Summary

Holding a European Cybersecurity Certification Scheme (EUCS) certificate at the 'high' assurance level satisfies the cybersecurity baseline for CADA Union Assurance Level 3, but it does not automatically qualify a provider for Tier 3. The proposed Cloud and AI Development Act (CADA) introduces a distinct sovereignty framework that goes beyond technical security. While EUCS focuses on the resilience of the service, CADA Tier 3 imposes strict requirements on personnel citizenship, data localisation, and third-country control. Specifically, Tier 3 mandates that all personnel involved in service provision be Union citizens, that customer data remain exclusively within the Union, and that the provider is not subject to third-country control unless a specific derogation under Article 18 applies.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a Union cloud computing sovereignty framework comprising four assurance levels. This framework is designed to address risks that existing cybersecurity regimes do not cover. Recital 5 of the proposal explicitly states that while certification under the Cybersecurity Act (CSA2) can address technical cybersecurity criteria, it is "not suited for addressing sovereignty concerns that go beyond these technical elements." Consequently, EUCS-high certification is a necessary component of CADA Tier 3, but it is only one part of a cumulative set of requirements defined in Annex II, Section 3 of the proposal.

To achieve Union Assurance Level 3, a cloud computing service provider must meet all cumulative criteria set out in Annex II. The most significant divergence between EUCS-high and CADA Tier 3 lies in the governance, personnel, and data sovereignty dimensions.

1. Cybersecurity Baseline vs. Sovereignty Controls

Under Annex II, Section 3(1)(e), a Tier 3 service must obtain a European cybersecurity certificate of at least assurance level 'substantial' under a scheme established under Regulation (EU) 2019/881. An EUCS certificate at the 'high' level exceeds this minimum threshold, meaning the technical cybersecurity baseline is satisfied. However, EUCS does not assess whether the provider is subject to foreign legal jurisdiction, whether personnel are Union citizens, or whether data is physically located within the Union. CADA Tier 3 fills this gap by imposing strict sovereignty controls that are independent of technical security posture.

2. Third-Country Control and the Article 18 Derogation

The most stringent requirement of CADA Tier 3 is found in Annex II, Section 3(1)(g). It states that the audited provider and its subcontractors "are not subject to the control of a third country or a legal entity established in a third-country." This is a binary exclusion; if a provider is controlled by a third country, it cannot meet Tier 3 unless a specific derogation applies.

However, Recital 61 and Annex II, Section 3(1)(g) provide a narrow pathway for providers subject to third-country control. The Commission may adopt an implementing act under Article 18 identifying third countries that provide sufficient assurances. If such an act exists for a specific third country, a provider subject to that country's control may be audited for Tier 3, provided they demonstrate that:

  • The third country has implemented specific safeguards ensuring no risk of unauthorised access to Union data or service disruption (Recital 61).
  • The provider has implemented the necessary legal, technical, and organisational measures to ensure that the third country's control cannot restrict service delivery, enable access to customer data, or disrupt continuity of service (Annex II, Section 3(1)(g)(i)-(iv)).

This stands in contrast to EUCS, which focuses on the technical resilience of the service rather than the geopolitical risk of the provider's ownership structure.

3. Personnel Citizenship and Security Clearance

EUCS does not mandate specific citizenship for staff. CADA Tier 3 introduces strict personnel requirements under Annex II, Section 3(1)(d). It requires that "the personnel, including the personnel of the subcontractors which are involved in the provision of the audited service are Union citizens." Furthermore, where appropriate, personnel must have the necessary national security clearance issued by a Member State when handling classified information.

This requirement extends to technical and operational support. Annex II, Section 3(1)(h) mandates that technical and operational support activities "are initiated and performed exclusively within the Union, by personnel that are Union residents, and by third parties that are not subject to the control of a third country." This creates a significant operational shift for global providers who currently rely on support centres outside the Union.

4. Data Localisation and AI Training Restrictions

While EUCS allows for data flows subject to security measures, CADA Tier 3 imposes strict localisation. Annex II, Section 3(1)(c) requires that customer data, including metadata and telemetry, "remain exclusively within the Union," unless the public sector body explicitly requires otherwise.

Additionally, Annex II, Section 3(1)(f) prohibits the use of data generated by the audited service to train or fine-tune any AI system operated by a third country or a legal entity established in a third country. This is a critical distinction for providers using global AI models for service improvement, as EUCS does not prohibit such training practices if they are technically secure. The data must not be transferred outside the Union in any case.

