Summary

As proposed, CADA Level 4 represents the apex of the Union cloud computing sovereignty framework, specifically engineered for the most sensitive public-sector activities, including defence operations and classified workloads. To achieve this recognition, a cloud provider must guarantee that risk-assessed sensitive data remains exclusively within the Union, employ only Union citizens (holding national security clearances where classified information is handled), and operate under zero third-country control. Unlike lower tiers, Level 4 admits no derogations for foreign ownership or extraterritorial legal access, ensuring the strictest possible safeguards for operational autonomy and data confidentiality.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a four-tier "Union cloud computing sovereignty framework" to mitigate the strategic risks of dependence on non-European cloud providers. While Level 1 serves as a baseline and Levels 2 and 3 address general public-order concerns, Level 4 is the most stringent tier. It is designed for activities where the preservation of public order demands the highest level of assurance, such as national defence, intelligence, and the processing of classified information.

The Legal Architecture of Level 4

Under Article 16, cloud computing service providers must meet cumulative criteria set out in Annex II to be recognised as offering a specific Union assurance level. For Level 4, these criteria are exhaustive and designed to eliminate any possibility of third-country influence over infrastructure, personnel, data, or software supply chains.

1. Strict Localisation of Risk-Assessed Sensitive Data

The cornerstone of Level 4 is the absolute localisation of sensitive data. Annex II, section 4.1(c) mandates that "customer data, including metadata and telemetry data, which, following a risk assessment, is identified as sensitive," must remain "exclusively within the Union."

Crucially, this restriction applies "at any time, including before, during or after the configuration or use of the service." The explicit inclusion of metadata and telemetry means that operational exhaust such as logs, monitoring feeds and support diagnostics falls within scope, not only the customer's primary data. Unlike lower tiers, which may permit broader data residency definitions or conditional transfers, Level 4 ties data localisation strictly to the outcome of a risk assessment conducted by the Member State or Union entity. This ensures that only data deemed critical to public order or national security is subject to this absolute localisation mandate, while the framework remains proportionate to the actual risk.

2. Mandatory Union Citizenship and Security Clearance

Personnel requirements at Level 4 are significantly tightened to prevent unauthorised access by foreign nationals. Annex II, section 4.1(d) establishes two distinct but linked conditions:

  • Union Citizenship: All personnel involved in the provision of the audited service, including those of subcontractors, "are Union citizens." This is a mandatory condition, not a conditional one based on public body preference.
  • Security Clearance: The provision further states that "where appropriate, the personnel must also have the necessary national security clearance issued by a Member State when handling classified information."

This dual requirement ensures that the human element of the cloud stack is fully vetted and aligned with national security protocols. It directly addresses the risk of insider threats or foreign intelligence infiltration within the operational support chain.

3. Absolute Prohibition on Third-Country Control

A defining feature of Level 4 is the absence of any derogation for third-country control. Annex II, section 4.1(g) states unequivocally that "the audited provider and the subcontractors which are involved in the provision of the audited service are not subject to the control of a third country or a legal entity established in a third-country."

This stands in sharp contrast to Level 3, which allows for a derogation where the Commission has adopted an implementing act under Article 18 (previously mis-cited as Article 19 in some drafts) recognising a third country as providing sufficient assurances. At Level 4, no such mechanism exists. The provider must be fully autonomous from third-country jurisdictional reach. This is intended to neutralise risks associated with extraterritorial data access laws (such as the US CLOUD Act) or service disruption via foreign political coercion, so that the provider cannot be compelled by a foreign power to access data or degrade service continuity. Note that "control" here is a legal and corporate test applied to the provider and its subcontractors; technical dependencies on third-country software are addressed separately under section 4.1(i), discussed below.

4. Union-Based Infrastructure and Operational Support

To close potential vectors for remote interference, Annex II, section 4.1(b) requires that "the infrastructure, assets, and personnel of the audited provider... are located in the Union."

Furthermore, Annex II, section 4.1(h) mandates that "the technical and operational support or assistance related to the audited service, including subsequent sub-outsourcing arrangements, are initiated and performed exclusively within the Union." This support must be delivered by "personnel that are Union residents, and by third parties that are not subject to the control of a third country." The effect is that even emergency maintenance, patching, or incident response may not be performed from outside the EU, a critical requirement for defence systems that must remain operational under all circumstances. Because this is an audited obligation rather than a technical guarantee, providers should expect auditors to look for enforcement mechanisms, for example administrative access paths that are restricted to Union-located staff and systems, and for evidence that follow-the-sun support models have been excluded for the audited service.

