Summary
As proposed, the Cloud and AI Development Act (CADA) mandates that public sector bodies procure only cloud services formally recognised under a four-tier Union assurance framework. Legal teams must first determine the required assurance level (1–4) via a mandatory risk assessment under Article 29. Compliance verification requires checking the vendor's status in the central repository (Article 22), confirming that it holds either an EU statement of conformity (Level 1) or a 'positive' audit opinion (Levels 2–4) issued under Article 20, and validating that the service meets the cumulative criteria in Annex II. Crucially, for Levels 2 and 3, the service's European cybersecurity certificate must be at assurance level "substantial" or higher, while Level 4 requires "high". Failure to procure at the correct level constitutes a breach of Article 30, exposing the contracting authority to penalties and liability.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a rigorous sovereignty framework that transforms cloud procurement from a commercial decision into a regulatory compliance obligation. For in-house counsel and legal advisors, the core task is to verify that any cloud vendor engaged by a Union entity or public sector body holds the correct Union assurance level and that this status is formally recognised by a national competent authority. This process is governed primarily by Article 16 (the framework), Article 17 (recognition), Article 20 (audits), and Annex II (criteria).
Step 1: Determine the Required Assurance Level via Risk Assessment
Before engaging with any vendor, the legal team must establish the mandatory baseline assurance level for the specific procurement. This is not a matter of preference but a statutory requirement derived from Article 29.
Member States and Union entities must conduct risk assessments to identify public sector activities that contribute to the preservation of public order. These assessments must determine whether the activity falls within sectors listed in Annex I or II of Directive (EU) 2022/2555 (NIS2) or areas such as national security, internal security, external border management, defence, justice, or law enforcement.
- Union Assurance Level 1: This is the mandatory baseline for all public sector procurement. Under Article 30(2), Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use services recognised at Level 1.
- Union Assurance Levels 2, 3, or 4: Under Article 30(3), contracting authorities whose activities have been identified as contributing to the preservation of public order must procure only services recognised at Level 2, 3, or 4.
Legal teams must coordinate with risk management to ensure the risk assessment is completed before tendering. Procuring a Level 1 service for a high-risk use case requiring Level 3 is a direct violation of Article 30.
Step 2: Verify Recognition in the Central Repository
A vendor's claim of sovereignty is insufficient; formal recognition is required. Article 17 establishes the mechanism for recognition, while Article 22 mandates the Commission to establish and maintain a central repository of recognised services.
The first due diligence step is to query this central repository. If the vendor's service is not listed as recognised for the specific assurance level required by the risk assessment, the public sector body cannot procure it, except in very limited exceptional circumstances defined in Article 30(4) (e.g., no suitable service exists in the repository, or applying the requirement would result in disproportionate cost). The repository is the single source of truth for compliance.
Step 3: Scrutinise the Evidence of Compliance
The evidence required to prove compliance differs fundamentally between Level 1 and Levels 2–4. Legal teams must request and verify the specific documentation mandated by Article 17 and Article 20.
For Union Assurance Level 1: The provider must submit an EU statement of conformity under Article 19. This is a self-assessment where the provider assumes responsibility for compliance.
- SME Exception: Under Article 17(3), if the provider is a small or medium-sized enterprise (SME), the EU statement of conformity is directly and automatically recognised in all Member States without prior recognition by a national competent authority.
- Non-SMEs: For non-SMEs, the evaluating national competent authority must assess the evidence and prepare a draft recognition decision before the service is listed in the repository.
For Union Assurance Levels 2, 3, and 4: The provider must undergo independent third-party audits under Article 20. They must submit an audit report and a 'positive' audit opinion from an auditing organisation.
- Audit Independence: The auditing organisation must be independent. Under Article 20(4)(a), it cannot have provided the provider with non-audit services related to the matters audited in the 12 months before or after the audit, nor can it have provided auditing services to the provider in the 10 years prior. Both windows must be checked; a clean non-audit record alone is not enough.
- Audit Opinion: The audit report must explicitly state a 'positive' or 'negative' opinion. A 'negative' opinion precludes recognition. Article 20(5) requires the report to include the provider's name, the auditor's name, a declaration of interests, a description of the aspects audited, and the opinion itself.
Legal teams should request the full audit report and the 'positive' audit opinion. If the opinion is not 'positive', the service cannot be recognised at Levels 2, 3, or 4.
Step 4: Validate Annex II Criteria and Third-Country Safeguards
The assurance levels are defined by cumulative criteria in Annex II. Legal teams must verify that the vendor's service architecture meets these hard constraints, paying close attention to data residency, personnel, and third-country control.
Data Residency and Infrastructure:
- Level 1: Infrastructure and assets must be located in the Union. Customer data must remain exclusively within the Union unless the public sector body explicitly requires otherwise (Annex II, Section 1.1(b)-(c)).
- Levels 2–4: Infrastructure, assets, and personnel involved in the provision of the service must be located in the Union (Annex II, Sections 2.1(b), 3.1(b), 4.1(b)).
Cybersecurity Certification Levels: A critical distinction exists between the levels regarding cybersecurity certification.
- Levels 2 and 3: The service must obtain a European cybersecurity certificate of at least assurance level 'substantial' under a scheme established under Regulation (EU) 2019/881 (Annex II, Sections 2.1(e) and 3.1(e)).
