Summary
As proposed, the Cloud and AI Development Act (CADA) requires cloud computing service providers seeking Union Assurance Level 4 to obtain a European cybersecurity certificate of at least assurance level 'high' under the European Cybersecurity Certification Scheme for Cloud Services (EUCS), established under Regulation (EU) 2019/881. If the EUCS scheme is not yet established or available, providers must rely on existing national cybersecurity certification schemes where they exist. In the absence of both Union and national schemes, providers must demonstrate compliance with the highest cybersecurity standards under applicable Union law. This requirement is distinct from Level 2 and Level 3, which only require a 'substantial' assurance level.
Detail
The Cloud and AI Development Act (CADA), as set out in the proposal COM(2026) 502 final, establishes a harmonised Union cloud computing sovereignty framework. This framework is structured around four distinct Union assurance levels (Level 1 to Level 4), each imposing progressively stricter requirements on establishment, data localisation, personnel, and cybersecurity.
For the highest tier, Union Assurance Level 4, the cybersecurity certification requirement is explicitly defined in Annex II, Section 4.1(e) of the proposal. The text mandates that the audited service must obtain:
"a European cybersecurity certificate of at least assurance level 'high' under a European cybersecurity certification scheme covering cloud computing services to be established under Regulation (EU) 2019/881, provided that such a scheme has been established under that Regulation and is available to cloud computing service providers."
Regulation (EU) 2019/881 is the Cybersecurity Act, which provides the legal basis for the European Cybersecurity Certification Scheme for Cloud Services (EUCS). Consequently, the primary benchmark for Level 4 is the EUCS 'high' assurance level. This represents a significant elevation from the requirements for Level 2 and Level 3, which, as detailed in Annex II, Sections 2.1(e) and 3.1(e), require only a certificate of at least assurance level 'substantial'.
The Transitional Regime: What happens if EUCS is not ready?
The proposal acknowledges that the EUCS scheme may not be immediately operational when CADA enters into force. To ensure the framework remains functional during this interim period, Annex II, Section 4.1(e) establishes a clear transitional mechanism. The text states:
"Until the establishment of such a scheme, national cybersecurity certification schemes shall apply, where they exist. Where no Union or national cybersecurity certification schemes exist, the audited provider is to demonstrate that the service complies with the highest cybersecurity standards under applicable Union law."
This creates a three-tier fallback hierarchy for providers seeking Level 4 recognition:
- Primary: The EUCS 'high' certificate (once the scheme is established and available to providers).
- Secondary: A valid national cybersecurity certification scheme from a Member State, applicable where such a scheme exists.
- Tertiary: A demonstration of compliance with the "highest cybersecurity standards under applicable Union law" if neither a Union nor a national scheme is available.
Context within the Assurance Levels
The cybersecurity requirement escalates progressively across the four levels, reflecting the increasing sensitivity of the data and the criticality of the public sector activities involved:
- Level 1: Requires the provider to demonstrate that the service complies with "state-of-the-art cybersecurity standards" (Annex II, 1.1(e)). This is a self-assessment criterion without a mandatory third-party certificate.
- Level 2 & Level 3: Require a European cybersecurity certificate of at least assurance level 'substantial' under EUCS (Annex II, 2.1(e) and 3.1(e)). If EUCS is not available, national schemes or the highest standards under Union law apply.
- Level 4: Requires the 'high' assurance level under EUCS (Annex II, 4.1(e)).
This progression ensures that services handling the most sensitive data (such as classified information or data critical to national security and public order) are subject to the most rigorous independent verification of their technical resilience.
Role of National Competent Authorities and Auditing
The certification is not merely a paper exercise; it is integrated into the broader recognition mechanism outlined in Article 17 of the proposal. A cloud computing service provider aiming for Level 4 must submit an application for recognition to the national competent authority of establishment. This application must include the audit report and a 'positive' audit opinion from an independent auditing organisation (Article 17(4)).
The auditing organisation, defined in Article 2(17), must be independent, possess proven expertise in cloud computing services, and adhere to high professional ethics. The audit evidence required to support the cybersecurity certification claim is detailed in Annex III, which mandates that auditors assess compliance against the criteria in Annex II. For the cybersecurity criterion, auditors will verify the validity of the certificate or the demonstration of compliance with the highest standards, ensuring that the provider's claims are substantiated by objective evidence.
Interaction with Other EU Legislation
It is important to distinguish CADA's cybersecurity requirements from other EU frameworks. The NIS2 Directive (Directive (EU) 2022/2555) imposes cybersecurity risk management obligations on essential and important entities, including cloud providers. However, CADA's assurance levels go beyond general risk management by mandating specific, auditable certification benchmarks for public sector procurement.
Furthermore, CADA complements the Cybersecurity Act. While the Cybersecurity Act focuses on the technical cybersecurity of ICT products and services, CADA integrates these technical safeguards into a broader sovereignty framework that also addresses operational autonomy, data localisation, and third-country control. The 'high' EUCS certificate thus serves as a technical pillar within a wider legal and operational trust framework.
What this means for you
For CTOs, architects, and SMEs evaluating their market strategy, the Level 4 requirement has several practical implications:
- Investment in 'High' Assurance Controls: If you target critical public sector contracts (e.g., defence, justice, or national security infrastructure), you must design your architecture to meet the 'high' assurance level of EUCS. This typically involves more rigorous penetration testing, stricter identity and access management, and advanced incident response capabilities compared to the 'substantial' level required for Level 2 and 3.
- Monitor EUCS Development: Since EUCS is still being finalised, you must track its publication and the definition of the 'high' assurance level. Until then, you should identify which national cybersecurity certification schemes in your target Member States are recognised as equivalent or sufficient.
- Prepare for National Schemes: If you operate in Member States with robust national certification schemes (e.g., Germany's C5/BSI Cloud Computing Certification or France's ANSSI labels), obtaining these certifications now may position you well for Level 4 recognition during the transitional period.
- Documentation for 'Highest Standards': If you operate in a jurisdiction without a specific national scheme, you must be prepared to document and demonstrate compliance with the "highest cybersecurity standards under applicable Union law." This will likely involve aligning with best practices from ENISA, ETSI, and ISO/IEC standards, and having these verified by an independent auditor.
- Audit Readiness: Ensure your processes are audit-ready. The independent auditing organisation will need access to your technical documentation, security policies, and operational logs to verify your compliance with the cybersecurity criterion.
Common misconceptions
- Misconception: Level 4 requires a specific national certificate only.
- Reality: The primary requirement is the EU-wide EUCS 'high' certificate. National schemes are a transitional fallback until EUCS is established and available.
- Misconception: Any cybersecurity certificate suffices for Level 4.
- Reality: The certificate must be of at least the 'high' assurance level under EUCS. Lower assurance levels (e.g., 'basic' or 'substantial') are insufficient for Level 4, though they may suffice for Level 2 or 3.
- Misconception: CADA replaces NIS2 cybersecurity obligations.
- Reality: CADA complements NIS2. Providers must still comply with NIS2 risk management obligations, but CADA adds a specific certification benchmark for public sector sovereignty assurance.
- Misconception: Self-assessment is enough for Level 4.
- Reality: Level 4 requires an independent third-party audit and a 'positive' audit opinion. Self-assessment is only permitted for Level 1.
This is general information about a draft EU regulation, not legal advice.