Summary
As proposed in the Cloud and AI Development Act (CADA), cloud service providers seeking recognition at Union Assurance Level 1 must adhere to strict rules regarding their supply chain. Providers are required to provide full transparency regarding their use of subcontractors, subject them to due diligence, enforce contractual obligations, and maintain ongoing oversight to ensure compliance with Union legal obligations. Crucially, these specific Level 1 rules apply only to subcontractors that have a direct contractual relationship with the provider and contribute to the provision and the delivery of the cloud computing service. This creates a clear boundary for provider liability and transparency at the baseline assurance level.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a Union cloud computing sovereignty framework comprising four assurance levels. Union Assurance Level 1 serves as the baseline requirement for public sector procurement where activities do not contribute to the preservation of public order in high-risk sectors. While Level 1 is the entry point for the framework, it imposes specific, cumulative obligations on cloud computing service providers regarding their reliance on third parties.
The rules governing subcontractors at this level are not merely administrative; they are designed to ensure that the primary provider retains accountability for the entire service delivery chain, even when parts of the infrastructure or technical support are outsourced. These requirements are explicitly detailed in Annex II of the proposal, specifically under the criteria for Union Assurance Level 1.
Full Transparency and Oversight (Annex II, Section 1.1(f))
The primary obligation regarding subcontractors at Level 1 is codified in Annex II, Section 1.1(f). This provision mandates that the cloud computing service provider must provide full transparency around the use of subcontractors. However, the proposal makes it clear that transparency alone is insufficient; it must be underpinned by active management, control, and verification mechanisms.
According to the text of Annex II, Section 1.1(f), the cloud computing service provider must:
- Subject subcontractors to due diligence: Before engaging a third party, the provider must conduct thorough checks. This due diligence is intended to verify that the subcontractor possesses the necessary capabilities and legal standing to meet the required standards.
- Enforce contractual obligations: The provider must bind subcontractors through explicit contracts. These contracts must require the subcontractor to meet Union legal obligations. This ensures that the legal responsibilities of the primary provider are effectively passed down the supply chain, creating a binding legal framework that mirrors the provider's own obligations.
- Maintain ongoing oversight: Compliance is not a static, one-time event. The proposal requires providers to maintain ongoing oversight of their subcontractors. This implies a continuous monitoring process to ensure that subcontractors remain compliant with Union legal obligations throughout the entire duration of the service provision.
This triad of full transparency, due diligence, and ongoing oversight ensures that the provider cannot outsource its responsibility for legal compliance. Even if a subcontractor performs the technical work, the primary provider remains the accountable entity vis-à-vis the public sector body and the competent authorities.
Definition of Relevant Subcontractors (Annex II, Section 1.2)
A critical nuance in the CADA proposal is the precise definition of which subcontractors are subject to these Level 1 rules. Annex II, Section 1.2 clarifies the scope of application, distinguishing between relevant and irrelevant third parties for the purpose of Level 1 recognition.
The text states:
"For Union assurance level 1, the subcontractors referred to in the first paragraph must be subcontractors that are third parties that have a direct contractual relationship with the cloud computing service provider and that contribute to the provision and the delivery of the cloud computing service."
This definition establishes two strict criteria that must be met simultaneously:
- Direct Contractual Relationship: The rules apply exclusively to entities that have a direct contract with the cloud service provider. This explicitly excludes "sub-subcontractors" (entities contracted by the primary subcontractor) from the specific transparency and oversight requirements of Level 1. While the primary provider is responsible for the service, the Level 1 criteria do not mandate the same level of direct contractual scrutiny for the second tier of the supply chain.
- Contribution to Provision and Delivery: The subcontractor must be actively involved in the core function of providing or delivering the cloud computing service. This likely encompasses entities managing physical infrastructure, providing technical support, handling data storage, or performing operations that directly impact the service's availability and integrity. It likely excludes peripheral services that do not touch the core service delivery or customer data handling in a way that impacts the sovereignty criteria.
