Summary

Under the proposed Cloud and AI Development Act (CADA), a provider cannot simply "upgrade" from Union assurance level 1 to level 4; each tier represents a distinct, cumulative set of sovereignty requirements that must be met in full. Moving from level 1 to level 4 requires a provider to progressively tighten data localization, restrict personnel to Union citizens, obtain higher cybersecurity certifications, and eliminate third-country control entirely. Crucially, while level 1 relies on self-assessment, levels 2 through 4 mandate independent third-party audits and formal recognition by national competent authorities, as detailed in Article 16 and Article 20 of the proposal. The criteria are strictly cumulative: to qualify for level 4, a provider must satisfy every requirement of levels 1, 2, and 3, plus the additional "high" assurance criteria.

Detail

The CADA proposal establishes a Union cloud computing sovereignty framework comprising four assurance levels. The path from level 1 to level 4 is not a linear progression of minor adjustments but a series of structural overhauls regarding infrastructure, personnel, legal control, and cybersecurity. As proposed, a provider aiming for the highest level of sovereignty (level 4) must satisfy all criteria of the lower levels, because the requirements are cumulative. Article 20(1) explicitly states that an audited provider undergoing an audit procedure at a higher Union assurance level "shall satisfy all the applicable cumulative criteria under Annex II applicable to the lower Union assurance levels." Failure to meet any requirement of a lower assurance level precludes conformity with the higher Union assurance levels.

Step 1: Establishing the Baseline (Union Assurance Level 1)

Level 1 serves as the entry point for providers wishing to serve the public sector. It establishes the foundational requirement of Union establishment and data residency.

To achieve level 1, a provider must demonstrate compliance through a conformity self-assessment (Article 19). The provider issues an EU statement of conformity and assumes full responsibility for compliance. The key criteria under Annex II, Section 1 include:

  • Establishment: The provider must be established in the Union.
  • Infrastructure and Assets: Infrastructure and assets, including those of subcontractors, must be located in the Union unless the public sector body explicitly requires otherwise.
  • Data Residency: Customer data, including metadata and telemetry, must remain exclusively within the Union unless the public sector body explicitly requires otherwise.
  • Subcontracting Transparency: The provider must provide full transparency around the use of subcontractors and subject them to due diligence.
  • Third-Country Control: If the provider is subject to the control of a third country, it must guarantee that no laws in that third country require reporting software vulnerabilities to third-country authorities prior to exploitation.

At this stage, no independent audit is required. The provider self-certifies, and for SMEs, this recognition is automatic across the Union without prior national authority review (Article 17(3)). For non-SMEs, the statement is submitted to the national competent authority of establishment for recognition.

Step 2: Introducing Independent Verification and Stricter Controls (Union Assurance Level 2)

Moving to level 2 introduces a significant operational shift: the requirement for independent third-party audits (Article 20). A provider can no longer self-certify; it must undergo an audit by an accredited auditing organization and obtain a "positive" audit opinion.

The criteria for level 2 build cumulatively on level 1 but add stringent operational and supply chain controls, as outlined in Annex II, Section 2:

  • Personnel Location: Personnel involved in the service provision, including subcontractors, must be located in the Union.
  • Cybersecurity Certification: The service must obtain a European cybersecurity certificate of at least assurance level 'substantial' under the EUCS scheme (or national schemes if EUCS is not yet available).
  • AI Training Data: Data generated by using the service cannot be used to train or fine-tune any AI system operated by a third country or a legal entity established in a third country.
  • Software Supply Chain: Providers must maintain a complete and up-to-date Software Bill of Materials (SBOM). If software components are provided by a third country, controls must be implemented to block remote features that could tamper with or disrupt the system.
  • Third-Country Control Mitigation: If the provider is under third-country control, it must demonstrate measures ensuring that the third country cannot restrict service delivery, access customer data, or disrupt service continuity.
  • Support Localization: Technical and operational support must be initiated and performed exclusively within the Union.

Step 3: Enforcing Union Citizenship and Separation (Union Assurance Level 3)

Level 3 is designed for higher-risk public sector activities. It introduces strict personnel nationality requirements and tighter restrictions on third-country influence.

The audit requirement remains, but the criteria under Annex II, Section 3 become more restrictive:

  • Union Citizenship: Personnel involved in the provision of the service, including subcontractors, must be Union citizens. Where appropriate, they must also have national security clearance for handling classified information.
  • Support Personnel Residency: Technical and operational support must be performed by personnel who are Union residents and by third parties not subject to third-country control.
  • Third-Country Control Derogation: Generally, providers and subcontractors must not be subject to third-country control. However, a derogation exists: a provider under third-country control may qualify for level 3 only if the Commission has adopted an implementing act under Article 18 recognizing that specific third country as providing sufficient assurances. Even then, strict legal, technical, and organizational separation measures must be proven.
  • Subcontractor Sensitivity: Where subcontractors need access to classified or sensitive information, they are subject to heightened scrutiny.

