Summary
Under the proposed Cloud and AI Development Act (CADA), the "cumulative criteria" rule means that cloud providers seeking higher Union assurance levels must satisfy all requirements of that level plus every lower level. As proposed, a provider cannot achieve Union assurance level 3 or 4 unless it has first met the strict conditions for levels 1 and 2. This hierarchical structure, explicitly codified in Article 20(1), ensures that higher sovereignty tiers build upon a foundational baseline of EU establishment, data localization, and cybersecurity, rather than replacing them. Failure to meet any single requirement at a lower level precludes conformity with any higher level.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a four-tier Union cloud computing sovereignty framework designed to mitigate risks associated with dependence on non-European providers. Central to this framework is the concept of cumulative compliance, which dictates the logical progression through the assurance levels.
The Legal Basis for Cumulative Compliance
The hierarchical nature of the framework is not merely implied; it is explicitly mandated by the text of the proposal. Article 16 establishes the framework comprising four Union assurance levels, with specific criteria detailed in Annex II. The mechanism for stacking these requirements is found in Article 20(1), which governs independent third-party audits.
The provision states:
"An audited provider undergoing an audit procedure at a higher Union assurance level shall satisfy all the applicable cumulative criteria under Annex II applicable to the lower Union assurance levels. Failure to meet any requirements of a lower assurance level shall preclude conformity with the higher Union assurance levels."
This creates a strict dependency chain where higher levels are additive, not substitutive.
The Four-Tier Stack: A Cumulative Breakdown
To understand the practical application of Article 20(1), one must examine how the criteria in Annex II layer upon one another.
1. Union Assurance Level 1: The Baseline
Level 1 serves as the entry point for the sovereignty framework. As proposed, providers must meet the following cumulative criteria:
- Establishment: The provider must be established in the Union.
- Infrastructure & Data: Infrastructure, assets, and customer data must remain exclusively within the Union, unless a public sector body explicitly requires otherwise.
- Subcontracting: If technical support is outsourced to third parties outside the Union, strict legal and technical measures must ensure operational autonomy is not compromised.
- Cybersecurity: The service must comply with state-of-the-art cybersecurity standards.
- Transparency: Full transparency regarding the use of subcontractors is required.
- Third-Country Control: If the provider is subject to third-country control, it must guarantee that no laws in that country require reporting software vulnerabilities prior to exploitation.
2. Union Assurance Level 2: Adding Cybersecurity and Personnel
To reach Level 2, a provider must satisfy all Level 1 criteria plus additional requirements:
- Personnel Location: All personnel involved in the service must be located in the Union.
- Cybersecurity Certification: The service must obtain a European cybersecurity certificate of at least assurance level 'substantial' under a scheme established under Regulation (EU) 2019/881 (or demonstrate equivalent highest standards if no scheme exists).
- AI Data Usage: Data generated by the service cannot be used to train or fine-tune AI systems operated by third countries or entities established in third countries.
- Support Location: Technical and operational support must be initiated and performed exclusively within the Union.
- Software Supply Chain: Providers must maintain a complete Software Bill of Materials (SBOM) and implement controls to block remote tampering features in third-country software components.
3. Union Assurance Level 3: Personnel Citizenship and Control Restrictions
Level 3 adds a layer of personnel and control restrictions on top of Levels 1 and 2:
- Union Citizenship: All personnel involved in the service provision must be Union citizens. Where appropriate, they must hold national security clearances for handling classified information.
- Third-Country Control: Generally, the provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country.
- Derogation: A critical drafting nuance exists here. Annex II, Section 3.1(g) references an implementing act under Article 19 for a derogation allowing third-country control. However, Article 19 of the proposal governs "Conformity self-assessment" for Level 1, while the mechanism for recognizing third-country safeguards resides in Article 18 ("Associated third countries"). The reference to Article 19 therefore appears to be a drafting inconsistency in the proposal text, and Article 18 is the correct legal basis for third-country recognition.
- Support Personnel: Technical support must be performed by Union residents and third parties not subject to third-country control.
4. Union Assurance Level 4: The Highest Sovereignty
Level 4 represents the strictest tier, requiring all previous criteria plus:
- High Cybersecurity: The service must obtain a European cybersecurity certificate of at least assurance level 'high'.
- Software Control: The provider must demonstrate that no third country holds effective control over the design, development, maintenance, or evolution of software components. "Effective control" here includes the ability to materially influence the software's technical evolution and its security remediation.
