Summary

Under the proposed Cloud and AI Development Act (CADA), Union Assurance Level 1 serves as the mandatory baseline for all public sector cloud procurement where no specific public-order risk has been identified. As proposed in Article 16 and detailed in Annex II, this level requires a provider to be established in the EU, keep all infrastructure and customer data (including metadata) exclusively within the Union, and demonstrate compliance via a self-assessed "EU statement of conformity" under Article 19. Crucially, Level 1 is not a high-security certification; it does not require independent third-party audits, does not mandate Union-citizen personnel, and does not guarantee freedom from third-country control (beyond specific vulnerability-reporting safeguards). For a CTO, Level 1 is the entry ticket for EU public contracts, but it is insufficient for sensitive, critical, or classified workloads.

Detail

To understand the practical implications of CADA Level 1, one must distinguish between the self-assessed baseline of Level 1 and the audited, higher-assurance tiers (Levels 2–4). The framework is established by Article 16, which mandates four assurance levels, with criteria set out in Annex II.

1. The Core Criteria: A Self-Assessed Baseline (Annex II, Section 1)

Level 1 is the foundational tier. Unlike Levels 2, 3, and 4, it does not require an independent third-party audit. Instead, the provider must perform a conformity self-assessment against the cumulative criteria in Annex II, 1.1:

  • EU Establishment: The provider must be established in the Union (Annex II, 1.1(a)).
  • Infrastructure Location: The provider's infrastructure and assets, including those of subcontractors involved in the service, must be located in the Union (Annex II, 1.1(b)).
  • Data Residency: Customer data, including metadata and telemetry, processed, stored, or transferred by the provider and its subcontractors, must remain exclusively within the Union (Annex II, 1.1(c)). Exceptions apply only if the public sector body explicitly requires otherwise.
  • Operational Autonomy: If technical support is outsourced outside the Union, the provider must implement measures to ensure traceability, security, and governance, ensuring these operations do not compromise operational autonomy (Annex II, 1.1(d)).
  • Cybersecurity Standards: The service must comply with state-of-the-art cybersecurity standards (Annex II, 1.1(e)).
  • Subcontractor Transparency: The provider must provide full transparency regarding subcontractors and subject them to due diligence and contractual obligations (Annex II, 1.1(f)).
  • Vulnerability Reporting: If the provider is subject to the control of a third country, it must guarantee that no laws in that third country require reporting software vulnerabilities to third-country authorities prior to those vulnerabilities being known to have been exploited (Annex II, 1.1(g)).

2. The Mechanism: Self-Assessment and the EU Statement of Conformity (Article 19)

The procedural engine for Level 1 is Article 19.

  • Self-Assessment: Under Article 19(1), the provider carries out a conformity self-assessment against the Annex II criteria.
  • The Statement: Following this, under Article 19(2), the provider issues an "EU statement of conformity." By issuing this statement, the provider assumes full responsibility for compliance.
  • Transparency: This statement must be made publicly available (Article 19(3)).

Recognition Process:

  • For SMEs: Article 17(3) provides a derogation: their EU statement of conformity is directly and automatically recognized in all Member States without prior recognition by a national competent authority.
  • For Larger Providers: They must submit the statement to the national competent authority of their establishment for recognition under Article 17.

3. Procurement Obligations: The Mandatory Floor

Article 30(2) establishes the procurement rule: Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order (via risk assessment under Article 29) shall use cloud computing services recognized as having a Union assurance level 1. It is the mandatory floor, not the ceiling.

4. Critical Distinctions: Level 1 vs. Levels 2–4

Understanding what Level 1 lacks is as important as knowing what it requires.