Context within the Broader Level 1 Criteria
These subcontractor rules are part of a broader set of cumulative criteria for Level 1 found in Annex II, Section 1.1. They interact with other critical requirements, such as:
- Establishment: The provider must be established in the Union.
- Location of Infrastructure: The infrastructure and assets of the provider, including those of its subcontractors, must be located in the Union, unless the public sector body explicitly requires otherwise.
- Data Localisation: Customer data, including metadata and telemetry, processed by the provider and its subcontractors must remain exclusively within the Union, unless the public sector body explicitly requires otherwise.
The subcontractor rules in 1.1(f) and 1.2 act as the governance mechanism for these location and data criteria. They ensure that while providers can outsource parts of their operations, they cannot outsource their responsibility for ensuring that the subcontractor's infrastructure is in the Union and that the subcontractor's handling of data complies with Union law. Without the due diligence and contractual obligations mandated by 1.1(f), the provider could not guarantee that the subcontractor's assets and data flows meet the requirements of 1.1(b) and 1.1(c).
What this means for you
If you are a cloud service provider or data centre operator seeking to serve the EU public sector under the proposed CADA, you must adapt your vendor management and contracting processes to meet these new standards. The shift from informal vendor relationships to a regulated supply chain is significant.
- Audit Your Supply Chain: You must identify all third parties that have a direct contractual relationship with you and contribute to the provision and delivery of your cloud services. You must be able to list them transparently and demonstrate their role in the service.
- Update Contracts: Review existing and draft contracts with these specific subcontractors. Ensure they include explicit clauses that bind the subcontractor to comply with all relevant Union legal obligations. This may include data protection (GDPR), cybersecurity standards, and specific sovereignty-related requirements. The contract must serve as the legal vehicle for your ongoing oversight.
- Implement Due Diligence Processes: Establish a formal, documented process for vetting subcontractors before engagement. This should assess their legal compliance posture, security standards, and operational reliability. This is not a "check-the-box" exercise but a substantive evaluation required by the proposal.
- Establish Ongoing Monitoring: Move beyond annual audits if necessary. Implement mechanisms for continuous oversight, such as regular reporting, access to logs, or periodic compliance checks, to ensure subcontractors remain compliant throughout the contract term. The proposal requires ongoing oversight, implying a dynamic process.
- Prepare for Transparency Requests: Be ready to disclose your subcontractor landscape to public sector bodies and competent authorities. Full transparency implies that you cannot hide behind complex supply chains; you must know and be able to articulate who is involved in your service delivery and how they are managed.
Common misconceptions
- "All subcontractors are included." This is incorrect. The rules apply specifically to subcontractors with a direct contractual relationship with the provider who contribute to the provision and delivery of the service. Sub-subcontractors or entities providing peripheral, non-service-delivery support may not fall under this specific Level 1 definition, though they may still be relevant for higher assurance levels or other legal obligations.
- "Due diligence is a one-time check." The proposal explicitly requires ongoing oversight. Compliance is dynamic, and providers must continuously monitor subcontractors to ensure they maintain their compliance with Union legal obligations. A one-time check at the start of the contract is insufficient.
- "Transparency means just listing names." "Full transparency" coupled with due diligence, contractual obligations, and ongoing oversight implies a deeper level of disclosure. It likely requires providing information on the nature of the subcontractor's role, their compliance status, and the measures in place to ensure their adherence to Union law.
- "Level 1 has no subcontractor restrictions." While Level 1 is the baseline, it is not unregulated. The requirement for full transparency, due diligence, and contractual binding is a significant operational change for many providers who may currently have loose or informal subcontractor arrangements.
- "The rules apply to the whole supply chain." At Level 1, the rules are limited to the first tier of subcontractors (those with a direct contract). Higher assurance levels (Levels 2, 3, and 4) may impose stricter requirements that extend further down the supply chain, but Level 1 focuses on the direct contractual link.
This is general information about a draft EU regulation, not legal advice.