Fees must not be contingent on the result of the audit.
Audit Evidence and Criteria
The audit is conducted against the criteria set out in Annex II and the evidence listed in Annex III. For Level 4, the auditor must verify:
- Infrastructure and Assets: Located exclusively in the Union.
- Personnel: Must be Union citizens (with necessary security clearances for classified information).
- Data Localisation: Customer data (including sensitive data identified in risk assessments) must remain exclusively within the Union.
- Third-Country Control: The provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country.
- Cybersecurity: The service must obtain a European cybersecurity certificate of at least assurance level "high" under a scheme established under Regulation (EU) 2019/881.
- Software Supply Chain: Measures must be in place to retain effective control over software components, ensuring no third country holds effective control over design, development, or maintenance.
The "Positive" Audit Opinion
The outcome of the audit is critical. Article 20(5) requires the auditing organisation to issue an audit report containing a "positive" or "negative" audit opinion.
- A "positive" opinion is given only where all evidence shows that the provider complies with the applicable audit criteria for Union Assurance Level 4.
- A "negative" opinion is issued if the provider does not comply.
- If the auditor cannot reach a conclusion on specific aspects, the report must explain why.
Only a "positive" audit opinion allows the provider to proceed to the recognition phase.
3. The Recognition Procedure under Article 17
Once the provider secures a positive audit opinion, they must apply for formal Union-wide recognition. This process is governed by Article 17.
Submission to Competent Authority
Under Article 17(4), the candidate cloud computing service provider must submit the following to the national competent authority of establishment:
- The audit report.
- The "positive" audit opinion referred to in Article 20.
- All evidence provided to the auditing organisation during the audit procedure.
Evaluation and Mutual Recognition
The evaluating national competent authority has 60 days to assess the evidence. If the evidence is sufficient, the authority prepares a draft recognition decision and notifies the competent authorities of other Member States for a 60-day review period.
- During this period, other Member States may submit a reasoned objection if they believe the draft decision does not comply with the Union assurance level criteria.
- If no reasoned objection is raised, the conclusions are deemed accepted by all Member States. The evaluating authority then adopts the recognition decision, and the service is recognised throughout the Union as offering Union Assurance Level 4.
If an objection is raised, the evaluating authority must assess it. If it intends to maintain its draft decision despite the objection, the matter may be referred to the Commission for a binding decision.
4. Ongoing Compliance and Transparency
Recognition is not a static status. Article 23 imposes transparency obligations on recognised providers. They must notify the auditing organisation and the national competent authority of any material changes in circumstances that may affect the audit report or the recognition.
Furthermore, Article 20(8) mandates an annual review. The audited provider must submit the audit report and the associated "positive" audit opinion to an auditing organisation (which may be the same or a different one) for an annual assessment of continued compliance. Based on this review, the auditor may confirm, update, or revoke the initial audit report and opinion.
What this means for you
For cloud service providers aiming for CADA Level 4 recognition, the operational and strategic implications are profound:
- Adopt a "Cumulative First" Strategy: You cannot treat Level 4 as a separate project. Your governance, infrastructure, and personnel policies must be designed to satisfy Level 1, 2, and 3 criteria first. Any gap in a lower level (e.g., a subcontractor located outside the Union, or a lack of Union citizenship for key staff) will automatically disqualify you from Level 4.
- Invest in Audit-Ready Evidence: The audit is evidence-based. You must maintain meticulous, up-to-date records of your Software Bill of Materials (SBOM), personnel citizenship and security clearances, data flow diagrams, and ownership structures. Annex III provides a detailed list of evidence auditors will request; prepare these documents proactively.
- Select Auditors with High-Level Expertise: Choose an auditing organisation that meets the strict independence criteria of Article 20(4) and has proven competence in assessing complex sovereignty criteria, particularly regarding third-country control and software supply chain effective control.
- Prepare for the 60-Day Clock: The recognition timeline is tight. Under Article 17(5), the 60-day evaluation period can be suspended if the authority requests further information. Ensure your initial submission is complete to avoid delays.
- Budget for Continuous Compliance: Level 4 is not a one-time certification. You must budget for annual audits and the administrative burden of reporting material changes under Article 23.
Common misconceptions
"Level 4 is just about having a 'high' cybersecurity certificate." No. While a "high" assurance cybersecurity certificate is a mandatory criterion under Annex II(4)(e), Level 4 is primarily about sovereignty. It demands absolute operational autonomy, meaning no third country can legally or technically compel the provider to access data, disrupt service, or control the software supply chain.
"I can self-assess for Level 4 if my internal controls are strong." Absolutely not. Self-assessment is permitted only for Level 1 under Article 19. Levels 2, 3, and 4 strictly require an independent third-party audit and a "positive" audit opinion as per Article 20.
"Meeting Level 3 criteria is sufficient for Level 4." No. The criteria are cumulative. You must explicitly meet the additional Level 4 requirements, such as the specific handling of sensitive data identified in risk assessments, the "high" cybersecurity certificate, and the stricter software supply chain controls that ensure no third country holds effective control over software components.
"The audit opinion is valid forever." No. Article 20(8) requires an annual review of the audit report and opinion. The auditing organisation must assess continued compliance and may revoke the opinion if the provider no longer meets the criteria.
This is general information about a draft EU regulation, not legal advice.