Summary
Under the proposed Cloud and AI Development Act (CADA), cloud providers seeking Union assurance levels 2, 3, or 4 must ensure that their infrastructure, assets, and personnel are located exclusively within the Union. Unlike Level 1, which permits exceptions if a public body explicitly requires otherwise, Levels 2–4 impose strict, cumulative location requirements for all operational elements, including those of subcontractors. There is no "public-body exception" for these higher tiers. These rules are designed to guarantee operational autonomy and prevent third-country interference with critical cloud services.
Detail
The CADA proposal establishes a "Union cloud computing sovereignty framework" comprising four assurance levels. While Level 1 allows some flexibility regarding the location of infrastructure and assets, Levels 2, 3, and 4 introduce progressively stricter cumulative criteria. For CTOs and architects, the most critical distinction is the absolute requirement for physical and human presence within the Union, without the flexibility found in Level 1.
Strict Location Requirements for Infrastructure, Assets, and Personnel
The core of the sovereignty framework for Levels 2–4 is the requirement that the entire operational stack remains within EU jurisdiction. This is not merely a data residency rule but a comprehensive operational localization mandate covering physical hardware, software assets, and the human workforce.
- Union Assurance Level 2: According to Annex II, Section 2.1(b), providers must ensure that "the infrastructure, assets, and personnel of the audited provider, including those of its subcontractors which are involved in the provision of the service are located in the Union." This criterion is cumulative, meaning it must be met alongside other requirements, such as obtaining a European cybersecurity certificate of at least 'substantial' assurance level.
- Union Assurance Level 3: The requirement remains absolute. Annex II, Section 3.1(b) states that "the infrastructure, assets, and personnel of the audited provider, including those of the subcontractors which are involved in the provision of the service, are located in the Union." Additionally, Level 3 introduces strict personnel criteria: all personnel, including subcontractor staff, must be Union citizens, and must hold necessary national security clearances when handling classified information (Annex II, Section 3.1(d)).
- Union Assurance Level 4: The highest level maintains the strict location mandate. Annex II, Section 4.1(b) requires that "the infrastructure, assets, and personnel of the audited provider, including the subcontractors, which are involved in the provision of the service, are located in the Union." Like Level 3, it mandates Union citizenship for all personnel and national security clearances for those handling classified information (Annex II, Section 4.1(d)).
No Public-Body Exception
A crucial distinction for architects designing multi-cloud strategies is the absence of the "public body exception" present in Level 1. Under Annex II, Section 1.1(b), Level 1 allows infrastructure and assets to be located outside the Union if "the public sector body explicitly requires otherwise." This flexibility does not exist for Levels 2, 3, or 4. The text for these higher levels contains no such proviso.
This means that even if a public authority explicitly requests or requires infrastructure to be located outside the EU, a provider cannot legally offer a Level 2, 3, or 4 service under those conditions. This ensures that high-assurance services maintain a baseline of operational autonomy and legal jurisdiction within the Union, regardless of specific client preferences or short-term operational needs. The strictness of these tiers is intended to safeguard public order and prevent any potential third-country interference.
Scope of "Infrastructure, Assets, and Personnel"
The CADA proposal and its annexes spell out what each of these elements covers, which is vital for compliance audits. Annex III, Audit Criterion B describes them as follows (each description is illustrative of the element's scope, not a closed list):
- Infrastructure: This includes physical infrastructure such as data centre infrastructure, colocation infrastructure, network, cooling, and IT systems that allow for the management of the data centre. The audit evidence must demonstrate that all elements remain within the Union for the provision of the audited service. This explicitly includes the location for primary, backup, disaster recovery, and log storage.
- Assets: This includes hardware and software, such as libraries, internal networks needed for software components to communicate, and cryptographic materials that enable the provision of the cloud computing service.
- Personnel: This includes individuals who support the delivery, administration, security, availability, or operation of the audited service. For Levels 2–4, this extends to personnel managed by subcontractors. The audit must verify that personnel involved in provision are located in the Union, evidenced by employment contracts, payroll records, and timesheets.
