Summary
No, a higher Cloud and AI Development Act (CADA) assurance level is not always better for a buyer. As proposed, CADA establishes four Union assurance levels, each imposing stricter technical, legal, and operational requirements. While higher tiers (Levels 3 and 4) offer maximum sovereignty and data protection, they significantly increase costs, drastically reduce the pool of eligible providers, and may be disproportionate for low-risk activities. Buyers must match the assurance level to the specific sensitivity of their data and the criticality of their operations, rather than defaulting to the highest tier. Crucially, Level 4 strictly prohibits third-country control with no derogation, making it unavailable to many global providers even if they have EU subsidiaries.
Detail
The proposed Cloud and AI Development Act (CADA) introduces a harmonised framework for cloud computing sovereignty, designed to reduce the EU's dependence on third-country providers and protect public order. Central to this framework is the concept of Union assurance levels, outlined in Article 16 and detailed in Annex II of the proposal. These levels range from 1 to 4, with each successive tier adding cumulative criteria that cloud service providers must meet to be recognised.
The Four Assurance Levels: A Progressive Ladder
Article 16 establishes that cloud computing service providers must meet specific criteria to be recognised as offering a particular Union assurance level. These criteria are set out in Annex II and become progressively more stringent:
- Union Assurance Level 1 (Baseline): This is the entry level. Providers must be established in the Union, with infrastructure and assets located in the Union. Customer data, including metadata and telemetry, must remain exclusively within the Union unless the public sector body explicitly requires otherwise. Providers must demonstrate compliance with state-of-the-art cybersecurity standards and provide full transparency around the use of subcontractors.
- Union Assurance Level 2 (Substantial): This level builds on Level 1 but adds stricter controls. Personnel involved in service provision must be located in the Union. If the public sector body determines it necessary, additional personnel screening and Union citizenship requirements may apply. Crucially, data generated by using the service cannot be used to train or fine-tune any AI system operated by a third country, nor can it be transferred outside the Union. Providers must obtain a European cybersecurity certificate of at least assurance level 'substantial' (once the relevant scheme is established) or demonstrate compliance with the highest cybersecurity standards under applicable Union law.
- Union Assurance Level 3 (High Sovereignty): This tier introduces even tighter constraints. All personnel, including those of subcontractors, must be Union citizens. If handling classified information, they must also hold the necessary national security clearances. The service must obtain a European cybersecurity certificate of at least assurance level 'substantial'.
  - Third-Country Control: Unlike Level 4, Level 3 does allow for a derogation. The audited provider and its subcontractors must generally not be subject to the control of a third country. However, Annex II, Section 3.1(g) explicitly states that a provider subject to third-country control may be audited for Level 3 where the Commission has adopted an implementing act under Article 18 identifying that third country as providing sufficient assurances.
  - Support: Technical and operational support must be performed exclusively within the Union by personnel who are Union residents and by third parties not subject to third-country control.
- Union Assurance Level 4 (Maximum Sovereignty): This is the highest level, designed for the most sensitive data and critical infrastructure. It requires Union citizenship for all personnel and mandates a European cybersecurity certificate of at least assurance level 'high'.
  - Critical Distinction: Unlike Level 3, Level 4 does NOT contain a derogation for third-country control. Annex II, Section 4.1(g) states unequivocally that the provider and subcontractors "are not subject to the control of a third country or a legal entity established in a third-country." There is no "unless" clause referencing Article 18. This means a provider controlled by a non-EU entity (e.g., a US hyperscaler's EU subsidiary) cannot qualify for Level 4, regardless of any Commission decision on the third country.
  - Supply Chain: It imposes stricter software supply chain measures, requiring providers to demonstrate that a third country does not hold effective control over the design, development, maintenance, and evolution of software components.
Why Higher Is Not Always Better
While Level 4 offers the highest degree of sovereignty, it is not the optimal choice for every procurement. The proposal explicitly recognises that the framework should be proportionate. Recital 52 states that the Union assurance levels should provide a proportionate framework to ensure public order is preserved, noting that "Most public services would not require the highest levels of assurance."
Choosing a higher tier when it is not necessary introduces several significant disadvantages:
- Increased Costs: Higher assurance levels require more rigorous independent audits, stricter personnel screening (including citizenship verification), and potentially more expensive infrastructure configurations to ensure total separation from third-country entities. These compliance costs are inevitably passed on to the buyer. Article 24 notes that penalties and compensation rules apply to infringements, but the baseline cost of compliance for Levels 3 and 4 is inherently higher due to the exclusion of non-EU personnel and third-country controlled entities.
