Summary

Under the proposed Cloud and AI Development Act (CADA), the minimum cloud assurance level for an ordinary public body is Union assurance level 1. This baseline is mandatory for all public sector bodies whose activities have not been identified as contributing to the preservation of public order following a risk assessment under Article 29(1). To be compliant, the cloud service provider must be formally recognised under Article 17 as offering this level. If a public body's activities are deemed public-order relevant, the minimum escalates to levels 2, 3, or 4.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a harmonised Union cloud computing sovereignty framework designed to mitigate strategic dependencies on non-European providers. A central pillar of this framework is the tiered system of Union assurance levels, which public procurement authorities must apply when acquiring cloud computing services.

The regulation establishes a clear hierarchy of obligations based on the sensitivity of the public sector activity in question. This distinction ensures that the principle of proportionality is respected: standard administrative functions face a baseline requirement, while critical functions face stricter sovereignty mandates.

The Baseline Obligation: Article 30(2)

The definitive rule for ordinary public bodies is found in Article 30(2) of the proposal. It states:

"Union entities and public sectors bodies whose public sector activities have not been identified as contributing to the preservation of public order under the risk assessment referred to in Article 29(1) shall use cloud computing services that have been recognised under Article 17 as having a Union assurance level 1."

This provision creates a mandatory floor. Unless a specific risk assessment (conducted under Article 29) determines that an activity contributes to the preservation of public order, the contracting authority is legally bound to procure only services recognised at Union assurance level 1. Procuring services below this level, or services that have not undergone the formal recognition process, would constitute an infringement of the regulation.

What Constitutes Union Assurance Level 1?

The specific criteria for Union assurance level 1 are detailed in Annex II, Section 1 of the proposal. To achieve this level, a cloud computing service provider must meet the following cumulative criteria:

  • Union Establishment: The provider must be established in the Union.
  • Infrastructure Location: The infrastructure and assets, including those of subcontractors involved in the service, must be located in the Union. An exception applies only if the public sector body explicitly requires otherwise.
  • Data Localisation: Customer data (including metadata and telemetry) processed, stored, or transferred must remain exclusively within the Union, unless the public sector body explicitly requires otherwise.
  • Cybersecurity: The provider must demonstrate compliance with state-of-the-art cybersecurity standards.
  • Subcontractor Transparency: The provider must offer full transparency regarding subcontractors, subjecting them to due diligence and ongoing oversight.
  • Third-Country Control Safeguards: If the provider is subject to the control of a third country, they must guarantee that no laws in that country require the reporting of software vulnerabilities to third-country authorities prior to public disclosure.

The Recognition Mechanism: Article 17

A service does not automatically qualify as Level 1 simply by meeting the technical criteria; it must be formally recognised. Article 17 outlines the procedure:

  1. Application: The provider submits an application for recognition to the national competent authority of their establishment.
  2. Evidence: For Level 1, the provider must submit an EU statement of conformity (issued under Article 19) demonstrating compliance with the Annex II criteria.
  3. SME Derogation: Article 17(3) introduces a significant simplification for Small and Medium-sized Enterprises (SMEs). The EU statement of conformity issued by SMEs is directly and automatically recognised in all Member States without the need for prior evaluation by the national competent authority.
  4. Central Repository: Once recognised, the service is registered in the central repository maintained by the Commission under Article 22, making it visible to all public buyers across the Union.

The Exception: Public Order Relevance

The baseline of Level 1 applies only where public order is not at stake. Article 29 requires Member States and Union entities to conduct risk assessments to identify activities that contribute to the preservation of public order (e.g., in sectors covered by the NIS2 Directive, national security, defence, justice, or law enforcement).

If a risk assessment identifies an activity as public-order relevant, Article 30(3) applies:

"Contracting authorities... whose activities have been identified as contributing to the preservation of public order... shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."

In these cases, Level 1 is insufficient. The contracting authority must procure services at the higher level determined by the risk assessment, which entails stricter requirements regarding personnel (e.g., Union citizenship), cybersecurity certification (e.g., "substantial" or "high" assurance), and the absence of third-country control.

What this means for you

For public procurement officers and legal counsel within public bodies, the proposed CADA introduces a binary compliance check before any tender is launched.

1. The Risk Assessment First Step

Before drafting tender specifications, your entity must verify the outcome of the Article 29 risk assessment.

  • If the activity is NOT public-order relevant: You are legally required to set the minimum requirement at Union assurance level 1. You cannot demand Level 2 or higher unless justified by other procurement criteria, but you must demand at least Level 1.
  • If the activity IS public-order relevant: You must determine the specific level (2, 3, or 4) required by your risk assessment and mandate that level in the tender.

2. Verify Recognition, Not Just Claims

Do not accept a bidder's self-declaration that they are "EU-based" or "secure." Under Article 30(2), the service must be recognised under Article 17.

  • Action: Check the central repository (Article 22) to confirm the service is listed and recognised at the required level.
  • SME Check: If the bidder is an SME, verify they have issued a valid EU statement of conformity; this is automatically recognised without a prior national audit.

3. Draft Precise Tender Clauses

Your tender documents must explicitly reference the CADA framework. A compliant clause would state:

"The cloud computing service offered must be recognised under Article 17 of Regulation [CADA] as offering at least Union assurance level 1, as the activity is not identified as contributing to the preservation of public order under Article 29."

4. Monitor for Material Changes

Under Article 23, recognised providers must notify authorities of any material changes that could affect their assurance level. As a buyer, you should monitor the central repository. If a provider's recognition is revoked or amended, you may need to trigger a migration plan, as the service would no longer be compliant for procurement.

Common misconceptions

Misconception 1: "If a provider has servers in the EU, they meet Level 1."

Correction: No. Annex II requires a holistic set of criteria, including Union establishment, data localisation, cybersecurity standards, and specific safeguards against third-country control. Furthermore, the provider must undergo the formal recognition process under Article 17. Without this formal recognition, the service is not compliant for public procurement, regardless of where the servers are physically located.

Misconception 2: "Level 1 prohibits all data transfers outside the EU."

Correction: Annex II(1)(c) states that data must remain in the Union unless the public sector body explicitly requires otherwise. This means Level 1 allows for cross-border data transfers if the public body explicitly authorises them in the contract. However, the default and safest interpretation for standard compliance is exclusive Union residency.

Misconception 3: "This rule only applies to central government ministries."

Correction: Article 30 applies to all "contracting authorities" and "Union entities." This encompasses local municipalities, regional councils, public hospitals, and universities, provided they are procuring cloud services for their exclusive use. The obligation is universal across the public sector unless a specific risk assessment dictates otherwise.

Misconception 4: "A US provider with an EU subsidiary automatically qualifies for Level 1."

Correction: Not necessarily. While the subsidiary must be established in the Union, Annex II(1)(g) imposes a strict test on third-country control. If the provider is controlled by a third country, it must guarantee that no laws in that country require it to report software vulnerabilities to foreign authorities before they are publicly known. Many US-based providers may struggle to meet this specific sovereignty criterion without structural changes.

This is general information about a draft EU regulation, not legal advice.