Summary

Under the proposed Cloud and AI Development Act (CADA), a "subcontractor" is strictly defined as a third party that holds a direct contractual relationship with the cloud computing service provider and actively contributes to the provision or delivery of the cloud service. This definition applies uniformly across all four Union assurance levels. However, the obligations imposed on these subcontractors tighten significantly at higher tiers: while levels 1 and 2 focus on establishment and data location, Union assurance levels 3 and 4 explicitly account for subcontractors that "may require access to classified or sensitive information," triggering mandatory Union citizenship and security clearance requirements for personnel.

Detail

The proposed CADA establishes a Union cloud computing sovereignty framework comprising four Union assurance levels, as set out in Article 16. To qualify for recognition at any of these levels, cloud computing service providers must demonstrate strict control over their supply chain. The definition of who qualifies as a subcontractor is consistent across the tiers, but the criteria for auditing, controlling, and vetting those subcontractors vary dramatically by level.

The Core Definition: Direct Contractual Link

Across the entire framework, CADA defines a subcontractor in nearly identical terms, anchoring the definition on the existence of a direct contract and a functional contribution to the service.

For Union assurance level 1, Annex II, point 1.2 states that subcontractors are "third parties that have a direct contractual relationship with the cloud computing service provider and that contribute to the provision and the delivery of the cloud computing service."

This exact phrasing is repeated for the higher tiers, ensuring a consistent baseline for identification:

  • Union assurance level 2: Annex II, point 2.2 uses the same definition.
  • Union assurance level 3: Annex II, point 3.2 retains the core definition but adds a critical qualifier: these subcontractors "may require access to classified or sensitive information, as defined in Article 2, point (22), of Regulation (EU) 2021/697."
  • Union assurance level 4: Annex II, point 4.2 similarly notes that subcontractors "may require access to classified or sensitive information in order to carry out the service provision."

This consistency ensures that the audit trail begins with the primary provider. While the definition focuses on the direct contractual partner, the provider remains responsible for ensuring that all entities involved in the service provision (including sub-subcontractors) meet the applicable criteria. The provider cannot outsource compliance obligations to indirect layers of the supply chain.

Tier-Specific Subcontractor Obligations

While the definition of "subcontractor" remains stable, the regulatory burden placed on these entities escalates with the assurance level, particularly regarding location, personnel, and control.

Union Assurance Level 1 (Baseline)

At this level, the focus is on transparency and operational autonomy. The provider must ensure full transparency around the use of subcontractors (Annex II, point 1.1(f)). The provider must subject these subcontractors to due diligence, contractual obligations, and ongoing oversight to ensure they meet Union legal obligations. Crucially, if the provider is subject to the control of a third country, it must guarantee that no laws in that third country require reporting software vulnerabilities to third-country authorities before they are publicly known (Annex II, point 1.1(g)). At Level 1, subcontractors are not required to be established in the Union, provided the public sector body does not explicitly require otherwise.

Union Assurance Level 2 (Enhanced Control)

At Level 2, the requirements for subcontractors become significantly stricter regarding location and control:

  • Establishment: The subcontractors involved in the provision of the service must be established in the Union (Annex II, point 2.1(a)).
  • Location: Their infrastructure, assets, and personnel involved in the service must also be located in the Union (Annex II, point 2.1(b)).
  • Third-Country Control: If the provider or its subcontractors are subject to third-country control, they must demonstrate that such control does not restrict service delivery, prevent third-country access to customer data, or disrupt service continuity (Annex II, point 2.1(g)).
  • Support: Technical and operational support provided by these subcontractors must be initiated and performed exclusively within the Union (Annex II, point 2.1(h)).

Union Assurance Levels 3 and 4 (Strict Sovereignty & Classified Data)

For Levels 3 and 4, the requirements are the most stringent, specifically addressing the handling of sensitive and classified data.

