Summary Pursuing Union Assurance Level 3 or 4 under the proposed Cloud and AI Development Act (CADA) is a strategic investment in access to high-value public-sector markets that are legally closed to lower-tier providers. Article 16(1) establishes the four-level sovereignty framework, and Article 30(3) obliges contracting authorities to procure only Level 2, 3 or 4 services for activities critical to public order; Levels 3 and 4 target the most sensitive of these activities, in sectors such as defense, justice, and national security. While Level 1 offers a baseline for general services, Levels 3 and 4 unlock contracts with Union entities and Member States that cannot legally place such workloads with lower-tier providers. The business case hinges on weighing the substantial costs of independent third-party audits and supply-chain restructuring against the revenue potential of this protected market segment, where recognized services are listed in the central repository established under Article 22.
Detail
The proposed Cloud and AI Development Act (CADA) introduces a tiered sovereignty framework designed to reduce the EU's dependence on non-European cloud providers and safeguard public order. For cloud service providers (CSPs), the decision to pursue Union Assurance Levels 3 or 4 is not merely a compliance exercise but a fundamental market-entry strategy.
The Regulatory Mandate: Article 16(1) and Public Order
The core of the business case is rooted in Article 16(1), which establishes the Union cloud computing sovereignty framework comprising four assurance levels. The criteria for these levels are detailed in Annex II. Crucially, the proposal mandates that cloud computing service providers must meet these specific criteria to provide services to Union entities and public sector bodies.
While Union Assurance Level 1 serves as a baseline for general public sector use, Levels 3 and 4 are reserved for the most sensitive operations. The proposal explicitly links these higher levels to the preservation of public order in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), as well as national security, internal security, external border management, defense, justice, and law enforcement.
Under Article 29, Member States and Union entities are required to conduct risk assessments to determine which assurance level is appropriate for their activities. If a public sector activity is deemed critical to public order, Article 30(3) legally obliges the contracting authority to procure only cloud computing services recognized at Union assurance levels 2, 3, or 4. Consequently, providers who do not pursue these higher tiers are effectively excluded from a significant and lucrative portion of the European public sector market.
Market Access: The "Sovereign Premium"
The primary financial justification for pursuing Level 3 or 4 is exclusive market access. By achieving recognition at these levels, a provider positions itself as a vendor of choice for:
- Defense and National Security: These sectors handle classified information and require the highest degree of operational autonomy. Level 4, in particular, allows for the secure hosting of EU classified information, as noted in the recitals.
- Justice and Law Enforcement: Agencies dealing with criminal investigations and judicial processes require strict data confidentiality and protection against third-country access.
- Critical Infrastructure: Public sector bodies managing critical digital infrastructure, energy grids, and healthcare systems often fall under the scrutiny of higher assurance requirements due to the potential impact of service disruption on public order.
This creates a "sovereign premium" in the market. European public buyers are increasingly under pressure to reduce dependencies on third-country providers. A Level 3 or 4 recognized service gives them clear, independently audited evidence of sovereignty, making it a preferred choice in public procurement procedures. This can lead to larger, more stable contracts with longer durations than typical commercial cloud engagements.
The Cost-Benefit Analysis: Audit Rigor vs. Revenue
Pursuing Level 3 or 4 is not without significant cost. Unlike Level 1, which allows for self-assessment and an EU statement of conformity, Levels 2, 3, and 4 require independent third-party audits. Article 22 mandates that the Commission establish and maintain a central repository of services recognized as offering Union assurance levels 1 to 4. To be listed in this repository, and thus visible to public buyers, a provider must undergo a rigorous audit process.
The audit criteria for Level 3 and 4 are stringent and impose structural costs:
- Union Establishment and Location: Infrastructure, assets, and personnel must be located in the Union. This may require significant capital expenditure to build or acquire local data centers and operational hubs.
- Personnel Citizenship: For Level 3 and 4, personnel involved in the provision of the service must be Union citizens. For Level 4, they may also require national security clearances. This restricts the global talent pool and may necessitate complex HR restructuring.
