Summary
As proposed in the Cloud and AI Development Act (CADA), Union assurance level 3 is a high-tier sovereignty standard for cloud computing services used in public-sector activities critical to public order. To reach it, a provider would have to pass an independent third-party audit showing that infrastructure, personnel and data remain within the Union, that personnel involved in the service are Union citizens, and that the provider is not subject to third-country control, save for a narrow derogation where the Commission has identified the third country under Article 18. The cybersecurity certificate required is at least "substantial" (the same as level 2), not "high". Level 3 is one of the levels public bodies must procure for activities identified as contributing to the preservation of public order. CADA is a proposal and is not in force; details could change.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a harmonised framework to strengthen Europe's cloud and AI ecosystem and to address the EU's strategic dependence on non-European cloud providers. Central to it are four "Union assurance levels" established under Article 16, with the detailed criteria in Annex II. Union assurance level 3 is a significant step up from the baseline, targeting higher-risk public-sector use cases where the preservation of public order is paramount.
The role of independent audits
Unlike level 1, which relies on a provider's self-assessment (Article 19), Article 20 would require providers seeking levels 2, 3 and 4 to undergo independent third-party audits. For level 3 the audit is rigorous: the provider applies for recognition to the national competent authority of its establishment, submitting an audit report and a "positive" audit opinion from an auditing organisation.
That organisation is not described in the proposal as "accredited". Instead, Article 20(4) requires it to be independent and free of conflicts of interest (for example, no relevant non-audit services to the provider in the 12 months before and after the audit, no audit services to it in the prior 10 years, and no fees contingent on the outcome), to have proven expertise and technical competence in auditing cloud services, and to have proven objectivity and professional ethics. The audit verifies compliance with the cumulative criteria in Annex II §3.1 and, because the levels are cumulative, with every level 1 and level 2 criterion as well (Article 20(1)).
Key criteria for Union assurance level 3
To be recognised at level 3, a provider would have to satisfy the conditions in Annex II §3.1, including:
- Union establishment and location. The audited provider and all involved subcontractors are established in the Union, and the infrastructure, assets and personnel involved are located in the Union (§3.1(a)-(b)).
- Data residency. Customer data, including metadata and telemetry, remains exclusively within the Union at any time (before, during and after configuration or use), unless the public sector body explicitly requires otherwise (§3.1(c)).
- Union citizenship and security clearance. A defining feature of level 3: personnel, including subcontractor personnel, involved in the service must be Union citizens and, where appropriate, hold the necessary national security clearance issued by a Member State when handling classified information (§3.1(d)). Technical and operational support must be performed exclusively within the Union by personnel that are Union residents and by third parties not under third-country control (§3.1(h)).
- Cybersecurity certification. The service must obtain a European cybersecurity certificate of at least assurance level "substantial" under a cloud-services scheme to be established under Regulation (EU) 2019/881 (the Cybersecurity Act); until such a scheme exists, national schemes apply where they exist, and otherwise the provider must demonstrate compliance with the highest cybersecurity standards under applicable Union law (§3.1(e)). Note: "substantial", not "high"; "high" is required only at level 4.
- No third-country control (default rule). As a rule, the provider and its subcontractors must not be subject to the control of a third country or a third-country-established legal entity (§3.1(g)). This is designed to prevent foreign governments from exercising influence, accessing data, or disrupting operations through extraterritorial laws such as the US CLOUD Act.
The exception for third-country providers
CADA recognises that some providers may be subject to third-country control. By way of derogation, Annex II §3.1(g) allows a provider under third-country control to be audited for level 3 where the European Commission has adopted an implementing act under Article 18 identifying that third country as an "associated third country".