Subcontractor Inclusion
A significant operational impact for providers is the inclusion of subcontractors. The location requirement applies not just to the primary provider but to "subcontractors which are involved in the provision of the service." This means that if a provider uses a third-party for technical support, maintenance, or security operations, that third-party's personnel and infrastructure must also be located within the Union.
For Levels 3 and 4, the requirement is even more stringent: the subcontractors' personnel must not only be located in the Union but must also be Union citizens. This creates a "clean chain" of sovereignty where every entity touching the service stack is physically and legally anchored in the EU.
Audit and Verification
Compliance with these location requirements is verified through independent third-party audits for Levels 2–4 (Article 20). Auditing organizations will request specific evidence to prove compliance, including:
- Infrastructure Location: Lists of infrastructure locations with precise addresses (number, street, city, postal code, and country) to demonstrate exclusive Union location (Annex III, Audit Criterion B(1)).
- Network Architecture: Network diagrams and architecture documents illustrating the exclusive use of Union-based infrastructure for data storage and processing, including backup and replicated data.
- Personnel Evidence: Evidence of personnel location, such as employment contracts, payroll records, and timesheets showing Union-based staff with operational responsibilities (Annex III, Audit Criterion B(3)).
Failure to meet any of these cumulative criteria precludes conformity with the higher assurance levels. A provider cannot claim Level 3 status if, for example, their disaster recovery site is located in a third country, even if all primary processing occurs in the EU. The audit opinion will be "negative" if any part of the infrastructure, asset, or personnel chain falls outside the Union.
What this means for you
For CTOs, architects, and compliance officers, these rules necessitate a fundamental review of your cloud architecture and supply chain if you intend to serve the EU public sector with high-assurance services.
- Map Your Entire Stack: You must map every component of your service delivery, including backup sites, log storage, and third-party support tools. If any element resides outside the EU, you cannot qualify for Levels 2–4. This includes "cold" storage and disaster recovery sites.
- Review Subcontractor Agreements: Ensure that any subcontractors involved in service provision (e.g., managed service providers, security operations centers) have their personnel and infrastructure located within the EU. For Levels 3 and 4, verify their citizenship status and security clearances.
- No "Client-Requested" Offshoring: Unlike Level 1, you cannot offload infrastructure or personnel to a third country even if a client requests it. This removes a common commercial flexibility lever for high-assurance contracts. The sovereignty requirement is absolute.
- Audit Readiness: Prepare for rigorous audits. You will need to provide granular evidence of location, including lease agreements, utility bills, and detailed personnel records for all staff and subcontractors involved in the service. Expect auditors to also look at where administrative and remote access originates: staff who operate, support, or secure the service from outside the Union are personnel located outside the Union, whatever the physical location of the hardware they connect to.
Common misconceptions
- "If my data stays in the EU, my infrastructure can be elsewhere." Incorrect. Levels 2–4 require the infrastructure itself (servers, networks, cooling) to be physically located in the Union, not just the data.
- "I can use third-country support staff if they are remote." Incorrect. Personnel involved in the provision of the service must be located in the Union. Remote support from outside the EU is not permitted for Levels 2–4.
- "Public sector clients can waive these location rules." Incorrect. The "public body exception" applies only to Level 1. Levels 2–4 have no such waiver, ensuring a consistent baseline of sovereignty for critical services.
- "Disaster recovery sites can be outside the EU." Incorrect. Audit evidence must show that backup, disaster recovery, and log storage locations are also within the Union.
- "Level 2 allows for some flexibility like Level 1." Incorrect. Level 2 removes the public-body exception entirely. The requirement for infrastructure, assets, and personnel to be in the Union is strict and unconditional.
Related
- CADA Level 3 Support & Personnel Rules: Residents, Location & Control
- CADA Level 4 Personnel Rules: Union Citizens, Clearances & Subcontractors
- CADA Open-Source Controls: Remote Tampering Rules for Levels 2–4
- CADA Personnel Rules: When is National Security Clearance Required?
This is general information about a draft EU regulation, not legal advice.