Summary
Union assurance level 2 is the mid-tier sovereignty standard in the proposed EU Cloud and AI Development Act (CADA). As proposed, it would require both the cloud provider and its subcontractors to be established in the Union, with their infrastructure, assets and the personnel involved in the service located in the Union, and customer data kept exclusively within the Union. Two things set Level 2 apart from the self-assessed Level 1: the service would need a European cybersecurity certificate of at least the "substantial" assurance level, and compliance would have to be confirmed by an independent third-party audit (Article 20) rather than by the provider's own declaration. The criteria sit in Annex II, section 2.1. CADA is a proposal and is not yet in force.
Detail
CADA would create a "Union cloud computing sovereignty framework" with four "Union assurance levels" that cloud providers would have to meet to serve Union entities and public sector bodies (Article 16(1)). The criteria for each level are set out in Annex II. Level 2 is the first level that depends on an external audit, making it the practical entry point for cloud services used by public bodies whose work touches public order.
Where Level 2 sits
Level 1 is demonstrated by a conformity self-assessment, where the provider issues its own "EU statement of conformity" (Articles 19(1)-(2)). Level 2 raises the bar in two ways: the criteria themselves are stricter, and the provider must prove them through an independent audit rather than its own declaration. Levels 3 and 4 then add further requirements — most visibly a blanket Union-citizenship rule for personnel and, at Level 4, a "high" cybersecurity certificate. The framework is cumulative: as proposed, a provider audited at Level 2 must satisfy all the Level 1 criteria as well, and failing any lower-level requirement would preclude conformity with the higher level (Article 20(1)).
The Level 2 criteria (Annex II, section 2.1)
Annex II, section 2.1 lists the cumulative criteria a provider would have to meet for Level 2. In summary, as proposed:
- EU establishment — the audited provider and the subcontractors involved in the service are established in the Union (2.1(a)).
- EU-located infrastructure, assets and personnel — these, including those of the subcontractors involved in the service, are located in the Union (2.1(b)). This is a step up from Level 1, which localises infrastructure and assets but not personnel.
- Data stays in the Union — customer data, including metadata and telemetry, processed, stored or transferred by the provider and the subcontractors involved remains exclusively within the Union, unless the public sector body explicitly requires otherwise, at any time before, during or after use (2.1(c)).
- Conditional personnel screening and citizenship — if the public sector body determines that additional personnel screening and Union-citizenship requirements are necessary, the provider ensures that personnel meeting those requirements are available (2.1(d)). This is a conditional, buyer-driven requirement, not a blanket citizenship rule.
- Cybersecurity certificate ("substantial") — the service obtains a European cybersecurity certificate of at least assurance level "substantial" under a cloud-computing certification scheme to be established under the Cybersecurity Act (Regulation (EU) 2019/881), once such a scheme exists and is available. Until then, national certification schemes apply where they exist; where no scheme exists at all, the provider demonstrates that the service meets the highest cybersecurity standards under applicable Union law (2.1(e)).
- No third-country AI training; no transfers out — data generated by using the service is not used to train or fine-tune any AI system operated by a third country or a third-country-established entity, and is not transferred outside the Union in any case (2.1(f)).
- Safeguards against third-country control — if the provider or subcontractors are under third-country control, they demonstrate legal, technical and organisational measures ensuring that the control does not restrain service delivery, that third-country access to customer data is prevented, that disruption or degradation of the service is prevented, and that the provider is not obliged to give effect to a third country's restrictive measures (sanctions, embargoes or equivalent) unless legitimate under Member State or Union law (2.1(g)).
- EU-only support — technical and operational support, including sub-outsourcing, is initiated and performed exclusively within the Union (2.1(h)).
- Software supply-chain controls — a complete, up-to-date software bill of materials (SBOM) and dependency list are documented and made available to the auditing organisation; where software components are owned or licensed by a third-country entity, controls block remote features that could materially tamper with or disrupt systems, security-relevant components are subject to source-code audits, and a migration plan is documented (2.1(i)).
- Open-source controls — where open-source software is used, the provider demonstrates controls preventing remote features that could materially tamper with or disrupt the service (2.1(j)).
- Separation from a third-country subsidiary — a provider operating globally with a third-country subsidiary has measures ensuring effective legal, technical and organisational separation between the Union parent and that subsidiary (2.1(k)).
The independent audit (Article 20)
This is the defining feature of Level 2 and above. As proposed, a provider seeking Level 2 must undergo, at its own expense, an independent third-party audit to obtain an audit report and audit opinion from an auditing organisation (Article 20(1)).
