Summary
Under the proposed Cloud and AI Development Act (CADA), Union Assurance Level 1 does not mandate a specific, named cybersecurity certification scheme like the European Cybersecurity Certification Scheme for Cloud Services (EUCS). Instead, as proposed in Annex II, criterion 1.1(e), a provider must simply "demonstrate that the service complies with the state-of-the-art cybersecurity standards." This is a self-assessment obligation based on evidence, contrasting sharply with Levels 2–4, which require independent third-party audits and, where available, formal European cybersecurity certificates at "substantial" or "high" assurance levels.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a four-tier "Union cloud computing sovereignty framework" to help public sector bodies and Union entities manage risks associated with cloud computing services. A central component of this framework is the definition of "Union assurance levels" (UALs), which dictate the strictness of sovereignty, data localisation, and cybersecurity requirements a provider must meet.
For Union Assurance Level 1, the cybersecurity requirement is distinct from the higher tiers. According to Annex II, paragraph 1.1(e) of the CADA proposal, a provider seeking recognition for Level 1 must demonstrate that "the service complies with the state-of-the-art cybersecurity standards."
"State-of-the-Art" vs. Specific Certification
The phrase "state-of-the-art" is a dynamic legal concept within the proposal. It implies that providers must align with current best practices in cybersecurity, such as those defined by widely recognised industry frameworks (e.g., ISO/IEC 27001, NIST, or the Cyber Resilience Act's essential requirements). However, CADA does not explicitly name a single mandatory standard for Level 1. Instead, it places the onus on the provider to prove compliance through a conformity self-assessment.
As outlined in Article 19, providers seeking Level 1 recognition must carry out a conformity self-assessment and issue an "EU statement of conformity." This statement must be publicly available. Crucially, for SMEs, the proposal includes a derogation: the EU statement of conformity issued by an SME is "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority" (Article 17(3)). This mechanism is designed to lower the barrier to entry for smaller European providers while maintaining a baseline of security.
Contrast with Levels 2–4 and EUCS
The cybersecurity requirements escalate significantly for Union Assurance Levels 2, 3, and 4. Unlike Level 1, these higher levels require independent third-party audits (Article 20).
Furthermore, Annex II explicitly links Levels 2–4 to the European Cybersecurity Certification Scheme for Cloud Services (EUCS), which is being developed under the Cybersecurity Act (Regulation (EU) 2019/881). The distinction in certification levels is precise:
- Levels 2 and 3: Annex II, paragraphs 2.1(e) and 3.1(e), state that the audited service must obtain a European cybersecurity certificate of at least assurance level "substantial" under a scheme established under the Cybersecurity Act. It is a common misconception that Level 3 requires a "high" level; the text explicitly sets the bar at "substantial" for both Level 2 and Level 3.
- Level 4: Annex II, paragraph 4.1(e), requires a certificate of at least assurance level "high".
Until the EUCS scheme is fully established and available, Annex II provides a transitional measure: "national cybersecurity certification schemes shall apply, where they exist." If no Union or national scheme exists, the provider must demonstrate compliance with the "highest cybersecurity standards under applicable Union law."
This creates a clear bifurcation: Level 1 relies on self-declared alignment with general best practices ("state-of-the-art"), while Levels 2–4 require formal, audited certification against specific, rigorous EU or national cybersecurity frameworks.
What this means for you
For CTOs, architects, and SMEs, the distinction between Level 1 and higher levels has practical implications for compliance costs, time-to-market, and technical architecture.
For SMEs and Level 1 Providers
If you are an SME providing cloud services to the EU public sector, Level 1 is likely your entry point. The requirement to "comply with state-of-the-art cybersecurity standards" means you do not need to undergo a costly, independent EUCS audit immediately. Instead, you must:
- Document Your Standards: Maintain clear documentation showing your security controls align with recognised best practices (e.g., ISO 27001 certification, SOC 2 reports, or adherence to the NIS2 Directive's risk management measures).
- Issue a Statement of Conformity: Prepare an EU statement of conformity as required by Article 19. For SMEs, this is a powerful advantage, as it bypasses the need for a national competent authority's prior recognition (Article 17(3)).
- Monitor "State-of-the-Art": Since the standard is dynamic, you must continuously update your security posture. What is "state-of-the-art" today may change tomorrow. Regular internal reviews and updates to your security policies are essential to maintain this claim.
For Architects and Larger Providers
If you aim for Levels 2–4, the cybersecurity bar is much higher. You cannot rely on self-assessment. You must prepare for independent audits (Article 20) and eventual EUCS certification.
- Audit Readiness: Your architecture must be designed for auditability. Annex III details the evidence auditing organisations will request, including access logs, support access policies, and data flow diagrams.
- EUCS Alignment: Start aligning your controls with the EUCS "substantial" or "high" assurance levels now. While the scheme is still developing, early alignment reduces future migration costs.
- Subcontractor Management: Levels 2–4 require strict controls over subcontractors, including their location and cybersecurity posture (Annex II, 2.1(a)-(c)). Ensure your supply chain is transparent and secure.
Strategic Implications
The "state-of-the-art" requirement for Level 1 is less prescriptive but potentially more ambiguous. Providers should be prepared to justify their choice of standards to competent authorities or auditors if challenged. Keeping up with emerging EU cybersecurity initiatives, such as the Cyber Resilience Act, will be crucial in demonstrating that your "state-of-the-art" claim is robust.
Common misconceptions
Misconception 1: CADA Level 1 requires EUCS certification. Fact: No. EUCS certification is explicitly required for Levels 2–4 (Annex II, 2.1(e), 3.1(e), 4.1(e)). Level 1 only requires a demonstration of compliance with "state-of-the-art cybersecurity standards" (Annex II, 1.1(e)). While EUCS may eventually become the de facto standard, it is not a mandatory prerequisite for Level 1 recognition under the current proposal.
Misconception 2: "State-of-the-art" means any standard will do. Fact: "State-of-the-art" is a legal term of art. It implies alignment with the current best practices in the industry. Using outdated or non-recognised frameworks may not suffice. Providers should rely on widely accepted international standards (ISO, NIST) or EU-specific frameworks (NIS2, Cyber Resilience Act) to substantiate their claim.
Misconception 3: Level 1 is a "low security" level. Fact: Level 1 is the baseline for sovereignty assurance, not necessarily low security. It still requires the provider to be established in the Union, keep infrastructure and data within the Union (unless explicitly required otherwise by the public sector body), and demonstrate robust cybersecurity. However, it lacks the independent audit and strict personnel/citizenship requirements of higher levels.
This is general information about a draft EU regulation, not legal advice.