Summary
As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) would transform cloud procurement into a rigorous sovereignty verification exercise. Compliance teams must verify that providers hold a formal "Union assurance level" (Article 17) and meet the cumulative criteria in Annex II. The checklist requires confirming valid audit opinions for Levels 2–4 (Article 20), full subcontractor transparency, and specific safeguards against third-country control. Crucially, the required assurance level depends on the buyer's risk assessment under Article 29: public-order-relevant activities would mandate Level 2, 3, or 4, while Level 1 would be insufficient. Failure to procure at the correct level would constitute a breach of the proposed sovereignty framework.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a harmonized "Union cloud computing sovereignty framework" designed to mitigate risks of extraterritorial access and operational disruption. For legal and compliance teams, vendor due diligence under CADA is not merely a contractual review but a regulatory verification of a provider's status within this four-tier framework. The core obligation lies in ensuring that the cloud service provider is formally recognized at a specific "Union assurance level" that matches the public sector body's risk profile.
1. Verify Formal Recognition and Assurance Level (Articles 16 & 17)
The first step in any CADA due diligence process is to confirm that the provider is not merely claiming sovereignty but has been formally recognized under the framework established by Article 16.
- Check the Central Repository: Under Article 22, the Commission must maintain a central repository of recognized services. Compliance teams must verify the provider's status here. A provider cannot claim a level without this recognition.
- Distinguish the Evidence Required: The nature of the proof depends on the level:
- Union Assurance Level 1: Providers submit an "EU statement of conformity" based on a self-assessment (Article 19). Notably, Article 17(3) provides a specific derogation for Small and Medium-sized Enterprises (SMEs): their statements of conformity are "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority."
- Union Assurance Levels 2, 3, and 4: Providers must undergo independent third-party audits. Article 17(4) requires the submission of an audit report and a "positive" audit opinion from an accredited auditing organization.
- Actionable Check: Request the provider's recognition decision or the entry in the central repository. For Level 1 (non-SME), ensure the national competent authority has issued a recognition decision; for SMEs, verify the self-declaration. For Levels 2–4, request the audit report and the "positive" opinion.
2. Scrutinize Annex II Criteria: Data, Infrastructure, and Personnel
The "Union assurance levels" correspond to strict, cumulative criteria set out in Annex II. Due diligence must verify operational alignment with these criteria, which escalate significantly from Level 1 to Level 4.
Data and Infrastructure Localization
- Data Residency: Across all levels, customer data (including metadata and telemetry) must remain exclusively within the Union unless the public sector body explicitly requires otherwise (Annex II, Level 1.1(c); 2.1(c); 3.1(c)).
- Infrastructure & Assets: For Levels 2, 3, and 4, the infrastructure, assets, and personnel of the provider and its subcontractors must be located in the Union (Annex II, Level 2.1(b); 3.1(b); 4.1(b)).
- Actionable Check: Request a data flow diagram and a list of infrastructure locations, including those operated by subcontractors. Verify that no backup, disaster recovery, or log storage exists outside the Union unless your public sector body has explicitly required otherwise.
Personnel Citizenship (The Conditional vs. Mandatory Distinction)
A critical nuance in CADA is the requirement for Union-citizen personnel.
- Level 2 (Conditional): Annex II, Level 2.1(d) states that if the public sector body determines that "imposing additional personnel screening and Union citizenship requirements are necessary," the provider must ensure such personnel are available. It is not an absolute mandate for Level 2 unless triggered by the buyer.
- Levels 3 & 4 (Mandatory): Annex II, Level 3.1(d) and 4.1(d) mandate that personnel (including the personnel of subcontractors) are Union citizens and, where appropriate, hold national security clearance.
- Actionable Check: For Level 2, confirm whether your own risk assessment triggers the citizenship requirement and, if so, record that determination so the provider's obligation is documented. For Levels 3 and 4, demand proof of Union citizenship for all operational staff, including subcontractor staff, and proof of national security clearance where your activity requires it.
3. Audit Currency and Independence (Article 20)
For providers seeking Levels 2–4, the validity of the audit is paramount. Article 20 sets strict conditions for these independent audits.
- Independence: The auditing organization must be independent. Article 20(4)(a) prohibits auditors from providing non-audit services to the provider in the 12 months before or after the audit, and prohibits auditing the same provider within a 10-year period.
- Currency: Article 20(8) requires providers to submit the audit report and opinion for annual review. The auditing organization must assess continued compliance and may confirm, update, or revoke the opinion.
- The "Positive" Opinion: A "positive" opinion is only issued if "all evidence shows that the provider complies with the audit criteria" (Article 20(5)(g)).
- Actionable Check: Do not accept an audit opinion whose most recent Article 20(8) annual review is more than 12 months old. Verify the date of that review and that the opinion was confirmed rather than updated or revoked. Check the central repository for any "negative" opinions or revoked recognitions.
4. Subcontractor Transparency and Tiers
CADA treats the supply chain as a critical sovereignty vector. Annex II requires full transparency regarding subcontractors.
- Definition: Subcontractors are third parties with a direct contractual relationship contributing to the service (Annex II, Level 1.2; 2.2; 3.2; 4.2).
- Level 1: Providers must subject subcontractors to due diligence and ongoing oversight (Annex II, Level 1.1(f)).
- Levels 2–4: Subcontractors involved in the provision of the service must also be established in the Union (Annex II, Level 2.1(a); 3.1(a); 4.1(a)).