- Sensitive Data: Customer data identified as sensitive following a risk assessment must remain exclusively within the Union.
The "Preclusion" Mechanism
The most critical operational aspect of Article 20(1) is the preclusion rule: "Failure to meet any requirements of a lower assurance level shall preclude conformity with the higher Union assurance levels."
This means an audit for Level 4 is not a standalone check of Level 4 criteria. It is a comprehensive audit of Levels 1, 2, 3, and 4.
- If a provider fails the Level 1 requirement of "establishment in the Union," it cannot be recognized at Level 2, 3, or 4, regardless of how robust its Level 4 software controls are.
- If a provider fails the Level 2 requirement of a "substantial" cybersecurity certificate, it cannot achieve Level 3 or 4, even if it has Union citizen staff.
- If a provider fails the Level 3 requirement of Union citizen personnel, it cannot achieve Level 4.
This structure prevents "level skipping" and ensures that the most sensitive public sector use cases (requiring Level 3 or 4) are underpinned by the foundational sovereignty guarantees of the lower tiers.
Enforcement and Transparency
The cumulative nature of the criteria extends to ongoing compliance and enforcement.
- Transparency (Article 23): Providers must notify their auditing organization and the national competent authority of any material change in circumstances that may affect their recognition. If a provider loses its Level 1 status (e.g., a subcontractor moves infrastructure outside the EU), it automatically loses its Level 4 status.
- Penalties (Article 24): Member States must lay down rules on penalties for infringements of the sovereignty framework. These penalties must be "effective, proportionate and dissuasive." Criteria for penalties include the nature, gravity, and duration of the infringement. Recipients of services also have the right to seek compensation for damage caused by a provider's failure to meet these obligations.
What this means for you
For in-house counsel, compliance officers, and cloud providers, the cumulative criteria mandate a holistic compliance strategy rather than a siloed approach.
- Baseline Compliance is Non-Negotiable: Before investing in the complex requirements of Level 3 or 4 (such as security clearances for all staff or high-level cybersecurity certification), ensure your organization is fully compliant with Level 1 and 2. A gap in Level 1 data localization or Level 2 cybersecurity certification will invalidate any higher-level certification immediately.
- Audit Preparation: Prepare for audits that scrutinize the entire stack. When seeking recognition under Article 17, you must submit evidence for all applicable lower-level criteria alongside the target level's specific evidence. Auditing organizations are legally required to verify the full chain of compliance.
- Supply Chain Due Diligence: The criteria apply to the audited provider and its subcontractors involved in service provision. If a subcontractor fails to meet Level 1 location requirements, the entire service fails to meet Level 1, and thus cannot claim Level 2, 3, or 4 status. Review contracts to enforce these standards downstream.
- Change Management: Implement robust monitoring systems to detect any changes that might affect lower-level compliance. As per Article 23, any material change must be reported. Failure to report a breach of a lower-level criterion can lead to the revocation of your higher-level status, potentially disrupting public sector contracts.
Common misconceptions
"Higher levels replace lower levels." Some providers assume that achieving Level 3 exempts them from Level 1 data localization rules. This is incorrect. Article 20(1) explicitly states that failure to meet any lower-level requirement precludes conformity with higher levels. All criteria are additive.
"Cumulative criteria only apply to the initial audit." The cumulative nature applies to the ongoing provision of services, not just the initial audit. Continuous compliance with all lower-level criteria is required to maintain recognition. If a provider slips on a Level 1 criterion, its Level 4 status is immediately compromised.
"Subcontractors are exempt from cumulative rules." The criteria in Annex II explicitly apply to the audited provider and its subcontractors involved in the provision of the service. If a subcontractor fails to meet Level 1 location requirements, the entire service fails to meet Level 1, and thus cannot claim Level 2, 3, or 4 status.
"The reference to Article 19 in Annex II is the correct legal basis for third-country derogations." While Annex II, Section 3.1(g) references an implementing act under Article 19, this is a drafting inconsistency in the proposal text. Article 19 governs "Conformity self-assessment" for Level 1. The correct legal basis for third-country recognition and associated safeguards is Article 18 ("Associated third countries"). Providers and auditors should be aware that the mechanism for third-country derogations legally resides in Article 18.
This is general information about a draft EU regulation, not legal advice.