Summary
Under the proposed Cloud and AI Development Act (CADA), cloud providers seeking Union assurance levels 2, 3, or 4 must ensure that all technical and operational support is both initiated and performed exclusively within the European Union. This requirement, established in Article 16 and detailed in Annex II, prohibits support workflows from being triggered or executed outside the EU. At Union assurance level 3, the rules tighten further: support personnel must be Union citizens (for access) and Union residents (for performance), and the provider must not be subject to third-country control. The specific derogation allowing third-country control for Level 3 is governed by Article 18, not Article 19.
Detail
The Cloud and AI Development Act (CADA) introduces a rigorous sovereignty framework to mitigate risks associated with third-country control, extraterritorial data access, and operational discontinuity. A cornerstone of this framework is the geographic and operational containment of technical support. Article 16 establishes the Union cloud computing sovereignty framework comprising four assurance levels, while Annex II sets out the specific cumulative criteria providers must meet for each level.
The requirement to initiate and perform support exclusively within the Union applies to cloud computing service providers seeking recognition at Union assurance levels 2, 3, and 4. This represents a significant escalation from Union assurance level 1, which permits outsourced support outside the Union provided that operational autonomy is preserved and necessary security measures are implemented.
Union Assurance Level 2: Initiation and Performance within the Union
For Union assurance level 2, Annex II, Section 2.1(h) mandates that:
"the technical and operational support or assistance related to the audited service, including subsequent sub-outsourcing arrangements, are initiated and performed exclusively within the Union;"
This criterion imposes two distinct operational constraints:
- Initiation: The trigger for any support activity (whether a user ticket, an automated alert, or a service request) must originate from within the Union. The regulation requires that the support workflow itself be initiated within the EU. This prevents support centers located in third countries from accepting the initial trigger for services provided to Union entities under this assurance level.
- Performance: The actual execution of the support (diagnosis, troubleshooting, configuration changes, or maintenance) must be carried out by personnel and systems physically located within the EU. This effectively bans offshore support centers for services certified at this level, unless those centers are physically situated in an EU Member State.
Union Assurance Level 3: Added Personnel and Control Restrictions
For Union assurance level 3, the requirements become more stringent, adding layers of personnel qualification and control restrictions. Annex II, Section 3.1(h) states:
"the technical and operational support or assistance related to the audited service, including subsequent sub-outsourcing arrangements, are initiated and performed exclusively within the Union, by personnel that are Union residents, and by third parties that are not subject to the control of a third country or a legal entity established in a third country;"
This adds two critical layers to the Level 2 requirements:
- Union Residents: The personnel performing the support must be Union residents. This is distinct from the requirement for Union citizenship found in Annex II, Section 3.1(d), which applies to personnel handling classified information. While Annex III (Audit Criterion D) requires proof of Union citizenship for access to sensitive data, the "initiated and performed" rule in 3.1(h) specifically targets the residency of the personnel executing the support tasks.
- No Third-Country Control: The personnel and the third-party providers (including subcontractors) must not be subject to the control of a third country or a legal entity established in a third country. This prevents scenarios where a support team is physically in the EU but operationally directed or legally compelled by a foreign parent company.
Important Derogation: While Level 3 generally prohibits third-country control, Annex II, Section 3.1(g) provides a specific derogation. A provider subject to third-country control may still be audited for Level 3 where the Commission has adopted an implementing act under Article 18 (Associated third countries). This is a critical distinction: the relevant article for third-country eligibility is Article 18, not Article 19 (which governs conformity self-assessment for Level 1).
Union Assurance Level 4: Consistent with Level 3
Union assurance level 4 mirrors the strict personnel and control requirements of Level 3 regarding support. Annex II, Section 4.1(h) repeats the same language:
"the technical and operational support or assistance related to the audited service, including subsequent sub-outsourcing arrangements, are initiated and performed exclusively within the Union, by personnel that are Union residents, and by third parties that are not subject to the control of a third country or a legal entity established in a third country;"
Additionally, Level 4 requires a European cybersecurity certificate of at least assurance level 'high' (Annex II 4.1(e)), whereas Levels 2 and 3 require at least 'substantial'.
Verification and Audit Evidence
To demonstrate compliance, providers must supply robust audit evidence. Annex III outlines the specific evidence required for auditing these criteria. For the "No technical and operational support outside of the Union" criterion (Audit Criterion H), auditing organizations must verify:
- Binding contractual clauses stating that all support, administration, maintenance, and incident response must be initiated and performed exclusively in the Union.
- Evidence that there is no remote access for technical and operational support from outside the Union.
- Proof that help desks, security operations centers (SOCs), and network operations centers (NOCs) are exclusively provided from the Union.
- Geographically restricted network controls and Union-based administrative infrastructure.
What this means for you
For CTOs, architects, and SMEs evaluating cloud providers, these provisions have profound architectural and operational implications.
- Re-evaluate Your Support Stack: If you are targeting public sector contracts that require Union assurance levels 2 or higher, your current support model is likely non-compliant. If your support tickets are routed through a global ticketing system based in the US or Asia, or if your L2/L3 support engineers are located in third countries, you will fail the audit. You must architect a support flow where the initial contact and all subsequent technical actions occur within the EU.
- Subcontractor Scrutiny: The rule applies to "subsequent sub-outsourcing arrangements." You cannot outsource support to a third-party vendor that uses offshore resources. You must ensure your entire support supply chain is EU-based. For Levels 3 and 4, you must also verify the residency and control status of every individual in that chain.
- Network Architecture Changes: To prevent remote access from outside the Union, you may need to implement strict geofencing for administrative interfaces. Support portals and remote management tools must be accessible only from EU IP ranges or via EU-based secure gateways.
- Personnel Management for Levels 3/4: For higher assurance levels, HR policies must ensure that support staff are Union residents and that their employment contracts do not expose them to foreign control mechanisms. This may require restructuring global employment arrangements for technical teams. Note that while Annex III (Audit Criterion D) focuses on proving Union citizenship for access to classified data, the support performance rule in Annex II 3.1(h) specifically mandates Union residency.
- Documentation Burden: You will need to maintain comprehensive evidence, including contractual clauses, access logs, and network diagrams, to prove to auditing organizations that no support was initiated or performed from outside the Union.
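The "no remote access from outside the Union" evidence item and the geofencing point above are only as good as the controls that produce the access logs. The following is an added illustration, not code from the regulation or from any provider: a small audit script that walks administrative access log lines and flags every session whose source address is not inside the provider's inventory of EU-based administrative prefixes. The log line layout, the field names and the allowlisted prefixes are all constructed for this example (the prefixes are RFC 5737 and RFC 3849 documentation ranges standing in for real EU allocations, which would have to come from the provider's own network inventory). Unparsable lines are reported as findings too, because a gap in the evidence is itself something an auditor will ask about.

```python
"""Audit admin/support access logs for sessions originating outside the Union.

Hypothetical, self-contained example: the log format, the field names and the
allowlisted prefixes are all constructed for this illustration.
"""
import ipaddress
import re
from typing import Iterable, List

# Constructed stand-in for the provider's inventory of EU-based administrative
# source prefixes (jump hosts, EU SOC/NOC egress). Documentation prefixes are
# used so the example runs offline.
EU_ADMIN_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Constructed log line layout: ISO timestamp followed by key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+"
    r"target=(?P<target>\S+)\s+action=(?P<action>\S+)"
)


def is_eu_source(addr: str, prefixes=EU_ADMIN_PREFIXES) -> bool:
    """True if addr falls inside one of the allowlisted EU prefixes."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # an unparsable address can never be shown to be EU-based
    return any(ip in net for net in prefixes)


def audit_admin_access(lines: Iterable[str], prefixes=EU_ADMIN_PREFIXES) -> List[dict]:
    """Return one finding per line that is either non-EU sourced or unparsable."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            # Evidence gaps are findings: the auditor needs a complete record.
            findings.append({"line": n, "reason": "unparsable", "raw": line})
            continue
        rec = m.groupdict()
        if not is_eu_source(rec["src"], prefixes):
            findings.append({"line": n, "reason": "non-eu-source", **rec})
    return findings


# Constructed sample: two EU-sourced sessions, two non-EU sessions, one
# mangled line that the log collector damaged.
SAMPLE_LOG = """\
2025-01-10T09:12:03Z src=192.0.2.17 user=ops1 target=admin-portal action=login
2025-01-10T09:14:41Z src=198.51.100.9 user=ops7 target=admin-portal action=login
2025-01-10T09:15:02Z src=2001:db8:1::42 user=soc2 target=bastion action=ssh
2025-01-10T09:16:30Z src=2001:db8:2::7 user=vendor3 target=bastion action=ssh
garbage line that the collector mangled
"""


def run_sample() -> List[dict]:
    """Run the audit over the constructed sample log."""
    return audit_admin_access(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Run as a script it prints three findings: the two sessions from outside the allowlisted prefixes and the mangled line. In practice the allowlist would be generated from the same source of truth that feeds the firewall or gateway geofence, so that the audit evidence and the enforcing control cannot drift apart.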
Common misconceptions
Misconception 1: "As long as the support engineer is working from an EU office, it doesn't matter where the ticket originated." Correction: False. Annex II 2.1(h) and 3.1(h) explicitly state that support must be initiated within the Union. If a user in a third country opens a ticket, or if an automated alert from a third-country data center triggers the support workflow, this may violate the "initiated exclusively within the Union" requirement for services provided to EU public sector bodies under these assurance levels. The entire lifecycle of the support interaction must be contained within the EU.
Misconception 2: "We can use offshore support if we have a local EU manager overseeing it." Correction: False. The requirement is that the support is performed exclusively within the Union. Offshore performance is prohibited regardless of local oversight. The actual technical work must be done by personnel located in the EU.
Misconception 3: "Level 1 has the same support restrictions." Correction: False. Annex II Section 1.1 (Level 1) does not contain the strict "initiated and performed exclusively within the Union" clause for technical support. Level 1 only requires that if technical support is outsourced outside the Union, necessary measures are implemented to ensure traceability and security, and that operational autonomy is not compromised. The strict geographic ban on initiation and performance starts at Level 2.
Misconception 4: "Union resident means the same as physically present in the EU." Correction: Not necessarily. For Levels 3 and 4, Annex II 3.1(h) and 4.1(h) specify "personnel that are Union residents." While they must also be performing the work within the Union, the "resident" status is a legal/jurisdictional requirement that adds a layer of stability and legal tie to the EU, beyond just physical presence during work hours. This is distinct from the Union citizenship requirement in 3.1(d) for handling classified information.
Misconception 5: "The third-country control rule for Level 3 is in Article 19." Correction: False. The implementing act allowing a third-country controlled provider to qualify for Level 3 is adopted under Article 18 (Associated third countries), as referenced in Annex II 3.1(g). Article 19 governs conformity self-assessment for Level 1.
Related
- CADA Level 3 Support & Personnel Rules: Residents, Location & Control
- CADA Support & Operations Rules by Tier: Location, Residency & Control
- CADA Outsourcing Rules: Technical Support by Assurance Level
- How to prove EU-only support delivery under CADA: Level 2 vs Level 3 rules
- CADA Level 4 Personnel Rules: Union Citizens, Clearances & Subcontractors
This is general information about a draft EU regulation, not legal advice.