Summary
As proposed, the Cloud and AI Development Act (CADA) would establish a "Union cloud computing sovereignty framework" of four tiers, Union assurance levels 1 to 4, that cloud providers would meet to serve EU public bodies (Article 16). Level 1 rests on a provider self-assessment; Levels 2, 3 and 4 require an independent third-party audit, with progressively stricter rules on data localisation, personnel and third-country control. The criteria sit in Annex II. CADA is a proposal (COM(2026) 502 final), so none of this is in force yet.
Detail
The proposed CADA aims to reduce the EU's dependence on a limited number of non-European cloud providers. Article 16, as proposed, would create a Union cloud computing sovereignty framework "comprising four Union assurance levels, the criteria for which are set out in Annex II," that providers must meet to supply Union entities and public sector bodies. The levels form a ladder of trust, letting public buyers match assurance to the sensitivity of the activity.
Union assurance level 1 — self-assessment baseline
Level 1 is the baseline for ordinary public-sector cloud. There is no independent audit: under Article 19, as proposed, the provider carries out a conformity self-assessment against the Annex II Level 1 criteria and issues an EU statement of conformity (recognition is then sought from the national competent authority under Article 17).
The Annex II Level 1 criteria include:
- the provider is established in the Union;
- its infrastructure and assets (including those of subcontractors involved in the service) are located in the Union "unless the public sector body explicitly requires otherwise";
- customer data, including metadata and telemetry, remains exclusively within the Union, subject to the same caveat;
- full transparency over subcontractors;
- where the provider is under third-country control, a guarantee that no laws or practices in that country require it to report software vulnerabilities to that country's authorities before they are known to have been exploited.
For SMEs, the proposal offers a streamlined path: under Article 17(3), an SME's EU statement of conformity for Level 1 would be "directly and automatically recognised in all Member States" without prior recognition by a national competent authority.
Union assurance levels 2, 3 and 4 — audited tiers
For more sensitive activities, the higher levels apply. Unlike Level 1, Levels 2, 3 and 4 require an independent third-party audit: under Article 17(4), the provider must submit the audit report and a "positive" audit opinion (Article 20) to the evaluating national competent authority.
Union assurance level 2 adds operational controls (Annex II, section 2):
- The audited provider and subcontractors involved in the service are established in the Union, and the infrastructure, assets and personnel are located in the Union.
- Customer data remains exclusively in the Union, and data generated by using the service may not be used to train or fine-tune any AI system operated by a third country, nor transferred outside the Union.
- Where the provider is under third-country control, it must show that legal, technical and organisational measures prevent that control from restricting service delivery, prevent third-country access to customer data, and prevent service disruption.
- The service obtains a European cybersecurity certificate of at least assurance level 'substantial' once such a scheme exists (with national schemes or the highest applicable standards in the interim).
- Note: at Level 2, Union citizenship of personnel is not mandatory by default; under Annex II 2.1(d) it applies only where the public sector body determines that additional personnel screening and citizenship requirements are necessary.
Union assurance level 3 tightens this further (Annex II, section 3):
- Union-citizen personnel become mandatory: the personnel (including subcontractors) involved in the service must be Union citizens, and must hold national security clearance where appropriate when handling classified information.
- Technical and operational support must be initiated and performed exclusively within the Union by Union-resident personnel not subject to third-country control.
- As a rule, providers under third-country control are excluded. By derogation, the Commission may — by implementing act for "associated third countries" under Article 18 — allow a controlled provider from such a country to be audited at Level 3, provided it also proves effective legal, technical and organisational separation and the other safeguards.
Union assurance level 4 is the highest tier, for the most critical activities (Annex II, section 4):
- No third-country control: neither the provider nor its subcontractors may be subject to the control of a third country or a third-country entity, with no derogation for associated third countries.
- Personnel must be Union citizens and hold national security clearance where appropriate for classified information.
- The provider must demonstrate effective control over software components, showing no third country holds or exercises effective control over their design, development, maintenance or evolution.
- The service obtains a European cybersecurity certificate of at least assurance level 'high'.
How the levels work together
The framework would also create transparency. Under Article 22, the Commission would establish and maintain a publicly available central repository of recognised services, so public authorities can identify which providers meet which level. The Commission may amend Annex II by delegated act and must review it at least every 18 months (Article 16).
What this means for you
For public-sector and procurement officers, this four-tier framework as proposed would change how you evaluate cloud providers — commercial assurances and generic certifications would no longer be enough.
1. Run the risk assessment first. Under Article 29, your Member State or Union entity must carry out a risk assessment identifying which activities contribute to the preservation of public order. Under Article 30(2), activities not so identified must use a service recognised at Level 1; under Article 30(3), activities that are identified (in the listed NIS2 sectors and areas such as defence, justice or law enforcement) must use a service recognised at Level 2, 3 or 4.
2. Verify recognition, not claims. For Levels 2-4, check the Article 22 central repository for a valid recognition decision rather than relying on a provider's self-description. For Level 1, verify the EU statement of conformity.
3. Plan for migration. If a current provider does not meet the required level, Article 29(6) allows a transition period not exceeding 12 months, taking account of technical feasibility, service continuity and data portability. Start early.
4. Use Union added value. When procuring innovative cloud or AI, Article 32 requires non-price "Union added value" award criteria (for example, favouring EU-designed or EU-manufactured hardware) — kept ancillary and not decisive.
Common misconceptions
"Level 1 means no third-country involvement." Not quite. As proposed, a provider under third-country control can still reach Level 1, provided it guarantees that no third-country laws require it to report software vulnerabilities to that country's authorities before they are known to have been exploited (Annex II, 1.1(g)). The restrictions tighten sharply at Levels 3 and 4, where third-country control is prohibited (with a narrow Article 18 derogation only at Level 3).
"Higher levels are always mandatory." No. The framework is risk-based. Activities not identified as preserving public order need only Level 1 (Article 30(2)); Levels 2-4 apply only to identified public-order activities (Article 30(3)).
"CADA replaces the GDPR or the Cybersecurity Act." No. CADA would complement them. The GDPR still governs personal data; the Cybersecurity Act (Regulation (EU) 2019/881) and any future cloud certification scheme address technical cybersecurity. CADA adds a sovereignty layer — operational autonomy, foreign-access and disruption risks. A service can be GDPR-compliant and secure yet still fail CADA's sovereignty criteria.
"SMEs are shut out of the higher levels." No. SMEs benefit from automatic Level 1 recognition (Article 17(3)) but are not barred from Levels 2-4; they would simply need to pass the independent audit and meet the same criteria.
Related
- Why can't existing EU laws already solve cloud sovereignty? (CADA)
- What is the EU Tech Sovereignty package and how does CADA fit in?
- CADA vs SecNumCloud: what is the difference between CADA and a national sovereignty label?
- What is the CADA sovereignty risk assessment (Article 29)?
- What is cloud sovereignty and why does it matter for the EU under CADA?
This is general information about a draft EU regulation, not legal advice.