Summary
Under the proposed Cloud and AI Development Act (CADA), Union Assurance Level 1 imposes a strict territorial confinement rule: all customer data, explicitly including metadata and telemetry data, must remain exclusively within the European Union. This obligation binds both the cloud provider and its subcontractors at every stage of the service lifecycle. The only permitted exception is if the public sector body explicitly requires otherwise. This provision ensures that the decision to transfer data outside the Union, and the associated sovereignty risks, rests solely with the public authority, not the provider.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised Union cloud computing sovereignty framework. This framework is structured around four distinct "Union assurance levels," designed to provide a graduated approach to sovereignty, security, and operational autonomy. For public sector bodies and Union entities, Union Assurance Level 1 serves as the mandatory baseline for procurement, as outlined in Article 30(2) of the proposal.
To achieve recognition at Level 1, a cloud computing service provider must satisfy a set of cumulative criteria detailed in Annex II of the regulation. The most critical of these regarding data sovereignty is the data residency obligation found in Annex II, Section 1.1(c).
The Core Data Residency Obligation
The proposal establishes a comprehensive territorial boundary for data processing. According to Annex II, Section 1.1(c), for a service to be recognised at Union Assurance Level 1, the following condition must be met:
"the customer data, including metadata and telemetry data, that is processed, stored and transferred by the cloud computing service provider, and by the subcontractors, which are involved in the provision of the service, remain exclusively within the Union, unless the public sector body explicitly requires otherwise and at any time, including before, during or after the configuration or use of the service;"
This text creates a robust and unambiguous residency requirement. It is not limited to the primary data inputs (the "customer data" in the narrow sense) but explicitly expands the scope to include:
- Customer Data: The core information input into the service or generated by the public sector body's use of it.
- Metadata: Data describing the data, such as access logs, configuration settings, and administrative records.
- Telemetry Data: Operational data generated by the infrastructure itself, including performance metrics, usage statistics, system health indicators, and network traffic data.
The phrase "remain exclusively within the Union" prohibits any processing, storage, or transfer of these data types outside the EU territory. This applies to the entire data lifecycle, covering the period "before, during or after the configuration or use of the service." This ensures that even during setup, maintenance, or decommissioning phases, data cannot be routed through non-EU jurisdictions.
Scope: Providers and Subcontractors
The obligation is not limited to the primary cloud service provider. Annex II, Section 1.1(c) explicitly extends the requirement to "subcontractors, which are involved in the provision of the service."
This creates a chain of liability and compliance. If a Level 1 provider outsources any aspect of the service (such as technical support, storage management, or operational assistance) to a third party, that subcontractor is equally bound by the residency rule. The primary provider cannot circumvent the requirement by offloading data processing to a non-EU vendor. The regulation mandates that the provider ensures "traceability, security and governance" of these operations, as noted in Annex II, Section 1.1(d), to guarantee that operational autonomy is not compromised.
The Exception: Explicit Public Sector Requirement
The regulation provides a single, narrowly defined exception to the exclusivity rule. Data may leave the Union "unless the public sector body explicitly requires otherwise."
This exception is critical for understanding the allocation of risk and decision-making power:
- Provider Limitation: The cloud provider cannot unilaterally decide to transfer data abroad for reasons of cost efficiency, technical redundancy, or global architecture.
- Public Authority Discretion: The decision to transfer data outside the EU rests entirely with the public sector body. The public authority must explicitly request or mandate the transfer.
- Risk Ownership: By requiring an explicit instruction, the regulation ensures that the public authority retains sovereignty over its data and accepts the associated risks of cross-border transfer.
The phrase "at any time" reinforces that this exception applies throughout the entire service lifecycle, from initial configuration to final archival.
Recognition and Conformity Assessment
To offer services at Union Assurance Level 1, a provider must undergo a recognition procedure under Article 17 of the proposal. Specifically, Article 17(3) states that for Level 1, the provider must submit an "EU statement of conformity" to the national competent authority of establishment.