Step 4: The Highest Standard of Sovereignty (Union Assurance Level 4)

Level 4 represents the maximum level of Union assurance, intended for the most critical public order activities. It eliminates almost all flexibility regarding third-country influence and raises cybersecurity standards.

The cumulative criteria for level 4, found in Annex II, Section 4, include:

  • No Third-Country Control: The audited provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country. There is no derogation for this criterion at level 4, unlike level 3.
  • High Cybersecurity Certification: The service must obtain a European cybersecurity certificate of at least assurance level 'high' under the EUCS scheme.
  • Effective Control Over Software: Providers must demonstrate effective control over software components, ensuring that a third country does not hold or exercise effective control over the design, development, maintenance, and evolution of those components. This includes the ability to influence technical evolution and security remediation.
  • Personnel and Support: All personnel must be Union citizens with necessary security clearances. Support must be provided by Union residents and entities not under third-country control.
  • Data Sensitivity: The framework allows for the secure hosting of EU classified information, requiring the highest levels of data protection and operational autonomy.

The Audit and Recognition Process Across Tiers

The mechanism for validation changes dramatically between level 1 and levels 2–4.

  • Level 1: Governed by Article 19, this is a self-assessment. The provider issues an EU statement of conformity. For SMEs, this is automatically recognized. For larger providers, it is submitted to the national competent authority of establishment for recognition.
  • Levels 2, 3, and 4: Governed by Article 20, these levels require independent audits. The provider must contract an auditing organization that is independent, has no conflicts of interest, and possesses proven expertise. The audit must result in a "positive" opinion. The provider then submits the audit report, the opinion, and all evidence to the national competent authority for recognition (Article 17).

The recognition process involves a 60-day review period by other Member States' competent authorities. If no objections are raised, the service is recognized across the Union. If objections arise, the evaluating authority must assess them, potentially leading to a referral to the Commission for a binding decision (Article 17(10)).

What this means for you

For cloud service providers and data centre operators, the roadmap from level 1 to 4 is a strategic transformation of your business model, not just a compliance checklist.

  1. Invest in Audit Readiness Early: Do not wait until you are ready to apply for level 2 or 3 to prepare for audits. The evidentiary requirements for levels 2–4 (Annex III) are extensive, covering infrastructure location, personnel contracts, SBOMs, and supply chain documentation. Start documenting these processes under your level 1 self-assessment.
  2. Restructure Supply Chains: Moving from level 1 to 2 requires you to bring technical support and operations strictly within the Union. If you currently rely on offshore support centers, you must either relocate these functions or exclude them from the scope of the audited service.
  3. Manage Personnel Nationality: For levels 3 and 4, you must ensure that all personnel involved in service provision are Union citizens. This may require hiring strategies that prioritize Union nationals or obtaining security clearances for existing staff. Note that for level 2, Union citizenship is only required if the public body explicitly demands it; for levels 3 and 4, it is mandatory.
  4. Eliminate Third-Country Control for Level 4: If your goal is level 4, you cannot be under the control of a third country. This means reviewing your corporate governance, shareholder structures, and board compositions to ensure no third-country entity can exert strategic control.
  5. Plan for Cybersecurity Certification: Level 2 requires 'substantial' EUCS certification, and level 4 requires 'high'. Begin aligning your security practices with the EUCS scheme requirements now, as the certification process can be time-consuming.

Common misconceptions

  • "Level 1 is just a lighter version of Level 2." While the criteria are cumulative, the validation mechanism is fundamentally different. Level 1 is self-declared; levels 2–4 require rigorous, independent third-party audits. The jump in administrative burden and cost is significant.
  • "I can keep my offshore support team if I only use Union-based staff for the core service." For levels 2–4, the requirement is that technical and operational support must be initiated and performed exclusively within the Union (Annex II, Section 2(h), Section 3(h), Section 4(h)). Offshore support teams cannot be part of the audited service scope for these levels.
  • "Third-country control is acceptable if I have strong contracts." For level 4, third-country control is prohibited entirely. For level 3, it is only permitted if the Commission has specifically recognized the third country under Article 18. For level 2, it is permitted but requires demonstrating that the third country cannot restrict service or access data. Contracts alone are insufficient; legal and technical separation measures must be proven.
  • "The audit is a one-time event." Article 20(8) requires annual reviews. The auditing organization must assess continued compliance every year. The audit report and opinion must be updated or revoked based on this annual review.
  • "Level 3 allows third-country control without conditions." Level 3 allows a derogation for third-country control only if the Commission has adopted an implementing act under Article 18 for that specific third country. Without this specific Commission decision, the provider must not be subject to third-country control.

This is general information about a draft EU regulation, not legal advice.