Summary
For public-sector buyers, the distinction between CADA Union Assurance Level 1 and Level 2 is defined by the verification mechanism and the depth of operational sovereignty. As proposed, Level 1 relies on a self-assessment by the provider, serving as a baseline for general public services. Level 2 requires a rigorous independent third-party audit and introduces stricter safeguards: mandatory location of personnel within the Union, a mandatory European cybersecurity certification of at least "substantial" assurance, and explicit bans on using generated data to train third-country AI systems. Buyers must procure at least Level 1 for standard activities, but Level 2 (or higher) becomes mandatory for any activity identified as contributing to the preservation of public order.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised Union cloud computing sovereignty framework. This framework comprises four "Union assurance levels" designed to mitigate risks associated with dependencies on third-country providers. For procurement officers and public bodies, understanding the specific divergence between Level 1 and Level 2 is critical, as these levels dictate the minimum legal requirements for cloud services used by the public sector.
Verification: Self-Assessment vs. Independent Audit
The most immediate operational difference for buyers lies in how compliance is proven and verified.
Union Assurance Level 1 is based on a conformity self-assessment. Under Article 19, cloud computing service providers seeking recognition for Level 1 must carry out their own assessment of compliance with the criteria set out in Annex II, Section 1. Following this self-assessment, the provider issues an "EU statement of conformity" stating that compliance has been demonstrated. By issuing this statement, the provider assumes full responsibility for the service's compliance. This statement must be made publicly available. Notably, for small and medium-sized enterprises (SMEs), this self-assessment is directly and automatically recognised across all Member States without prior recognition by a national competent authority, lowering the barrier to entry for smaller EU providers.
Union Assurance Level 2, by contrast, mandates independent third-party audits. Article 20 requires that providers seeking recognition for Level 2 (as well as Levels 3 and 4) must undergo independent audits at their own expense. An auditing organisation assesses the provider against the criteria in Annex II and issues an audit report and an audit opinion. A "positive" audit opinion is required for recognition. This introduces a layer of external verification and accountability that is absent in Level 1, providing buyers with greater assurance that the claimed sovereignty measures are technically and legally implemented and not merely declared.
Core Criteria: Location, Certification, and Data Control
While both levels require the provider to be established in the Union and keep customer data within the Union, Level 2 imposes significantly stricter physical, operational, and technical constraints.
Level 1 Criteria (Annex II, Section 1):
- Establishment: The provider must be established in the Union.
- Infrastructure: Infrastructure and assets, including those of subcontractors, must be located in the Union (unless the public sector body explicitly requires otherwise).
- Data: Customer data, including metadata and telemetry, must remain exclusively within the Union (unless explicitly required otherwise by the public sector body).
- Subcontracting: If technical support is outsourced to third parties outside the Union, legal, technical, and organisational measures must ensure traceability, security, and governance, without compromising operational autonomy.
- Cybersecurity: The service must comply with state-of-the-art cybersecurity standards.
- Transparency: Full transparency regarding subcontractors and due diligence obligations are required.
Level 2 Criteria (Annex II, Section 2): Level 2 includes the foundational requirements of Level 1 but adds significant restrictions that fundamentally alter the service model:
- Personnel Location: The personnel of the audited provider and its subcontractors involved in the service provision must be located in the Union. This is a key differentiator; Level 1 does not explicitly mandate the physical location of personnel, only infrastructure and data. Level 2 closes the gap where remote support from outside the EU could compromise sovereignty.
- Cybersecurity Certification: The service must obtain a European cybersecurity certificate of at least assurance level "substantial" under a European cybersecurity certification scheme covering cloud computing services (to be established under Regulation (EU) 2019/881, commonly referred to as EUCS). Until such a scheme is established, national cybersecurity certification schemes apply. This is a hard requirement for Level 2 that does not exist for Level 1.
- AI Training Restrictions: Data generated by using the service may not be used to train or fine-tune any AI system operated by a third country or a third-country legal entity, and such data may not be transferred outside the Union under any circumstances. This prevents the indirect leakage of public data into foreign AI models.
- Software Supply Chain: Providers must demonstrate robust software supply chain measures, including a complete Software Bill of Materials (SBOM) and controls to block remote features that could tamper with or disrupt the system.
Relevance to Public Procurement
Article 30 of CADA links these levels directly to procurement obligations. Public sector bodies whose activities have not been identified as contributing to the preservation of public order in risk assessments (conducted under Article 29) must procure cloud services with at least Union Assurance Level 1.
However, if a risk assessment determines that a public sector activity contributes to the preservation of public order (e.g., in sectors listed in Annex I or II of the NIS2 Directive, or in areas of national security, defence, justice, or law enforcement), the contracting authority must procure services recognised as offering Union Assurance Level 2, 3, or 4. Therefore, Level 2 represents the entry point for "sovereign" cloud services in sensitive or critical public sector use cases, whereas Level 1 serves as the baseline for general administrative functions.
What this means for you
For public-sector procurement officers, the choice between Level 1 and Level 2 is not merely technical; it is a risk-management decision guided by your organisation's risk assessment under Article 29.
- Conduct the Risk Assessment First: Before issuing a tender, you must determine if your cloud usage falls under the "preservation of public order" criteria. If your data involves sensitive public order activities, you cannot procure a Level 1 service. You must mandate Level 2 or higher.
- Verify the Evidence:
  - For Level 1, request the provider's EU statement of conformity. Verify that it is publicly available and that the provider is established in the EU. Remember that for SMEs, this statement is automatically recognised.
  - For Level 2, request the audit report and the "positive" audit opinion from an independent auditing organisation. Check that the auditor meets the independence and competence requirements set out in Article 20.
- Check for EUCS Certification: For Level 2 services, confirm that the provider holds a cybersecurity certificate of at least 'substantial' assurance level under the EUCS scheme once it is established, or under the applicable national cybersecurity certification scheme in the interim (Annex II, Section 2). No such certificate is required at Level 1, so its absence from a Level 1 offer is not a compliance gap, but its absence from a Level 2 offer is.
- Personnel Location: In your contract clauses for Level 2, explicitly reference the requirement that personnel involved in service provision must be located in the Union. This is a critical safeguard against third-country influence that is not explicitly mandated at Level 1.
Common misconceptions
- "Level 1 is not 'sovereign'." This is incorrect. Level 1 is part of the Union cloud computing sovereignty framework. It ensures that data and infrastructure remain in the Union and that the provider is established in the EU. It is the minimum baseline for public sector cloud use.
- "Level 2 is only for classified data." No. Level 2 is for activities contributing to the preservation of public order, which is broader than just classified information. Level 3 and 4 are typically required for the highest levels of sensitivity, including classified information hosting. Level 2 is the step up from general administration to sensitive public services.
- "Self-assessment means no oversight." While Level 1 is self-assessed, providers are still subject to the oversight of national competent authorities. Articles 25 and 26 grant these authorities investigative and enforcement powers. Furthermore, providers must report material changes that could affect their compliance (Article 23).
- "Level 2 requires EU citizenship for all staff." This is a common confusion with Level 3 and 4. Level 2 requires personnel to be located in the Union. Level 3 and 4 explicitly require personnel to be Union citizens (and potentially hold security clearances).
Official sources
Related
- CADA Recognition: What Public Buyers Need to Know About Sovereignty Tiers
- CADA Level 3: Sovereignty Requirements for Public Sector Buyers
- Why would a public body require CADA Level 4 over Level 3?
- Why choose a CADA Level 1 provider? The baseline for public procurement
- What must a US hyperscaler do to reach a CADA assurance level?
This is general information about a draft EU regulation, not legal advice.