Summary
Under the proposed Cloud and AI Development Act (CADA), cloud service providers seeking Union assurance level 1 must provide full transparency regarding their use of subcontractors. As Annex II, Section 1, Paragraph 1(f) states, providers must subject those subcontractors to due diligence, bind them through contractual obligations, and maintain ongoing oversight so that Union legal obligations are met. This declaration is a mandatory component of the conformity self-assessment for Union assurance level 1 and a key safeguard for data sovereignty and operational autonomy. A provider that cannot demonstrate these measures cannot be recognized at the baseline assurance level.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a strict sovereignty framework designed to mitigate the risks of dependence on third-country cloud providers and to safeguard the Union's public order. Central to this framework is the concept of "Union assurance levels," which categorize cloud services according to specific sovereignty, security, and operational criteria. For providers aiming for Union assurance level 1 (the baseline requirement for most public sector procurement under Article 30(2)), CADA imposes specific, non-negotiable obligations regarding the management, declaration, and oversight of subcontractors.
Unlike higher assurance levels (Levels 2, 3, and 4), which require independent third-party audits to verify compliance, Union assurance level 1 relies on a conformity self-assessment conducted by the provider itself, as outlined in Article 19. Consequently, the provider's declaration of subcontractor management practices is the primary evidence submitted to the national competent authority to demonstrate compliance. The accuracy and completeness of this declaration are therefore paramount.
The Transparency Requirement in Annex II
The core obligation is found in Annex II, Section 1, Paragraph 1(f) of the CADA proposal. This provision sets out the cumulative criteria that a cloud computing service provider must meet to be recognized as offering Union assurance level 1. Specifically, it states:
"the cloud computing service provider provides full transparency around the use of subcontractors. The cloud computing service provider subjects subcontractors to due diligence, contractual obligations and ongoing oversight to meet Union legal obligations;"
This requirement is not merely administrative; it is a substantive condition for recognition. The text mandates three distinct but interconnected actions:
- Full Transparency: The provider must disclose the use of subcontractors.
- Due Diligence: The provider must actively vet these entities.
- Contractual Obligations & Ongoing Oversight: The provider must legally bind subcontractors and continuously monitor them to ensure they meet Union legal obligations.
This criterion applies to all subcontractors involved in the provision of the service. The requirement ensures that the "sovereign" nature of the service is not compromised by opaque supply chains where third parties might introduce risks related to data access, operational continuity, or third-country control.
Components of the Declaration
To satisfy the requirement for "full transparency" and the associated obligations, a provider's declaration and internal processes must effectively cover three distinct pillars:
1. Due Diligence
Before engaging a subcontractor, the provider must conduct thorough checks to confirm that the subcontractor is capable of meeting the relevant Union legal obligations. This includes assessing the subcontractor's technical capabilities, security posture, and legal status, and verifying that it does not introduce risks that would compromise the sovereignty or security of the service. Under the proposed framework, this initial diligence is the foundation for the "ongoing oversight" the text also requires: the provider must be able to show that it evaluated the subcontractor's ability to comply with CADA's sovereignty criteria before entering into the agreement, and that later oversight measures that baseline.
2. Contractual Obligations
The provider must have binding legal agreements with all subcontractors involved in the provision of the service. These contracts must explicitly transfer the necessary obligations to the subcontractor, ensuring they adhere to the same standards required by CADA. This includes clauses related to data protection, security standards, and the prohibition of unauthorized access or data transfer outside the Union unless explicitly permitted by the public sector body. The text in Annex II 1.1(f) explicitly links "contractual obligations" to the goal of meeting "Union legal obligations," implying that the contract must be the vehicle through which these obligations are enforced.
3. Ongoing Oversight
Transparency is not a one-time event. The text mandates "ongoing oversight." Providers must demonstrate mechanisms for continuous monitoring of subcontractor performance and compliance. This includes regular audits, incident reporting procedures, and the ability to terminate contracts if a subcontractor fails to meet the required standards. The "ongoing" nature of this requirement suggests that the provider must have active processes in place to detect changes in the subcontractor's status, such as a change in ownership, a new third-country control risk, or a security breach.
Scope of "Subcontractors"
It is crucial to understand who qualifies as a subcontractor under CADA to ensure the declaration is accurate. According to Annex II, Section 1, Paragraph 1.2, subcontractors are defined as "third parties that have a direct contractual relationship with the cloud computing service provider and that contribute to the provision and the delivery of the cloud computing service."
