Summary
Under the proposed Cloud and AI Development Act (CADA), Union Assurance Level 1 relies on a conformity self-assessment rather than an independent third-party audit. While Article 19(2) makes the resulting "EU statement of conformity" legally binding (placing full responsibility on the provider for any false declaration), it lacks the external technical verification required for higher tiers. Consequently, Level 1 serves as a mandatory baseline for non-critical public-sector activities but is generally insufficient for sensitive workloads. For data contributing to the preservation of public order, buyers must procure services at Union Assurance Levels 2, 3, or 4, which mandate independent audits to verify strict sovereignty criteria.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a four-tier "Union assurance level" framework to standardise how public-sector bodies assess the sovereignty and resilience of cloud computing services. A pivotal distinction in this framework is the verification mechanism: Level 1 is self-declared, whereas Levels 2, 3, and 4 require independent third-party audits. Understanding this difference is essential for procurement officers weighing the risk profile of their cloud acquisitions.
The Mechanism of Level 1: Self-Assessment and Legal Responsibility
For Union Assurance Level 1, the regulation does not mandate an external audit. Instead, Article 19(1) requires cloud computing service providers to carry out a "conformity self-assessment" of their compliance with the criteria set out in Annex II.
The legal weight of this process is anchored in Article 19(2). Following the self-assessment, the provider must issue an "EU statement of conformity" stating that compliance with the Level 1 criteria has been demonstrated. Crucially, the text of the proposal states: "By issuing such a statement, the cloud computing service provider shall assume responsibility for the compliance of the cloud computing service with the criteria for Union assurance level 1."
This creates a mechanism of legal accountability without external validation. The provider is not merely making a marketing claim; they are making a formal declaration that carries legal liability. Under Article 19(3), this statement must be made publicly available.
The process includes a specific facilitation for smaller entities. Article 17(3) provides that for small and medium-sized enterprises (SMEs), the EU statement of conformity is "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority." For larger providers, the statement is submitted to the national competent authority for a formal recognition procedure, but the underlying evidence remains the provider's own self-assessment.
Is Self-Assessment "Trustworthy"?
The trustworthiness of Level 1 depends entirely on the buyer's definition of "trust." In the context of CADA, Level 1 offers legal certainty but lacks technical assurance.
- Legal Bindingness and Liability: The self-assessment is not a voluntary code of conduct. By issuing the statement under Article 19(2), the provider accepts full responsibility. If a provider falsely declares compliance, they are subject to the penalty regime in Article 24. Member States must lay down rules for penalties that are "effective, proportionate and dissuasive." Furthermore, Article 24(3) explicitly grants recipients the right to seek compensation for damage or loss suffered due to a provider's infringement. This creates a strong deterrent against false declarations.
- Absence of Independent Verification: Unlike Levels 2, 3, and 4, which require an independent audit by an auditing organisation under Article 20, Level 1 relies solely on the provider's internal controls and documentation. There is no external expert verifying that the infrastructure is physically located in the Union, that data flows are truly restricted, or that the software supply chain is secure. For a procurement officer, the "trust" in Level 1 is placed in the provider's internal governance and the threat of post-hoc legal liability, rather than pre-contractual technical proof.
Weighing Level 1 Against Audited Levels (2-4) for Sensitive Workloads
The CADA proposal explicitly differentiates between general public-sector activities and those critical to the Union's security. This distinction dictates when Level 1 is sufficient and when it is legally inadequate.
Article 30(2) establishes the baseline: "Union entities and public sector bodies whose public sector activities have not been identified as contributing to the preservation of public order... shall use cloud computing services that have been recognised... as having a Union assurance level 1."
However, for activities identified as contributing to the preservation of public order, Article 30(3) imposes a strict prohibition on Level 1. It mandates that contracting authorities "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3, or 4."
The divergence in trustworthiness stems from the verification requirements for these higher levels:
- Level 2: Requires an independent audit to verify criteria such as the exclusive location of infrastructure, assets, and personnel in the Union, and the prohibition of using service-generated data to train third-country AI systems.
- Levels 3 & 4: Escalate these requirements, mandating that personnel be Union citizens (with security clearances where necessary) and that the provider is not subject to third-country control. Article 20 requires that for these levels, providers undergo "independent third-party audits" to obtain a "positive" audit opinion.
For sensitive workloads, such as those involving national security, law enforcement, or critical infrastructure, the self-assessed Level 1 is insufficient. The lack of an independent audit trail means a buyer cannot verify the provider's claims regarding third-country access risks or service continuity. The rigorous audit process required for Levels 2-4 provides the evidentiary depth necessary to mitigate these high-stakes risks.
What this means for you
For public-sector procurement officers and compliance teams, the distinction between self-assessment and independent audit is a critical risk management factor.
- Deploy Level 1 for Non-Critical Services: You may confidently procure Level 1 services for general administrative tasks, internal communications, or processing of non-sensitive data where the risk to public order is negligible. The legal liability assumed by the provider under Article 19(2) provides a baseline of accountability sufficient for these use cases.
- Mandate Audited Levels for Sensitive Data: If your workload involves sensitive personal data, classified information, or critical infrastructure management, Level 1 is legally and technically inadequate. You must conduct a risk assessment under Article 29 to determine if your activity contributes to public order. If it does, Article 30(3) requires you to procure only services recognised at Level 2, 3, or 4.
- Verify the Statement and Repository: Before contracting, ensure the provider has publicly published their EU statement of conformity as required by Article 19(3). Additionally, verify their status in the central repository of recognised services, which the Commission is required to establish and maintain under Article 22.
- Monitor for Material Changes: Providers are obligated to notify authorities of any material changes that could affect their assurance level under Article 23. Your procurement contracts should include clauses requiring immediate notification if a provider's Level 1 status is revoked or if they fail to maintain compliance, triggering a re-evaluation of the service.
Common misconceptions
"Self-assessment means no regulation." This is incorrect. Level 1 is fully regulated. The provider must meet specific technical and legal criteria outlined in Annex II and assumes full legal liability for false declarations under Article 19(2). Penalties for non-compliance apply equally to all assurance levels.
"Level 1 is only for private companies." No. Public-sector bodies are required to use Level 1 services for non-critical activities under Article 30(2). It is a mandatory baseline for the public sector, not merely an option for private entities.
"SMEs are exempt from the rules." SMEs are not exempt from the substantive criteria. They benefit from a simplified recognition process where their statement is automatically recognised across the Union under Article 17(3), but they must still comply with all Level 1 requirements and issue a valid EU statement of conformity.
"Level 1 guarantees the same data sovereignty as Level 4." It guarantees a baseline of data localisation (data remains in the Union unless explicitly required otherwise), but it does not provide the same depth of sovereignty protections as Levels 2-4. Specifically, Level 1 does not mandate Union citizenship for personnel, nor does it strictly prohibit third-country control over the provider, which are key differentiators for high-assurance levels.
Related
- CADA Conformity Self-Assessment: The Level 1 Pathway Explained
- CADA SME Self-Assessment: Automatic Recognition for Level 1 Cloud Services
- When does CADA require self-assessment versus an independent audit?
- CADA Level 4: Sensitive Data Risk Assessment & Strict Residency Rules
- CADA Level 3: Sovereignty Requirements for Public Sector Buyers
This is general information about a draft EU regulation, not legal advice.