Summary
The easiest Cloud and AI Development Act (CADA) tier to explain to non-technical stakeholders is Union Assurance Level 1. As proposed in Article 16 of COM(2026) 502 final, this level functions as a clear, verifiable baseline of sovereignty. It requires that the cloud provider is established in the EU and that its infrastructure and assets are located within the Union. While Levels 2 through 4 offer graded, increasing levels of sovereignty up to maximum protection at Level 4, Level 1 serves as the most accessible entry point. It translates complex legal requirements into a simple "EU-based" standard, ensuring data remains under EU jurisdiction and operational autonomy is maintained for general public sector procurement.
Detail
The proposed Cloud and AI Development Act (CADA) introduces a Union cloud computing sovereignty framework designed to reduce the EU's dependence on non-European providers and safeguard public order. As outlined in Article 16, this framework consists of four distinct "Union assurance levels." For procurement officers, board members, and non-technical stakeholders, the technical depth of these levels can initially seem daunting. However, the structure is intentionally graded and verifiable, allowing for a clear narrative that moves from basic compliance to maximum sovereignty.
Union Assurance Level 1: The EU-Based Baseline
Level 1 is the most straightforward to explain because it establishes a fundamental geographic and legal boundary. Under Article 16, this level sets the minimum criteria for cloud computing services to be recognised as providing Union assurance. The core requirements, detailed in Annex II, Section 1, are binary and easy to verify:
- Establishment: The cloud computing service provider must be established in the Union.
- Infrastructure Location: The infrastructure and assets of the provider, including those of its subcontractors involved in the service, must be located in the Union.
- Data Residency: Customer data, including metadata and telemetry, must remain exclusively within the Union.
For a non-technical stakeholder, this translates to a simple concept: "EU-based." It ensures that the entity holding the data is subject to EU law and that the physical servers are within EU borders. This level acts as a baseline safeguard, ensuring that data is not held by entities subject to extraterritorial laws from third countries that might conflict with EU fundamental rights. It is the default requirement for public sector bodies whose activities have not been identified as contributing to the preservation of public order in high-risk sectors.
Crucially, Level 1 allows for a degree of flexibility regarding subcontractors. As per Annex II, Section 1(d), if a provider outsources technical support to third parties outside the Union, they must implement necessary legal, technical, and organisational measures to ensure traceability and security without compromising operational autonomy. This distinction is vital: the primary provider and infrastructure are EU-based, even if some support functions are managed globally under strict controls.
Levels 2, 3, and 4: Graded Sovereignty
As the assurance levels increase, the requirements become stricter, offering graded sovereignty. These levels are not just about location; they involve independent audits, stricter personnel controls, and deeper restrictions on third-country influence.
- Level 2 introduces independent third-party audits. It requires that the provider and its subcontractors are established in the Union, and that all infrastructure, assets, and personnel are located in the Union. It also mandates that data generated by the service cannot be used to train AI systems operated by third countries. A key differentiator is the cybersecurity requirement: the service must obtain a European cybersecurity certificate of at least assurance level "substantial" (Annex II, Section 2(e)).
- Level 3 tightens these controls further, particularly regarding personnel. It requires that personnel involved in the provision of the service are Union citizens (Annex II, Section 3(d)). It also addresses the risk of third-country control more rigorously. While Level 3 generally prohibits third-country control, Article 18 provides a derogation mechanism where the Commission may recognise a third country as providing sufficient assurances, allowing services controlled from that country to qualify for Level 3 if specific safeguards are met.
- Level 4 represents the maximum sovereignty. It is designed for the most critical public sector activities, such as those involving national security or classified information. At this level, the requirements are the most stringent. Personnel must be Union citizens with necessary national security clearances (Annex II, Section 4(d)). The cybersecurity requirement escalates to a certificate of at least assurance level "high" (Annex II, Section 4(e)). Furthermore, the provider must demonstrate that no third country holds effective control over the software or infrastructure, ensuring the highest degree of operational autonomy.
Why Level 1 is the Easiest to Explain
Level 1 is the easiest to communicate because it relies on binary, easily understood concepts: "Is the company based in the EU?" and "Are the servers in the EU?" In contrast, explaining Level 4 requires discussing complex concepts like "effective control," "source code audits," "security clearances," and "high" cybersecurity certification, which are less intuitive for non-technical audiences. Level 1 provides a solid foundation for the conversation, establishing that CADA is about ensuring EU jurisdiction and control over digital infrastructure. It is the "floor" of the framework, as proposed in Article 30(2), which mandates that all public sector bodies procure at least Level 1 services.
What this means for you
For public-sector procurement officers and strategic planners, understanding the CADA tiers is crucial for compliance and risk management. The proposal obliges Member States and Union entities to conduct risk assessments to determine which Union assurance level is appropriate for their specific activities (Article 29).
- Default Procurement: If your public sector activities have not been identified as contributing to the preservation of public order in high-risk sectors (such as national security, defense, or law enforcement), you must procure cloud computing services that have been recognised as offering Union Assurance Level 1. This means you need to verify that the provider is EU-established and that their infrastructure is within the EU. This is the baseline for all public procurement under Article 30(2).
- High-Risk Procurement: If your activities are identified as contributing to public order in sensitive sectors, you must procure services recognised at Level 2, 3, or 4, depending on the risk assessment (Article 30(3)). This requires engaging with providers who can demonstrate compliance through independent audits and stricter operational controls.
- Verification: The proposal establishes a central repository of recognised services (Article 22). As a procurement officer, you will rely on this repository to verify that a provider meets the required assurance level. You do not need to conduct the technical audits yourself; you rely on the recognition granted by national competent authorities.
By starting with Level 1, you can ensure basic compliance while understanding the pathway to higher levels if your risk assessment demands it. The graded nature of the framework allows for proportionate procurement, ensuring that you are not over-investing in maximum sovereignty for low-risk activities.
Common misconceptions
"All cloud services must be Level 4." No. Level 4 is reserved for the most critical activities involving classified information or national security. Most public sector bodies will operate at Level 1 or 2. The framework is proportionate, ensuring that only high-risk activities require the most stringent and costly controls.
"Level 1 means no third-country involvement at all." Not exactly. Level 1 allows for subcontractors outside the Union, provided that necessary legal, technical, and organisational measures are implemented to ensure traceability, security, and governance (Annex II, Section 1(d)). It does not ban all third-country involvement, but it ensures that the primary provider and the core infrastructure are EU-based.
"CADA replaces existing cybersecurity standards." No. CADA complements existing cybersecurity frameworks like the Cybersecurity Act. The assurance levels include cybersecurity requirements (e.g., state-of-the-art standards for Level 1, "substantial" for Levels 2-3, and "high" for Level 4), but they also address broader sovereignty concerns like operational autonomy, data residency, and third-country control, which are not covered by cybersecurity certifications alone.
"Level 3 is the same as Level 4 regarding personnel." While both require Union citizens, Level 4 adds the requirement for national security clearances when handling classified information. Additionally, Level 4 requires a "high" cybersecurity certificate, whereas Level 3 requires a "substantial" one.
This is general information about a draft EU regulation, not legal advice.