Summary

Under the proposed Cloud and AI Development Act (CADA), compliance teams must document tier decisions by anchoring them in a mandatory risk assessment under Article 29. This documentation must explicitly map data sensitivity and criticality to the chosen Union assurance level (1–4) as defined in Annex II, and retain proof of the vendor's formal recognition. For levels 2, 3, and 4, this includes preserving the independent audit report and the "positive" audit opinion. Crucially, the decision must distinguish between activities requiring the baseline Article 30(2) level 1 and those requiring Article 30(3) levels 2–4 due to public-order relevance.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a Union cloud computing sovereignty framework comprising four assurance levels. For legal and compliance teams, the critical obligation is not merely selecting a vendor but rigorously documenting the justification for that selection. The documentation rests on a two-part chain: first, an internal determination of risk and data sensitivity; second, verification of the vendor's external recognition against the specific criteria in Annex II. The steps below walk through building and maintaining that chain.

Step 1: The Risk Assessment Foundation (Article 29)

The documentation process begins with the risk assessment mandated by Article 29. Member States and Union entities must carry out these assessments to identify public sector activities that "contribute to the preservation of public order." This assessment must be conducted within one year of the Regulation's entry into force and updated every two years or whenever necessary.

Your compliance file must explicitly reference the specific risk assessment that triggered the requirement for a specific assurance level. Article 29(2) requires the assessment to consider:

  • The sensitivity, criticality, and magnitude of non-personal data processed.
  • The nature, scope, context, and purpose of processing personal data.
  • The risk of unlawful access to data by a third country or a legal entity established in a third country.
  • The risk of service disruption.

Documentation must link the chosen assurance level directly to these factors. For example, if an activity involves law enforcement or national security (as listed in Article 29(1)), the risk assessment must justify why a higher tier is necessary. The Commission is empowered to specify the methodology for these assessments via implementing acts, and Member States must communicate their results to the Commission within three months.

Step 2: Mapping Data Sensitivity to Assurance Levels

Once the risk is assessed, the compliance team must map the data sensitivity to the required tier. This mapping determines the procurement obligation under Article 30.

  • Baseline Requirement (Article 30(2)): For activities not identified as contributing to the preservation of public order, the minimum requirement is Union assurance level 1. This level relies on a self-assessment and an EU statement of conformity issued by the provider (Article 19).
  • Public Order Requirement (Article 30(3)): For activities identified as contributing to public order (e.g., national security, defense, justice, law enforcement), contracting authorities must procure only services recognized as offering Union assurance levels 2, 3, or 4.

Your documentation must record this mapping clearly:

  1. Activity Classification: State the specific public sector activity and its classification under the Article 29 risk assessment.
  2. Data Sensitivity: Detail the types of data involved (e.g., personal data, classified information, sensitive operational data).
  3. Tier Justification: Explain why the chosen level (e.g., Level 3) is proportionate to the risk, citing the specific criteria in Annex II that address the identified risks (e.g., personnel citizenship, data localization, third-country control).

This mapping is the legal basis for excluding vendors that do not meet the higher sovereignty criteria. It demonstrates that the procurement decision is tailored to the actual risks, satisfying the principle of proportionality.

Step 3: Retaining Vendor Recognition and Audit Evidence

The final step is verifying and retaining evidence of the vendor's status. While Article 22 establishes a central repository of recognized services, reliance on this public list alone is insufficient for robust compliance. You must retain the underlying evidence.

For Union Assurance Level 1: The vendor must issue an EU statement of conformity following a self-assessment (Article 19). Your records should include:

  • A copy of the statement.
  • Evidence that the provider is established in the Union (Annex II, 1.1(a)).
  • Confirmation that infrastructure and data remain in the Union unless explicitly required otherwise by the public body (Annex II, 1.1(b)-(c)).

For Union Assurance Levels 2, 3, and 4: These levels require independent third-party audits (Article 20). Your compliance file must retain:

  • The full audit report and the "positive" audit opinion issued by an auditing organization.
  • Evidence that the auditor met the independence and competence criteria (Article 20(4)), such as no non-audit services in the preceding 12 months.
  • Documentation of the annual review of the audit report, as providers must submit reports for review annually (Article 20(8)).

