Summary

Under the proposed Cloud and AI Development Act (CADA), a Union assurance level is a standardized, graded guarantee of sovereignty and trust for cloud computing services. As defined in Article 16(1), the framework establishes four distinct levels that providers must meet to offer services to Union entities and public sector bodies. These levels ensure data confidentiality, operational autonomy, and protection against third-country interference, moving beyond vague marketing claims to a harmonized, auditable certification system.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a "Union cloud computing sovereignty framework" to address the EU's critical reliance on non-European cloud providers. At the heart of this framework are the Union assurance levels, which act as a tiered certification system. They allow public authorities to procure cloud services based on verified, auditable criteria rather than subjective assertions of "sovereignty."

What is a Union Assurance Level?

A Union assurance level is a formal classification indicating that a cloud computing service meets specific, cumulative criteria regarding data location, personnel citizenship, cybersecurity, and freedom from third-country control. As proposed, the framework comprises four levels, ranging from basic data residency requirements to strict prohibitions on foreign ownership and access.

Article 16(1) of the CADA proposal states that the framework establishes these four Union assurance levels, with the specific criteria for each set out in Annex II of the Regulation. The purpose is to provide a "harmonised and auditable set of criteria" that ensures public order is preserved by maintaining control and agency for public-sector bodies. The levels are cumulative; meeting a higher level requires satisfying all requirements of the lower levels.

The Four Levels of Assurance

The criteria in Annex II define the specific obligations for each tier.

  • Union Assurance Level 1 (Basic): This is the entry-level baseline. Providers must be established in the Union, and their infrastructure and assets (including those of subcontractors) must be located in the Union. Crucially, customer data—including metadata and telemetry—must remain exclusively within the Union unless the public sector body explicitly requires otherwise. Providers must also demonstrate compliance with state-of-the-art cybersecurity standards and provide full transparency regarding subcontractors.
  • Union Assurance Level 2 (Enhanced): This level introduces stricter controls. It requires that the audited provider and its subcontractors are established in the Union, and that their infrastructure, assets, and personnel are located in the Union. It mandates a European cybersecurity certificate of at least "substantial" assurance level under a scheme established under the Cybersecurity Act (Regulation (EU) 2019/881). Additionally, data generated by using the service cannot be used to train or fine-tune AI systems operated by third countries. Providers must also implement software supply chain measures, such as maintaining a complete Software Bill of Materials (SBOM).
  • Union Assurance Level 3 (High): This level is designed for services handling sensitive data. It requires that all personnel involved in providing the service are Union citizens. If national security clearance is required for handling classified information, personnel must hold such clearance. The provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country, unless the Commission has adopted a specific implementing act under Article 18 allowing it for an "associated third country" that meets strict safeguards (e.g., no laws enabling unauthorized access to Union data). The cybersecurity requirement remains at the "substantial" level.
  • Union Assurance Level 4 (Maximum): This is the highest tier, intended for the most critical public order activities. It includes all Level 3 requirements but adds a requirement for a European cybersecurity certificate of at least "high" assurance level. It also imposes stricter measures on software supply chains, requiring providers to demonstrate that no third country holds effective control over the design, development, or maintenance of the software components used.

How Recognition Works

For Levels 2 to 4, a Union assurance level cannot be self-declared. Article 17 outlines the recognition mechanism. For Level 1, providers can issue a self-declared EU statement of conformity. For Levels 2, 3, and 4, providers must undergo independent third-party audits by accredited auditing organizations. The national competent authority of the Member State in which the provider is established then reviews the audit report and, if satisfied, recognizes the service at the appropriate level. This recognition is valid across all Member States, creating a single market for trusted cloud services.

Why It Matters for Public Order

The framework is directly linked to public procurement. Article 29 requires Member States and Union entities to conduct risk assessments to determine which of their activities contribute to the preservation of public order. Article 30 then mandates that contracting authorities must procure, as a minimum, services recognized at Union assurance level 1. If a risk assessment identifies an activity as having public order relevance (e.g., in defense, justice, or critical infrastructure), the authority must only procure services recognized at Union assurance levels 2, 3, or 4.

What this means for you

For public-sector procurement officers, cloud providers, and compliance teams, the Union assurance levels simplify vendor evaluation and risk management. Instead of navigating disparate national sovereignty standards, you will rely on a single, EU-wide benchmark.

  1. Conduct Risk Assessments: You must carry out risk assessments for your cloud usage, as required by Article 29. Determine which services handle sensitive data or support critical public order functions.
  2. Check the Central Repository: The Commission will maintain a central repository of recognized services (Article 22). Before issuing a tender, verify that potential providers hold the necessary Union assurance level for your specific use case.
  3. Update Tender Requirements: Your procurement documents must specify the required Union assurance level. For general administrative tasks, Level 1 may suffice. For sensitive operations, you must mandate Levels 2, 3, or 4 based on your risk assessment.
  4. Plan for Transition: If your current provider does not meet the required level, you must migrate within a reasonable transition period (not exceeding 12 months), as per Article 29(6).

Common misconceptions

  • "Assurance levels replace cybersecurity certifications." No. While Levels 2–4 require European cybersecurity certificates (under the Cybersecurity Act), the assurance levels cover broader sovereignty risks, such as data residency, personnel citizenship, and freedom from third-country legal control. Cybersecurity is one component of a larger trust framework.

  • "Level 1 is just about where servers are located." Not entirely. While data and infrastructure must be in the Union, Level 1 also requires transparency on subcontractors, state-of-the-art cybersecurity compliance, and guarantees against third-country laws requiring vulnerability reporting before exploitation.

  • "Third-country providers can never qualify." They can, but only under strict conditions. For Level 3, the Commission may recognize "associated third countries" (Article 18) that provide equivalent safeguards, such as adequacy decisions under GDPR and laws preventing unauthorized data access. However, for Level 4, providers must not be subject to third-country control.

  • "I can choose any level I want." No. Your choice is constrained by your risk assessment. If your activity is deemed to preserve public order, you are legally required to procure at least Level 2. You cannot opt for a lower level if the risk assessment dictates higher protection.

This is general information about a draft EU regulation, not legal advice.