Summary
No, physical hardware is explicitly excluded from the Cloud and AI Development Act (CADA) assurance level criteria. As proposed, CADA limits its sovereignty framework to software, data, and operational governance. The opening paragraph of Annex II states that "software" falls within the scope of the criteria while "hardware" is "outside of the scope." Consequently, cloud providers can achieve the highest Union assurance levels (including Level 4) using non-EU manufactured servers, provided they meet the strict requirements on software supply chains, data localization, and personnel citizenship.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a Union cloud computing sovereignty framework comprising four assurance levels (Article 16). These levels are designed to mitigate risks associated with dependence on third-country providers, such as unauthorized data access, service disruption, and extraterritorial legal interference. However, the legislative text deliberately narrows the scope of these criteria to the logical and operational layers of the cloud service, excluding the physical infrastructure layer.
The Explicit Exclusion in Annex II
The definitive boundary of the CADA sovereignty framework is set in the opening paragraph of Annex II (Criteria for Union Assurance Levels). This section defines the applicability of the criteria for all four assurance levels. It states verbatim:
"For the purpose of the criteria under Union assurance levels 1, 2, 3, and 4, 'software' within the meaning of Regulation (EU) 2024/2847, Article 3, point (4), falls within the scope of this Annex and Annex III to this Regulation. 'Hardware' within the meaning of Regulation (EU) 2024/2847, Article 3, point (5), is outside of the scope."
This provision creates a clear legal distinction:
- In Scope: Software, as defined by the Cyber Resilience Act (Regulation (EU) 2024/2847, Article 3(4)): the computer code that runs the service, including firmware and other digital components.
- Out of Scope: Hardware, as defined by the same regulation (Article 3(5)): the physical electronic components of the infrastructure, such as servers, processors, storage devices, and networking gear.
This exclusion applies uniformly across all four Union assurance levels. While the criteria for Levels 2, 3, and 4 impose rigorous obligations on the software supply chain, they do not mandate that the physical assets hosting the service be designed, manufactured, or sourced within the European Union.
How the Criteria Apply to Software vs. Hardware
The distinction is critical for understanding how providers achieve compliance. The criteria in Annex II focus heavily on the "software supply chain" and "operational control" rather than the provenance of physical assets.
For instance, under Union assurance levels 2, 3, and 4, providers must demonstrate specific software supply chain measures. These include:
- Maintaining a complete and up-to-date Software Bill of Materials (SBOM) (Annex II, 2.1(i), 3.1(i), 4.1(i)).
- Implementing controls to block remote features in software components owned by third-country entities that could tamper with or disrupt the system.
- Ensuring security-relevant components from third-country manufacturers are subject to source code audits and have documented migration plans in case of vendor failure or third-country restrictions.
These obligations target the code and the logical control of the service. A provider could therefore use servers manufactured in a third country, provided the software running on them is auditable, the SBOM is transparent, and the provider retains effective control over the software's evolution and security remediation. One practical consequence: the firmware on such servers is itself software in the CRA sense, so it falls under these same obligations even though the hardware it runs on does not.
The Role of Definitions in Article 2
The scope is further anchored by the definitions in Article 2 of the CADA proposal. The regulation does not create new definitions for "hardware" or "software" but cross-references the Cyber Resilience Act (Regulation (EU) 2024/2847):
- Software: Defined in Article 3, point (4) of Regulation (EU) 2024/2847.
- Hardware: Defined in Article 3, point (5) of Regulation (EU) 2024/2847.
By anchoring the scope to these existing definitions, CADA ensures that the sovereignty assessment focuses on the logical and operational control of the service rather than the geographical origin of the physical assets. This approach acknowledges that the global supply chain for semiconductors and hardware is deeply interconnected, and mandating 100% EU hardware for cloud services would be disproportionate and potentially unfeasible. Instead, CADA addresses sovereignty risks through the control of data, the citizenship of personnel, and the transparency of the software stack.
Why Hardware is Excluded
The legislative intent, as reflected in the structure of the proposal, suggests that physical infrastructure risks are addressed through other EU instruments. For example:
- The Cyber Resilience Act (CRA) regulates the cybersecurity of hardware and software products placed on the market.