Crucially, you must verify that the audit report explicitly addresses the cumulative criteria in Annex II for the specific level. For instance:

  • Level 2: Requires a European cybersecurity certificate of at least "substantial" assurance (Annex II, 2.1(e)) and personnel screening if required by the public body (Annex II, 2.1(d)).
  • Level 3: Requires that personnel are Union citizens (Annex II, 3.1(d)) and that the service holds a cybersecurity certificate of at least "substantial" assurance (Annex II, 3.1(e)). It also allows a derogation under which a provider controlled from a third country may qualify if the Commission has adopted an implementing act recognizing that third country under Article 18 (the draft's cross-reference to Article 19 at this point appears to be a drafting slip; Article 18 is the third-country recognition mechanism).
  • Level 4: Requires a cybersecurity certificate of at least "high" assurance (Annex II, 4.1(e)) and strict no-third-country-control rules (Annex II, 4.1(g)).

Step 4: Monitoring Material Changes

Compliance documentation is dynamic. Article 23 imposes transparency obligations on providers to notify auditing organizations and competent authorities of any material changes that may affect their recognition. Your team must document these notifications. If a vendor reports a material change, you must assess whether this affects the validity of your risk assessment and the continued suitability of the vendor.

What this means for you

For in-house counsel and compliance officers, the CADA proposal shifts the burden of proof onto the procuring entity. You cannot assume a vendor is compliant because they are a major market player. You must build a paper trail that connects your internal risk assessment to the vendor's external certification.

Actionable Steps:

  1. Update Risk Assessment Templates: Ensure your Article 29 risk assessments explicitly evaluate third-country access risks and service disruption potential. Document the outcome clearly: does this activity contribute to the preservation of public order, and therefore fall under Article 30(3)?
  2. Create a Tier Mapping Matrix: Develop a clear matrix that maps your data categories (e.g., public, confidential, classified) to the required Union assurance levels. This matrix should be reviewed and approved by legal and security teams.
  3. Establish a Vendor Evidence Repository: Create a secure repository for all vendor compliance documents. This should include the EU statement of conformity (for Level 1) or the full audit report and positive opinion (for Levels 2–4). Ensure these documents are updated annually in line with Article 20(8).
  4. Monitor the Central Repository: Regularly check the central repository established by the Commission (Article 22) to verify that your vendors' recognitions are still active and have not been revoked.
  5. Prepare for Audits: Be ready to demonstrate to national competent authorities that your procurement decisions were based on a valid risk assessment and that the chosen vendor meets the specific criteria of the selected assurance level.

Common misconceptions

Misconception 1: Level 1 is sufficient for all public sector activities. Many organizations assume that the baseline Union assurance level 1 is adequate for all government cloud services. This is incorrect. Article 30(3) explicitly requires levels 2, 3, or 4 for activities identified in the Article 29 risk assessment as contributing to the preservation of public order. Failing to upgrade the tier for sensitive activities exposes the organization to non-compliance.

Misconception 2: Self-certification is enough for high-risk data. Some vendors may offer self-certification for all their services. However, CADA requires independent third-party audits for levels 2, 3, and 4. Relying on a self-assessment for a service handling sensitive public order data would not meet the regulatory requirements of Article 20 and Annex II.

Misconception 3: The risk assessment is a one-time event. Article 29 requires risk assessments to be conducted every two years, or whenever necessary. Compliance teams often treat this as a static checkbox. However, changes in technology, geopolitical risks, or data processing activities may necessitate a reassessment. Documentation must reflect the most recent assessment.

Misconception 4: Third-country vendors can never be used. While CADA aims to reduce dependence on third-country providers, it does not entirely ban them. Article 18 allows the Commission to recognize third countries that meet specific criteria, potentially allowing their providers to qualify for Union assurance level 3. Compliance teams should monitor Commission decisions on associated third countries rather than assuming a blanket prohibition. Note that the draft text contains a cross-reference error in Annex II, 3.1(g) referring to "Article 19" for third-country recognition; the correct legal mechanism is Article 18.

This is general information about a draft EU regulation, not legal advice.