Summary
Under the proposed Cloud and AI Development Act (CADA), Union assurance level 3 is a high tier of sovereignty intended for public-sector bodies that handle sensitive data or perform critical functions. As proposed, it requires that the cloud service be entirely free from third-country control, be staffed exclusively by Union citizens, and be capable of hosting classified information. For public-sector buyers, Level 3 comes into play only for activities that national risk assessments identify as contributing to the preservation of public order, such as national security, defense, or law enforcement.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a harmonized "Union cloud computing sovereignty framework" comprising four assurance levels. Union assurance level 3 is not a default requirement for all public procurement; rather, it is a targeted safeguard for high-stakes government operations where the risk of third-country interference must be minimized.
When Must You Use Level 3?
CADA does not mandate Level 3 for every government cloud contract. Instead, it uses a risk-based approach. Under Article 29, Member States and Union entities must conduct risk assessments to determine which public-sector activities contribute to the preservation of public order. These activities include sectors falling under the NIS2 Directive, as well as national security, internal security, external border management, defense, justice, and law enforcement.
If your risk assessment identifies a specific workload or sector as critical to public order, Article 30(3) mandates that you "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4." You cannot use Level 1 services for these sensitive functions. Level 3 is often selected over Level 4 when the data is sensitive but does not require the absolute maximum isolation of Level 4, or when specific classified information handling is required.
What Are the Technical and Operational Requirements?
To be recognized as offering Union assurance level 3, a cloud computing service provider must meet cumulative criteria set out in Annex II, Section 3 of the proposal. These criteria are significantly stricter than Level 1 or 2:
- No Third-Country Control: The provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country. This is a strict prohibition. A limited derogation exists only if the Commission has adopted an implementing act under Article 18 identifying a specific third country as providing sufficient assurances.
- Union Citizenship for Personnel: All personnel involved in the provision of the service, including subcontractor staff, must be Union citizens. Furthermore, "where appropriate," personnel must also have the necessary national security clearance issued by a Member State when handling classified information.
- Data Residency and Sovereignty: Customer data, including metadata and telemetry, must remain exclusively within the Union. The data cannot be transferred outside the Union, nor can it be used to train or fine-tune AI systems operated by third-country entities.
- Cybersecurity Certification: The service must obtain a European cybersecurity certificate of at least the 'substantial' assurance level under the European Cybersecurity Certification Scheme for Cloud Services (EUCS), once established. Until then, national schemes or highest-market standards apply.
- Software Supply Chain Transparency: Providers must maintain a complete and up-to-date Software Bill of Materials (SBOM). They must demonstrate controls to block remote features that could tamper with systems and ensure that security-relevant components from third-country manufacturers are subject to source code audits.
- Operational Support: All technical and operational support must be initiated and performed exclusively within the Union by Union residents and parties not subject to third-country control.
How Is Recognition Verified?
Unlike Level 1, which allows self-assessment, Level 3 requires independent verification. Under Article 20, providers must undergo independent third-party audits by accredited auditing organizations. These audits produce an audit report and a 'positive' audit opinion. The provider then submits this evidence to the national competent authority of the Member State in which it is established for formal recognition; once granted, that recognition is valid across the entire EU.
What this means for you
As a public-sector procurement officer, CADA Level 3 changes how you evaluate tenders and manage vendor relationships.
1. Conduct rigorous risk assessments: You cannot arbitrarily choose Level 3. You must first complete the risk assessment mandated by Article 29. Document clearly why your specific workload (e.g., police databases, defense communications, or critical infrastructure management) requires this level of assurance. If your activity is standard administrative work, Level 1 may suffice. Using Level 3 unnecessarily may limit your market options and increase costs without adding proportional security value. Note that these assessments must be repeated "thereafter every two years, or whenever necessary" (Article 29(1)).
2. Verify the "no foreign control" clause: When reviewing tenders, look beyond the provider's headquarters. A company may be EU-based but owned by a third-country entity, which Annex II prohibits for Level 3. Request evidence that the provider is not subject to third-country control, including ownership structures, board composition, and strategic decision-making powers. A provider controlled by a foreign state or entity is ineligible for Level 3 unless a specific Commission derogation applies under Article 18.
3. Check personnel clearances: Ensure your contracts specify that all staff accessing your data or infrastructure are Union citizens. If your workload involves classified information, verify that these individuals hold the appropriate national security clearances. This is a hard requirement under Annex II, Section 3, point (d).
4. Demand audit evidence, not just self-declarations: Do not accept a simple statement of compliance. Under Article 17 and Article 20, require the provider to present a valid audit report and a 'positive' audit opinion from an accredited auditing organization. The recognition should also be reflected in the central repository of recognized services maintained by the Commission (Article 22).
5. Plan for migration and transition: If your current cloud provider does not meet Level 3 criteria, you will need to migrate. Article 29(6) notes that where a risk assessment requires migration to another service, the transition period should not exceed 12 months, taking into account technical feasibility and data portability. Start planning your exit strategy and data portability requirements early.
Common misconceptions
Misconception 1: Level 3 is the default for all government cloud.
Reality: No. Level 1 is the baseline for all public procurement (Article 30(2)). Level 3 is only mandatory for activities identified in risk assessments as contributing to public order, such as defense or law enforcement (Article 30(3)).
Misconception 2: Any EU-headquartered provider can offer Level 3.
Reality: Not necessarily. Even if a provider is headquartered in the EU, if it is controlled by a third-country entity (e.g., through majority ownership or veto rights), it cannot meet Level 3 criteria unless a specific Commission derogation is in place for that country under Article 18. The "no third-country control" rule is strict.
Misconception 3: Level 3 is the same as Level 4.
Reality: They are similar but distinct. Level 4 is the highest tier, often reserved for the most sensitive classified information. While both require Union citizenship and no foreign control, Level 4 requires a 'high' cybersecurity certificate (Annex II 4.1(e)), whereas Level 3 requires 'substantial' (Annex II 3.1(e)). Level 3 is appropriate for many sensitive government workloads that do not reach the absolute peak of sensitivity defined for Level 4.
Misconception 4: Self-certification is enough for Level 3.
Reality: Self-certification is only permitted for Level 1 (Article 19). Level 3 requires independent third-party audits and formal recognition by national competent authorities (Article 20 and Article 17).
Misconception 5: The "foreign control" rule has a drafting error in the Annex.
Reality: There is no drafting error. Annex II, Section 3.1(g) correctly references Article 18 as the mechanism for the third-country derogation. The text is consistent with the main Regulation; the mechanism allows the Commission to identify specific third countries where providers subject to their control may still be audited for Level 3, provided strict safeguards are met.
This is general information about a draft EU regulation, not legal advice.