Summary

The four tiers in the proposed Cloud and AI Development Act (CADA) are officially named Union assurance levels 1, 2, 3, and 4. As established in Article 16(1), these are not generic quality ratings but a graduated framework of sovereignty assurance. The names denote increasing stringency regarding where data is stored, who controls the infrastructure, and the degree of insulation from third-country laws. Level 1 is the baseline for all public procurement; Levels 2–4 are mandatory for activities deemed critical to the preservation of public order, with Level 4 representing the highest degree of operational autonomy and personnel restrictions.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, addresses the EU's strategic dependence on non-European cloud providers by establishing a harmonised Union cloud computing sovereignty framework. This framework is the core mechanism for ensuring that public-sector data and operations remain under European jurisdiction.

The Official Terminology: Union Assurance Levels

Under Article 16(1), the regulation explicitly establishes a framework comprising four distinct tiers. The proposal names these tiers "Union assurance levels" (specifically, Union assurance levels 1, 2, 3, and 4).

The choice of the word "assurance" is legally significant. It distinguishes this framework from standard cybersecurity certifications. While cybersecurity is a prerequisite, "assurance" here refers to assurance of sovereignty and operational autonomy. The levels represent a ladder of increasing strictness regarding:

  • Establishment: Where the provider is legally incorporated.
  • Location: Where infrastructure, assets, and personnel are physically situated.
  • Control: Whether the provider is subject to the control of a third country or legal entity established outside the Union.
  • Data Residency: Whether customer data remains exclusively within the Union.

What the Names Mean: A Graduated Approach

The numbers 1 through 4 indicate a progressive increase in the stringency of the criteria a cloud computing service provider must meet, as detailed in Annex II of the proposal.

Union Assurance Level 1: The Baseline

This is the minimum standard required for all public-sector procurement under CADA.

  • Establishment: The provider must be established in the Union.
  • Location: Infrastructure and assets must be located in the Union, unless the public sector body explicitly requires otherwise.
  • Data: Customer data (including metadata and telemetry) must remain exclusively within the Union, unless explicitly required otherwise by the public sector body.
  • Cybersecurity: The provider must demonstrate compliance with state-of-the-art cybersecurity standards.
  • Transparency: Full transparency regarding subcontractors is required, with due diligence and ongoing oversight.
  • Third-Country Control: If the provider is subject to third-country control, the provider must guarantee that no law of that country requires software vulnerabilities to be reported to its authorities before those vulnerabilities are known to have been exploited.

Union Assurance Level 2: Enhanced Control

Level 2 introduces stricter requirements on personnel location and supply chain integrity.

  • Personnel: Infrastructure, assets, and personnel (including those of subcontractors) must be located in the Union.
  • AI Training: Data generated by the service cannot be used to train or fine-tune AI systems operated by a third country or a legal entity established in a third country.
  • Supply Chain: Providers must maintain a complete Software Bill of Materials (SBOM) and implement controls to block remote features that could tamper with the service.
  • Third-Country Control: If subject to third-country control, the provider must demonstrate that such control cannot restrict service delivery, access data, or disrupt continuity.
  • Cybersecurity: Requires a European cybersecurity certificate of at least assurance level 'substantial' (or equivalent national standards until a Union scheme is established).

Union Assurance Level 3: High Sovereignty

Level 3 is designed for sensitive activities and introduces mandatory personnel citizenship requirements.

  • Personnel Citizenship: All personnel involved in the service must be Union citizens. Where appropriate, they must hold necessary national security clearances.
  • Cybersecurity: Requires a European cybersecurity certificate of at least assurance level 'substantial'.
  • Third-Country Control: Providers and subcontractors must not be subject to the control of a third country.
    • Derogation: By way of derogation, a provider subject to third-country control may qualify if the Commission has adopted an implementing act under Article 18 recognizing that third country as providing sufficient assurances.
  • Support: Technical and operational support must be initiated and performed exclusively within the Union by Union residents.

Union Assurance Level 4: Maximum Sovereignty

This is the highest tier, reserved for the most critical public order activities involving classified information.

  • Personnel: All personnel must be Union citizens with necessary national security clearances.
  • Cybersecurity: Requires a European cybersecurity certificate of at least assurance level 'high'.
  • Third-Country Control: Strictly prohibits third-country control. No derogations are available for this level.
  • Separation: Requires effective legal, technical, and organisational separation between the Union parent company and any third-country subsidiaries.
  • Data: Sensitive data identified after a risk assessment must remain exclusively within the Union.

Why "Assurance" and Not "Security"?

The naming convention reflects a critical distinction between technical cybersecurity and geopolitical sovereignty. A service can be technically secure (encrypted, firewalled) but still subject to the laws of a third country that may compel data access or service disruption (e.g., via the US CLOUD Act). CADA's "assurance levels" certify that the provider has taken legal, technical, and organisational steps to assure the public sector that such external pressures will not compromise the service or the data.

What this means for you

For public-sector procurement officers and compliance teams, understanding these tier names is essential for adhering to Article 30 of CADA.

  1. Mandatory Minimum: Under Article 30(2), all contracting authorities must procure, as a minimum requirement, cloud services recognised as having Union assurance level 1. Procuring a service below this baseline is not permitted.
  2. Risk-Based Procurement: For activities identified in your national risk assessment (under Article 29) as contributing to the preservation of public order (e.g., defence, justice, law enforcement, critical infrastructure), you must procure services with Union assurance levels 2, 3, or 4. The specific level required depends on the sensitivity of the data and the criticality of the function.
  3. Verification: You must verify that providers have been formally recognised by the competent authority of their establishment. This status is recorded in the central repository maintained by the Commission under Article 22.
  4. Transition Planning: If your current provider does not meet these assurance levels, you must plan for migration. Article 29(6) allows for a reasonable transition period of up to 12 months to migrate to a compliant provider, considering technical feasibility and data portability.

Common misconceptions

"Level 1 is optional." No. Under Article 30(2), Union assurance level 1 is the mandatory minimum for all public sector cloud procurement. No public body may procure a service that fails to meet this baseline.

"These are just cybersecurity certifications." While cybersecurity is a component, these levels are primarily about sovereignty and operational autonomy. A service can be highly secure but fail to meet Level 3 if it is controlled by a third-country entity without specific derogations under Article 18.

"Level 4 is for everyone." No. The framework is proportionate. Level 4 is reserved for the most sensitive activities involving classified information or critical public order functions. Most public services will operate at Level 1 or 2, as determined by the risk assessment in Article 29.

"The names might change to 'Gold/Silver/Bronze'." The proposal uses the specific legal term "Union assurance levels." While political debate may use shorthand, the legal obligations and technical criteria are tied to these specific designations in Article 16 and Annex II.

This is general information about a draft EU regulation, not legal advice.