Unlike Levels 2, 3, and 4, which require independent third-party audits, Level 1 relies on a conformity self-assessment by the provider, as detailed in Article 19. The provider must document evidence demonstrating compliance with the criteria in Annex II, including the strict data residency rule. However, this self-assessment is not a mere formality; the national competent authority must verify the evidence to ensure the provider can technically and legally guarantee that data remains within the Union.
Implications for Data Sovereignty and Infrastructure
This data residency rule is a cornerstone of CADA's objective to reduce dependence on third-country providers and safeguard the Union's public order. By mandating that data stays within the EU, the proposal mitigates risks associated with extraterritorial access by foreign governments (such as under the US CLOUD Act) and ensures that EU data remains under the jurisdiction of EU laws, including the GDPR.
For providers, this means that infrastructure located outside the EU cannot be used for any part of the service delivery for Level 1 customers, unless explicitly authorised by the public body. This includes:
- Backup and Disaster Recovery: Replicas of data must be stored in EU-based facilities.
- Analytics and Monitoring: Telemetry data used for service improvement or security monitoring must not be processed in non-EU regions.
- Support Operations: Technical support and administrative access must be initiated and performed within the Union, as required by Annex II, Section 1.1(d) and Section 2.1(h) (which sets the precedent for higher levels).
What this means for you
For in-house counsel, compliance officers, and public procurement teams, the CADA Level 1 data residency rule introduces specific obligations and strategic considerations:
1. Contractual Review and Amendments
Review existing and future cloud service contracts to ensure they include explicit clauses guaranteeing data residency within the EU. Contracts must state that no customer data, metadata, or telemetry data will be transferred outside the Union unless explicitly requested in writing by your organisation. Ensure that these obligations flow down to all subcontractors used by the provider, as the provider remains liable for their compliance.
2. Technical Due Diligence
Verify that your cloud provider's infrastructure is physically and logically confined to the EU. Request evidence of their compliance with Annex II, Section 1.1(c). This may include:
- Data flow diagrams showing that no data leaves the Union.
- Infrastructure maps confirming the location of primary, backup, and disaster recovery sites.
- Subcontractor lists and evidence of their EU location.
3. Internal Governance for Data Transfers
Establish a clear internal process for authorising any data transfers outside the EU. Since the exception requires an "explicit requirement" from the public sector body, your organisation must have a documented procedure for approving such transfers. This should include a risk assessment of the transfer and a formal authorisation from the relevant data protection or security officer. Without this explicit instruction, the provider is legally barred from transferring data.
4. Monitoring and Auditing
Even though Level 1 relies on self-assessment, maintain the right to audit your provider's compliance. Include contractual rights to request evidence of residency compliance and to conduct audits if there is suspicion of non-compliance. Ensure that your provider monitors its subcontractors for compliance with the same rules.
5. Penalties and Enforcement
Be aware that non-compliance with CADA provisions can lead to penalties. Article 24(1) requires Member States to lay down rules on penalties for infringements, which must be "effective, proportionate and dissuasive." While the specific fines are determined by national law, the CADA framework provides a basis for enforcement actions by national competent authorities. Failure to comply with the data residency rule could result in the revocation of the provider's Level 1 recognition, disrupting your services.
Common misconceptions
Misconception 1: Only primary customer data must stay in the EU. Reality: The rule explicitly includes metadata and telemetry data. All data generated or processed in connection with the service, including logs and operational metrics, must remain within the Union.
Misconception 2: Providers can transfer data abroad for backups or analytics. Reality: Unless the public sector body explicitly requires it, no data can leave the EU. Providers cannot unilaterally decide to use non-EU infrastructure for backups, analytics, or support.
Misconception 3: Level 1 requires an independent audit. Reality: Level 1 is based on a conformity self-assessment by the provider. Independent third-party audits are required only for Levels 2, 3, and 4. However, the national competent authority still verifies the self-assessment.
Misconception 4: The rule applies only to personal data. Reality: The rule applies to all customer data, regardless of whether it is personal or non-personal. It is a sovereignty and operational autonomy rule, not just a data protection rule.
Misconception 5: Subcontractors are exempt from the rule. Reality: The obligation extends to all subcontractors involved in the provision of the service. The primary provider is responsible for ensuring their subcontractors comply with the residency requirement.
This is general information about a draft EU regulation, not legal advice.