- Actionable Check: Request a complete list of all subcontractors. For Levels 2–4, verify that every listed subcontractor is established in the Union and subject to the same sovereignty criteria.
5. Third-Country Control and Safeguards
The most complex part of CADA due diligence is assessing "control" by a third country or a legal entity established in a third country.
- Level 1: If subject to third-country control, the provider must guarantee that no laws in that third country require reporting software vulnerabilities to authorities before they are known to be exploited (Annex II, Level 1.1(g)).
- Level 2: Similar safeguards apply, with added requirements to block remote features that could tamper with systems and to ensure effective legal separation between the Union parent and any third-country subsidiary (Annex II, Level 2.1(i); 2.1(k)).
- Level 3 (The Derogation): Generally, providers must not be subject to third-country control (Annex II, Level 3.1(g)). However, Article 18 allows the Commission to adopt implementing acts recognizing specific third countries as providing "sufficient assurances." A provider subject to third-country control can only qualify for Level 3 if the Commission has issued such a decision for that country. Even then, it must demonstrate robust separation measures to prevent data access or service disruption.
- Level 4 (Strict Prohibition): Annex II, Level 4.1(g) strictly prohibits providers and subcontractors from being subject to third-country control. No derogation exists for Level 4.
- Actionable Check: Investigate the provider's ownership structure (cap table, board composition) and that of its subcontractors. If third-country control exists, verify whether an Article 18 implementing act covers that specific country. If not, the provider cannot qualify for Level 3; Level 4 is unavailable to any provider under third-country control regardless of implementing acts.
6. Align with Risk Assessment (Articles 29 & 30)
The final step is ensuring the vendor's level matches the buyer's legal obligation.
- Risk Assessment: Under Article 29, Member States and Union entities must conduct risk assessments to identify activities that "contribute to the preservation of public order" (e.g., law enforcement, defense, national security).
- Procurement Mandate:
- Non-Public Order: Must use services recognized at Level 1 (Article 30(2)).
- Public Order: Must use services recognized at Level 2, 3, or 4 (Article 30(3)).
- Derogations: Article 30(4) permits a departure from these mandates only in exceptional circumstances (e.g., no adequate alternative exists, or the cost would be disproportionate).
- Actionable Check: Confirm your organization's Article 29 risk assessment outcome. If your activity is "public order," a Level 1 provider is legally non-compliant, regardless of their technical capabilities.
What this means for you
For in-house counsel and compliance officers, the CADA proposal shifts vendor due diligence from a commercial negotiation to a statutory compliance imperative. You must integrate the following six steps into your procurement workflows:
- Map Your Risk Profile: Before engaging a vendor, ensure your organization has completed the Article 29 risk assessment. Determine if your activities contribute to "public order." If yes, you are legally barred from procuring Level 1 services.
- Verify Recognition Status: Do not rely on marketing claims. Check the Article 22 central repository to confirm the vendor's recognized assurance level. For SMEs offering Level 1, verify their EU statement of conformity is valid.
- Scrutinize the Audit Opinion: For Levels 2–4, request the latest "positive" audit opinion and report. Check the date of the Article 20(8) annual review to ensure it is current. Verify the auditor's independence (no non-audit services in the last 12 months).
- Audit the Supply Chain: Request a list of all subcontractors. For Levels 2–4, confirm they are established in the Union. For Level 3, if any third-country control exists in the supply chain, verify whether an Article 18 implementing act covers that country.
- Check for Third-Country Control: Investigate the provider's ownership. If subject to third-country control, verify the specific safeguards required by Annex II for their level. Note that Level 4 strictly prohibits such control.
- Monitor Changes: Article 23 imposes transparency obligations on providers to report material changes (e.g., ownership shifts, new subcontractors). Include contractual clauses requiring immediate notification of such changes to maintain compliance.
Failure to adhere to these checks may result in non-compliance with CADA's procurement rules, potentially exposing your organization to penalties under Article 24 (which requires Member States to lay down effective, proportionate, and dissuasive penalties) and undermining the regulatory goal of protecting public order.
Common misconceptions
"GDPR compliance is enough for cloud sovereignty." Incorrect. While CADA complements the GDPR, it addresses sovereignty risks that go beyond data protection, such as operational autonomy and protection from third-country laws that may compel data access or service disruption. A provider can be GDPR-compliant but still fail CADA's Union assurance level criteria, particularly regarding third-country control and data localization.
"All cloud providers are subject to the same audit requirements." Incorrect. Only providers seeking Union assurance Levels 2, 3, and 4 are subject to independent third-party audits (Article 20). Providers offering Level 1 rely on self-assessment and an EU statement of conformity (Article 19). However, public sector bodies procuring for public-order activities must only use Level 2–4 services, making audits effectively mandatory for those contracts.
"Subcontractors are only relevant if they process personal data." Incorrect. CADA's Annex II criteria apply to all subcontractors involved in the provision of the cloud computing service, regardless of whether they process personal data. For Levels 2–4, these subcontractors must be established in the Union and meet the same sovereignty criteria as the main provider.
"Third-country providers can never qualify for high assurance levels." Partially incorrect. While Level 4 strictly prohibits third-country control, Level 3 allows for exceptions if the Commission has adopted an implementing act under Article 18 recognizing the third country as providing sufficient assurances. However, even in these cases, strict safeguards against third-country access and disruption are required.
This is general information about a draft EU regulation, not legal advice.