Summary
As proposed in the Cloud and AI Development Act (CADA), the primary difference between Union assurance level 2 and level 3 lies in personnel and control requirements. Under Annex II, level 3 would require that personnel involved in service provision be Union citizens and would bar any provider or subcontractor from being subject to third-country control (save a narrow Article 18 derogation), whereas level 2 would allow third-country control if specific safeguards are met and would require Union citizenship only where the public sector body determines it necessary. Both levels require infrastructure and data to remain within the Union, and both require an independent third-party audit (Article 20). The cybersecurity certificate threshold is the same at both levels: at least "substantial". CADA is a proposal and is not in force; details could change.
Detail
CADA, COM(2026) 502 final, would introduce a harmonised sovereignty framework comprising four Union assurance levels (Article 16), each with criteria in Annex II that providers must meet to serve public sector bodies. While levels 2 and 3 share foundations on data and infrastructure location, level 3 would impose significantly stricter rules on personnel nationality and corporate control to address higher risks to public order. Both levels are verified by independent third-party audit under Article 20 (level 1, by contrast, uses self-assessment under Article 19), and both are cumulative — a level 3 candidate must also satisfy every level 1 and level 2 criterion (Article 20(1)).
Shared foundations: data and infrastructure
Both levels share core requirements on data and infrastructure location. Under Annex II §2.1(c) (level 2) and §3.1(c) (level 3), customer data — including metadata and telemetry — must remain exclusively within the Union at any time (before, during and after configuration or use), unless the public sector body explicitly requires otherwise. Likewise, for both levels the infrastructure, assets and personnel of the provider and its involved subcontractors must be located within the Union (§2.1(b) and §3.1(b)).
Key difference 1: personnel nationality and clearance
The most visible operational difference concerns the nationality of the staff who deliver the service.
Level 2 (conditional citizenship). Under Annex II §2.1(d), level 2 does not automatically require Union citizenship. If the public sector body determines that additional personnel screening and Union-citizenship requirements are necessary, the provider should ensure that personnel meeting those requirements are available. Union citizenship is therefore conditional, triggered only by the contracting authority's determination.
Level 3 (mandatory citizenship and clearance). Annex II §3.1(d) imposes a blanket requirement: personnel, including subcontractor personnel, involved in the provision of the audited service must be Union citizens and, where appropriate, must hold the necessary national security clearance issued by a Member State when handling classified information. This removes the contracting authority's discretion — a level 3 service must inherently meet these criteria.
Key difference 2: third-country control
The second major divergence is ownership and control.
Level 2 (control permitted with safeguards). Annex II §2.1(g) allows a level 2 provider to be subject to the control of a third country or a third-country-established legal entity, provided it demonstrates the legal, technical and organisational measures needed to ensure that:
- the control does not restrict delivery of the service;
- third-country access to customer data is prevented;
- disruption or degradation of the service is prevented; and
- the provider is not obliged to give effect to third-country restrictive measures, unless those measures are legitimate under Member State or Union law.
In effect, level 2 permits third-country control if robust "ring-fencing" is shown to be effective. Notably, level 2 does not require any Commission decision on the third country.
Level 3 (no third-country control). Annex II §3.1(g) establishes a prohibition: the audited provider and its subcontractors must not be subject to the control of a third country or a third-country-established legal entity. The only exception is a narrow derogation where the Commission has adopted an implementing act under Article 18 (associated third countries) identifying the relevant third country — available only where that country meets all six cumulative criteria in Article 18(1). Without such a decision, third-country control disqualifies a provider from level 3.
Key difference 3: technical and operational support
The location and status of support teams also differ.
Level 2. Annex II §2.1(h) requires that technical and operational support, including sub-outsourcing, be initiated and performed exclusively within the Union. It does not mandate the nationality or residency of support personnel — only that the activity occur in the Union.
Level 3. Annex II §3.1(h) tightens this: support must be initiated and performed exclusively within the Union and carried out by personnel that are Union residents and by third parties that are not subject to third-country control. This adds residency and control verification to the support chain that level 2 lacks.
Key difference 4: cybersecurity certification
Here the levels are at parity. Level 2 requires a European cybersecurity certificate of at least assurance level "substantial" (Annex II §2.1(e)); level 3 also requires at least "substantial" (§3.1(e)). The stricter personnel and control rules of level 3 may drive higher operational security in practice, but the baseline certification tier is identical. Only level 4 requires "high" (§4.1(e)).
What this means for you
For in-house counsel and compliance officers, distinguishing level 2 from level 3 is critical for procurement strategy and vendor management.
Procurement strategy. When conducting the risk assessments required by Article 29(1), to be carried out within one year of entry into force and "thereafter every two years, or whenever necessary", you must determine whether your activities are identified as contributing to the preservation of public order in the relevant NIS2 sectors or in national security, internal security, external border management, defence, justice or law enforcement. If so, Article 30(3) requires you to procure only services recognised at level 2, 3 or 4. You must then decide whether level 2's conditional safeguards suffice or whether the mandatory barriers of level 3 are required.
Vendor due diligence. For level 3, your due diligence must extend beyond technical audits to corporate governance. Verify:
- Ownership and control structures — neither the provider nor any involved subcontractor is subject to the control of a third country or a third-country-established entity, unless a Commission implementing act under Article 18 covers that country.
- Personnel — all staff involved in providing the service hold Union citizenship and, where the service handles classified information, the required Member State security clearance.
- Support chains — subcontractors are not under third-country control and their support staff are Union residents.
Penalties and liability. Article 24 requires Member States to lay down penalties that are "effective, proportionate and dissuasive", assessed against non-exhaustive factors (including the nature, gravity and duration of the infringement and the provider's annual Union turnover). A provider that intentionally or negligently supplies incorrect or misleading information can have its recognition revoked (Article 17(11)), and recipients have a right to seek compensation for damage from an infringement (Article 24(3)).
Transition periods. Where a risk assessment requires migration to another cloud service, Article 29(6) allows a reasonable transition period not exceeding 12 months, taking account of technical feasibility, continuity of service and data portability. Plan vendor transitions accordingly.
Common misconceptions
"Level 2 and level 3 have different data localisation rules." No. Both require customer data to remain exclusively within the Union (§2.1(c) and §3.1(c)). The difference lies in who handles the data and who controls the company handling it.
"Third-country-owned providers can never reach level 3." Not entirely. While §3.1(g) generally bars third-country control, a derogation exists where the Commission adopts an implementing act under Article 18 identifying the third country (meeting all six cumulative criteria of Article 18(1)). This is exceptional and tightly controlled.
"Level 3 requires every employee of the provider to be an EU citizen." No. The requirement applies to personnel "involved in the provision of the audited service" (§3.1(d)). Staff in unrelated functions are not the target of that criterion, though providers often extend checks more broadly in practice.
"Level 2 requires EU citizenship by default." No. Under §2.1(d), Union citizenship is required only where the public sector body explicitly determines it necessary — conditional, not a baseline of the certification itself.
"Level 2 needs a Commission decision on the third country, like level 3." No. The Article 18 decision is part of the level 3 derogation. At level 2, third-country control is addressed through the §2.1(g) safeguards alone.
Related
- What is the difference between CADA Level 3 and Level 4?
- What is the difference between CADA level 1 and level 2?
- Why would a public body require CADA Level 4 over Level 3?
- Why choose a CADA Level 1 provider? The baseline for public procurement
- Why is CADA Level 4 the highest sovereignty tier?
This is general information about a draft EU regulation, not legal advice.