Summary
Under the proposed Cloud and AI Development Act (CADA), "sensitive data" for Union Assurance Level 4 is not a static, predefined list but is dynamically identified through a mandatory risk assessment conducted by Member States and Union entities. As proposed in Annex II, Section 4.1(c), Level 4 requires that this sensitive data remain exclusively within the Union at all times, with no exceptions for external transfer. This strict residency rule is intended to provide the highest level of operational autonomy and confidentiality for critical public sector activities, distinguishing it sharply from lower assurance levels.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a four-tiered sovereignty framework to mitigate dependencies on non-European cloud providers and safeguard the Union's public order. The highest tier, Union Assurance Level 4, is reserved for the most critical public sector activities where risks to public order, national security, or fundamental rights are significant. Understanding the specific definition and handling of "sensitive data" under this level is crucial for procurement officers, IT directors, and public sector bodies, as it dictates the strictest technical and organizational requirements for cloud service providers.
How "Sensitive Data" is Identified: The Risk Assessment Mechanism
CADA does not provide a rigid, exhaustive list of what qualifies as "sensitive data" for Level 4. Instead, it establishes a risk-based approach anchored in Article 29. Under this article, Member States and Union entities are required to carry out risk assessments to determine which public sector activities contribute to the preservation of public order. These assessments must explicitly consider the "sensitivity, criticality, and magnitude" of the personal and non-personal data processed.
The risk assessment acts as the trigger for Level 4 requirements. It identifies which specific data sets within a public sector activity are deemed "sensitive" and therefore require the highest assurance level. The Commission is empowered to provide guidance to assist Member States in these assessments, ensuring consistency across the Union while allowing for national discretion in classifying specific data types based on local security contexts. Once an activity is identified as requiring Level 4 assurance, the data associated with it is legally classified as "sensitive" for the purposes of the sovereignty framework.
The Absolute Residency Requirement: Annex II 4.1(c)
Once data is classified as sensitive within the context of a Level 4 service, Annex II, Section 4.1(c) imposes an absolute and non-derogable residency requirement. The text of the proposal states:
"the customer data, including metadata and telemetry data, which, following a risk assessment, is identified as sensitive, that is processed, stored and transferred by the audited provider and the subcontractors which are involved in the provision of the service, remain exclusively within the Union and at any time, including before, during or after the configuration or use of the service;"
This provision is notable for its lack of exceptions. Unlike lower assurance levels, which may allow for data transfers outside the Union if explicitly required by the public sector body, Level 4 mandates that sensitive data never leaves the Union. This applies to all phases of the data lifecycle: processing, storage, transfer, and even during service configuration, maintenance, or backup. The phrase "at any time" reinforces that there is no window of opportunity for data to cross the Union's digital borders, ensuring continuous sovereignty.
Cumulative Criteria for Level 4
The sensitive data residency rule is just one of several cumulative criteria for Level 4. As outlined in Annex II, Section 4, a provider must simultaneously demonstrate compliance with a rigorous set of conditions:
- Establishment and Location: The provider and its subcontractors must be established in the Union, and all infrastructure, assets, and personnel involved in the service must be located in the Union.
- Personnel Citizenship: All personnel involved in the provision of the service must be Union citizens. Where appropriate, they must also hold necessary national security clearances issued by a Member State when handling classified information.
- No Third-Country Control: The provider and subcontractors must not be subject to the control of a third country or a legal entity established in a third country. Unlike Level 3, there is no derogation for associated third countries at Level 4.
- Cybersecurity Certification: The service must obtain a European cybersecurity certificate of at least assurance level 'high' under the European Cybersecurity Certification Scheme for Cloud Services (EUCS), once established.
- Software Supply Chain: Providers must retain effective control over software components, ensuring no third country holds effective control over their design, development, or maintenance.
Distinction from Lower Assurance Levels
The definition and handling of data at Level 4 differ significantly from Levels 1, 2, and 3, particularly regarding the flexibility of data residency.
