Summary
Under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider seeking Union assurance level 1 would have to meet seven cumulative criteria set out in Annex II, Section 1.1(a)–(g): be established in the Union; keep its infrastructure, assets and customer data (including metadata and telemetry) within the Union unless the public sector body explicitly requires otherwise; preserve its operational autonomy where it relies on non-EU support; demonstrate state-of-the-art cybersecurity; provide full transparency and due diligence over subcontractors; and, where it is under third-country control, guarantee that no foreign law forces it to report software vulnerabilities to that country before they are exploited. Level 1 is the only level proven by self-assessment under Article 19 — the provider issues a public EU statement of conformity and assumes responsibility for it. For SME providers, that statement would be recognised automatically across all Member States (Article 17(3)). "Cumulative" is strict: miss any one criterion and the service does not qualify.
Detail
CADA, as proposed, would establish a Union cloud computing sovereignty framework comprising four "Union assurance levels," with the criteria for each set out in Annex II (Article 16(1)). Union assurance level 1 is the baseline tier. As proposed, public sector bodies and Union entities whose activities have not been identified as contributing to the preservation of public order "shall use cloud computing services that have been recognised under Article 17 as having a Union assurance level 1" (Article 30(2)). For most ordinary public services, then, Level 1 recognition would be the condition for being procured at all.
To be recognised as offering Union assurance level 1, a provider would have to satisfy the cumulative criteria in Annex II, Section 1.1(a) through (g). "Cumulative" means each criterion is mandatory; failing any single one would prevent recognition. The criteria below are quoted or closely paraphrased from the proposal.
1. EU establishment — Annex II, 1.1(a)
The provider "is established in the Union." This anchors the provider within EU jurisdiction and enforcement. Note that under the proposal the Member State of main establishment — the head or registered office from which principal financial functions and operational control are exercised — would have exclusive competence to enforce this Chapter (Article 25(4)), so a genuine, substantive EU presence matters, not merely a registration.
2. EU infrastructure and assets — Annex II, 1.1(b)
The "infrastructure and assets" of the provider, including those of its subcontractors involved in providing the service, are "located in the Union unless the public sector body explicitly requires otherwise." This localises the servers, storage and network components behind the service inside EU borders, reducing exposure to extraterritorial access.
3. EU data residency — Annex II, 1.1(c)
Customer data, "including metadata and telemetry data," that is processed, stored and transferred by the provider and its subcontractors "remain exclusively within the Union, unless the public sector body explicitly requires otherwise and at any time, including before, during or after the configuration or use of the service." The residency rule is continuous and covers the full lifecycle, with the same explicit-waiver carve-out as criterion (b).
4. Outsourcing and operational autonomy — Annex II, 1.1(d)
Where the provider outsources technical and operational support or assistance — "including any subsequent sub-outsourcing arrangements" — to third-party providers outside the Union, it must implement "the necessary legal, technical and organisational measures" to ensure "traceability, security and governance" of those operations, and those operations must not "in any way, compromise the operational autonomy" of the provider. As proposed, Level 1 does not ban non-EU support outright; it conditions it on safeguards and on the provider retaining control of the service.
5. State-of-the-art cybersecurity — Annex II, 1.1(e)
The provider "demonstrates that the service complies with the state-of-the-art cybersecurity standards." Unlike the higher levels — where, as proposed, the service must hold a European cybersecurity certificate at assurance level "substantial" (Levels 2 and 3) or "high" (Level 4) under a cloud scheme to be established under the Cybersecurity Act, Regulation (EU) 2019/881 — Level 1 does not require a formal certificate. It requires the provider to demonstrate state-of-the-art compliance.
6. Subcontractor transparency and due diligence — Annex II, 1.1(f)
The provider "provides full transparency around the use of subcontractors" and "subjects subcontractors to due diligence, contractual obligations and ongoing oversight to meet Union legal obligations." For Level 1, "subcontractors" are defined narrowly: third parties with a direct contractual relationship with the provider that contribute to the provision and delivery of the service (Annex II, Section 1.2).
7. Third-country control and vulnerability reporting — Annex II, 1.1(g)
Where the provider is "subject to the control of a third country or a legal entity established in a third-country," it must guarantee — "demonstrated by independent sources" — that "there are no existing laws and practices in that third country" requiring it to report software-vulnerability information to that country's authorities "prior to those vulnerabilities being known to have been exploited." This criterion only bites where the provider is under third-country control; a wholly EU-controlled provider has nothing to demonstrate here.