5. Highest Cybersecurity and Software Sovereignty

Level 4 demands the highest cybersecurity standards. Annex II, section 4.1(e) requires the service to obtain a European cybersecurity certificate of at least assurance level 'high' under the European Cybersecurity Certification Scheme for Cloud Services (EUCS), once established. Until such a scheme is available, providers must demonstrate compliance with the highest cybersecurity standards under applicable Union law.

Regarding the software supply chain, Annex II, section 4.1(i) requires the provider to demonstrate "effective control" over software components. This includes proving that "a third country or a legal entity established in a third country does not hold or exercise effective control over the design, development, maintenance, and evolution of those components." This goes beyond mere ownership, scrutinizing the ability to influence technical evolution and security remediation.

The Trigger: Risk Assessments and Public Order

The applicability of Level 4 is not automatic for all public-sector bodies. Article 29 obliges Member States and Union entities to conduct risk assessments to determine which public-sector activities "contribute to the preservation of public order." These assessments must consider the "sensitivity, criticality, and magnitude" of the data processed.

Only activities identified as requiring the highest level of protection (typically those in defence, national security, or involving classified information) will be mapped to Level 4. Article 30(3) then mandates that contracting authorities for these identified activities "shall only procure and use services that have been recognised as offering Union assurance levels 2, 3, or 4." While the law permits levels 2 and 3 for some public-order activities, Level 4 is the requisite choice for the most sensitive classified workloads where the risk assessment dictates the highest assurance.

What this means for you

For public-sector procurement officers, defence officials, and cloud providers, CADA Level 4 introduces a clear, harmonised, and non-negotiable standard for the most critical workloads.

  • Procurement Strategy: When tendering for cloud services supporting defence operations or classified data, you must specify Union assurance level 4 as a minimum requirement. You cannot rely on national sovereignty definitions alone; you must procure services that have been formally recognised under the CADA framework.
  • Vendor Qualification: Only providers that have undergone independent third-party audits and received a 'positive' audit opinion for Level 4 criteria can be considered. Procurement officers must verify a provider's recognised status via the central repository maintained by the Commission under Article 22.
  • Risk Assessment Alignment: Ensure your internal risk assessments (Article 29) clearly document why specific workloads require Level 4. This justification is crucial for compliance and for defending procurement decisions against challenges. The assessment must explicitly link the sensitivity of the data to the need for the highest assurance level.
  • Transition Planning: If you currently use non-compliant providers for classified workloads, you must plan a migration to a Level 4-compliant service. Article 29(6) allows for a reasonable transition period, not exceeding 12 months, to migrate to a compliant provider, taking into account technical feasibility and data portability.
  • For Providers: Achieving Level 4 requires a fundamental restructuring of the supply chain. Providers must ensure that no third-country entity holds effective control over their software evolution, that all personnel involved in providing the service (including subcontractors' staff) are Union citizens, and that support is initiated and performed within the Union by Union residents; the Annex II criteria apply cumulatively, so both the citizenship and the residency conditions must be met. This may require establishing fully autonomous EU subsidiaries with strict governance firewalls.

Common misconceptions

"Level 4 is for all classified data automatically." While Level 4 is designed for classified workloads, the requirement to use it is triggered by a risk assessment (Article 29). Not all data processed by defence bodies may require Level 4; the assessment determines the appropriate level based on sensitivity and criticality. For the most sensitive classified information, however, Level 4 is the standard the framework expects the assessment to select.

"Level 3 is sufficient for defence workloads." Level 3 allows for derogations where a third country is deemed to provide sufficient assurances (Article 18). For defence and classified workloads where absolute autonomy from third-country control is required, Level 4 is necessary because it prohibits any third-country control entirely. Level 3 may be appropriate for less sensitive security-related data, but Level 4 is the benchmark for the highest protection.

"Data localisation means all data must stay in the EU." At Level 4, the requirement is specifically for "sensitive" data as identified by the risk assessment (Annex II, 4.1(c)). While this covers the core classified workloads, it is precise in its scope. However, in practice, for defence workloads, the majority of data will likely be classified as sensitive, resulting in de facto full localisation.

"National security clearances are optional." At Level 4, Union citizenship is mandatory for all personnel involved in service provision. National security clearance is required "where appropriate" for handling classified information. For defence workloads involving classified data, this effectively makes clearance a mandatory de facto requirement for the personnel accessing that data.

This is general information about a draft EU regulation, not legal advice.