Summary

Union assurance Level 4 would be the highest tier of the proposed Cloud and AI Development Act's (CADA) cloud sovereignty framework, reserved for the most sensitive public-sector activities. As proposed, the provider and its relevant subcontractors must be established in the Union, all infrastructure, assets, and personnel must be located in the Union, sensitive customer data must stay exclusively in the Union, staff must be Union citizens (with security clearance where appropriate), the service must hold a "high"-level cybersecurity certificate, and there is an absolute prohibition on third-country control — with no associated-third-country derogation. Recognition requires an independent third-party audit (Article 20).

Detail

CADA would create a Union cloud computing sovereignty framework of four Union assurance levels, with criteria set out in Annex II (Article 16). Level 4 sits at the top. Which level a public sector body must use is driven by a risk assessment (Article 29): bodies whose activities are identified as contributing to the preservation of public order — in sectors under Annex I or II of Directive (EU) 2022/2555 and in national security, internal security, external border management, defence, justice, or law enforcement — must procure services recognised at Level 2, 3, or 4 (Article 30(3)), with the methodology steering the highest level toward the most critical activities, including defence (Article 29(3)).

To be recognised at Level 4, a provider must meet all of the cumulative criteria in Annex II, point 4.1.

Core criteria for Union assurance Level 4

1. EU establishment and location. The audited provider and the subcontractors involved in providing the service must be established in the Union, and all infrastructure, assets, and personnel involved must be located in the Union (4.1(a)–(b)).

2. Strict data localisation. Customer data — including metadata and telemetry — that a risk assessment identifies as sensitive must remain exclusively within the Union at all times, including before, during, and after configuration or use of the service (4.1(c)). Unlike lower tiers, there is no "unless the public sector body requires otherwise" carve-out for this sensitive data.

3. EU citizenship and clearance. All personnel involved in the service, including subcontractor personnel, must be Union citizens, and where appropriate must hold the national security clearance issued by a Member State for handling classified information (4.1(d)).

4. No third-country control. The provider and its relevant subcontractors must not be subject to the control of a third country or a legal entity established in a third country (4.1(g)). This is absolute: unlike Level 3, there is no derogation for "associated third countries."

5. Highest cybersecurity certification. The service must obtain a European cybersecurity certificate of at least assurance level "high" under a cloud certification scheme to be established under Regulation (EU) 2019/881 (the Cybersecurity Act). Until such a scheme exists, national schemes apply where they exist; absent any scheme, the provider must demonstrate compliance with the highest cybersecurity standards under applicable Union law (4.1(e)).

6. No third-country AI training. Data generated by using the service must not be used to train or fine-tune any AI system operated by a third country or a legal entity established in a third country, and must not be transferred outside the Union in any case (4.1(f)).

7. Effective control over software. The provider must demonstrate that a third country, or a legal entity established there, does not hold or exercise effective control over the design, development, maintenance, and evolution of software components or products — where "effective control" includes the ability to materially influence technical evolution, maintenance priorities, security remediation, and long-term continuity (4.1(i)). A complete, up-to-date SBOM and dependency list must be made available to the auditor.

8. Union-based support. Technical and operational support, including sub-outsourcing, must be initiated and performed exclusively within the Union, by personnel who are Union residents, and by third parties not subject to third-country control (4.1(h)).

9. Open source and separation. Where open-source software is used, the provider must implement and document controls preventing remote features that could tamper with or disrupt a device, system, or software (4.1(j)). And where the provider serves customers outside the Union via a third-country subsidiary, it must enforce effective legal, technical, and organisational separation between the Union parent and that subsidiary (4.1(k)).

The recognition process

Recognition is sought from the national competent authority of establishment (Article 17). For Level 4, this requires an independent third-party audit at the provider's expense (Article 20(1)) by an independent, competent auditing organisation (Article 20(4)). The auditor issues an audit report and a "positive" opinion if the criteria are met (Article 20(5)). The provider submits the report, the positive opinion, and all evidence given to the auditor (Article 17(4)); the authority then has 60 days to assess and, if satisfied, prepares a draft recognition decision notified to other Member States for a 60-day review (Article 17(5)). Recognised services are listed in a public central repository maintained by the Commission (Article 22).

What this means for you

For public-sector procurement officers, Level 4 is the standard for your most critical operations. If your risk assessment (Article 29) identifies your activities as contributing to the preservation of public order and warranting the highest tier — for example defence or high-end law enforcement — you would be required to procure only from providers recognised at the appropriate level (Article 30(3)).

  • Specify it precisely. Your tender documents would need to require Level 4 recognition, and you should confirm current status in the central repository (Article 22).
  • Expect a smaller field. The EU-citizenship requirement and the absolute ban on third-country control narrow the pool considerably.
  • Plan migrations. Where a risk assessment requires moving to another service, the transition period must not exceed 12 months, taking account of technical feasibility, continuity, and data portability (Article 29(6)).
  • Layer, don't replace. Level 4 complements your existing GDPR and NIS2 (Directive (EU) 2022/2555) obligations; it adds a sovereignty layer rather than supplanting data-protection or security duties.

Common misconceptions

"Level 4 is just stronger cybersecurity." It requires the "high" certificate, but sovereignty is distinct from security. A technically secure service can still be subject to foreign law that compels data access or disruption — which Level 4 addresses through Union establishment, EU-citizen staff, and the ban on third-country control.

"Any EU-based provider qualifies easily." Not so. Third-country shareholders, third-country-controlled subsidiaries, or software where the provider lacks effective control can all disqualify a provider.

"Level 4 applies to all public-sector cloud use." No. Bodies not identified as contributing to the preservation of public order need only Level 1 (Article 30(2)). Level 4 is reserved for the most critical activities.

"Third-country-controlled providers can sometimes reach Level 4." No. The associated-third-country derogation (Article 18) applies only to Level 3. Level 4 (Annex II 4.1(g)) permits no third-country control and no such exception.

This is general information about a draft EU regulation, not legal advice.