That decision is available only where the third country fulfils all six cumulative criteria in Article 18(1): (a) it is subject to a relevant adequacy decision under Article 45 GDPR; (b) it has no measures enabling control that would conflict with the lawful-access rules for non-personal data in Article 32(2)-(3) of the Data Act (Regulation (EU) 2023/2854); (c) it has no measures to compel service degradation or disruption, and none obliging the provider to give effect to restrictive measures unless legitimate under Member State or Union law; (d) it has no measures impeding the provision of state-of-the-art technologies and services; (e) it maintains an open market to Union cloud services; and (f) it grants equivalent procurement access to Union-controlled providers. A GDPR adequacy decision is only one of the six. Even where the derogation applies, the provider would additionally have to demonstrate measures preventing third-country data access, preventing disruption or degradation, allowing reasonable access to the code, and ensuring it is not obliged to give effect to third-country restrictive measures.
Procurement implications
The relevance of level 3 becomes clear in Article 30. Public bodies whose activities have been identified as contributing to the preservation of public order (in sectors falling under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555) and in national security, internal security, external border management, defence, justice or law enforcement) must procure cloud services recognised at Union assurance level 2, 3 or 4 (Article 30(3)). Which level applies is determined by the risk assessment that Member States and Union entities carry out under Article 29. Level 3 is generally suited to activities whose sensitivity and criticality demand strong autonomy and security short of the top-tier level 4.
What this means for you
For public-sector procurement officers and legal teams, understanding level 3 is essential for compliant, secure cloud procurement. As CADA moves through the legislative process, you would prepare for the following.
- Conduct risk assessments. Under Article 29(1), your authority would carry out risk assessments, by one year after entry into force and "thereafter every two years, or whenever necessary", to identify which activities contribute to the preservation of public order and which assurance level (2, 3 or 4) is appropriate. Departments handling sensitive data in defence, justice or critical infrastructure are likely candidates for level 3 or 4.
- Verify recognition in the central repository. In tenders, require evidence of Union assurance level recognition and check the Commission's central repository of recognised services (Article 22) to confirm a provider's level 3 status.
- Scrutinise subcontractors. Level 3 requirements extend to involved subcontractors. Require disclosure of all subcontractors and confirm they meet the establishment, location and citizenship criteria.
- Plan for migration. Where a risk assessment requires moving to another cloud service, Article 29(6) allows a reasonable transition period not exceeding 12 months, taking account of technical feasibility, continuity of service and data portability. Start planning exit and portability now.
- Engage with the audit process. You do not conduct the audit, but you may need to review audit reports as part of due diligence. Note the distinction between a "positive" audit opinion and the formal recognition decision adopted by the national competent authority (Article 17).
Common misconceptions
- "Level 3 is only about cybersecurity." While a "substantial" certificate is required, level 3 is primarily a sovereignty standard: legal jurisdiction, data localisation, personnel citizenship, and freedom from third-country control. A highly secure service can still fail level 3 if it is under third-country control or lets data leave the Union.
- "Self-assessment is enough for level 3." No. Self-assessment is only for level 1 (Article 19). Levels 2, 3 and 4 require independent third-party audits (Article 20). The proposal does not use the term "accredited"; Article 20(4) instead sets independence, competence and objectivity criteria for the auditing organisation.
- "Level 3 requires the 'high' cybersecurity certificate." No. Level 3 requires at least "substantial" (§3.1(e)), the same as level 2. Only level 4 requires "high".
- "Providers from third countries are completely excluded." Not entirely. The default rule bars third-country control, but Article 18 and Annex II §3.1(g) allow a narrow derogation where the Commission identifies the third country as meeting all six cumulative criteria, a high bar, plus robust technical measures by the provider. At level 4 there is no derogation at all.
- "Level 3 applies to all public-sector cloud use." No. Level 1 is the minimum for activities not identified as public-order-relevant (Article 30(2)); levels 2, 3 or 4 apply only where the activity is so identified (Article 30(3)).
Official sources
- GDPR (Regulation (EU) 2016/679)
- Cybersecurity Act (Regulation (EU) 2019/881)
- Data Act (Regulation (EU) 2023/2854)
This is general information about a draft EU regulation, not legal advice.