Summary
Under the proposed Cloud and AI Development Act (CADA), Union Assurance Level 2 represents a critical mid-tier sovereignty standard requiring cloud providers to maintain strict EU-based infrastructure, personnel, and data residency, alongside mandatory independent third-party audits. For a legal compliance team, this level mandates verifying that a vendor has secured a "positive" audit opinion, holds a European cybersecurity certificate of at least assurance level "substantial," and has implemented rigorous software supply chain controls, including a complete Software Bill of Materials (SBOM). Crucially, while Level 2 allows for conditional personnel screening, it strictly prohibits the use of customer data for training third-country AI models.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a harmonized framework to mitigate risks associated with dependence on non-European cloud providers. Central to this framework is the Union Cloud Computing Sovereignty Framework, which defines four "Union Assurance Levels" (UALs). As established in Article 16, these levels provide a proportionate mechanism to ensure public order is preserved by maintaining control and agency for public-sector bodies.
Union Assurance Level 2 (UAL 2) is designed for services that require a higher degree of trust and operational autonomy than the baseline Level 1, but do not reach the strictest personnel citizenship requirements of Levels 3 and 4. For a legal team assessing a vendor, understanding the specific cumulative criteria of UAL 2 is critical for due diligence, as failure to verify these criteria could expose the contracting authority to sovereignty risks.
Core Criteria for Union Assurance Level 2
The specific requirements for a cloud computing service to be recognized as offering Union Assurance Level 2 are detailed in Annex II, Section 2 of the CADA proposal. To qualify, a provider must meet the following cumulative criteria:
- Establishment and Location: The audited provider and its subcontractors involved in service provision must be established in the Union. Crucially, the infrastructure, assets, and personnel of the provider (including subcontractors) must be located exclusively within the Union.
- Data Residency: Customer data, including metadata and telemetry data, processed, stored, or transferred by the provider and its subcontractors must remain exclusively within the Union. This applies at all times, unless the public sector body explicitly requires otherwise.
- Personnel Screening (Conditional): If the public sector body determines it is necessary, the provider must ensure that personnel meeting additional screening and Union citizenship requirements are available. Unlike Levels 3 and 4, citizenship is not an absolute baseline requirement for Level 2 but is conditional on the public body's specific risk assessment.
- Cybersecurity Certification: The service must obtain a European cybersecurity certificate of at least assurance level "substantial" under a European cybersecurity certification scheme (such as the EUCS) established under the Cybersecurity Act. Until such a scheme is fully established and available, national cybersecurity certification schemes may apply, or the provider must demonstrate compliance with the highest cybersecurity standards under applicable Union law.
- AI Training Data Restrictions: Data generated by using the audited service cannot be used to train or fine-tune any AI system operated by a third country or a legal entity established in a third country. Furthermore, this data cannot be transferred outside the Union under any circumstances.
- Third-Country Control Safeguards: If the provider or its subcontractors are subject to the control of a third country or a legal entity established in a third country, they must demonstrate that legal, technical, and organizational measures are in place to ensure:
  - The third-country control does not restrict the provider's ability to perform the service or undermine its capabilities.
  - Access by the third country to customer data is prevented.
  - The possibility of service disruption or quality degradation by the third country is prevented.
  - The provider is not obliged to implement restrictive measures (such as sanctions or embargoes) imposed by the third country, unless those measures are legitimate under Member State or Union law.
  - Note on Derogation: While Article 18 allows the Commission to recognize third countries for Level 3, the Level 2 criteria in Annex II generally require the absence of third-country control unless specific safeguards are proven.
- Support and Maintenance: Technical and operational support, including sub-outsourcing, must be initiated and performed exclusively within the Union.
- Software Supply Chain Transparency: The provider must implement specific software supply chain measures, including:
  - A complete and up-to-date Software Bill of Materials (SBOM) and a list of identified dependencies, made available to the auditing organization.
  - Controls to block remote features that could tamper with or disrupt the service.
  - Source code audits for security-relevant components from third-country manufacturers, along with a documented migration plan if the vendor fails or restrictions are imposed.
  - Guarantees that there are no laws in a controlling third country requiring the provider to report software vulnerabilities to that country's authorities before they are publicly known.
The Role of Independent Audits
Unlike Level 1, which allows for self-assessment, Article 20 mandates that providers seeking recognition for Union Assurance Levels 2, 3, or 4 must undergo independent third-party audits.
For a legal team, this means the vendor's claim of compliance cannot be taken on faith alone. The provider must submit an audit report and a "positive" audit opinion to the national competent authority of establishment. Article 20(5) specifies that this audit report must include a declaration of interests, a description of the methodology, main findings, and a clear "positive" or "negative" opinion on compliance with the audit criteria. A "positive" opinion is only issued if all evidence shows the provider complies with the criteria and obligations set out in the Regulation.
Furthermore, Article 20(8) requires that the audited provider annually submit the audit report and opinion for review to confirm continued compliance. The auditing organization must be independent, having no conflicts of interest, such as providing non-audit services to the provider in the 12 months before or after the audit.
Verification and Recognition
The recognition process is governed by Article 17. Once a provider submits the required evidence (the audit report and positive opinion) to the national competent authority, that authority assesses the evidence within 60 days. If recognized, the service is registered in a central repository maintained by the Commission (Article 22), which serves as a single source of truth for contracting authorities. Legal teams should verify that the vendor is listed in this central repository as offering Union Assurance Level 2.
What this means for you
For in-house counsel and compliance officers, the introduction of CADA Level 2 transforms vendor risk assessment from a contractual exercise into a regulatory compliance obligation. Here is how to operationalize these requirements:
- Demand the Audit Report, Not Just a Statement: Under Article 20, a self-declaration is insufficient for Level 2. You must request the vendor's latest independent audit report and verify that it contains a "positive" audit opinion. Check the auditor's independence to ensure no conflicts of interest exist, as required by Article 20(4).
- Verify Cybersecurity Certifications: Ensure the vendor holds a valid European cybersecurity certificate of at least "substantial" assurance level. If the EUCS scheme is not yet fully operational for their specific service, ask for evidence of national certification or proof of adherence to the highest cybersecurity standards under Union law, as per Annex II, Section 2.1(e).
- Scrutinize the SBOM and Supply Chain: Request the vendor's Software Bill of Materials (SBOM). Annex II, Section 2.1(i) requires this to be complete and up-to-date. Your legal team should review this to identify any third-country dependencies and verify that the vendor has documented migration plans for critical components, protecting against supply chain coercion.
- Confirm Data Residency and AI Usage Clauses: Review the Data Processing Agreement (DPA) to ensure it explicitly states that all customer data, including telemetry and metadata, remains exclusively within the EU. Additionally, verify that the contract prohibits the use of your data to train AI models operated by third-country entities, a strict requirement of Annex II, Section 2.1(f).
- Check the Central Repository: Before signing a contract, check the central repository of recognized services established by the Commission (Article 22). If the vendor is not listed as offering Union Assurance Level 2, they are not legally recognized as such under CADA, regardless of their internal claims.
- Monitor for Material Changes: Article 23 imposes transparency obligations on providers. Ensure your contract includes a clause requiring the vendor to notify you immediately of any material changes that could affect their Level 2 status, such as a change in control or a breach of data residency.
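Of the Level 2 criteria, the SBOM requirement (Annex II, Section 2.1(i), and the "Scrutinize the SBOM and Supply Chain" step above) is the one a compliance team can partly check mechanically before handing it to the auditors. The following is an added example, not code from the CADA proposal, the Commission, or any vendor. It reads a constructed CycloneDX-style JSON SBOM (component and supplier names are invented) and checks three things the text asks for: that every component carries the fields needed to identify it, that every dependency in the graph is actually declared (a dangling reference is a sign the SBOM is not "complete"), and that the SBOM is recent enough to count as "up-to-date" against a review date you choose. It also lists suppliers that are not on a reviewer-maintained list of EU-established suppliers; that list is an assumption, because an SBOM records supplier names but not jurisdiction, so the jurisdiction check must draw on your own vendor records.

```python
"""Mechanical pre-checks on a CycloneDX-style JSON SBOM for a Level 2 review.

Added example: not the CADA text's or any vendor's code. The SBOM below is
constructed for illustration; the EU-established supplier list is an assumed
input that the reviewing team maintains outside the SBOM.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample SBOM in CycloneDX JSON shape. Names and versions are invented.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2026-01-15T10:00:00Z",
        "component": {"bom-ref": "svc-root", "name": "example-cloud-service", "version": "2.3.0"},
    },
    "components": [
        {"bom-ref": "lib-a", "name": "libalpha", "version": "1.4.2",
         "purl": "pkg:generic/libalpha@1.4.2", "supplier": {"name": "Example EU GmbH"}},
        # Deliberately missing "version": an incomplete entry the check should flag.
        {"bom-ref": "lib-b", "name": "libbeta",
         "purl": "pkg:generic/libbeta", "supplier": {"name": "Example EU GmbH"}},
        {"bom-ref": "lib-c", "name": "libgamma", "version": "0.9.1",
         "purl": "pkg:generic/libgamma@0.9.1", "supplier": {"name": "Example Overseas Inc."}},
    ],
    "dependencies": [
        {"ref": "svc-root", "dependsOn": ["lib-a", "lib-b", "lib-c"]},
        {"ref": "lib-a", "dependsOn": ["lib-d"]},   # lib-d is referenced but never declared
    ],
})

# Review date used by the stand-alone run and by the checks below (constructed).
REVIEW_DATE = datetime(2026, 3, 1, tzinfo=timezone.utc)

# Fields each component needs before an auditor can identify what it is.
REQUIRED_FIELDS = ("name", "version", "purl")


def incomplete_components(sbom):
    """Map bom-ref -> list of missing required fields, for components lacking any."""
    missing = {}
    for comp in sbom.get("components", []):
        absent = [field for field in REQUIRED_FIELDS if not comp.get(field)]
        if absent:
            missing[comp.get("bom-ref", comp.get("name", "<unnamed>"))] = absent
    return missing


def dangling_dependencies(sbom):
    """Sorted refs that appear in the dependency graph but are declared nowhere."""
    declared = {c["bom-ref"] for c in sbom.get("components", []) if "bom-ref" in c}
    root = sbom.get("metadata", {}).get("component", {}).get("bom-ref")
    if root:
        declared.add(root)
    referenced = set()
    for entry in sbom.get("dependencies", []):
        referenced.add(entry["ref"])
        referenced.update(entry.get("dependsOn", []))
    return sorted(referenced - declared)


def is_stale(sbom, now, max_age_days):
    """True if the SBOM has no timestamp or was generated more than max_age_days ago."""
    stamp = sbom.get("metadata", {}).get("timestamp")
    if not stamp:
        return True
    generated = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    return now - generated > timedelta(days=max_age_days)


def suppliers_needing_review(sbom, eu_established):
    """Supplier names not on the reviewer's own list of EU-established suppliers."""
    names = {c.get("supplier", {}).get("name", "<no supplier>") for c in sbom.get("components", [])}
    return sorted(names - set(eu_established))


def review_sbom(sbom_json, now, eu_established, max_age_days=90):
    """Run all checks on a JSON SBOM string and return the findings as a dict."""
    sbom = json.loads(sbom_json)
    return {
        "incomplete": incomplete_components(sbom),
        "dangling": dangling_dependencies(sbom),
        "stale": is_stale(sbom, now, max_age_days),
        "review_suppliers": suppliers_needing_review(sbom, eu_established),
    }


if __name__ == "__main__":
    findings = review_sbom(SAMPLE_SBOM, REVIEW_DATE, ["Example EU GmbH"])
    print(json.dumps(findings, indent=2))
```

Any non-empty "incomplete" or "dangling" result means the SBOM cannot be called complete and should go back to the vendor before the audit evidence is accepted; "review_suppliers" is a work list for the jurisdiction and migration-plan review, not a verdict on its own.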
Common misconceptions
- "Level 2 means all staff must be EU citizens." This is incorrect. Union citizenship requirements for personnel are mandatory for Level 3 and Level 4. For Level 2, Annex II, Section 2.1(d) only requires that personnel meeting additional screening and citizenship requirements be available if the public sector body determines it is necessary.
- "Self-assessment is sufficient for Level 2." No. Self-assessment is only permitted for Union Assurance Level 1 (Article 19). Level 2 strictly requires an independent third-party audit and a "positive" audit opinion (Article 20).
- "Data can leave the EU if it is encrypted." Under Level 2, customer data must remain exclusively within the Union unless the public sector body explicitly requires otherwise (Annex II, Section 2.1(c)). Encryption does not automatically exempt data from this residency requirement under the sovereignty framework.
- "Third-country ownership disqualifies a vendor." Not necessarily. A provider subject to third-country control can still achieve Level 2 if they demonstrate effective legal, technical, and organizational separation measures that prevent third-country access to data or service disruption (Annex II, Section 2.1(g)). However, this requires rigorous audit evidence.
- "Level 2 requires 'high' cybersecurity certification." This is a common error. Level 2 requires a certificate of at least "substantial" assurance. The "high" assurance level is a specific requirement reserved for Union Assurance Level 4 (Annex II, Section 4.1(e)).
This is general information about a draft EU regulation, not legal advice.