Summary

Under the proposed Cloud and AI Development Act (CADA), cloud providers seeking Union Assurance Levels 2, 3, or 4 must prove that all customer data, including metadata and telemetry, remains exclusively within the European Union. This is not a self-declaration but a verified obligation. Article 21 mandates that independent auditing organisations assess compliance based on specific evidence listed in Annex III. Auditors must verify data residency through rigorous documentation of data flows, access logs, and contractual safeguards, ensuring that even auxiliary data generated by service operations cannot be routed outside the EU without explicit public sector approval.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a sovereignty framework designed to eliminate risks associated with third-country access to data and operational disruption. A cornerstone of this framework is the strict requirement for cloud computing service providers to demonstrate that customer data remains physically and logically within the Union. This obligation is enforced through a robust audit mechanism that moves beyond contractual promises to verifiable technical and legal proof.

The Legal Baseline: Article 16 and Assurance Levels

Article 16 establishes the Union cloud computing sovereignty framework, comprising four distinct assurance levels. The requirement for data localisation is a cumulative criterion for Union Assurance Levels 2, 3, and 4, as detailed in Annex II of the proposal.

For Union Assurance Level 2, Annex II(2)(c) mandates that "customer data, including metadata and telemetry data, that is processed, stored and transferred by the audited provider and the subcontractors which are involved in the provision of the service, remain exclusively within the Union." This strict residency requirement is identical for Level 3 (Annex II(3)(c)) and Level 4 (Annex II(4)(c)).

Crucially, these provisions explicitly include metadata and telemetry data. This ensures that auxiliary data generated by the service's operation (such as logs, usage statistics, and diagnostic information) cannot be routed outside the EU for analysis, storage, or support purposes. An exception exists only if the public sector body explicitly requires otherwise, a condition that must be documented.

The Audit Mechanism: Article 21 and the Role of Evidence

The proof of compliance with these residency criteria is governed by Article 21, titled "Content and quality of audit evidence." This article serves as the bridge between the high-level criteria in Annex II and the practical evidence required to verify them.

Article 21(1) states that the auditing organisation shall assess the compliance of the audited service against the criteria set out in Annex II "on the basis of the audit evidence listed in Annex III." Furthermore, Article 21(2) specifies that this evidence must be:

  • Relevant and sufficient to enable the auditing organisation to prepare an audit report and provide an audit opinion; and
  • Reliable, according to the auditing organisation's professional judgment and scepticism.

Article 21 also empowers the Commission to amend Annex III via delegated acts, ensuring the evidence requirements can evolve with technological developments. However, the current proposal already sets out a comprehensive baseline for what constitutes sufficient proof of data residency. The auditor's role is not merely to collect documents but to actively verify that the evidence demonstrates the service's compliance with the "exclusively within the Union" standard.

Specific Evidence Requirements: Annex III

Annex III provides the granular technical and legal evidence that auditors must request to verify data residency. Specifically, Section 3 (Audit criterion C – Data localisation in the Union) outlines the mandatory evidence providers must supply. This evidence is designed to prove that third parties or subcontractors that do not meet the criteria are technically and operationally unable to access, obtain, or process customer data outside the Union.

Key evidence categories under Annex III include:

  1. Data Flow Diagrams: Providers must submit comprehensive diagrams showing the flows of data between the cloud computing service provider and customer data, as well as with third-party services and subcontractors. These diagrams must clearly identify the source and destination of data and demonstrate that the data does not leave the Union. The diagram must cover the entire lifecycle, including ingestion, storage, processing, and deletion.
  2. Access Logs and Monitoring Records: Auditors require logs and monitoring records demonstrating that all data are stored and processed exclusively within the Union. This includes evidence of access logs, support access policies, privileged access records, and backup retention policies. The evidence must show that no data is transferred to any third party other than subcontractors involved in the service or recipients expressly authorised by the public sector body.
  3. Contractual Agreements: Providers must produce contractual agreements with subcontractors that demonstrate compliance with Union law (such as the GDPR) and data residency requirements. This includes master service agreements, data processing agreements, and specific data residency contractual agreements. These contracts must explicitly state that no customer data, including encrypted data, is transferred outside the Union without public sector body approval.
  4. Technical Safeguards: Evidence must show that no customer data, including encrypted data, is transferred outside the Union without public sector body approval. This involves demonstrating technical measures that prevent unauthorized transfer or access by non-compliant third parties.

The scope of "customer data" under Annex III is broad. It includes any data under the control of the cloud service customer, whether by legal, contractual, or other means. This encompasses:

  • Data input into the cloud computing service by or on behalf of the customer (including authentication credentials).
  • Data produced through the customer's use of the cloud computing service.
  • Cloud computing service derived data, which includes log data containing records of who used the service, at what times, which functions were accessed, and the types of data involved. It also includes information about the numbers of authorised users and their identities, as well as any configuration or customisation data.

Subcontractor Oversight and Residency

Article 16 and Annex II impose strict requirements on subcontractors. For Levels 2, 3, and 4, the data residency requirement extends to all subcontractors involved in the provision of the service. Annex III requires auditors to verify that subcontractors do not have the technical or operational ability to access, obtain, or process customer data outside the Union without prior authorization.

Providers must therefore provide evidence of:

  • Subcontractor Registers: Up-to-date lists of all subcontractors involved in the service.
  • Contractual Clauses: Binding clauses that prohibit data transfer outside the EU and enforce the same data residency obligations on the subcontractor.
  • Technical Separation: Evidence that subcontractors are technically unable to access data stored outside the Union, even if they are involved in the service provision.

What this means for you

For CTOs, architects, and SMEs evaluating cloud providers for public sector contracts, the CADA proposal shifts the burden of proof from marketing claims to verifiable technical evidence.

  • Audit Readiness: Providers must maintain up-to-date data flow diagrams and access logs that explicitly trace data paths. If your architecture relies on global load balancing or third-country analytics services, you must implement strict geo-fencing and contractual blocks to ensure no data, including telemetry, leaves the EU.
  • Metadata and Telemetry: Do not overlook metadata. Many providers inadvertently route telemetry data to global support centers for analysis. Under CADA, this is a compliance failure for Levels 2-4. You must architect your systems to process and store telemetry exclusively within EU data centers.
  • Subcontractor Management: You are responsible for your subcontractors. Ensure your supply chain contracts explicitly prohibit data transfer outside the EU and provide auditors with the necessary documentation to prove this. Auditors will verify that subcontractors are listed in the register and bound by the same residency rules.
  • Evidence Quality: Auditors will apply professional scepticism. Simple declarations are insufficient. You must provide granular evidence, such as network architecture documents, privileged access management logs, and data processing agreements that align with Annex III requirements. The evidence must be "relevant and sufficient" to support the auditor's opinion.

Common misconceptions

  • "Data Residency is only about storage." CADA explicitly includes processing and transfer. Data cannot be temporarily routed through a third country for encryption, load balancing, or analytics unless the public sector body explicitly requires it.
  • "Metadata is not customer data." Annex III defines customer data to include metadata and telemetry. If your provider uses your metadata for global service improvement, you are non-compliant with Levels 2-4.
  • "Encryption allows data to leave the EU." Annex III requires evidence that no customer data, including encrypted data, is transferred outside the Union without approval. Encryption alone does not satisfy the residency requirement.
  • "Level 1 has the same residency rules." Union Assurance Level 1 has different criteria (Annex II(1)). While it requires infrastructure and assets to be located in the Union unless otherwise required, the strict "exclusively within the Union" language for data processing and transfer is a hallmark of Levels 2, 3, and 4. Level 1 allows for more flexibility regarding data transfer if explicitly required by the public sector body, whereas higher levels demand absolute exclusivity.
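The points above (audit readiness, telemetry, subcontractor management, and the misconceptions about temporary routing and encryption) can be turned into a repeatable pre-audit check. The following Python script is an added example, not code from the CADA proposal, from any auditing organisation, or from any provider. It assumes a provider that tags every location with an ISO 3166-1 country code and maintains its own list of EU member states (only a subset is shown), keeps a data-flow inventory with the fields used below, and writes privileged-access logs as `key=value` lines; all region codes, flow records, log lines, and the subcontractor register are constructed for illustration.

```python
"""Added example (not from the CADA proposal or any provider): a pre-audit
residency check over a constructed data-flow inventory and constructed
access-log lines. It mechanises the checks an auditor makes under Annex III
criterion C: every flow of customer data (including metadata, telemetry and
service-derived data, encrypted or not) stays inside the Union unless the
public sector body has explicitly authorised otherwise, every processor is
on the subcontractor register, and privileged access originates in the Union.
"""
from dataclasses import dataclass

# Assumption: locations carry ISO 3166-1 country codes and the provider keeps
# the full EU member-state list; only a subset is listed for the example.
EU_COUNTRIES = {"DE", "FR", "NL", "IE", "SE", "IT", "ES", "PL", "BE", "AT"}

# Annex III treats metadata and service-derived data (logs, usage, config)
# as customer data, so every class below is in scope of the residency test.
IN_SCOPE_CLASSES = {"customer_data", "metadata", "telemetry", "derived"}


@dataclass
class Flow:
    """One entry of the (constructed) data-flow inventory."""
    flow_id: str
    data_class: str
    src_country: str
    dst_country: str
    processor: str                 # "provider" or a subcontractor name
    encrypted: bool = False
    psb_authorised: bool = False   # explicit public sector body approval on file


def check_flows(flows, subcontractor_register):
    """Return (flow_id, criterion, detail) tuples for non-compliant flows."""
    findings = []
    for f in flows:
        if f.data_class not in IN_SCOPE_CLASSES:
            continue
        outside = {c for c in (f.src_country, f.dst_country) if c not in EU_COUNTRIES}
        if outside and not f.psb_authorised:
            # Encryption does not change the outcome of the residency test.
            why = ("encrypted, but encryption does not satisfy residency"
                   if f.encrypted else "routed outside the Union")
            findings.append((f.flow_id, "C-localisation",
                             f"{f.data_class} touches {sorted(outside)}: {why}"))
        if f.processor != "provider" and f.processor not in subcontractor_register:
            findings.append((f.flow_id, "C-subcontractor",
                             f"processor {f.processor!r} missing from register"))
    return findings


def parse_access_line(line):
    """Parse a constructed 'key=value ...' access-log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def check_access_log(lines):
    """Flag privileged/support access to customer data from outside the Union.

    Non-privileged access by the customer's own end users is left alone; the
    check targets the provider's support and operations paths.
    """
    findings = []
    for line in lines:
        rec = parse_access_line(line)
        if rec.get("priv") == "true" and rec.get("actor_country") not in EU_COUNTRIES:
            findings.append((rec.get("ts"), "C-access",
                             f"privileged access by {rec.get('actor')} "
                             f"from {rec.get('actor_country')}"))
    return findings


# --- constructed sample evidence -------------------------------------------
SUBCONTRACTOR_REGISTER = {"eu-backup-gmbh", "eu-dns-sas"}

SAMPLE_FLOWS = [
    Flow("F1", "customer_data", "DE", "FR", "provider"),
    Flow("F2", "telemetry", "NL", "US", "provider"),                      # telemetry to non-EU support
    Flow("F3", "customer_data", "IE", "US", "provider", encrypted=True),  # encrypted, still leaves
    Flow("F4", "customer_data", "SE", "SE", "backup-corp-inc"),           # processor not on register
    Flow("F5", "metadata", "IT", "GB", "provider", psb_authorised=True),  # explicitly authorised
    Flow("F6", "derived", "ES", "DE", "eu-backup-gmbh"),
]

SAMPLE_ACCESS_LOG = [
    "ts=2025-03-01T09:12:00Z actor=ops.anna actor_country=DE action=read tenant=t-1 priv=true",
    "ts=2025-03-01T09:15:00Z actor=support.bob actor_country=US action=read tenant=t-1 priv=true",
    "ts=2025-03-01T09:20:00Z actor=app.user actor_country=US action=read tenant=t-1 priv=false",
]


def run_pre_audit():
    """Combine both checks; a non-empty list means the evidence would not pass."""
    return check_flows(SAMPLE_FLOWS, SUBCONTRACTOR_REGISTER) + check_access_log(SAMPLE_ACCESS_LOG)


if __name__ == "__main__":
    for finding in run_pre_audit():
        print(*finding, sep=" | ")
```

Running the script on the constructed inputs reports four findings: the telemetry flow to a non-EU support location, the encrypted flow that still leaves the Union, the processor missing from the subcontractor register, and the privileged support access from outside the Union; the metadata flow with documented public sector body authorisation is not flagged. The same structure maps onto the evidence categories in Annex III: the flow inventory backs the data flow diagrams, the log check backs the access and privileged access records, and the register check backs the subcontractor oversight.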

This is general information about a draft EU regulation, not legal advice.