Summary

Under the proposed Cloud and AI Development Act (CADA), the cumulative-criteria rule mandates that cloud computing service providers seeking higher Union assurance levels (2, 3, or 4) must satisfy all requirements of the lower tiers first. Article 20(1) explicitly states that failure to meet any requirement of a lower assurance level precludes conformity with higher levels. This ensures a strict, layered approach to sovereignty, preventing providers from bypassing foundational security and data residency obligations while pursuing advanced trust certifications. As proposed, this rule transforms the audit from a tier-specific check into a holistic validation of the provider's entire operational stack.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a four-tier "Union assurance level" framework to standardize the sovereignty and security of cloud computing services in the EU. A core architectural feature of this framework is the cumulative nature of its criteria. This means that the requirements for Union assurance levels 2, 3, and 4 are not standalone checklists; they are additive. A provider cannot achieve Union assurance level 3 by meeting only the specific criteria listed for level 3; it must simultaneously comply with all criteria set out for Union assurance levels 1 and 2.

The Legal Basis: Article 20(1)

The binding nature of this cumulative approach is established in Article 20(1) of the CADA proposal. The provision states:

"An audited provider undergoing an audit procedure at a higher Union assurance level shall satisfy all the applicable cumulative criteria under Annex II applicable to the lower Union assurance levels. Failure to meet any requirements of a lower assurance level shall preclude conformity with the higher Union assurance levels."

This clause creates a strict hierarchy of compliance. It transforms the audit process from a series of isolated checks into a comprehensive validation of the provider's entire operational stack against the EU's sovereignty benchmarks. The text leaves no room for interpretation: if a provider fails a criterion at level 1, it is legally impossible for that provider to be recognized at level 2, 3, or 4, regardless of how robust its level 4 controls might be.

How the Cumulative Rule Operates

The cumulative rule functions as a "gatekeeper" mechanism within the audit process defined in Article 20. When an auditing organization assesses a provider for Union assurance level 3, for example, it must verify compliance against three distinct sets of criteria found in Annex II:

  1. Union Assurance Level 1 Criteria: Foundational requirements such as establishment in the Union, location of infrastructure and assets within the Union, and data residency guarantees.
  2. Union Assurance Level 2 Criteria: Enhanced requirements including personnel screening (conditional on public body request), European cybersecurity certification of at least 'substantial' assurance, and strict software supply chain transparency (e.g., Software Bill of Materials).
  3. Union Assurance Level 3 Criteria: The highest tier of autonomy requirements, such as mandatory Union citizenship for personnel, national security clearances where applicable, and absolute exclusion of third-country control over the provider and its subcontractors (subject to the Article 18 derogation).

If the auditing organization identifies a deficiency in any of the Level 1 or Level 2 criteria, the audit for Level 3 fails automatically. The provider cannot argue that its robust Level 3 measures (such as stringent personnel vetting) compensate for a failure in Level 1 measures (such as inadequate data residency controls). The logic is binary: the lower tier is a prerequisite, not an optional baseline.

Rationale Behind the Cumulative Structure

The CADA proposal's explanatory memorandum and recitals highlight that the EU's dependence on non-European cloud providers poses significant risks to operational autonomy and public order. The cumulative criteria rule is designed to address these risks by ensuring that no "weak link" exists in the sovereignty chain.

  1. Preventing Regulatory Arbitrage: Without a cumulative rule, a provider might argue that advanced technical controls (Level 3 or 4) mitigate weaker legal or jurisdictional safeguards (Level 1). The cumulative rule rejects this trade-off, insisting that foundational jurisdictional and data sovereignty controls are non-negotiable prerequisites for higher trust.
  2. Ensuring Consistent Baseline Protection: Union assurance level 1 establishes the minimum baseline for any cloud service interacting with the EU public sector. By making this baseline cumulative, the regulation ensures that even the most highly trusted services (Level 4) adhere to the same fundamental principles of data localization and Union establishment as the entry-level services.
  3. Simplifying Audit Logic: For auditing organizations and national competent authorities, the cumulative rule simplifies the assessment framework. Auditors do not need to weigh the relative importance of different criteria across tiers. The logic is binary: if a lower-tier criterion is not met, the higher-tier certification is impossible. This reduces interpretive ambiguity and legal challenges regarding the weighting of specific safeguards.

