Summary

Under the proposed Cloud and AI Development Act (CADA), a "Union assurance level 2" designation provides a robust mid-tier sovereignty guarantee suitable for many healthcare cloud services, but it is not the highest tier of protection. As proposed, Level 2 requires that cloud providers and their subcontractors be established in the EU, that all infrastructure, assets, and personnel remain exclusively within the Union, and that the service holds a European cybersecurity certificate of at least assurance level "substantial." For healthcare buyers, this ensures patient data stays in the EU and is protected by strict audit trails. However, Level 2 does not automatically mandate that all staff hold EU citizenship, nor does it prohibit third-country ownership if specific safeguards are met. Buyers must conduct a risk assessment under Article 29 to determine if Level 2 is sufficient or if highly sensitive records (e.g., genetic data, critical infrastructure links) require the stricter personnel and control requirements of Level 3 or 4.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a "Union cloud computing sovereignty framework" comprising four assurance levels. This framework is designed to help public sector bodies, including healthcare providers and hospitals, mitigate risks associated with dependence on non-European cloud providers and ensure the resilience of critical health data. Understanding the specific criteria of "Union assurance level 2" is critical for procurement officers evaluating cloud services for patient data.

The Core Requirements of Level 2

According to Annex II of the CADA proposal, Union assurance level 2 imposes cumulative criteria on cloud computing service providers. For a healthcare buyer, the most significant operational requirements are:

  1. Establishment and Location: The cloud provider and any subcontractors involved in the service must be established in the Union. Crucially, the infrastructure, assets, and personnel involved in providing the service must be located exclusively within the Union. This ensures that the physical and logical operations supporting patient data remain under EU jurisdiction.
  2. Data Residency: Customer data, including metadata and telemetry data, must remain exclusively within the Union at all times (before, during, and after configuration or use), unless the public sector body explicitly requires otherwise. This is a strict data localization rule that prevents patient records from being routed through non-EU servers for backup or processing.
  3. Cybersecurity Certification: The service must obtain a European cybersecurity certificate of at least assurance level "substantial" under a scheme to be established under Regulation (EU) 2019/881 (the Cybersecurity Act). Until such a scheme is fully operational, national cybersecurity certification schemes may apply. Where no Union or national schemes exist, the provider must demonstrate compliance with the highest cybersecurity standards under applicable Union law.
  4. Third-Country Control Safeguards: If the provider is subject to the control of a third country (e.g., owned by a non-EU entity), it must demonstrate that this control does not restrict its ability to perform the service, does not give third countries access to customer data, and does not disrupt service continuity. It must implement legal, technical, and organizational measures to ensure that third-country laws (such as foreign surveillance acts) do not override EU obligations.
  5. Software Supply Chain Transparency: The provider must maintain a complete and up-to-date Software Bill of Materials (SBOM) and document dependencies. If they use software from third-country manufacturers, they must implement controls to block remote features that could tamper with or disrupt the system and ensure security-relevant components are subject to source code audits.

How Level 2 Compares to Levels 3 and 4

While Level 2 offers strong guarantees regarding data location and infrastructure, it is not the most stringent tier. The proposal distinguishes levels based on the sensitivity of the data and the criticality of the service to public order.

  • Level 2 vs. Level 3: Level 3 adds stricter personnel requirements. Under Annex II, Level 3 requires that all personnel involved in providing the service (including subcontractors) must be Union citizens. It also requires that technical support be performed exclusively by Union residents who are not subject to third-country control. Level 2 allows for personnel screening if the public sector body determines it is necessary, but it is not an automatic baseline requirement for all staff to be citizens.
  • Level 2 vs. Level 4: Level 4 is the highest tier, reserved for the most sensitive data and critical public order functions. It requires a European cybersecurity certificate of assurance level "high" (rather than "substantial") and mandates that the provider and subcontractors are not subject to the control of a third country or a legal entity established in a third country. Level 2 allows for third-country control provided specific safeguards are met.

The Procurement Process: Risk Assessment First

CADA does not automatically mandate Level 2 for all healthcare data. Instead, Article 29 requires Member States and Union entities to conduct risk assessments to determine which assurance level is appropriate for specific public sector activities. These assessments consider the sensitivity, criticality, and magnitude of the data processed.

  • Article 30(2) states that public sector bodies whose activities have not been identified as contributing to the preservation of public order must use at least Union assurance level 1.
  • Article 30(3) states that contracting authorities whose activities have been identified as contributing to the preservation of public order (which can include certain healthcare functions involving critical infrastructure or sensitive personal data) must procure services recognized as offering Union assurance levels 2, 3, or 4.

Therefore, a healthcare buyer cannot simply assume Level 2 is the default. They must first complete the risk assessment mandated by Article 29. If the assessment determines that the data is highly sensitive or critical to public order, the buyer must choose between levels 2, 3, and 4 based on the specific risks identified. For standard patient records, Level 2 may suffice. For highly sensitive records (e.g., those involving national security, critical health infrastructure, or classified information), Level 3 or 4 may be required.

What this means for you

For public-sector procurement officers in the healthcare sector, the introduction of CADA's assurance levels changes how you evaluate cloud vendors. Here is what you need to do:

  1. Conduct the Article 29 Risk Assessment: Before issuing a tender, you must determine if your specific cloud use case contributes to the preservation of public order. If it does, you cannot accept Level 1. You must decide if Level 2 is sufficient or if the sensitivity of the patient data (e.g., genetic data, mental health records, or data linked to critical infrastructure) requires Level 3 or 4.
  2. Verify "Substantial" Certification: When evaluating tenders for Level 2, ensure the provider has or can obtain the required "substantial" cybersecurity certification. Check that they have a valid SBOM and that their supply chain controls are documented.
  3. Check for Third-Country Control: If a vendor is owned by a non-EU company, scrutinize their compliance with the Level 2 criteria regarding third-country control. They must prove that their parent company cannot access EU patient data or disrupt services.
  4. Plan for Audits: Level 2 requires independent third-party audits. Ensure your procurement contract includes clauses that allow for these audits and that the provider submits the audit report and "positive" audit opinion to the national competent authority for recognition.
  5. Consider Level 3 or 4 for High-Risk Data: If your risk assessment reveals that the data is exceptionally sensitive, consider mandating Level 3 or 4. Level 3 guarantees EU citizen staff and stricter support localization. Level 4 guarantees no third-country control and "high" cybersecurity certification.

Common misconceptions

  • "Level 2 means all staff are EU citizens." This is incorrect. Level 2 only requires that personnel are located in the EU. It allows for personnel screening if the buyer deems it necessary. Level 3 is the tier that mandates Union citizenship for all involved personnel.
  • "Level 2 allows data to leave the EU for backup." No. Under Annex II, Level 2 requires that customer data remain exclusively within the Union at all times, unless the public sector body explicitly requires otherwise. Backup locations must also be in the EU.
  • "All healthcare data requires Level 4." Not necessarily. CADA uses a risk-based approach. While some highly sensitive healthcare data may require Level 4, many standard healthcare cloud services may only require Level 2 or 3, depending on the outcome of the Article 29 risk assessment. Level 4 is reserved for cases where the risk to public order is highest and third-country control is entirely unacceptable.
  • "Level 2 is a guarantee against all third-country influence." Level 2 allows providers to be subject to third-country control, provided they implement robust legal and technical safeguards to prevent data access or service disruption. If you want to eliminate third-country control entirely, you must look at Level 4.

This is general information about a draft EU regulation, not legal advice.