- Cybersecurity Certification: Services must obtain a European cybersecurity certificate of at least assurance level 'substantial' (for Level 3) or 'high' (for Level 4) under the European Cybersecurity Certification Scheme for Cloud Services (EUCS), once established. Until such a scheme is established, national schemes apply, or providers must demonstrate compliance with the highest cybersecurity standards under applicable Union law.
- Third-Country Control: Providers must demonstrate that they are not subject to the control of a third country or a legal entity established in a third country. While Article 18 allows for a derogation for Level 3 if the Commission adopts an implementing act identifying a third country with sufficient safeguards, this is a complex, case-by-case process. Level 4 generally prohibits third-country control entirely.
The cost of these audits, the potential need to restructure supply chains to ensure Union-based personnel and infrastructure, and the ongoing compliance monitoring must be weighed against the expected revenue from public sector contracts. Providers must also consider the time-to-market; the recognition process involves application to the national competent authority of establishment and a review period, which can delay market entry.
Strategic Positioning and the Ripple Effect
For providers, pursuing Level 3 or 4 is also a brand-building exercise. It signals a commitment to European sovereignty, security, and resilience. This can enhance trust not only with public sector buyers but also with private sector entities in regulated industries (such as finance and healthcare) that may voluntarily adopt similar risk assessments under Article 31. While Article 31 allows private sector entities to conduct similar impact assessments, the mandatory nature of the public sector requirements creates a ripple effect, driving broader market demand for sovereign cloud services.
What this means for you
If you are a cloud service provider or data centre operator, you must evaluate your current infrastructure and supply chain against the criteria for Level 3 and 4.
- Assess Your Supply Chain: Map every subcontractor (including its place of establishment and who controls it) and every member of staff involved in delivering the service, and check them against the Union location and citizenship requirements. Review your software bill of materials (SBOM) and supply chain controls as well; note that an SBOM evidences component provenance, not where infrastructure, personnel or control sit, so it complements rather than replaces the location and control evidence the audit will demand.
- Engage with Auditing Organisations: Identify auditing organisations that are independent and compliant with CADA requirements. Engage early to understand the evidence needed for the audit.
- Calculate the ROI: Model the costs of achieving and maintaining Level 3 or 4 recognition against the potential revenue from public sector tenders in defense, justice, and critical infrastructure. Consider the long-term stability of these contracts.
- Prepare for the Central Repository: Understand that your recognition will be published in the central repository established under Article 22. Ensure that your transparency obligations are met and that you are prepared to report any material changes that could affect your recognition status.
- Monitor Delegated Acts: The specific criteria and audit evidence are detailed in Annexes II and III, which may be updated via delegated acts. Stay informed about these developments to ensure ongoing compliance.
Common misconceptions
"Level 1 is sufficient for all public sector work." This is incorrect. While Level 1 is the minimum for general public sector bodies, it is not sufficient for activities deemed critical to public order, such as defense or law enforcement. These activities require Levels 2, 3, or 4.
"Level 3 and 4 are only for EU-owned companies." While the criteria are strict regarding control and location, the proposal does allow for derogations. For example, under Article 18, the Commission may recognize third countries as providing sufficient assurances for Level 3, provided specific safeguards are met. However, this is an exception, not the rule, and Level 4 generally prohibits third-country control.
"The audit is a one-time event." Audits are annual. Providers must submit their audit report and opinion for review annually to demonstrate continued compliance. Any material change in circumstances must be reported promptly.
"Private sector companies are not affected." While the mandatory requirements apply to public sector procurement, the proposal encourages private sector entities in high-criticality sectors (under NIS2) to conduct similar impact assessments. This creates a de facto demand for higher assurance levels in the private sector as well.
Related
- CADA Subcontractor Rules: What Providers Must Declare for Level 1
- CADA Level 4: The Sovereign Standard for Defence and Classified Workloads
- CADA Recognition: SMEs vs Large Providers - Automatic Level 1 vs Full Audit
- Why would a public body require CADA Level 4 over Level 3?
- Why choose a CADA Level 1 provider? The baseline for public procurement
This is general information about a draft EU regulation, not legal advice.