Summary
Under the proposed Cloud and AI Development Act (CADA), a cloud provider seeking Union Assurance Level 3 or 4 must show that the personnel involved in providing the audited service, including subcontractor personnel, are Union citizens. At both levels, personnel who handle classified information must also hold a national security clearance issued by a Member State. These criteria are set out in Annex II and are checked against the audit evidence listed in Annex III, which the auditing organisation uses to assess compliance under Article 21. At Level 2, by contrast, citizenship and additional screening are required only when a public sector body asks for them; at Levels 3 and 4 the requirement applies to the provider's in-scope workforce unconditionally.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a tiered sovereignty framework to mitigate the risk of third-country control and unauthorised access. A cornerstone of this framework is verification of personnel identity, citizenship and, where relevant, security clearance. The requirements escalate as the assurance level increases, moving from conditional availability at Level 2 to a mandatory, verifiable status at Levels 3 and 4.
Citizenship and Clearance Requirements by Level
The specific personnel obligations are codified in Annex II of the CADA proposal. The distinction between the levels is critical for compliance planning:
- Union Assurance Level 2 (Conditional): The requirement is not a blanket mandate for all staff. Under Annex II, Section 2.1(d), the audited provider must ensure that personnel meeting additional screening and Union citizenship requirements are available only if the public sector body determines these measures are necessary. The text states: "if the public sector body determines that imposing additional personnel screening and Union citizenship requirements are necessary, the audited provider should ensure that personnel meeting those requirements are available." This is an on-demand obligation: the provider must be able to supply such personnel when asked, but is not required to staff the service exclusively with them otherwise.
- Union Assurance Level 3 (Mandatory): The requirement becomes absolute for all relevant staff. Annex II, Section 3.1(d) explicitly mandates that "the personnel, including the personnel of the subcontractors which are involved in the provision of the audited service are Union citizens." Furthermore, it specifies that "where appropriate, the personnel must also have the necessary national security clearance issued by a Member State when handling classified information, as defined in Article 2, point (21), of Regulation (EU) 2021/697."
- Union Assurance Level 4 (Mandatory): The personnel criterion is worded the same as at Level 3. Annex II, Section 4.1(d) mandates that "the personnel, including the personnel of the subcontractors, which are involved in the provision of the audited service are Union citizens and, where appropriate, the personnel must also have the necessary national security clearance issued by a Member State when handling classified information." What distinguishes Level 4 from Level 3 lies in the other criteria of Annex II, not in the personnel clause.
Audit Evidence and Verification (Annex III)
How do regulators and auditors verify these claims? The CADA proposal provides detailed guidance on the evidence required in Annex III, specifically under Audit Criterion D – Union citizenship. This annex guides auditing organizations in assessing compliance with the criteria set out in Annex II for Levels 2, 3, and 4.
According to Annex III, Section 4, the audited provider must supply the following evidence to the auditing organization to prove compliance:
- Proof of Citizenship Implementation: The provider must provide proof that it has implemented measures to ensure that, if a public sector body requests Union citizenship, the personnel involved are Union citizens. The annex explicitly states this can be demonstrated through "valid official government issued documents (e.g. valid passport and national identity card)." The conditional wording ("if a public sector body requests") mirrors the Level 2 criterion; at Levels 3 and 4, where Annex II makes citizenship unconditional, the same evidence has to cover every individual within the scope of "personnel" described below.
- Organizational Structure and Access Control: Providers must submit organizational charts and job descriptions confirming that they can ensure, where requested, that only personnel with Union citizenship have access to the audited service's operation, management, maintenance, and support.
- Access Logs and Audit Trails: Providers must provide documents demonstrating access control policies and audit trails showing that only authorized personnel who are Union citizens can access the service's systems and data.
- Procedural Documentation: Providers must demonstrate that they have put in place procedures describing how citizenship is verified before assignment and how compliance with this audit criterion is maintained throughout employment.
The nota bene (NB) in Annex III, Section 4 clarifies the scope of "personnel": it includes individuals who have "logical or physical access to infrastructure and assets used to operate the cloud computing service, as well as those who are responsible for customer support, and all personnel who have management control of the cloud computing service provider."
The Role of the Auditing Organization
The verification of these criteria is part of the independent third-party audit process mandated for Levels 2, 3, and 4 under Article 20. The auditing organization must assess the compliance of the audited service against the criteria in Annex II based on the audit evidence listed in Annex III (as referenced in Article 21).
For Levels 3 and 4, the auditor does not merely check a box; they must verify the robustness of the provider's HR and IT security processes. This includes reviewing whether the provider maintains the "effective legal, technical and organisational separation" between Union-based operations and any third-country subsidiaries that is needed to ensure that staff in third-country entities cannot access Union customer data or systems.
What this means for you
For CTOs, architects, and SMEs evaluating the practical impact of CADA, the personnel citizenship and clearance requirements represent a significant operational and legal hurdle, particularly for providers aiming for Level 3 or 4 recognition.
- HR and Recruitment Overhaul: You must audit your current workforce and subcontractor agreements. If you employ non-Union citizens in roles with logical or physical access to infrastructure, in customer support (which Annex III counts as personnel regardless of what systems the role touches), or in management control of the provider, you may be non-compliant for Level 3/4. This may require restructuring teams, reassigning staff, or terminating contracts where compliance cannot be achieved.
- Subcontractor Due Diligence: The requirement extends to subcontractors. You cannot outsource maintenance or support to a third party that does not meet the same citizenship and clearance standards. Your vendor risk management program must include rigorous verification of subcontractor staff identities.
- Audit Readiness: You must maintain up-to-date records of passports, ID cards, and security clearance certificates for all relevant personnel. Your IT systems must generate audit trails that link system access to specific Union citizen identities. Be prepared to provide organizational charts and job descriptions to auditors to prove that access rights are strictly controlled based on citizenship status.
- Level 2 Flexibility: If you are targeting Level 2, you have more flexibility, as citizenship requirements are only triggered if the public sector customer explicitly demands them. However, you must still have the capability to provide such personnel on demand.
Common misconceptions
- "Only engineers need to be Union citizens." Incorrect. Annex III defines personnel broadly to include anyone with logical or physical access to infrastructure, anyone responsible for customer support, and anyone with management control of the provider. A customer support agent who can reset passwords or view system logs falls squarely within that definition and must be a Union citizen for Level 3/4.
- "Citizenship is only required for Level 4." Incorrect. Annex II, Section 3.1(d) mandates Union citizenship for all relevant personnel at Level 3, and the security clearance condition for personnel handling classified information also applies at Level 3. The personnel clauses of Levels 3 and 4 are worded identically; the differences between the two levels lie in the other Annex II criteria, such as data localisation.
- "We can use third-country staff if they are highly skilled." No. For Levels 3 and 4, the requirement is absolute for personnel involved in the provision of the audited service. There is no exception for skill shortages. If you cannot staff the role with a Union citizen, you cannot offer that service at Level 3 or 4.
- "Security clearances are optional for all levels." Incorrect. For Levels 3 and 4, personnel who handle classified information must hold a national security clearance issued by a Member State. At Level 2, Annex II, Section 2.1(d) refers only to "additional personnel screening", which is triggered by the public sector body's request.
Related
- CADA Level 2 Personnel: Can a Buyer Require EU Citizenship?
- CADA Personnel Rules: When is National Security Clearance Required?
- CADA personnel requirements: How Union citizenship and support location escalate across tiers
- Does CADA level 3 require personnel to be EU citizens?
- Can a public body require extra personnel screening under CADA?
This is general information about a draft EU regulation, not legal advice.