This definition is specific: it covers entities with a direct contractual relationship with the provider. It does not explicitly address sub-subcontractors (entities contracted by a primary subcontractor), and the declaration requirement in 1.1(f) is framed around the relationship between the provider and its direct subcontractors. The provider nonetheless remains responsible for the service as a whole. Where a primary subcontractor uses sub-subcontractors, the provider's "due diligence" and "contractual obligations" must ensure that the primary subcontractor manages its own supply chain in a way that protects the provider's compliance with CADA, and the "full transparency" requirement implies that the provider should know the full chain of entities contributing to service delivery.
Integration with the Conformity Self-Assessment
Under Article 19, cloud computing service providers seeking Union assurance level 1 must carry out a conformity self-assessment. Following this assessment, they issue an "EU statement of conformity." The declaration of subcontractor management is an integral part of this self-assessment. The provider must document how they have fulfilled the criteria in Annex II, including the transparency, due diligence, and oversight measures for subcontractors.
This documentation must be available for review by national competent authorities. Level 1 does not require the independent third-party audit that Levels 2 to 4 require under Article 20, so the provider assumes full responsibility for the accuracy of its statement. If the authority finds that the provider has not subjected its subcontractors to due diligence or ongoing oversight, recognition of the service at Union assurance level 1 could be refused or withdrawn.
What this means for you
For cloud service providers and data centre operators subject to CADA, the declaration of subcontractors is a critical compliance step. The following actions put a Level 1 recognition on a sound footing:
- Audit Your Subcontractor Landscape: Identify all third parties that have a direct contractual relationship with you and contribute to the provision of your cloud services. Ensure you have a clear, up-to-date inventory of these entities. Do not rely on legacy lists; verify that every entity contributing to the service is captured.
- Review Contracts for Specificity: Ensure your contracts with these subcontractors include explicit clauses that bind them to the relevant Union legal obligations, including data sovereignty, security, and transparency requirements. Vague or generic clauses may not suffice to meet the "contractual obligations" requirement of Annex II 1.1(f).
- Document Due Diligence Processes: Establish and document a formal process for vetting new subcontractors. This should include checks on their security certifications, data handling practices, and legal compliance. Keep records of these assessments to prove that "due diligence" was performed.
- Implement Oversight Mechanisms: Develop a system for ongoing monitoring of subcontractor performance. This could include regular security audits, incident response testing, and compliance reviews. Document these activities thoroughly to demonstrate "ongoing oversight."
- Prepare for Self-Assessment: When preparing your EU statement of conformity for Union assurance level 1, assemble comprehensive evidence of your subcontractor management practices. National competent authorities may review this evidence during the recognition process, so the statement should explicitly set out how you meet the criteria in Annex II 1.1(f).
Common misconceptions
- "Only Level 2, 3, and 4 providers need to worry about subcontractors." Incorrect. While higher levels require more rigorous independent audits, Level 1 providers must still demonstrate full transparency, due diligence, and ongoing oversight. The criteria in Annex II 1.1(f) apply specifically to Level 1 as a cumulative requirement.
- "I only need to declare my primary subcontractors." Partially correct, but misleading. At Level 1, the definition in Annex II 1.2 covers direct contractual relationships. You nonetheless remain responsible for the overall security and sovereignty of your service: if your primary subcontractors use sub-subcontractors, your contracts with the primary subcontractors must require them to manage their own supply chains in a way that protects your compliance, and the "full transparency" requirement implies visibility into that chain.
- "A simple list of subcontractors is enough for transparency." No. "Full transparency" implies more than just a list. It requires demonstrating the due diligence, contractual binding, and ongoing oversight mechanisms. Authorities will expect to see evidence of these processes, not just names. The text explicitly links transparency to the actions of due diligence and oversight.
- "CADA only applies to public sector providers." Incorrect. While the procurement obligations fall on public bodies, the sovereignty framework (including the subcontractor rules) applies to any cloud computing service provider seeking recognition to serve the public sector.
Related
- What are the subcontractor rules for CADA Level 1?
- CADA Level 3 Support & Personnel Rules: Residents, Location & Control
- CADA Level 4 Personnel Rules: Union Citizens, Clearances & Subcontractors
- What must a US hyperscaler do to reach a CADA assurance level?
- CADA foreign-control safeguards: What providers must prove for UAL 2 & 3
This is general information about a draft EU regulation, not legal advice.