Summary

Under the proposed Cloud and AI Development Act (CADA), Union assurance level 1 would be the baseline tier of the Union cloud computing sovereignty framework. As proposed, the criteria in Annex II, section 1.1 require a provider to be established in the EU, keep its infrastructure and customer data within the Union, run on state-of-the-art cybersecurity, and be transparent about subcontractors. Level 1 is the only tier proven by a provider self-assessment rather than an independent audit: under Article 19 the provider issues, and publishes, an "EU statement of conformity". For public-sector buyers it matters because Article 30(2) would require entities and bodies whose activities are not public-order-relevant to use cloud services recognised at level 1.

Detail

CADA, COM(2026) 502 final, is a proposal, not law in force, so everything here describes what the text would do if adopted unchanged. Chapter I would set up a "Union cloud computing sovereignty framework comprising four Union assurance levels", whose criteria are set out in Annex II and which providers would have to meet to serve Union entities and public sector bodies (Article 16(1)). Union assurance level 1 is the entry tier: a consistent, EU-wide baseline of sovereignty and security for public-sector activities that do not handle the most sensitive material but still need protection against extraterritorial data access and service disruption.

The criteria for Union assurance level 1

The requirements are set out in Annex II, section 1.1, as a set of cumulative criteria — a provider must satisfy all of them. As proposed, they are:

  1. EU establishment. The cloud computing service provider is established in the Union (Annex II, 1.1(a)). This anchors the provider within EU jurisdiction.
  2. EU-located infrastructure. The infrastructure and assets of the provider, including those of subcontractors involved in the service, are located in the Union — "unless the public sector body explicitly requires otherwise" (Annex II, 1.1(b)).
  3. EU data residency. Customer data, "including metadata and telemetry data", processed, stored and transferred by the provider and its subcontractors, remains "exclusively within the Union" — again unless the public sector body explicitly requires otherwise — "at any time, including before, during or after the configuration or use of the service" (Annex II, 1.1(c)).
  4. Controlled outsourcing. Where the provider outsources technical or operational support (including sub-outsourcing) to third-party providers outside the Union, it implements the necessary legal, technical and organisational measures to ensure traceability, security and governance, and those operations must not compromise the provider's operational autonomy (Annex II, 1.1(d)).
  5. Cybersecurity standards. The provider demonstrates that the service complies with state-of-the-art cybersecurity standards (Annex II, 1.1(e)).
  6. Transparency and due diligence. The provider gives full transparency on its use of subcontractors and subjects them to due diligence, contractual obligations and ongoing oversight to meet Union legal obligations (Annex II, 1.1(f)).
  7. Vulnerability-reporting guarantee. Where the provider is under the control of a third country or a legal entity established in a third country, it guarantees — "demonstrated by independent sources" — that no laws or practices in that third country require it to report software-vulnerability information to that country's authorities "prior to those vulnerabilities being known to have been exploited" (Annex II, 1.1(g)).

Note what level 1 does not require. It does not require personnel to be located in the Union, EU citizenship of staff, a formal European cybersecurity certificate, or freedom from third-country control. Those obligations would appear only at the higher tiers (levels 2 to 4), which build cumulatively on level 1 and are proven by independent audit under Article 20.

The self-assessment route under Article 19

Level 1 is unique in how it is demonstrated. Levels 2, 3 and 4 would require independent third-party audits; level 1 would be proven through a conformity self-assessment under Article 19.

Article 19(1) provides that providers seeking recognition as offering level 1 "shall carry out a conformity self-assessment of compliance with the criteria for Union assurance level 1 set out in Annex II". The burden of evaluating the service against the criteria sits with the provider itself.

Following that self-assessment, Article 19(2) requires the provider to issue an "EU statement of conformity" stating that compliance with the level 1 criteria has been demonstrated. By issuing it, the provider would "assume responsibility for the compliance of the cloud computing service with the criteria for Union assurance level 1". The statement is a binding declaration, not a marketing claim.

Article 19(3) then requires the provider to make the EU statement of conformity publicly available — so buyers and other stakeholders can see the declaration directly.