- Level 4: The service must obtain a certificate of at least assurance level 'high' (Annex II, Section 4.1(e)).
- Note: The proposal does not create new certification levels. It reuses the 'basic', 'substantial' and 'high' assurance levels already defined in Regulation (EU) 2019/881 (the Cybersecurity Act) and maps them onto the Union assurance levels: at least "substantial" for Levels 2 and 3, at least "high" for Level 4. A 'basic' certificate satisfies none of Levels 2–4.
Third-Country Control:
- Level 1: If the provider is subject to the control of a third country, it must guarantee that no law of that country requires it to report software vulnerabilities to that country's authorities prior to exploitation (Annex II, Section 1.1(g)). Legal teams should ask the vendor to identify the governing law it relies on for this guarantee rather than accept a bare assertion.
- Levels 2 and 3: Providers can be subject to third-country control only if specific legal, technical, and organisational measures prevent that control from restricting service delivery, accessing customer data, or disrupting service continuity (Annex II, Sections 2.1(g) and 3.1(g)).
- Derogation for Level 3: Under Article 18, the Commission may adopt implementing acts identifying third countries whose controlled providers may nonetheless be audited for Level 3, provided that country benefits from an adequacy decision and has no measures that could compel service disruption. Legal teams must check whether the vendor relies on such a Commission decision and, if so, that the decision is in force and covers the country that actually controls the vendor.
- Level 4: The provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country (Annex II, Section 4.1(g)). This is a strict prohibition with no derogation.
Personnel Requirements:
- Levels 2 and 3: Personnel must be Union citizens if the public sector body explicitly requires it (Annex II, Sections 2.1(d) and 3.1(d)). This is a conditional requirement, not an absolute mandate for all Level 2/3 services.
- Level 4: Personnel must be Union citizens, and where appropriate, hold national security clearance (Annex II, Section 4.1(d)).
Step 5: Ongoing Monitoring and Penalties
Recognition is dynamic. Article 23 imposes transparency obligations on providers to notify the auditing organisation and the national competent authority of any material change in circumstances that may affect their recognition. If the audit report is amended or revoked, the competent authority may revoke the recognition.
Article 24 sets out the penalty framework. Member States must lay down rules on penalties for infringements, which must be "effective, proportionate and dissuasive." Factors for imposing penalties include the nature, gravity, and duration of the infringement, and the provider's turnover. Crucially, Article 24(3) grants recipients of the service (the public sector body) the right to seek compensation for damage suffered due to the provider's infringement.
What this means for you
For in-house counsel, CADA transforms cloud procurement into a regulated compliance function with specific legal risks.
- Integrate Risk Assessments Early: Do not wait for the procurement phase. Ensure your risk assessment under Article 29 is completed and aligned with the required assurance level before drafting tender documents. The level determines the entire vendor pool.
- Mandate Repository Checks: Make verification in the central repository (Article 22) a mandatory pre-condition for any contract signature. If the vendor is not listed for the required level, the contract cannot be awarded, barring exceptional derogations.
- Audit the Auditors: For Levels 2–4, verify the independence of the auditing organisation under Article 20(4). Ensure they have not provided conflicting non-audit services to the vendor in the relevant 12-month or 10-year windows.
- Verify Certification Levels: Ensure the vendor holds a European cybersecurity certificate at the correct assurance level: at least "substantial" for Levels 2 and 3, and "high" for Level 4. Do not accept a "substantial" certificate for a Level 4 requirement, and confirm that the certificate covers the specific service being procured, not merely another offering from the same provider.
- Monitor for Changes: Establish contractual clauses requiring vendors to notify you immediately of any material changes under Article 23. Include rights to terminate if recognition is revoked or if a 'negative' audit opinion is issued.
- Prepare for Liability: Understand that procuring a non-compliant service is an infringement. Ensure your organisation has processes to avoid this, as failure to procure the correct assurance level can expose the public body to reputational risk and potential liability for damages under Article 24(3).
Common misconceptions
- "Cybersecurity certification equals sovereignty." Incorrect. While Levels 2–4 require a European cybersecurity certificate, sovereignty under CADA goes far beyond technical security. It includes data residency, personnel location, and freedom from third-country legal coercion. A service can be highly secure but fail sovereignty criteria if its data leaves the EU or if it is controlled by a foreign government without the necessary safeguards.
- "We can use any global provider if they have an EU subsidiary." Not necessarily. For Level 4, the provider and subcontractors must not be subject to third-country control (Annex II, Section 4.1(g)). For Levels 2 and 3, strict separation measures are required if there is third-country control. Simply having an EU legal entity is insufficient if the ultimate control lies abroad without the necessary safeguards or a Commission decision under Article 18.
- "Level 1 is just a self-declaration with no oversight." While Level 1 relies on an EU statement of conformity (Article 19), it is still subject to recognition by the national competent authority for non-SMEs (Article 17(3)). Furthermore, providers must meet the cumulative criteria in Annex II, Section 1, including data residency and cybersecurity standards. It is not a free pass.
- "Private sector companies are exempt." While Article 30 directly binds public sector bodies, Article 31 allows private sector entities in critical sectors (under NIS2) to conduct similar impact assessments. Moreover, public procurement requirements often trickle down to private suppliers through subcontracting and market expectations.
This is general information about a draft EU regulation, not legal advice.