Summary
The proposed Cloud and AI Development Act (CADA) establishes a tiered sovereignty framework where requirements for support and operations teams tighten significantly as assurance levels rise. Under Annex II 1.1(d), Level 1 permits outsourced support outside the Union provided it does not compromise operational autonomy. For Levels 2, 3, and 4, Annex II 2.1(h), 3.1(h), and 4.1(h) mandate that all technical and operational support must be "initiated and performed exclusively within the Union." Crucially, for Levels 3 and 4, this support must be delivered by personnel who are Union residents, and the providers must not be subject to third-country control (unless a specific derogation under Article 18 applies). While Level 2 requires the activity to be in the EU, Levels 3 and 4 add strict personnel constraints (residency and citizenship) and control restrictions that effectively ban reliance on third-country-controlled subcontractors for support functions.
Detail
CADA's sovereignty framework, detailed in Title IV, Chapter I, structures cloud trust through four "Union assurance levels." As providers seek recognition for higher levels, the constraints on their operational footprint, support structures, and personnel become increasingly rigorous. These requirements are designed to mitigate risks related to extraterritorial access, service disruption, and the loss of operational autonomy.
Union Assurance Level 1: Operational Autonomy with Flexible Support
For providers seeking Union Assurance Level 1, the primary focus is on ensuring that the cloud computing service provider retains full operational autonomy. The regulation does not mandate that support teams be physically located within the Union.
Under Annex II, Section 1.1(d), if a provider outsources technical and operational support or assistance to third-party service providers outside the Union, they must implement "necessary legal, technical and organisational measures" to ensure traceability, security, and governance. The critical condition is that these operations "do not, in any way, compromise the operational autonomy of the cloud computing service provider."
This means that while support teams can be located globally, the provider must retain the ability to control service delivery without interference from third-country laws or entities. There are no explicit requirements in Annex II for support personnel to be Union citizens or residents at this level, nor is there a requirement for support activities to be physically located within the Union, provided the autonomy test is met.
Union Assurance Level 2: Union-Based Support Operations
For Union Assurance Level 2, the requirements tighten significantly regarding the geographic location of support activities. Annex II, Section 2.1(h) mandates that "technical and operational support or assistance related to the audited service, including subsequent sub-outsourcing arrangements, are initiated and performed exclusively within the Union."
This provision effectively bans offshore support centers for Level 2 services. All help desks, security operations centers (SOCs), network operations centers (NOCs), and administrative support must be based in the EU. However, at Level 2, there is no explicit requirement in Annex II that the support personnel themselves must be Union citizens or residents; the regulation focuses on the location of the activity. The personnel performing the support must be located in the Union, but their citizenship or residency status is not explicitly defined as a barrier at this specific tier, unlike the stricter rules for Levels 3 and 4.
Union Assurance Level 3: Union Resident Support Personnel and No Third-Country Control
Union Assurance Level 3 introduces strict personnel residency and control requirements for support teams, marking a significant shift from Level 2. Annex II, Section 3.1(h) states that technical and operational support must be "initiated and performed exclusively within the Union, by personnel that are Union residents, and by third parties that are not subject to the control of a third country or a legal entity established in a third country."
This creates a dual constraint for Level 3:
- Residency: Support staff must be Union residents. This is a stricter requirement than mere physical presence; it implies a legal status of residence within the Union.
- Control: Any subcontractors providing support must not be controlled by third-country entities.
Furthermore, Annex II, Section 3.1(d) requires that all personnel involved in the provision of the service, including subcontractors, must be Union citizens. For those handling classified information, national security clearances may also be required.
Important Note on Third-Country Derogations: While Annex II 3.1(g) generally prohibits third-country control, Article 18 of the proposal allows the Commission to adopt implementing acts identifying third countries where providers subject to their control may still be audited for Level 3, provided specific safeguards are met. However, even in such cases, the strict personnel residency and citizenship requirements of Annex II 3.1(d) and 3.1(h) would still apply to the support teams.
Union Assurance Level 4: Highest Assurance with Strict Residency and Control
Union Assurance Level 4 mirrors the strict personnel requirements of Level 3 regarding support. Annex II, Section 4.1(h) requires that support be "initiated and performed exclusively within the Union, by personnel that are Union residents, and by third parties that are not subject to the control of a third country or a legal entity established in a third country."
Like Level 3, Annex II, Section 4.1(d) mandates that all personnel involved in the service provision must be Union citizens, with additional security clearances for classified data. The key distinction between Level 3 and Level 4 lies in other criteria, such as the cybersecurity certification level (Level 4 requires "high" assurance under EUCS, whereas Level 3 requires "substantial") and the specific data sensitivity classifications, but the support team requirements regarding location, residency, and control remain equally stringent.
Audit Evidence for Support Teams
Auditors will verify compliance with these support requirements through specific evidence outlined in Annex III. Annex III, Section 8 (Audit criterion H) details the evidence providers must supply:
- Binding contractual clauses ensuring all support activities are performed exclusively in the Union.
- Evidence that no remote access for technical support exists from outside the Union.
- Proof that help desks, SOCs, and NOCs are provided exclusively from the Union.
- Evidence of geographically restricted network controls and Union-based administrative infrastructure.
For Levels 3 and 4, auditors will also verify the residency status of support personnel and the absence of third-country control over subcontractors, as detailed in Annex III, Sections 7 (Audit criterion G) and 11 (Audit criterion K).
What this means for you
For CTOs, architects, and compliance officers, CADA's tiered approach necessitates a fundamental restructuring of global support models for EU public sector contracts.
- Map Your Support Footprint: If you target Level 1, ensure your offshore support contracts include robust governance clauses that guarantee your operational autonomy. Document these measures meticulously to prove that third-country laws cannot force service disruption or data access.
- Relocate for Level 2: If you aim for Level 2, you must cease using offshore support centers for EU clients. All support initiation and execution must move to the EU. This may require establishing new regional support hubs within the Union, even if the staff are not yet Union residents.
- Vet Personnel for Levels 3 and 4: For the highest assurance levels, you must ensure your EU-based support staff are Union residents. Additionally, you must vet subcontractors to ensure they are not controlled by third-country entities. This may impact your use of global managed service providers that rely on third-country ownership structures.
- Update Contracts and Infrastructure: Review all support contracts to ensure they align with the tier you are pursuing. Implement technical controls, such as geo-fencing for administrative access, to prevent remote support from outside the Union for Levels 2–4.
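A policy-as-code check of the tiered support rules summarised above, written here as an added example (not from the proposal text or any project): the `SupportArrangement` fields and `evaluate_support` are assumed names, the inputs are constructed, and the Article 18 derogation flag is applied to the third-country control check at Levels 3 and 4 as the summary describes.

```python
from dataclasses import dataclass


@dataclass
class SupportArrangement:
    """One support/operations arrangement for an audited cloud service (constructed inputs)."""
    level: int                                  # target Union assurance level, 1-4
    performed_in_union: bool                    # support initiated and performed exclusively within the Union
    autonomy_preserved: bool                    # outsourcing does not compromise operational autonomy (Level 1 test)
    staff_union_residents: bool                 # support personnel are Union residents
    staff_union_citizens: bool                  # all personnel involved in service provision are Union citizens
    subcontractor_third_country_control: bool   # a support subcontractor is controlled by a third-country entity
    art18_derogation: bool = False              # assumed flag: Article 18 implementing act covers that third country


def evaluate_support(a: SupportArrangement) -> list[str]:
    """Return findings against the Annex II support rules as summarised on this page; empty = no finding."""
    if a.level not in (1, 2, 3, 4):
        raise ValueError("Union assurance level must be 1, 2, 3 or 4")
    findings: list[str] = []
    if a.level == 1:
        # Level 1: support may sit outside the Union, but only if operational autonomy survives.
        if not a.autonomy_preserved:
            findings.append("Annex II 1.1(d): outsourced support compromises operational autonomy")
        return findings
    # Levels 2-4: the activity itself must be in the Union, including sub-outsourcing.
    if not a.performed_in_union:
        findings.append(f"Annex II {a.level}.1(h): support not initiated and performed exclusively within the Union")
    if a.level >= 3:
        # Levels 3-4 add personnel residency/citizenship and third-country control constraints.
        if not a.staff_union_residents:
            findings.append(f"Annex II {a.level}.1(h): support personnel are not Union residents")
        if not a.staff_union_citizens:
            findings.append(f"Annex II {a.level}.1(d): personnel involved in service provision are not Union citizens")
        if a.subcontractor_third_country_control and not a.art18_derogation:
            findings.append(f"Annex II {a.level}.1(h): support subcontractor subject to third-country control")
    return findings
```

Feed it one record per support contract or subcontractor and treat any non-empty result as a gap to close before the Annex III audit.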
Common misconceptions
- "Level 1 allows unlimited offshore support." While support can be offshore, it must not compromise operational autonomy. If a third-country law could force your offshore support team to disrupt service or access data, you may fail the Level 1 test.
- "Level 2 requires Union citizen support staff." No. Level 2 requires support to be performed in the Union, but does not explicitly mandate Union citizenship or residency for the support personnel, unlike Levels 3 and 4.
- "Union residents can be non-citizens." Yes. Levels 3 and 4 require support personnel to be Union residents, but also require all personnel involved in service provision to be Union citizens. Ensure your staffing policies reflect both residency and citizenship requirements.
- "Third-country control is always banned at Level 3." While generally prohibited, Article 18 allows for a derogation if the Commission adopts an implementing act for a specific third country. However, even then, the personnel residency and citizenship rules remain strict.
This is general information about a draft EU regulation, not legal advice.