Summary

The Cloud and AI Development Act (CADA) is a proposed EU regulation, not yet in force. As proposed in Article 16, it would establish a "Union cloud computing sovereignty framework comprising four Union assurance levels", with the detailed criteria set out in Annex II. The four levels would rise from a baseline of EU establishment and data localisation (Level 1) to the strictest protection against third-country control for sensitive data (Level 4). The criteria are cumulative: Article 20(1) provides that a provider audited at a higher level "shall satisfy all the applicable cumulative criteria under Annex II applicable to the lower Union assurance levels", and that failing any lower-level requirement "shall preclude conformity with the higher Union assurance levels". Cybersecurity certification would rise with each tier: Level 3 requires "substantial", and only Level 4 requires "high".

Detail

The CADA proposal would introduce a harmonised framework intended to reduce strategic dependencies on a small number of cloud providers subject to third-country control. Its recitals describe risks such as concentration, "vulnerabilities arising from the extraterritorial application of third-country laws", possible service disruption, and reduced control over data and infrastructure. The four assurance levels are described in the proposal as reflecting "the nuanced and layered nature of sovereignty".

As proposed in Article 16(1), the framework would comprise four Union assurance levels "that cloud computing service providers shall meet in order to provide their cloud computing services to Union entities and public sector bodies". The specific legal, technical and operational criteria for each level are set out in Annex II.

A defining feature is the cumulative structure. Under Article 20(1), a provider audited at a higher level would have to satisfy every criterion of the levels below it; failure to meet any lower-level requirement "shall preclude conformity with the higher Union assurance levels". Each level therefore adds to, rather than replaces, the one beneath it.

The recognition route also differs by level. Level 1 would be reached through a conformity self-assessment under Article 19, ending in an "EU statement of conformity" by which the provider assumes responsibility for compliance. Levels 2, 3 and 4 would instead require an independent third-party audit under Article 20, performed at the provider's own expense and resulting in a "positive" audit opinion. The auditing organisation must be independent, free of conflicts of interest, and have proven competence and objectivity (the proposal does not describe it as "accredited").

The summaries below describe each level as proposed.

Union Assurance Level 1: the baseline

Level 1 would be the minimum standard for cloud services procured by public sector bodies. As set out in Annex II, Section 1.1, its cumulative criteria would include:

  • Establishment (1.1(a)): the provider is established in the Union.
  • Infrastructure location (1.1(b)): the provider's infrastructure and assets, including those of subcontractors involved in the service, are located in the Union, unless the public sector body explicitly requires otherwise.
  • Data localisation (1.1(c)): customer data, including metadata and telemetry, remains exclusively within the Union at any time, unless the public sector body explicitly requires otherwise.
  • Cybersecurity (1.1(e)): the service demonstrates compliance with state-of-the-art cybersecurity standards.
  • Subcontractor transparency (1.1(f)): full transparency on the use of subcontractors, who are subject to due diligence, contractual obligations and ongoing oversight.
  • Vulnerability reporting (1.1(g)): where the provider is under third-country control, it guarantees (demonstrated by independent sources) that no law or practice in that third country requires it to report software-vulnerability information before those vulnerabilities are known to have been exploited.

Level 1 would be reached by self-assessment under Article 19. As proposed in Article 17(3), an EU statement of conformity issued by a provider that is an SME would be "directly and automatically recognised in all Member States without the need for prior recognition".

Union Assurance Level 2: independent audit and supply-chain control

Level 2 would build on Level 1 and require an independent audit. Per Annex II, Section 2.1, the additions would include:

  • Personnel location (2.1(b)): infrastructure, assets and personnel of the provider and subcontractors involved are located in the Union.
  • Personnel screening (2.1(d)): where the public sector body determines it necessary, the provider ensures personnel meeting additional screening and Union-citizenship requirements are available — not a blanket citizenship rule.
  • Cybersecurity certificate (2.1(e)): a European cybersecurity certificate of at least assurance level "substantial" under a cloud scheme to be established under the Cybersecurity Act, where such a scheme exists; otherwise national schemes or the highest applicable standards apply.
  • Data-use restriction (2.1(f)): data generated by using the service is not used to train or fine-tune any AI system operated by a third country or a third-country-established entity, and is not transferred outside the Union in any case.
  • Third-country control mitigations (2.1(g)): where the provider or subcontractors are under third-country control, they demonstrate measures ensuring that control does not restrain delivery, that third-country access to customer data is prevented, that disruption or degradation is prevented, and that the provider is not obliged to give effect to third-country restrictive measures unless legitimate under Member State or Union law.
  • Support localisation (2.1(h)): technical and operational support is initiated and performed exclusively within the Union.
  • Software supply chain (2.1(i)): a complete, up-to-date software bill of materials (SBOM) and dependency list; controls on third-country software components (including source-code audits of security-relevant components and a documented migration plan); and the vulnerability-reporting guarantee.

