Summary

Under the proposed Cloud and AI Development Act (CADA), moving from Union assurance level 2 to level 3 tightens the sovereignty criteria in Annex II while keeping the same verification route: an independent third-party audit under Article 20. The biggest changes at level 3 are mandatory Union citizenship for all personnel involved in the service (level 2 only requires personnel located in the Union, with citizenship required only where the buyer asks for it); support performed by Union residents and by third parties not under third-country control; and a near-ban on third-country-controlled providers. Level 3 admits a third-country-controlled provider only by way of the Article 18 derogation, where the Commission has recognised that country as "associated". The cybersecurity certificate stays the same, at least "substantial" at both levels; only level 4 steps up to "high". CADA is a proposal (COM(2026) 502 final), not yet in force.

Detail

CADA's Article 16 would establish a four-tier "Union cloud computing sovereignty framework," with the criteria for each level set out in Annex II. Levels 2 and 3 are both high-assurance tiers requiring independent verification, but level 3 hardens the human-resources, support and ownership criteria.

What stays the same: independent audit and the data baseline

Both levels are verified the same way. Unlike level 1, which relies on a conformity self-assessment (Article 19), levels 2 and 3 require an independent third-party audit under Article 20. The provider undergoes the audit at its own expense to obtain an audit report and a "positive" audit opinion from an auditing organisation that is independent, conflict-free and technically competent (Article 20(1), (4)). The report must state a "positive" or "negative" opinion against the Annex II criteria; a negative opinion comes with operational recommendations and a timeframe (Article 20(5)). The report and positive opinion must be submitted for annual review (Article 20(8)). The criteria are cumulative, so a level 3 service must also satisfy every level 1 and level 2 criterion (Article 20(1)).

Both levels also share the core localisation baseline (Annex II §§2.1, 3.1): the provider and its subcontractors must be established in the Union; their infrastructure, assets and personnel involved in the service must be located in the Union; and customer data, including metadata and telemetry, must remain exclusively within the Union at all times, before, during and after use, unless the public sector body explicitly requires otherwise. At both levels, data generated by using the service may not be used to train or fine-tune any AI system operated by a third country or third-country entity, and may not be transferred outside the Union.

What changes: personnel, support and supply chain

Personnel: from "located in the Union" to "Union citizens". This is the sharpest change. At level 2, the provider must make available personnel who meet additional screening and Union-citizenship requirements only where the public sector body determines this is necessary (Annex II §2.1(d)). At level 3, citizenship becomes mandatory by default: all personnel, including subcontractor staff, involved in providing the audited service must be Union citizens, and where they handle classified information they must hold the necessary national security clearance issued by a Member State (Annex II §3.1(d)).

Support: Union residents, no third-country control. At level 2, support must be initiated and performed exclusively within the Union (§2.1(h)). Level 3 adds that support must be performed by personnel who are Union residents and by third parties not subject to third-country control (§3.1(h)).

Cybersecurity certificate: unchanged at "substantial". Both level 2 and level 3 require the service to obtain a European cybersecurity certificate of at least assurance level "substantial" under a scheme established under Regulation (EU) 2019/881 (the Cybersecurity Act); until such a scheme exists, national schemes apply, or failing that the provider demonstrates the highest cybersecurity standards under applicable Union law (Annex II §§2.1(e), 3.1(e)). The certificate level does not rise between level 2 and level 3; that step (to "high") happens only at level 4.

Software supply chain. Both levels require an SBOM, documented dependencies, controls against remote tampering, source-code audits and migration plans for third-country software components (§§2.1(i), 3.1(i)). The level 3 wording is materially the same; the practical difference at level 3 comes from the citizenship, residency and ownership constraints layered on top.

The decisive change: third-country control (Article 18)

The structural difference between the levels is how a provider under third-country control is treated.

  • Level 2. A provider (or subcontractor) under the control of a third country or a third-country entity may still qualify if it demonstrates that the necessary legal, technical and organisational measures are in place so that: the third country's control does not restrain its ability to deliver the service; third-country access to customer data is prevented; service disruption or degradation by the third country is prevented; and it is not compelled to apply restrictive measures such as sanctions or embargoes unless those are legitimate under Member State or Union law (Annex II §2.1(g)).
  • Level 3. As a rule, the provider and its subcontractors must not be subject to third-country control (Annex II §3.1(g)). The only path in is the Article 18 derogation. The Commission may, by implementing act, identify a third country as "associated", meaning a provider controlled by that country (or an entity established there) may be audited against the level 3 criteria. (Note: Annex II §3.1(g) cross-refers to "Article 19", but the operative associated-third-countries mechanism is set out in Article 18, an apparent cross-reference error in the draft.) Even then, the provider must still demonstrate the same technical and organisational safeguards against control, data access and disruption that level 2 requires.

For the Commission to recognise a third country under Article 18, that country must meet cumulative criteria (Article 18(1)): an adequacy decision under Article 45 of the GDPR (Regulation (EU) 2016/679); no measures letting it control the provider in conflict with the lawful-access rules for non-personal data in Article 32(2)-(3) of the Data Act (Regulation (EU) 2023/2854); no measures to compel service disruption or to force the provider to apply sanctions/embargoes (unless legitimate under Member State or Union law); no measures impeding state-of-the-art technologies; an open market to Union cloud services; and equivalent access for Union-controlled providers to that country's public-procurement procedures. The Commission must repeal, amend or suspend the decision if the country stops meeting the criteria, and must publish the list of qualifying countries (Article 18(2)-(3)).

What this means for you

For providers and data centre operators serving the EU public sector, moving from level 2 to level 3 is mostly a people-and-ownership problem, not a technology problem.

  1. Re-staff for citizenship, not just location. Audit your workforce and subcontractor chain. For level 3, everyone involved in providing the service must be a Union citizen (Annex II §3.1(d)); moving staff into the Union is not enough. You may need to re-scope roles, restrict access, or change subcontractors.
  2. Put support on Union-resident hands. Level 3 support must be performed by Union residents and by third parties not under third-country control (ยง3.1(h)).
  3. Map your ownership. If you are controlled by a third-country entity, level 3 is closed to you unless the Commission has recognised your controlling country under Article 18 โ€” and even then you must prove the technical safeguards. There is no technical-controls-only route to level 3 for a controlled provider.
  4. Don't budget for a higher cybersecurity certificate. The certificate requirement is the same "substantial" at both levels; plan the "high" upgrade only if you are targeting level 4.
  5. Stay audit-ready. Both levels require annual review (Article 20(8)) and prompt notification of any material change that could affect the audit opinion or recognition (Article 23).

Common misconceptions

  • "Level 3 is just more cybersecurity than level 2." No. The cybersecurity certificate is the same ("substantial"). The real changes are legal and personnel-based: Union citizenship, Union-resident support, and the third-country-control restriction.
  • "Self-assessment is enough for level 2." No. Self-assessment (Article 19) is available only at level 1. Levels 2, 3 and 4 all require an independent third-party audit (Article 20).
  • "Encrypted data may leave the Union." No. At both levels customer data must remain exclusively within the Union unless the public sector body explicitly requires otherwise (Annex II §§2.1(c), 3.1(c)). Encryption does not lift that requirement.
  • "Third-country-controlled providers are banned from level 3." Not outright. Article 18 creates a pathway via Commission recognition of an "associated" third country (a legal and political assessment), after which the provider must still meet the safeguard criteria.

This is general information about a draft EU regulation, not legal advice.