  • Personnel: The personnel of the subcontractors must be Union citizens (Annex II, points 3.1(d) and 4.1(d)). Where appropriate, these personnel must also possess the necessary national security clearance issued by a Member State when handling classified information.
  • Control: The provider and its subcontractors generally must not be subject to the control of a third country or a legal entity established in a third country (Annex II, points 3.1(g) and 4.1(g)).
  • Derogation: There is a narrow derogation for Level 3 if the Commission has adopted an implementing act under Article 18 recognizing a third country as providing sufficient assurances (the text specifies Article 18 for third-country recognition; references to Article 19 in this context are a drafting slip). Even then, strict legal, technical, and organizational separation measures must be enforced to prevent access to customer data or service disruption.
  • Sensitive Access: As noted in Annex II, points 3.2 and 4.2, the definition of subcontractors at these levels explicitly acknowledges that they "may require access to classified or sensitive information." This triggers the mandatory security clearance and citizenship requirements for their staff.

Audit Evidence and Verification

Auditing organizations will verify these subcontractor relationships using evidence outlined in Annex III. This includes reviewing the provider's subcontractor register, contractual clauses ensuring no remote access from outside the Union for support activities, and evidence that subcontractors do not hold privileged accounts in Union production environments if they are third-country subsidiaries (Annex III, Section 11). Auditors must also verify that personnel involved in the service are Union citizens and, where required, hold valid security clearances (Annex III, Section 4).

What this means for you

For in-house counsel, compliance officers, and cloud service providers, the CADA proposal transforms subcontractor management from a standard contractual exercise into a core sovereignty compliance requirement.

  1. Map the Direct Contract Chain: You must identify every third party with a direct contractual relationship that contributes to service delivery. This is the legal definition of a subcontractor under CADA. Ensure your contracts with these entities include clauses that allow for the due diligence, oversight, and audit access required by Annex II, point 1.1(f) and subsequent tiers.
  2. Verify Establishment and Location: If you are targeting Union assurance levels 2, 3, or 4, verify that your subcontractors are established in the EU and that their infrastructure and personnel are located within the Union. For levels 3 and 4, this is non-negotiable.
  3. Screen Personnel for Citizenship and Clearance: For levels 3 and 4, you must ensure that all personnel of your subcontractors are Union citizens. If the service involves classified or sensitive information, you must verify that these personnel hold the necessary national security clearances. This requires a robust HR and background-check process for your entire supply chain.
  4. Document Control Structures: Document the ownership and control structures of your subcontractors. If a subcontractor is controlled by a third-country entity, you must demonstrate that this control cannot be used to access EU data, disrupt services, or enforce third-country sanctions that conflict with EU law.
  5. Prepare for Audits: Maintain an up-to-date subcontractor register. Auditors will request evidence of binding contractual clauses, access logs proving no remote support from outside the Union, and proof of citizenship/clearance for relevant personnel.

Common misconceptions

  • "Only direct vendors are subcontractors." While CADA defines subcontractors as those with a direct contractual relationship, the provider is responsible for ensuring all entities involved in the service (including sub-subcontractors) meet the criteria. The provider cannot outsource compliance to indirect layers.
  • "Level 1 has no subcontractor rules." Level 1 requires transparency, due diligence, and contractual oversight. It does not require EU establishment for subcontractors, but it does require that the provider maintains operational autonomy and that no third-country laws compel vulnerability reporting to foreign authorities.
  • "Classified information only applies to government clouds." The definition of subcontractors at levels 3 and 4 explicitly mentions access to "classified or sensitive information." This triggers strict personnel clearance requirements, impacting any provider serving public sector bodies with high-assurance needs, regardless of whether the data is formally "classified" at the moment of contract signing.
  • "Article 19 governs third-country derogations." The text of the proposal specifies Article 18 as the mechanism for the Commission to recognize third countries for Level 3 assurance. References to Article 19 in this context are often a drafting slip; the correct cross-reference is Article 18.

This is general information about a draft EU regulation, not legal advice.