Union Assurance Level 3: high-assurance, citizenship and a narrow third-country route

Level 3 would add to Level 2, per Annex II, Section 3.1:

  • Union citizenship (3.1(d)): personnel involved, including subcontractor personnel, are Union citizens and, where appropriate, hold national security clearance issued by a Member State when handling classified information.
  • Cybersecurity certificate (3.1(e)): at least assurance level "substantial" — the same standard as Level 2, not "high".
  • No third-country control, by way of derogation (3.1(g)): the provider and subcontractors are not subject to third-country control. As a derogation, a provider under third-country control may be audited for Level 3 only where the Commission has adopted an implementing act under Article 18 identifying the relevant third country. Under Article 18(1), that requires the third country to satisfy six cumulative criteria — an adequacy decision under the GDPR is only the first of them; the others concern lawful-access safeguards under the Data Act, no measures compelling service degradation or improper sanctions, no obstruction of state-of-the-art technologies, an open market to Union cloud services, and equivalent access to public procurement for Union-controlled providers. Even where the derogation applies, the provider must still demonstrate the mitigating measures mirroring Level 2.
  • Support personnel (3.1(h)): support is initiated and performed exclusively within the Union, by personnel who are Union residents, and by third parties not under third-country control.

Union Assurance Level 4: the highest tier, no third-country route

Level 4 would be the strictest tier, building on Level 3 under Annex II, Section 4.1:

  • Sensitive-data localisation (4.1(c)): customer data that, following a risk assessment, is identified as sensitive remains exclusively within the Union at any time. There is no "unless the public sector body requires otherwise" carve-out for this criterion.
  • Cybersecurity certificate (4.1(e)): at least assurance level "high" — the only level requiring "high".
  • No third-country control, no derogation (4.1(g)): the provider and subcontractors must not be subject to third-country control, and there is no Article 18 derogation at Level 4.
  • Effective control over software (4.1(i)): the provider demonstrates that no third country or third-country entity holds or exercises "effective control over the design, development, maintenance, and evolution" of software components — including the ability to materially influence technical evolution, maintenance priorities, security remediation and long-term continuity.

What this means for you

For public-sector readers, the four levels would offer a risk-based ladder rather than a one-size-fits-all rule. You would not apply the highest level to everything.

  • A risk assessment comes first. As proposed in Article 29, Member States and Union entities carry out risk assessments to identify public-sector activities that contribute to the preservation of public order. The proposal does not set a fixed review cadence.
  • Default to Level 1. Under Article 30(2), entities whose activities have not been identified as contributing to public order would "use cloud computing services that have been recognised under Article 17 as having a Union assurance level 1".
  • Higher levels for public-order activities. Under Article 30(3), contracting authorities whose activities have been so identified — in NIS2 Annex I or II sectors, or in national security, internal security, external border management, defence, justice or law enforcement — "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4". The recitals note that most public services would not require the highest levels.
  • Cumulative compliance simplifies evaluation. A provider recognised at Level 3 has, by definition, met every Level 1 and Level 2 criterion (Article 20(1)) — but the audit behind that claim is correspondingly demanding.

Common misconceptions

  • "Level 1 is optional." As proposed, Level 1 would be the mandatory floor for public-sector cloud procurement under Article 30(2); there is no non-assured option.
  • "Level 3 needs a 'high' cybersecurity certificate." No. Level 3 would require at least "substantial" (Annex II 3.1(e)). Only Level 4 would require "high" (Annex II 4.1(e)).
  • "A GDPR adequacy decision is enough to put a third-country provider into Level 3." No. The Article 18 route requires six cumulative criteria; adequacy is only one of them, and the provider must additionally demonstrate the mitigating measures in Annex II.
  • "Third-country-controlled providers might still reach Level 4." No. Unlike Level 3, Level 4 has no derogation for third-country control (Annex II 4.1(g)).
  • "The criteria are fixed." Under Article 16(3), the Commission would review Annex II and Annex III "at least every 18 months", and Article 16(2) would allow amendment by delegated act.

This is general information about a draft EU regulation, not legal advice.