5. Software Supply Chain and Source Code Audits

CADA Tier 3 demands transparency and control over the software supply chain that EUCS does not fully capture. Annex II, Section 3(1)(i) requires a complete and up-to-date Software Bill of Materials (SBOM). If software components are owned by a third-country entity, the provider must implement controls to block remote features that could tamper with or disrupt the system. Crucially, the provider must ensure that security-relevant components from third-country manufacturers are subject to source code audits and have a documented migration plan if the vendor fails or a third country imposes restrictions.

For open-source software, the provider must demonstrate controls to prevent the use of remote features that could tamper with the system (Annex II, Section 3(1)(j)). This level of supply chain scrutiny goes beyond the typical scope of cybersecurity certification.

6. Separation of Third-Country Subsidiaries

If the provider maintains a subsidiary in a third country, Annex II, Section 3(1)(k) requires effective legal, technical, and organisational separation between the Union parent company and the third-country subsidiary. This ensures that the third-country entity cannot access Union customer data or influence Union operations. The subsidiary must have no privileged accounts within Union production environments and no authority to instruct Union operational staff to disclose data.

What this means for you

For cloud service providers, holding an EUCS-high certificate is a necessary but insufficient step toward CADA Tier 3 recognition. You must treat CADA Tier 3 as a comprehensive sovereignty audit, not just a cybersecurity certification.

Immediate Actions for Providers:

  • Audit Ownership Structures: Conduct a thorough review of your ownership and control structures. If you are subject to third-country control, you must determine if a derogation under Article 18 is available. If the Commission has not adopted an implementing act for your country of control, you cannot achieve Tier 3.
  • Review Personnel Policies: Ensure all personnel involved in service delivery, including subcontractors, are Union citizens. Verify that national security clearance processes are in place for staff handling classified information. Restructure support operations to ensure they are performed exclusively by Union residents within the Union.
  • Implement Data Localisation: Architect your services to ensure that all customer data, metadata, and telemetry remain within the Union. Review your AI training pipelines to ensure no customer data is used to train third-country AI models.
  • Prepare for Source Code Audits: Develop a robust SBOM and ensure that any third-country software components are subject to source code audits. Document migration plans for critical dependencies.
  • Engage with National Competent Authorities: As proposed in Article 17, you must submit an application for recognition to the national competent authority of your establishment. Prepare to provide extensive evidence, including audit reports and audit opinions, to demonstrate compliance with all Annex II criteria.

For Public Sector Buyers: When procuring cloud services, do not assume that EUCS-high certification equals CADA Tier 3 compliance. Require providers to demonstrate compliance with the specific sovereignty criteria in Annex II, particularly regarding third-country control and personnel citizenship. Use the risk assessment mechanism in Article 29 to determine if Tier 3 is required for your specific use case.

Common misconceptions

Misconception 1: EUCS-high is equivalent to CADA Tier 3. This is incorrect. EUCS-high addresses technical cybersecurity. CADA Tier 3 addresses both cybersecurity and sovereignty. A provider can have excellent cybersecurity (EUCS-high) but fail Tier 3 due to third-country ownership, non-Union citizen staff, or data flows outside the Union.

Misconception 2: Third-country providers can never achieve Tier 3. While generally true, there is a derogation. If the Commission adopts an implementing act under Article 18 recognising a third country as providing sufficient assurances, providers subject to that country's control may be audited for Tier 3. However, this requires strict legal, technical, and organisational measures to prevent third-country access or disruption.

Misconception 3: CADA Tier 3 only applies to the cloud provider. CADA Tier 3 extends to subcontractors. Annex II, Section 3(1)(a) and (b) require that subcontractors involved in service provision are also established in the Union and their infrastructure and personnel are located in the Union. You are responsible for ensuring your supply chain meets these sovereignty criteria.

Misconception 4: Data can leave the Union if it is encrypted. CADA Tier 3 requires data to remain "exclusively within the Union" (Annex II, Section 3(1)(c)). Encryption does not override this localisation requirement unless the public sector body explicitly requires otherwise. The regulation focuses on the physical and legal location of data, not just its technical protection.

Misconception 5: EUCS 'high' is the only cybersecurity level needed. While EUCS-high satisfies the requirement, Annex II, Section 3(1)(e) technically requires a certificate of at least 'substantial' assurance. However, in practice, EUCS-high is the relevant benchmark for high-security services. The key takeaway is that the cybersecurity certificate is a prerequisite, not the sufficient condition for Tier 3.

This is general information about a draft EU regulation, not legal advice.