Summary

As proposed in the Cloud and AI Development Act (CADA), a provider seeking recognition at Union assurance level 4 must meet a set of cumulative criteria in Annex II, point 4.1, plus all the cumulative criteria of the lower levels (Article 20(1)). In essence, the provider and its in-scope subcontractors must be established and located in the Union; sensitive customer data must stay in the Union; personnel must be Union citizens with national security clearance where appropriate; the provider and its subcontractors must not be subject to third-country control (with no associated-third-country derogation at this level); and the service must obtain a European cybersecurity certificate of at least the "high" assurance level. Recognition requires an independent third-party audit (Article 20).

Detail

CADA's Union cloud computing sovereignty framework comprises four assurance levels, the criteria for which are in Annex II (Article 16(1)). Level 4 is the highest tier, for public sector activities identified through risk assessment as needing the strongest protections, such as those involving classified information or core national security functions.

To be recognised at level 4, a provider must undergo an independent third-party audit (Article 20) and meet the cumulative criteria in Annex II, point 4.1. Because the levels are cumulative, the provider must also satisfy the applicable lower-level criteria; failure to meet any lower-level requirement precludes conformity with level 4 (Article 20(1)).

1. Union establishment and location

Annex II, point 4.1(a) requires that the audited provider and the subcontractors involved in the provision of the audited service are established in the Union. Annex II, point 4.1(b) requires that the infrastructure, assets and personnel of the provider, including those of its in-scope subcontractors, are located in the Union. This covers the legal entities, the physical and logical infrastructure, and the people delivering the service.

2. Data localisation for sensitive data

Annex II, point 4.1(c) requires that customer data - including metadata and telemetry - which, following a risk assessment, is identified as sensitive, and which is processed, stored and transferred by the provider and its in-scope subcontractors, remains exclusively within the Union at all times, including before, during and after the configuration or use of the service. The level 4 localisation obligation is thus framed around data identified as sensitive through risk assessment.

3. Personnel: Union citizenship and clearance

Annex II, point 4.1(d) requires that personnel involved in providing the service, including subcontractor personnel, are Union citizens and, where appropriate, hold the necessary national security clearance issued by a Member State when handling classified information.

4. Cybersecurity certification: "high" assurance level

Annex II, point 4.1(e) requires the service to obtain a European cybersecurity certificate of at least assurance level "high" under a European cybersecurity certification scheme covering cloud computing services to be established under Regulation (EU) 2019/881 (the Cybersecurity Act). The scheme under development is commonly referred to as the EUCS, though the proposal itself does not use that label. Until such a scheme is established and available, national cybersecurity certification schemes apply where they exist; where no Union or national scheme exists, the provider must demonstrate that the service complies with the highest cybersecurity standards under applicable Union law.

5. No third-country control

Annex II, point 4.1(g) requires that the audited provider and its in-scope subcontractors are not subject to the control of a third country or a legal entity established in a third country. Unlike level 3, level 4 contains no associated-third-country derogation: there is no Article 18 pathway at this level. "Control" is defined by reference to Article 2, point (6), of Regulation (EU) 2021/697 (Article 2, point (21) of CADA).

6. Software supply chain and effective control

Annex II, point 4.1(i) requires a complete, up-to-date SBOM and a documented list of relevant dependencies (point 4.1(i)(i)), and measures to retain effective control over software components or products by demonstrating that a third country or a third-country legal entity does not hold or exercise effective control over their design, development, maintenance and evolution (point 4.1(i)(ii)). The proposal states that effective control "includes the ability to materially influence the technical evolution, maintenance priorities, security remediation, and long-term continuity of the component."

7. Technical and operational support

Annex II, point 4.1(h) requires that technical and operational support or assistance related to the service, including any subsequent sub-outsourcing, is initiated and performed exclusively within the Union, by personnel who are Union residents, and by third parties that are not subject to third-country control.

8. Open-source software controls

Annex II, point 4.1(j) requires that, where open-source-licensed software is used, the provider demonstrates implemented and documented controls preventing the use of any remote features or mechanisms that could materially tamper with or disrupt a device, system or software.

9. Separation from third-country subsidiaries

Annex II, point 4.1(k) requires that, where the provider offers services outside the Union and maintains a subsidiary in a third country, it has implemented measures to ensure and enforce effective legal, technical and organisational separation between the Union parent and any such third-country subsidiary.

10. Subcontractor requirements

Annex II, point 4.2 provides that the subcontractors in scope are third parties with a direct contractual relationship to the provider that contribute to the provision and delivery of the service and that may require access to classified or sensitive information in order to carry out the service provision. They must meet the applicable criteria above.

What this means for you

For providers targeting the most critical EU public sector use cases, level 4 is the strictest sovereignty bar and typically requires structural change rather than incremental controls.

First, audit your ownership and supply chain to eliminate any point of third-country control - ownership, board composition and strategic decision-making - because there is no associated-third-country derogation at level 4. Examine your software supply chain so you can evidence effective control over the design and evolution of critical components (Annex II, point 4.1(i)(ii)), or migrate to alternatives that let you do so.

Second, plan for the "high" cybersecurity certificate (Annex II, point 4.1(e)). Until the Union scheme is available, expect to rely on a qualifying national scheme or, absent any scheme, to demonstrate compliance with the highest cybersecurity standards under applicable Union law.

Third, ensure personnel with access are Union citizens with appropriate clearances (Annex II, point 4.1(d)), and that all technical and operational support runs within the Union by Union residents and non-controlled third parties (Annex II, point 4.1(h)).

Fourth, implement and document data localisation for data identified as sensitive through risk assessment (Annex II, point 4.1(c)), with evidence ready for audit.

Common misconceptions

"Level 4 allows third-country providers with strong safeguards." No. Level 3 offers a narrow derogation for providers controlled by associated third countries (Article 18); level 4 contains no such derogation. The no-control criterion in Annex II, point 4.1(g) is not displaced by safeguards.

"A 'high' certificate is optional if national certifications exist." National schemes apply only on a transitional basis until the Union scheme is established and available (Annex II, point 4.1(e)). The level 4 requirement is a certificate of at least the "high" assurance level.

"Open-source software is inherently compliant." No. Annex II, point 4.1(j) still requires documented controls preventing remote tampering or disruption, regardless of licensing model.

"Subcontractors face lighter requirements." In-scope subcontractors are third parties with a direct contractual relationship that may require access to classified or sensitive information (Annex II, point 4.2); they must meet the applicable level 4 criteria, including establishment, location, personnel and absence of third-country control.

This is general information about a draft EU regulation, not legal advice.