  • No Independent Audit: Levels 2, 3, and 4 require independent third-party audits under Article 20. Level 1 relies solely on the provider's self-declaration.
  • No Personnel Citizenship Requirement: Levels 2, 3, and 4 include criteria regarding Union citizenship for personnel (conditional at Level 2, mandatory at Levels 3 and 4). Level 1 has no such requirement.
  • No "High" Cybersecurity Certification: Level 1 requires "state-of-the-art" standards. Levels 2 and 3 require a European cybersecurity certificate of at least "substantial" assurance. Level 4 requires a "high" assurance certificate (Annex II, 4.1(e)).
  • Third-Country Control: While Level 1 requires safeguards against pre-exploitation vulnerability reporting, it does not strictly prohibit third-country control in the same absolute manner as Level 4 (which requires no third-country control at all).

What this means for you

As a CTO or architect evaluating providers for EU public sector work, CADA Level 1 shifts your due diligence from "trust us" to "prove residency and establishment." Here is your action plan:

1. Verify EU Establishment, Not Just Presence

Many global hyperscalers have "offices" in the EU. Under CADA, "established" implies a deeper legal and operational footprint. You must verify that the legal entity providing the service is incorporated under the law of a Member State.

  • Action: Request the provider's corporate registry extracts, proof of a registered office, and evidence of central administration in the EU. Look for stable and effective presence: physical offices, permanent staff, local payroll, and banking functions in the Union.

2. Audit Data Flows and Metadata

Level 1 requires that all customer data, including metadata and telemetry, remains in the Union. This is stricter than many current commercial contracts which often route logs to global hubs.

  • Action: Map your data flows. Ensure that logging, monitoring, and telemetry data generated by the cloud infrastructure are not routed to third-country headquarters for analysis or storage unless your specific contract explicitly allows it (which is rare in public sector contracts).

3. Scrutinize Subcontractor Chains

The provider is responsible for subcontractors involved in the service delivery.

  • Action: Ask for a list of key subcontractors. Verify that their assets and data handling also comply with the EU-only location requirement. If a subcontractor provides support from outside the EU, demand evidence of the "legal, technical and organisational measures" that protect operational autonomy (Annex II, 1.1(d)).

4. Request the EU Statement of Conformity

Since Level 1 is self-assessed, the "EU statement of conformity" is your primary compliance document.

  • Action: Do not accept a generic marketing claim. Request the formal EU statement of conformity issued under Article 19. Ensure it is publicly available or provided directly to you. For SMEs, this document is sufficient for cross-border recognition.

5. Understand the Limits

Level 1 does not guarantee:

  • That personnel are EU citizens (required for Level 2+).
  • That the provider is free from third-country control (beyond the vulnerability reporting guarantee).
  • That the service has undergone an independent audit.

  • Action: If your use case involves sensitive data, national security, or critical infrastructure, Level 1 is likely insufficient. You must conduct a risk assessment under Article 29 to determine if Level 2, 3, or 4 is required.

Common misconceptions

Misconception 1: "Level 1 is a low-security tier." It is not "low security"; it is "baseline sovereignty." It mandates strict data residency and EU establishment. However, it lacks the rigorous third-party audit and personnel screening of higher levels. It is designed for standard public sector workloads, not critical national infrastructure.

Misconception 2: "A US provider with an EU subsidiary automatically qualifies." Not necessarily. The provider must be established in the Union. If the US parent retains effective control over strategic decisions, data access, or operational continuity, the provider may fail the operational autonomy or control criteria. Furthermore, if the provider is subject to third-country control, they must guarantee no mandatory pre-exploitation vulnerability reporting to that third country (Annex II, 1.1(g)).

Misconception 3: "Self-assessment means no accountability." False. The provider assumes legal responsibility for the conformity statement (Article 19(2)). Under Article 24, Member States must lay down penalties for infringements, and recipients have the right to seek compensation for damages caused by non-compliance. National competent authorities can investigate and revoke recognition if information is incorrect or misleading (Article 17(11)).

Misconception 4: "Level 1 allows data transfer outside the EU." By default, no. Data must remain exclusively within the Union. The only exception is if the public sector body explicitly requires otherwise. This is an opt-in for the buyer, not a default right for the provider.

This is general information about a draft EU regulation, not legal advice.