The proposal does not describe these organisations as "accredited." Instead, Article 20(4) sets independence, competence and objectivity conditions: the auditing organisation must be independent and free of conflicts of interest (for example, no non-audit services to the provider in the 12 months before and a commitment not to provide them for 12 months after, no audit services to that provider in the previous 10 years, and no contingent fees), must have proven technical competence in auditing cloud services, and must demonstrate objectivity and professional ethics.
The auditing organisation assesses compliance with the Annex II criteria on the basis of the audit evidence listed in Annex III (Article 21(1)), which must be relevant, sufficient and reliable (Article 21(2)). The written audit report records the aspects audited, the methodology, the main findings and, crucially, a "positive" or "negative" opinion; a "positive" opinion identifies the assurance level to be recognised (Article 20(5)). A "positive" opinion is the gateway to recognition.
Audits are not a one-off. As proposed, the provider must submit the report and "positive" opinion for review every year, by the same or a different auditing organisation, which may confirm, update or revoke it (Article 20(8)).
From audit to recognition
With a "positive" opinion, the provider applies for recognition to the national competent authority of its establishment, submitting the audit report, the "positive" opinion and all evidence given to the auditing organisation (Articles 17(1) and 17(4)). Once recognised, the service is recognised throughout the Union and registered in a central repository the Commission would maintain (Article 22) — a public, regularly updated list that lets buyers identify recognised services.
What this means for you
For public-sector buyers and IT decision-makers, Level 2 is where procurement obligations begin to bite, so a few points are worth keeping in mind.
- When Level 2 is required. As proposed, bodies whose activities have not been identified as contributing to the preservation of public order "shall use" services recognised at Union assurance level 1 (Article 30(2)). Where a risk assessment does identify your activity as contributing to public order — in the sectors covered by Annexes I or II of the NIS2 Directive (Directive (EU) 2022/2555), or in national security, internal security, external border management, defence, justice or law enforcement — you would have to procure services recognised at Level 2, 3 or 4 (Article 30(3)). Level 2 would be the floor for many of these contracts.
- You can rely on recognition. Rather than running a bespoke sovereignty audit per contract, you would be able to check the central repository (Article 22). A Level 2 listing signals that an independent auditor confirmed EU establishment, data localisation, personnel location and the "substantial" cybersecurity certificate.
- Some controls are in your hands. The personnel screening and Union-citizenship requirement at Level 2 only applies if you determine it necessary (Annex II 2.1(d)). If your use case warrants tighter personnel controls, you would need to specify that — otherwise Level 2 does not impose citizenship requirements by default.
- Match the level to the data, not the habit. Level 2 is aimed at public-order-relevant work that does not need the citizenship and "high"-certificate requirements of Levels 3 and 4. Mandating a higher level than your risk assessment supports may narrow the supplier field and raise cost without a proportionate benefit.
Common misconceptions
- "Level 2 is a self-declaration." No. Level 1 is self-assessed (Article 19). Level 2 requires an independent third-party audit and a "positive" audit opinion (Article 20).
- "The auditors are accredited bodies." The proposal does not use "accredited." It sets independence, competence and objectivity conditions instead (Article 20(4)).
- "Level 2 requires all staff to be EU citizens." No. Level 2 requires personnel involved in the service to be located in the Union (Annex II 2.1(b)); citizenship and extra screening apply only if the buyer determines them necessary (2.1(d)). The blanket Union-citizenship rule is a Level 3 and Level 4 requirement (Annex II 3.1(d) and 4.1(d)).
- "Level 2 needs a 'high' cybersecurity certificate." No. Level 2 requires at least "substantial" (Annex II 2.1(e)). Only Level 4 requires "high"; Level 3 also uses "substantial."
- "The certificate exists today, so providers can get it now." Not yet. As proposed, the certificate would come from a cloud-computing scheme to be established under the Cybersecurity Act; until then national schemes apply where they exist (Annex II 2.1(e)).
- "Encrypted data can sit outside the EU." No. Customer data, including metadata and telemetry, must remain exclusively within the Union unless the buyer explicitly requires otherwise (Annex II 2.1(c)). Encryption does not create a transfer exception.
- "Level 2 is only for EU-owned companies." Provider and subcontractors must be established in the Union (2.1(a)), but a provider under third-country control may qualify if it demonstrates the safeguards in 2.1(g). In practice that is a demanding bar.
Official sources
Related
- Which CADA assurance level do I need for my cloud workload?
- What must a US hyperscaler do to reach a CADA assurance level?
- CADA Assurance Levels: The Simplest Board-Level Explanation
- CADA Assurance Levels: The Roadmap from Level 1 to Level 4
- What is CADA Union assurance Level 4?
This is general information about a draft EU regulation, not legal advice.