Interaction with Audit Procedures

Article 20 outlines the independent third-party audit process required for Union assurance levels 2, 3, and 4. The cumulative rule directly impacts the scope and depth of these audits. Auditors must be equipped to assess the full spectrum of criteria from the lowest applicable tier up to the target tier. This increases the complexity and cost of audits for higher tiers, as providers must maintain compliance evidence for a broader range of requirements.

Furthermore, the rule affects the "audit opinion" issued by the auditing organization. As per Article 20(5), the audit report must include a positive or negative opinion. A negative opinion can be triggered by a failure at any level. For instance, if a provider seeking Level 3 fails to provide a complete Software Bill of Materials (a Level 2 requirement), the auditor must issue a negative opinion for the Level 3 application, regardless of how well the provider meets Level 3-specific requirements.

What this means for you

For in-house counsel and compliance officers overseeing cloud strategy, the cumulative-criteria rule has several critical implications for procurement, vendor management, and internal compliance programs.

1. Rigorous Vendor Due Diligence

When evaluating cloud providers for public sector contracts or critical infrastructure, you cannot accept a provider's claim of "high sovereignty" based solely on their top-tier features. You must verify that they have a clean compliance record across all lower tiers. Request audit reports that explicitly confirm compliance with Union assurance levels 1, 2, and 3 (if applicable) before accepting a Level 3 certification. A provider recognized at Level 4 is, by definition, compliant with Levels 1, 2, and 3.

2. Risk of Certification Loss

The cumulative rule creates a fragile certification status. A provider certified at Union assurance level 4 can lose that status not only by failing Level 4 criteria but also by failing a Level 1 criterion. For example, if a provider moves a subset of its backup infrastructure outside the Union (violating Level 1 data residency rules), it automatically loses its Level 4 status. Compliance officers must monitor providers for changes in infrastructure location, subcontractor arrangements, and personnel composition, as these are Level 1 and 2 triggers.

3. Audit Preparation and Costs

If your organization is a cloud provider seeking recognition, prepare for the increased cost and complexity of audits. You must maintain documentation and controls for all lower-tier criteria even if you are only targeting a higher tier. This means investing in robust data residency monitoring, software supply chain transparency, and personnel vetting processes simultaneously. Failure to allocate resources to lower-tier compliance will block your path to higher assurance levels.

4. Contractual Safeguards

Include clauses in your cloud service agreements that require providers to maintain compliance with all cumulative criteria. Specify that any breach of lower-tier criteria constitutes a material breach of the sovereignty requirements, triggering rights to terminate or migrate. Given the penalties outlined in Article 24 for infringements, ensuring your vendor is fully compliant across all tiers mitigates your own regulatory and operational risks.

5. Deadlines and Transitions

Be aware of the transition periods outlined in CADA. Member States must conduct risk assessments (Article 29) to determine the required assurance level for their activities. If your organization's activities are deemed to require Union assurance level 3, you must migrate to a provider that meets all Level 1, 2, and 3 criteria. The cumulative rule means you cannot temporarily use a provider that meets Level 3 but has pending Level 2 remediation; the certification is all-or-nothing.

Common misconceptions

Misconception 1: Higher tiers replace lower tiers. Many assume that achieving Union assurance level 3 exempts a provider from Level 1 or 2 requirements. This is incorrect. Article 20(1) explicitly states that higher-tier conformity requires satisfying all lower-tier criteria. The tiers are additive, not substitutive.

Misconception 2: Technical controls can compensate for jurisdictional gaps. Some providers believe that advanced encryption or technical sovereignty measures (often associated with higher tiers) can offset weaknesses in legal jurisdiction or data residency (Level 1 criteria). The cumulative rule rejects this. A failure in data residency (Level 1) precludes higher-level certification, regardless of technical robustness.

Misconception 3: Audits only check the target tier. It is a common error to assume that an audit for Union assurance level 4 only examines Level 4 criteria. In reality, the audit must validate compliance against Levels 1, 2, 3, and 4. Auditors will review evidence for data localization, Union establishment, and personnel citizenship in addition to Level 4-specific requirements like absolute exclusion of third-country control.

Misconception 4: Partial compliance is acceptable. Providers may think they can achieve a "partial" Level 3 certification if they meet most criteria. CADA does not allow for partial recognition. As per Article 20, the audit opinion is positive or negative. A single failure at any lower tier results in a negative opinion for the higher tier application.

This is general information about a draft EU regulation, not legal advice.