How Level 1 is proven — self-assessment under Article 19
Level 1 is unique among the four levels: it is demonstrated by conformity self-assessment, not by independent third-party audit (Article 19(1)). After self-assessing against the Annex II Level 1 criteria, the provider issues an "EU statement of conformity" declaring that compliance has been demonstrated; by issuing it the provider "assume[s] responsibility for the compliance" of the service with those criteria (Article 19(2)). The statement must be made publicly available (Article 19(3)).
The provider then applies for recognition to the national competent authority of its Member State of establishment, submitting that statement plus the necessary evidence (Article 17(3)). By way of derogation, where the provider is an SME, the EU statement of conformity "shall be directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority" (Article 17(3)). For this purpose "SME" takes the meaning in Article 2(8) of the proposal, which refers to the definition in Annex I to Commission Recommendation 2003/361/EC.
What this means for you
If you operate cloud services or data centres and want to serve the EU public sector, Level 1 recognition would, as proposed, be the entry condition for the large majority of public buyers — those outside the public-order categories (Article 30(2)). Practical steps to prepare:
- Confirm genuine EU establishment. Make sure your operating entity is established in the Union with real operational control and financial functions exercised from within it, since the Member State of main establishment would hold exclusive enforcement competence (Article 25(4)).
- Map infrastructure and assets. Document that the servers, storage and network assets behind the service — including those of in-scope subcontractors — sit in the EU (1.1(b)). Track any client that has explicitly required otherwise.
- Enforce data residency end to end. Build technical controls so that customer data, metadata and telemetry stay in the Union across the full lifecycle (1.1(c)), with a clear, documented process for handling explicit client waivers.
- Protect operational autonomy on non-EU support. If you use support providers outside the Union — including any sub-outsourcing — record the legal, technical and organisational measures ensuring traceability, security and governance, and showing the arrangement does not compromise your operational autonomy (1.1(d)).
- Tighten subcontractor governance. Maintain a transparent register of in-scope subcontractors and bind them through due diligence, contractual obligations and ongoing oversight (1.1(f), 1.2).
- Check third-country control exposure. If a third country or third-country entity controls you, obtain independent-source evidence that no local law forces premature vulnerability reporting (1.1(g)). If such a law exists, you cannot meet this criterion.
- Build and publish the self-assessment package. Document compliance with each Annex II Level 1 criterion, issue the EU statement of conformity, and publish it (Article 19). If you are an SME, that statement alone would secure automatic cross-border recognition (Article 17(3)).
Common misconceptions
"Level 1 is optional for public buyers." As proposed, it is the mandatory baseline for public sector bodies and Union entities whose activities are not identified as contributing to the preservation of public order: those bodies "shall use" services recognised at Union assurance level 1 (Article 30(2)). Bodies in the public-order categories face a higher bar — they "shall only procure" services recognised at Level 2, 3 or 4 (Article 30(3)).
"Data residency means data can never leave the EU." Criteria 1.1(b) and 1.1(c) carry an express carve-out: the localisation and residency requirements apply "unless the public sector body explicitly requires otherwise." The default is strict EU residency, but a public sector client can explicitly authorise otherwise. You need both the technical controls to enforce the default and a clean process to document any waiver.
"Only large hyperscalers can meet these criteria." Not so. The proposal includes an SME derogation (Article 17(3)) under which an SME's EU statement of conformity is recognised automatically across all Member States without prior national authority approval — designed to open the market to smaller European providers. "SME" follows Article 2(8), which points to Annex I of Commission Recommendation 2003/361/EC.
"Level 1 requires a cybersecurity certificate." At Level 1, criterion 1.1(e) requires the provider to demonstrate compliance with state-of-the-art cybersecurity standards. The requirement for a formal European cybersecurity certificate — at level "substantial" or "high" under a Cybersecurity Act cloud scheme — applies only at the higher assurance levels (2, 3 and 4), as proposed.
"Level 1 still requires an independent audit." It does not. Level 1 is proven by self-assessment and a public EU statement of conformity (Article 19). Independent third-party audits apply to Levels 2, 3 and 4 (Article 20).
This is general information about a draft EU regulation, not legal advice.