Summary
As proposed, the Cloud and AI Development Act (CADA) does not mandate a single standard contract form, but it legally obliges public sector bodies and Union entities to procure cloud services holding a specific "Union assurance level" (Article 30). Consequently, in-house counsel must ensure that service level agreements (SLAs) and data processing agreements explicitly bind providers to the cumulative technical and organizational criteria of Annex II corresponding to that level. Contracts must enforce strict data residency, personnel screening (conditional at Level 2, mandatory at Levels 3–4), software supply chain transparency, and ongoing audit currency. Failure to embed these terms risks the provider losing recognition, rendering the contract non-compliant for public authorities and exposing both parties to regulatory penalties under Article 24.
Detail
The CADA proposal establishes a "Union cloud computing sovereignty framework" comprising four distinct assurance levels (Article 16). These are not voluntary marketing labels but legally binding classifications that determine procurement eligibility. Under Article 30(2), contracting authorities must procure, as a minimum, services recognized at Union assurance level 1. For activities identified through risk assessments as contributing to the preservation of public order (e.g., national security, law enforcement, critical infrastructure), authorities must procure services recognized at levels 2, 3, or 4 (Article 30(3)).
Because the regulation ties procurement eligibility directly to these recognized statuses, the contractual terms between a public sector buyer and a cloud provider must explicitly reflect the specific criteria of Annex II. If a contract fails to enforce these criteria, the provider may lose its recognition, rendering the contract legally problematic for the public authority and potentially triggering migration obligations.
Binding Providers to Annex II Criteria
The core of the contractual obligation lies in Annex II, which sets out cumulative criteria for each assurance level. Contracts must incorporate these criteria as material terms, ensuring the provider cannot unilaterally deviate from them.
- Data Residency and Flow: For all levels, but strictly enforced at levels 2–4, customer data (including metadata and telemetry) must remain exclusively within the Union unless the public sector body explicitly requires otherwise (Annex II, Sections 2.1(c), 3.1(c), 4.1(c)). Contracts must explicitly prohibit the transfer of data outside the EU for any purpose, including training or fine-tuning AI systems operated by third-country entities (Annex II, Sections 2.1(f), 3.1(f), 4.1(f)).
- Personnel and Citizenship: The requirements for personnel vary significantly by level.
  - Level 2: Providers must ensure personnel meeting specific screening and Union citizenship requirements are available if the public sector body determines such requirements are necessary (Annex II, Section 2.1(d)). This is a conditional obligation.
  - Levels 3 & 4: All personnel involved in the service provision, including those of subcontractors, must be Union citizens. Where appropriate, they must also hold necessary national security clearances for handling classified information (Annex II, Sections 3.1(d), 4.1(d)). Contracts must include clauses granting the public sector the right to verify citizenship and security clearances.
- Software Supply Chain: Providers must maintain a complete and up-to-date Software Bill of Materials (SBOM) and document dependencies (Annex II, Sections 2.1(i), 3.1(i), 4.1(i)). Contracts should require providers to demonstrate controls against features that would allow remote tampering with the service, and to maintain documented migration plans in case third-country vendors fail or impose restrictions.
- Third-Country Control: For Levels 3 and 4, providers generally must not be subject to the control of a third country or a legal entity established in a third country (Annex II, Sections 3.1(g), 4.1(g)). A derogation exists where the Commission has adopted an implementing act under Article 18 identifying a third country as providing sufficient assurances. Contracts must reflect whether such a derogation applies and the specific safeguards required.
Recognition and Audit Currency
A provider's status is not permanent; it relies on ongoing compliance. Article 17 establishes the mechanism for recognition, while Article 20 mandates independent third-party audits for levels 2, 3, and 4.
- Audit Obligations: Contracts must obligate the provider to undergo independent third-party audits by accredited auditing organizations. Under Article 20(8), the audited provider shall annually submit for review the audit report and the associated "positive" audit opinion to the same or a different auditing organization, which shall assess continued compliance. The contract should specify that the provider bears the cost of these audits and must provide the auditor with full access to premises and data (Article 20(2)).
- Maintenance of Status: The provider must submit the audit report and a "positive" audit opinion to the national competent authority to maintain recognition (Article 17(4)). Contracts should include a warranty that the provider will immediately notify the customer if their recognition is suspended, amended, or revoked.
- Self-Assessment for Level 1: Only Union assurance level 1 allows for a conformity self-assessment (Article 19). Contracts for Level 1 services should reference the provider's EU statement of conformity, while contracts for higher levels must reference the independent audit report.
Transparency and Material Changes
Article 23 imposes transparency obligations on recognized providers. Providers must notify the auditing organization and the national competent authority of any material change in circumstances that may affect their audit report or recognition.
- Contractual Notification: In-house counsel should draft clauses requiring providers to notify the public sector customer at the same time as, or before, notifying the competent authority of any material change. This ensures the public sector body is immediately aware of risks to its service continuity or data sovereignty.
- Subcontractor Control: Annex II requires full transparency around subcontractors. Contracts must bind the provider to due diligence and ongoing oversight of subcontractors, ensuring they also meet the relevant assurance level criteria (Annex II, Sections 1.1(f), 2.1(a)).
What this means for you
For in-house counsel and compliance officers, the CADA proposal shifts the burden of sovereignty assurance from technical self-assessment to legally enforceable contractual governance.
- Review Existing SLAs: Audit current cloud contracts to identify gaps where the provider's technical controls do not explicitly mirror Annex II criteria. If your organization is a public sector body, ensure your contracts allow for the verification of Union citizenship for personnel at levels 3 and 4.
- Define "Material Change": Work with legal teams to define "material change" in the context of Article 23. This should include changes in ownership, third-country control, or significant shifts in data processing locations. Ensure your contract triggers immediate notification and potentially remediation steps if such changes occur.
- Audit Rights: Negotiate audit rights that go beyond financial compliance. Ensure you have the right to review the provider's "positive" audit opinions and SBOMs to verify ongoing compliance with Union assurance levels.
- Penalties and Termination: Include specific penalty clauses for failure to maintain the recognized assurance level. If a provider loses its recognition due to non-compliance with Annex II, the contract should provide for immediate termination or mandatory migration to a compliant provider. Article 29(6) suggests a maximum 12-month transition period for migrations required by risk assessments, which should be reflected in the contract's termination and transition clauses.
Common misconceptions
- "Self-Assessment is Enough for All Levels": Only Union assurance level 1 allows for a conformity self-assessment (Article 19). Levels 2, 3, and 4 require independent third-party audits (Article 20). Contracts for higher assurance levels must reflect this higher burden of proof.
- "Data Residency Means Data Never Leaves the EU": Annex II allows data to leave the Union if the public sector body explicitly requires otherwise. However, the default contractual position must be strict residency. The onus is on the public sector to explicitly authorize any exception, which should be documented in the contract.
- "Sovereignty is Just About Cybersecurity": While cybersecurity certificates (e.g., EUCS) are required for levels 2–4 (Annex II, Sections 2.1(e), 3.1(e), 4.1(e)), sovereignty under CADA also encompasses operational autonomy, personnel citizenship, and freedom from third-country control. A contract that only addresses cybersecurity fails to meet the full sovereignty framework.
- "Article 19 is the Derogation Mechanism": While Annex II text contains a drafting slip referencing "Article 19" for third-country derogations, the actual mechanism for identifying third countries where providers subject to their control may be audited for Level 3 is established in Article 18 ("Associated third countries"). Contracts should reference the correct legal basis (Article 18) for any such derogation.
This is general information about a draft EU regulation, not legal advice.