Summary
Under the proposed Cloud and AI Development Act (CADA), the rules for outsourcing technical and operational support are tiered strictly by Union assurance level. At Union assurance level 1, providers may outsource support to third parties outside the EU, provided they implement legal, technical and organisational safeguards that ensure traceability and do not compromise the provider's operational autonomy. At Union assurance levels 2, 3 and 4, all technical and operational support must be initiated and performed exclusively within the Union. At levels 3 and 4, the support personnel must additionally be Union residents, and any third-party support providers must not be subject to the control of a third country. The effect is that even where data remains in the EU, the people and companies operating the service are not exposed to foreign legal coercion.
Detail
The CADA proposal establishes a granular sovereignty framework designed to mitigate risks associated with third-country control, unauthorised data access and service disruption. A critical component of this framework is the regulation of technical and operational support, which is treated as a potential vector for unauthorised access or service degradation. The requirements escalate as the assurance level increases: safeguarded flexibility at level 1, strict geographical containment of support activity at level 2, and, at levels 3 and 4, additional constraints on the residency of support personnel and on who controls the support provider.
Union Assurance Level 1: Safeguarded Non-EU Outsourcing
At the baseline level of sovereignty, the CADA allows for a degree of operational flexibility, acknowledging that many EU-based providers rely on global support networks. Annex II, Section 1.1(d) states that if a cloud computing service provider outsources technical and operational support to third-party service providers outside the Union, it must implement necessary legal, technical, and organisational measures. These measures must ensure the traceability, security, and governance of those operations. Crucially, the outsourcing must not, in any way, compromise the operational autonomy of the cloud computing service provider. This provision permits non-EU support only if the provider can demonstrate that external dependencies are ring-fenced to protect the provider's independence and that no third-country laws can force a disruption of service or unauthorized access.
Union Assurance Level 2: Strict EU Localization
The requirements tighten considerably for Union assurance level 2. Annex II, Section 2.1(h) mandates that technical and operational support or assistance related to the audited service, including subsequent sub-outsourcing arrangements, must be initiated and performed exclusively within the Union. This means that no support ticket, maintenance activity, or operational intervention can originate from or be executed by personnel located outside the EU. This rule applies to the provider itself and its subcontractors involved in the service provision. The intent is to eliminate the risk of extraterritorial legal processes (such as those under the US CLOUD Act) compelling support staff to access data or disrupt services. At this level, the physical location of the support action is the primary determinant of compliance.
Union Assurance Level 3: Union Residents and No Third-Country Control
For Union assurance level 3, the CADA imposes the most stringent constraints on support operations, reflecting the higher sensitivity of the data and the criticality of the public sector activities served. Annex II, Section 3.1(h) requires that technical and operational support be initiated and performed exclusively within the Union, but adds two critical layers that distinguish it from Level 2:
- Personnel Residency: The support must be carried out by personnel who are Union residents. This goes beyond mere physical presence; it requires a legal status of residence within the EU.
- Third-Party Control: The support must be provided by third parties that are not subject to the control of a third country or a legal entity established in a third country.
This ensures that even if the support is performed within the EU borders, the individuals and entities executing the support are not vulnerable to foreign legal coercion that could override EU sovereignty requirements. A support company physically located in France but controlled by a parent entity in a third country would fail this criterion unless the Commission has adopted a specific implementing act under Article 18 (formerly mis-cited as Article 19 in some drafts) identifying that third country as providing sufficient assurances.
Union Assurance Level 4: Highest Containment
While the focus often remains on levels 1–3, Annex II, Section 4.1(h) mirrors the level 3 requirements for Union assurance level 4. Support must be initiated and performed exclusively within the Union by Union resident personnel and third parties not subject to third-country control. This consistency ensures that the highest tiers of sovereignty maintain identical operational containment standards, preventing any dilution of security at the highest assurance levels.
Verification and Audit Evidence
Compliance with these outsourcing rules is not self-declared at levels 2–4; it is subject to independent third-party audit. Article 20 of the CADA requires providers seeking recognition for levels 2, 3, or 4 to undergo independent audits. Annex III, Section 8 (Audit criterion H) specifies the evidence auditors must request to verify compliance with the support location rules. This includes:
- Binding contractual clauses stating that all support, administration, maintenance, and operational activities must be initiated and performed exclusively in the Union.
- Evidence that the provider maintains an up-to-date subcontractor register.
- Evidence that the provider has implemented legal, technical, and organisational measures to ensure there can be no remote access for technical and operational support from outside the Union.
- Proof that help desk/support services, infrastructure administration, and security operations centre (SOC) activities are exclusively provided from the Union, including the access paths used to operate the service.
What this means for you
For CTOs, architects, and SMEs evaluating cloud providers or preparing for public sector tenders, these rules have immediate architectural and contractual implications.
For Cloud Providers: If you aim to bid for Union assurance levels 2, 3 or 4, you must restructure your support operations. You cannot rely on global shared service centres (SSCs) located in Asia, the Americas or other non-EU jurisdictions for first-line or second-line support. You must establish or contract support teams physically located in the EU. For levels 3 and 4, you must further vet your support subcontractors to ensure they are not controlled by third-country entities (e.g., a subsidiary of a US or Chinese parent company), and confirm that the operators themselves are Union residents. You will need to implement geographically restricted network controls and privileged access management (PAM) policies that technically prevent support access from outside the EU. Filtering on source IP alone is weak evidence, because an operator outside the EU can exit through an EU VPN node; bind privileged sessions to managed, EU-located access points (bastions or privileged access workstations) and keep the subcontractor register and staff residency records current, since auditors will ask for both.
For Public Sector Buyers and Private Sector Entities in Critical Sectors: When procuring cloud services, you must verify the provider's assurance level against your risk assessment (as required by Article 29). If your activity is deemed to require level 3 (e.g., national security, justice, or critical infrastructure), you must ensure the provider's support chain is free from third-country control. This goes beyond data residency; it extends to the human and corporate entities managing the service's operational health. You must request evidence that the support team consists of Union residents and that the support provider is not subject to third-country control.
For SMEs: SMEs may find level 1 more accessible, as it permits outsourced support with safeguards. However, you must document these safeguards rigorously. If you grow into a provider for higher assurance levels, you must plan for the significant operational overhead of establishing EU-only support infrastructure and vetting your supply chain for third-country control.
Common misconceptions
Misconception 1: "Data residency is the only requirement." Many assume that if data stays in the EU, the service is sovereign. CADA explicitly decouples data location from support location. At levels 2–4, even if data never leaves the EU, the service fails the sovereignty test if support tickets are handled by staff in a third country.
Misconception 2: "Level 1 allows unrestricted global support." Level 1 does allow non-EU support, but it is not unrestricted. Annex II 1.1(d) requires that the outsourcing does not compromise the provider's operational autonomy. Providers must demonstrate legal and technical safeguards to ensure that third-country support staff cannot be compelled to disrupt service or access data in a way that undermines EU control.
Misconception 3: "EU citizenship is required for support staff." For levels 2 and 3, the requirement is for support to be performed within the Union and, for level 3, by Union residents. It does not explicitly mandate EU citizenship for all support staff at these levels, though level 3 personnel handling classified information may need security clearances (see Annex II 3.1(d)). The key constraint is residency and lack of third-country control, not necessarily passport nationality for all operational roles.
Misconception 4: "Remote access from outside the EU is allowed if the server is in the EU." At levels 2–4, this is prohibited. Annex III, Section 8 requires evidence that there is "no remote access for technical and operational support from outside the Union." This means support portals, SSH tunnels and admin consoles must be restricted to EU-located access points, not merely to EU IP ranges: an IP-geolocation check can be satisfied by a VPN exit inside the EU while the operator sits elsewhere, so the enforced path should run through managed EU bastions or privileged access workstations whose operators are known.
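The following is an added example, not text or tooling from the CADA proposal or from any provider: a small Python policy check over constructed privileged-session records that applies the tiered rules described in the provider guidance and in Misconception 4 above. The geolocation table, access-point names, subcontractor register and staff directory are all constructed for the example (the IP prefixes are RFC 5737 documentation ranges), and the reading of "the Union" as the 27 EU member states is an assumption. It shows why a source-IP geofence alone is insufficient: at level 3 the session from the France-based but US-controlled subcontractor passes the location test and still fails.

```python
"""Added example: tiered support-access policy check over constructed session records.

Hypothetical illustration of the technical control the page describes
(geo-restricted support access plus subcontractor and residency vetting).
The rule set is a simplification of the page's summary of Annex II, not the
regulation's text.
"""
import ipaddress
import json
from typing import Optional

# EU member states (ISO 3166-1 alpha-2). Assumption: "the Union" is read as
# the 27 member states; whether EEA countries count is not addressed here.
EU = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
      "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE"}

# Constructed geolocation table using RFC 5737 documentation prefixes. A real
# deployment would use a maintained GeoIP feed, and still not rely on it alone.
GEO = {
    ipaddress.ip_network("198.51.100.0/24"): "FR",
    ipaddress.ip_network("192.0.2.0/24"): "DE",
    ipaddress.ip_network("203.0.113.0/24"): "US",
}

# Hypothetical approved EU-located access points. Requiring entry via one of
# these is what defeats an EU VPN exit node masking a non-EU operator.
EU_ACCESS_POINTS = {"bastion-eu-west", "bastion-eu-central"}

# Constructed subcontractor register (one of the audit evidence items).
# "controlled_by" is the country of the ultimate controlling entity.
SUBCONTRACTORS = {
    "provider-self": {"established_in": "DE", "controlled_by": "DE"},
    "supportco-fr": {"established_in": "FR", "controlled_by": "US"},
    "ops-nl": {"established_in": "NL", "controlled_by": "NL"},
}

# Constructed staff directory: residency and employer of each support operator.
STAFF = {
    "alice": {"residency": "DE", "employer": "provider-self"},
    "bob": {"residency": "FR", "employer": "supportco-fr"},
    "carol": {"residency": "NL", "employer": "ops-nl"},
    "dave": {"residency": "US", "employer": "provider-self"},
}


def country_of(ip: str) -> Optional[str]:
    """Look up the source country in the constructed geolocation table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return None


def evaluate(session: dict, level: int) -> list:
    """Return rule violations for one privileged support session.

    Level 1: no location rule is enforceable here (safeguards are contractual).
    Level 2+: session must originate in the Union via an approved EU access point.
    Level 3+: operator must be a Union resident and the employer must be
              established in, and controlled from, the Union.
    """
    findings = []
    if level < 2:
        return findings
    cc = country_of(session["src_ip"])
    if cc not in EU:
        findings.append(f"origin {session['src_ip']} geolocates to {cc}, outside the Union")
    if session.get("access_path") not in EU_ACCESS_POINTS:
        findings.append(f"access path {session.get('access_path')!r} is not an approved EU access point")
    if level >= 3:
        staff = STAFF.get(session["operator"])
        if staff is None:
            findings.append(f"operator {session['operator']!r} not in staff directory")
            return findings
        if staff["residency"] not in EU:
            findings.append(f"operator {session['operator']} is not a Union resident")
        org = SUBCONTRACTORS.get(staff["employer"])
        if org is None:
            findings.append(f"employer {staff['employer']!r} missing from subcontractor register")
        elif org["controlled_by"] not in EU or org["established_in"] not in EU:
            findings.append(f"employer {staff['employer']} is under third-country control ({org['controlled_by']})")
    return findings


def audit(log_lines: list, level: int) -> dict:
    """Run evaluate() over JSON-lines session records; returns session_id -> findings."""
    return {json.loads(l)["session_id"]: evaluate(json.loads(l), level) for l in log_lines}


# Constructed sample records (not real log output).
SAMPLE_LOG = [
    '{"session_id": "s1", "operator": "alice", "src_ip": "192.0.2.10", "access_path": "bastion-eu-central"}',
    '{"session_id": "s2", "operator": "bob", "src_ip": "198.51.100.7", "access_path": "bastion-eu-west"}',
    '{"session_id": "s3", "operator": "carol", "src_ip": "203.0.113.5", "access_path": "bastion-eu-west"}',
    '{"session_id": "s4", "operator": "dave", "src_ip": "192.0.2.44", "access_path": "direct"}',
]

if __name__ == "__main__":
    for lvl in (1, 2, 3):
        print(f"level {lvl}: {audit(SAMPLE_LOG, lvl)}")
```

Session s2 is the instructive case: it enters through an EU bastion from a French address and is clean at level 2, but at level 3 the subcontractor register shows the employer is US-controlled, so the session is non-compliant even though nothing about its network path is. Session s4 shows the converse gap: an EU source address with a non-resident operator on an unapproved direct path.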
Related
- CADA Level 3 Support & Personnel Rules: Residents, Location & Control
- How to prove EU-only support delivery under CADA: Level 2 vs Level 3 rules
- Which CADA assurance level do I need for my cloud workload?
- CADA Level 4 Personnel Rules: Union Citizens, Clearances & Subcontractors
- What must a US hyperscaler do to reach a CADA assurance level?
This is general information about a draft EU regulation, not legal advice.