Recognition and the SME shortcut

The self-assessment feeds into the recognition mechanism in Article 17. A provider applies to the national competent authority of its establishment; for level 1, the application consists of the EU statement of conformity referred to in Article 19(2) plus all necessary evidence (Article 17(3)).

Article 17(3) also contains an important shortcut for smaller providers. An EU statement of conformity issued by a provider that is an SME would be "directly and automatically recognised in all Member States without the need for prior recognition by the evaluating national competent authority". "SME" takes the meaning in Article 2(8), which refers to the definition in Annex I to Commission Recommendation 2003/361/EC. The aim, as proposed, is to lower the barrier for smaller EU providers to reach the public-sector market.

Why level 1 matters for public procurement

Level 1 is not a voluntary badge. Article 30(2) provides that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order "shall use cloud computing services that have been recognised under Article 17 as having a Union assurance level 1". For that broad category of everyday public-sector activity, level 1 is the mandatory baseline. Whether an activity is public-order-relevant is determined through the risk assessments that Member States and Union entities would carry out under Article 29; where an activity is identified as public-order-relevant in the sensitive sectors listed in Article 30(3), the buyer would instead have to procure at level 2, 3 or 4.

What this means for you

If you are a public-sector procurement officer or IT decision-maker, level 1 would be your default starting point under the proposed CADA.

  • Treat level 1 as the baseline for ordinary activities. For activities not identified as public-order-relevant, Article 30(2) would require you to use a service recognised at Union assurance level 1. Standard administrative, communications and general IT workloads typically fall here.
  • Ask for the EU statement of conformity. Under Article 19(3) it must be publicly available. In a tender, request it and check that it declares compliance with the criteria in Annex II, section 1.1, and confirm the service appears in the central repository of recognised services that the Commission would maintain under Article 22. Because level 1 is self-assessed and does not require a formal European cybersecurity certificate, also ask what evidence underpins the provider's claim to meet state-of-the-art cybersecurity standards under 1.1(e).
  • Confirm data residency in writing. Annex II, 1.1(c) keeps customer data, metadata and telemetry within the Union at any time, including before, during and after use of the service, and the obligation extends to the provider's subcontractors. In practice that means asking where support, monitoring and telemetry pipelines terminate, not only where primary storage sits. The only carve-out is where you explicitly require otherwise, so be deliberate before invoking it.
  • Scrutinise the subcontractor chain. The provider bears the responsibility, but Annex II, 1.1(d) and 1.1(f) require full transparency on subcontractors, due diligence and ongoing oversight, and that any out-of-Union support (including sub-outsourcing) is traceable, secured and governed so that it does not compromise the provider's operational autonomy. Ask to see the disclosure.
  • Use the SME route knowingly. An SME's level 1 statement of conformity would be automatically recognised across the Union under Article 17(3), widening your potential supplier pool. The SME definition is the one in Article 2(8) (Annex I to Recommendation 2003/361/EC).
  • Re-check your risk assessment. Level 1 is the floor, not a ceiling. If an Article 29 risk assessment flags your activity as public-order-relevant, Article 30(3) would push you up to level 2, 3 or 4.

Common misconceptions

  • "Level 1 is optional for public bodies." As proposed, Article 30(2) requires entities and bodies whose activities are not public-order-relevant to use a service recognised at level 1. It is the mandatory baseline for those activities, not a best practice.
  • "Level 1 needs an independent audit." No. Level 1 is proven by the provider's own conformity self-assessment and EU statement of conformity under Article 19. Independent third-party audits under Article 20 would apply only to levels 2, 3 and 4.
  • "An EU-based provider can store the data anywhere." Annex II, 1.1(c) requires customer data — including metadata and telemetry — to remain "exclusively within the Union", unless the public sector body itself explicitly requires otherwise.
  • "Level 1 covers every public-sector activity." It covers activities that are not public-order-relevant. Activities identified as contributing to the preservation of public order in the sectors listed in Article 30(3) would require level 2, 3 or 4.
  • "Level 1 means no third-country involvement at all." Level 1 permits a provider under third-country control, subject to the vulnerability-reporting guarantee in Annex II, 1.1(g), and permits out-of-Union support under the safeguards in 1.1(d). Excluding third-country control entirely is a feature of the higher tiers, not level 1.

This is general information about a draft EU regulation, not legal advice.