Summary
Under the proposed Cloud and AI Development Act (CADA), a "Union entity" is strictly defined as an EU institution, body, office, or agency established by or pursuant to the EU Treaties. As proposed in Article 16(1), the Union cloud computing sovereignty framework applies to cloud services provided to these entities and to national "public sector bodies." While both groups are covered by the framework, Union entities face distinct obligations: a mandatory risk assessment under Article 29, and procurement of a minimum "Union assurance level" (1 to 4) under Article 30, the level depending on whether the activity concerned contributes to the preservation of public order. In-house counsel for EU bodies should note that the result of the Article 29 risk assessment directly determines which services they are permitted to procure.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised framework to address strategic dependencies in cloud computing. A critical component of this framework is the precise definition of the beneficiaries it protects. The regulation distinguishes between "Union entities" and national "public sector bodies," though both fall under the sovereignty umbrella.
The Legal Definition of "Union Entity"
The term "Union entity" is not a generic reference to any government body within the EU. It is a term of art defined in Article 2(7) of the proposal. It refers exclusively to:
"the Union institutions, bodies, offices and agencies set up by or pursuant to the Treaty on European Union, the Treaty on the Functioning of the European Union (TFEU) or the Treaty establishing the European Atomic Energy Community."
This definition encompasses the centralised administrative and political organs of the European Union. Examples include the European Commission, the European Parliament, the Council of the European Union, the Court of Justice of the European Union, the European Central Bank, and decentralised agencies such as Europol, the European Medicines Agency (EMA), or Frontex.
This stands in contrast to "public sector bodies," defined in Article 2(6) by reference to Directive (EU) 2019/1024. Public sector bodies typically refer to national, regional, and local authorities within the Member States. While the sovereignty framework protects both, the specific governance and procurement obligations for Union entities are tailored to the Union's own institutional structure.
Scope of the Sovereignty Framework (Article 16)
The core of the CADA sovereignty regime is Article 16, which establishes the "Union cloud computing sovereignty framework." Article 16(1) explicitly sets the scope of application:
"This Chapter establishes a Union cloud computing sovereignty framework comprising four Union assurance levels, the criteria for which are set out in Annex II to the Regulation for cloud computing services to be considered as providing Union assurance across level 1 to level 4."
Crucially, Article 16(1) states that these criteria are requirements that cloud computing service providers "shall meet in order to provide their cloud computing services to Union entities and public sector bodies."
This provision creates a dual-track protection mechanism:
- For Union Entities: The framework ensures that the EU's own institutions can procure cloud services that guarantee operational autonomy and data sovereignty, shielding the Union's internal decision-making from third-country interference.
- For Public Sector Bodies: The framework ensures that Member State authorities can access sovereign cloud services for activities critical to national public order.
The framework is designed to mitigate risks associated with dependence on third-country providers, specifically addressing risks of extraterritorial access, service disruption, and the inability to enforce EU law.
Assurance Level Obligations for Union Entities
The specific assurance level a Union entity must procure is not arbitrary; it is determined by a mandatory risk assessment process.
1. The Baseline: Union Assurance Level 1
Under Article 30(2), Union entities whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognised as having Union assurance level 1. This level serves as the minimum baseline for all public sector procurement under CADA, ensuring a consistent standard of sovereignty across the Union.
2. Public Order Activities: Levels 2, 3, and 4
For activities that do contribute to the preservation of public order, the requirements are stricter. Article 29(1) obliges Union entities to carry out risk assessments to identify such activities. These assessments must consider sectors falling under Annex I or II of the NIS2 Directive, as well as areas of national security, internal security, external border management, defence, justice, and law enforcement.
If a risk assessment determines that an activity contributes to the preservation of public order, Article 30(3) mandates that the Union entity "shall only procure and use services that have been recognised as offering Union assurance levels 2, 3, or 4."
The distinction between levels 2, 3, and 4 depends on the severity of the risk and the specific criteria in Annex II:
- Level 2: Requires substantial cybersecurity certification and strict data localisation.
- Level 3: Adds a requirement for Union citizenship of personnel, applicable where the procuring public body requires it, together with stricter controls on third-country influence.
- Level 4: The highest tier, requiring "high" cybersecurity certification, mandatory Union citizenship for all personnel, and a complete absence of third-country control.
Provider Obligations and Recognition
Cloud computing service providers wishing to serve Union entities must undergo a formal recognition process. Article 17 requires providers to submit an application to the national competent authority of their establishment.
- For Level 1, the provider submits a self-assessment and an EU statement of conformity (Article 19).
- For Levels 2, 3, and 4, the provider must undergo independent third-party audits and obtain a "positive" audit opinion (Article 20).
Once recognised, the service is entered into a central repository maintained by the Commission (Article 22). Union entities are legally restricted to procuring only from services listed in this repository that meet the assurance level dictated by their risk assessment.
What this means for you
For legal and compliance teams within EU institutions, agencies, and bodies, the definition of "Union entity" triggers specific, non-delegable obligations under the proposed CADA.
- Mandatory Risk Assessments: You must conduct a risk assessment under Article 29 to determine if your cloud usage supports "public order" activities. This assessment must be updated every two years or whenever necessary. Failure to identify a public-order-relevant activity could lead to procuring a lower assurance level than required, creating a compliance breach.
- Procurement Restrictions: You cannot procure cloud services that are not recognised in the central repository. If your risk assessment identifies a public-order activity, you are legally barred from using a Level 1 service; you must procure Level 2, 3, or 4.
- Transition Management: If your current provider does not meet the required assurance level, Article 29(6) provides a transition period. You must migrate to a compliant service within a "reasonable transition period that shall not exceed 12 months," taking into account technical feasibility and continuity.
- Open Source and Federation: As a Union entity, you are encouraged to prioritise open-source solutions (Article 41) and may participate in the EuroCloud Federation (Article 34) to share capacity with other public sector bodies, potentially accessing sovereign infrastructure more efficiently.
Common misconceptions
"Union entities" includes all government bodies in the EU. This is incorrect. "Union entities" refers strictly to EU-level institutions (e.g., the Commission, Parliament, Agencies). National governments, ministries, and local authorities are "public sector bodies." While both are subject to CADA, the legal basis for their procurement and the specific governance structures differ.
CADA replaces the GDPR. No. CADA complements the GDPR. The GDPR governs the processing of personal data and fundamental rights. CADA addresses sovereignty, operational autonomy, and the risk of third-country interference. A service can be fully GDPR-compliant but still fail to meet CADA's Union assurance levels if it cannot guarantee that a third country cannot compel access to the infrastructure or disrupt the service.
All cloud services for Union entities must be Level 4. No. The framework is risk-based. Article 30(2) explicitly states that activities not contributing to public order only require Level 1. Level 4 is reserved for the most critical activities (e.g., handling classified information or critical defence functions) where the highest degree of personnel screening and infrastructure control is necessary.
This is general information about a draft EU regulation, not legal advice.