- The Cybersecurity Act and the upcoming European Cybersecurity Certification Scheme for Cloud Services (EUCS) address technical cybersecurity standards.
- The Chips Act and related industrial policies address the supply chain for semiconductors.
CADA fills a specific gap: the sovereignty of the cloud service itself. It focuses on whether a third country can legally or technically compel the provider to access data, disrupt service, or undermine public order. These risks are primarily mediated through software, data flows, and personnel, not the physical silicon. Therefore, the framework assumes that physical infrastructure risks are managed elsewhere, allowing CADA to concentrate on the unique sovereignty risks of cloud services, such as data access and operational continuity.
What this means for you
For CTOs, cloud architects, procurement officers, and SMEs evaluating their cloud strategy under the proposed CADA, this exclusion has several practical implications:
- Hardware Procurement Freedom: Neither you nor your cloud provider is required to switch to EU-designed or EU-manufactured servers, chips, or networking equipment to satisfy CADA's sovereignty framework. A provider can use non-EU hardware and still achieve Union assurance level 4, as long as the software, data, and personnel meet the strict criteria. This allows organizations to draw on global hardware supply chains while maintaining sovereignty compliance.
- Focus on Software Supply Chain: Your compliance efforts should prioritize software visibility and control. Ensure your cloud providers can provide a detailed SBOM and demonstrate control over the software stack. The risk of non-compliance lies in the code, not the chip. Providers must be able to prove that third-country software components are auditable and that migration plans exist.
- Data and Personnel are Key: Since hardware is out of scope, the critical differentiators for the higher assurance levels (2–4) become data localization and personnel citizenship.
  - For Levels 3 and 4, all personnel involved in service provision must be Union citizens (Annex II, 3.1(d), 4.1(d)).
  - All customer data must remain exclusively within the Union (Annex II, 3.1(c), 4.1(c)).
  - The physical location of the server still matters for data localization; what is not assessed is where the server was designed or manufactured. The decisive factors are the legal and operational controls over the software and data.
- Audit Preparation: When preparing for the independent audits required for levels 2–4, focus on documenting software dependencies, source code auditability, and migration plans for third-country software components. Do not spend audit resources proving the origin of physical hardware; it is not among the CADA criteria, and auditors will look for evidence of software control, not hardware provenance.
Common misconceptions
- "CADA requires EU-made servers." False. The proposal explicitly excludes hardware from the assurance criteria in the opening paragraph of Annex II. You can use non-EU hardware and still achieve the highest sovereignty levels, provided the software and data controls are met.
- "The Cyber Resilience Act (CRA) and CADA have the same scope." False. While CADA references the CRA for definitions, their scopes differ. The CRA regulates the cybersecurity of hardware and software products placed on the market. CADA regulates the sovereignty of cloud services. A piece of hardware can be CRA-compliant but still be used in a CADA service that fails to meet assurance level criteria due to software or data issues (e.g., lack of an SBOM or third-country control).
- "Data localization means servers must be in the EU." Partially true, but misleading. While data must remain in the Union, the hardware itself is not scrutinized for its origin (where it was made). The focus is on where the data is processed and stored (Annex II, 3.1(c), 4.1(c)). The physical server could be manufactured in a third country, but if it is located in the EU and the data never leaves the Union, it can comply with the data localization criteria.
- "Hardware is irrelevant to sovereignty." Nuanced. While hardware is excluded from the assurance level criteria, it is not irrelevant to the broader ecosystem. Other EU policies (like the Chips Act) address hardware supply chains. However, for the specific purpose of obtaining a CADA Union assurance level, hardware origin is not a criterion.
Official sources
Related
- What criteria must a provider meet for CADA assurance level 4?
- What criteria must a provider meet for CADA assurance level 3?
- What criteria must a provider meet for CADA assurance level 2?
- What criteria must a provider meet for CADA assurance level 1?
- How often are the CADA assurance level criteria reviewed and updated?
This is general information about a draft EU regulation, not legal advice.