- Level 1: Requires data to remain in the Union unless the public sector body explicitly requires otherwise. This allows for significant flexibility.
- Levels 2 and 3: Also require data to remain in the Union unless the public sector body explicitly requires otherwise. Additionally, Levels 2 and 3 prohibit the use of customer data to train or fine-tune AI systems operated by third countries.
- Level 4: Removes the "unless explicitly required otherwise" clause for data identified as sensitive. This creates a hard boundary for the most critical data sets. Even if a public sector body theoretically wanted to transfer data outside the Union for operational reasons, the Level 4 framework prohibits it to maintain sovereignty and security. The risk assessment itself determines the sensitivity, and once that threshold is crossed, the "no-exception" rule applies.
What this means for you
For public-sector procurement officers, IT directors, and compliance teams, the identification of "sensitive data" under CADA Level 4 is a pivotal step in your cloud strategy. Here is how you should prepare for the proposed regulation:
- Conduct Rigorous Risk Assessments: You must initiate or update your risk assessments as required by Article 29. Clearly document why specific data sets are classified as sensitive and why they require Level 4 assurance. This documentation will be scrutinized by national competent authorities and forms the legal basis for the strict residency requirement.
- Map Your Data Flows: Ensure you have a complete inventory of data flows for critical systems. Identify any current practices that involve transferring sensitive data outside the Union, even for backup or disaster recovery. These practices will need to be halted or migrated to compliant Level 4 providers that guarantee exclusive intra-Union residency.
- Verify Provider Compliance: When procuring Level 4 services, ensure providers can demonstrate compliance with Annex II, Section 4.1(c). This includes verifying that their subcontractors and personnel are also located in the Union and that their infrastructure does not allow for any external data leakage. Because the provision explicitly covers metadata and telemetry, ask where operational telemetry, logging and monitoring pipelines, remote support or administrative access, and backup or disaster-recovery replication terminate, and require evidence rather than assurances for each.
- Plan for Migration: If your current cloud services do not meet Level 4 criteria, plan for migration. Sequence the transition around technical feasibility and service-continuity requirements, but the end state must be strict intra-Union residency for sensitive data.
- Engage with Competent Authorities: Work closely with your national competent authority to ensure your risk assessment aligns with Commission guidance. This will help avoid delays in recognition and ensure that your procurement decisions are legally sound under the proposed framework.
Common misconceptions
Misconception 1: "Sensitive data" is defined solely by the GDPR. While the GDPR defines "special categories of personal data," CADA's concept of "sensitive data" for Level 4 is broader and context-dependent. It includes any data identified as sensitive through the national risk assessment, which may encompass non-personal data, operational data, or data that is not necessarily "special category" under GDPR but is critical for public order or national security.
Misconception 2: Level 4 allows data transfers if the public sector body agrees. This is incorrect. Unlike Levels 1, 2, and 3, which include a clause allowing data to leave the Union if the public sector body explicitly requires it, Level 4 has no such exception for data identified as sensitive. The residency requirement is absolute and cannot be waived by the customer.
Misconception 3: Any provider established in the EU can offer Level 4 services. Establishment in the Union is necessary but not sufficient; the provider must also be free of third-country control. A provider established in the EU but controlled by a non-EU entity cannot offer Level 4 services. Additionally, all subcontractors and personnel must meet the same strict criteria, including Union citizenship.
Misconception 4: Level 4 is only for classified information. While Level 4 is suitable for classified information (as it allows for personnel with national security clearances), it is not limited to it. Any data identified as sensitive through the risk assessment, including high-criticality non-classified data, can trigger Level 4 requirements.
Official sources
Related
- CADA Level 4: Sensitive Data Risk Assessment & Strict Residency Rules
- CADA Level 4 Data Residency: Strict Rules for Sensitive Data
- Can a CADA Level 1 provider serve sensitive government data?
- CADA Level 1 Data Residency: What the Proposal Requires
- What data rule applies at CADA Level 3? Residency & AI Training
This is general information about a draft EU regulation, not legal advice.