- Narrowed Provider Choice: As the criteria become more restrictive, the number of providers capable of meeting them shrinks dramatically. Level 1 may have many eligible providers, while Level 4 may have very few or none, particularly for providers with global parent companies. This reduces competition, which can further drive up prices and limit innovation. Article 30 mandates that contracting authorities whose activities have been identified as contributing to the preservation of public order must procure services recognised as having Union assurance levels 2, 3, or 4. However, for those not identified as such, only Level 1 is required. Forcing a Level 4 requirement where Level 1 suffices artificially restricts the market and may result in no viable bids.
- Operational Complexity: Higher tiers involve more complex contractual and operational arrangements, such as strict separation of subsidiaries in third countries (Annex II, Sections 2.1(k), 3.1(k), and 4.1(k)) and detailed software supply chain transparency. This can slow down procurement and deployment processes.
Matching Tier to Data Sensitivity
The key to effective CADA compliance is risk-based procurement. Article 29 requires Member States and Union entities to carry out risk assessments to determine which Union assurance level is appropriate for their public sector activities. These assessments must consider:
- The sensitivity, criticality, and magnitude of the data processed (personal and non-personal).
- The risk of unlawful access by a third country.
- The risk of service disruption.
For example, a local government website hosting general information may only require Level 1. In contrast, a national healthcare system processing sensitive patient data or a defence agency handling classified information may require Level 3 or 4. Article 30(2) specifies that entities whose activities have not been identified as contributing to the preservation of public order shall use services recognised as having Union assurance level 1. Only those identified as contributing to public order (e.g., in national security, defence, justice, law enforcement) must procure levels 2, 3, or 4.
What this means for you
As a public-sector procurement officer, your role is to balance security needs with budgetary constraints and operational efficiency. Here is how to approach CADA compliance:
- Conduct Risk Assessments: Before issuing a tender, carry out the risk assessment mandated by Article 29. Identify whether your activity contributes to the preservation of public order. If it does, determine the specific level of assurance required based on the data sensitivity. Do not assume the highest level is required.
- Avoid Over-Procurement: Do not default to Level 4 for all cloud services. If your data is non-sensitive and your service is not critical to public order, specify Level 1 in your tender documents. This will give you access to a broader market and lower costs.
- Check Provider Recognition: Ensure that the providers you consider are officially recognised at the required level. Article 22 requires the Commission to maintain a central repository of recognised services. You can use this repository to verify provider status. Be aware that many large global providers may be excluded from Level 4 entirely due to the strict prohibition on third-country control.
- Plan for Migration: If your risk assessment indicates a need to move to a higher assurance level, Article 29(6) provides for a reasonable transition period for migration, which shall not exceed 12 months. Plan your procurement timelines accordingly.
- Consider Multi-Cloud Strategies: Article 29(9) encourages Member States and Union entities to consider whether a multi-vendor or multi-cloud strategy is appropriate. This can help mitigate risks associated with relying on a single provider, especially if that provider is one of few at a high assurance level.
Common misconceptions
- "Level 4 is the only safe option." This is incorrect. Level 1 provides robust safeguards, including data localisation within the Union and cybersecurity standards. It is suitable for most non-critical public services.
- "All EU-based providers automatically qualify for Level 4." No. Even if a provider is established in the EU, it must meet strict criteria regarding personnel citizenship, absence of third-country control, and cybersecurity certification to qualify for Level 3 or 4. Many EU providers may only qualify for Level 1 or 2. Crucially, Level 4 prohibits third-country control entirely, meaning a provider with a US parent company cannot qualify.
- "Higher tiers are only about data location." While data location is a key factor, higher tiers also involve strict controls on personnel, software supply chains, and third-country influence. For example, Level 3 prohibits any third-country control over the provider unless an Article 18 derogation applies, whereas Level 4 has no such exception.
- "I can choose any level I want." No. Your choice is constrained by the risk assessment. If your activity is identified as contributing to public order, you must procure at least Level 2. If it is not, you must use Level 1. Article 30 makes these requirements mandatory for contracting authorities.
This is general information about a draft EU regulation, not legal advice.