Summary
Under the proposed Cloud and AI Development Act (CADA), EU citizenship and strict control over personnel are critical determinants for achieving the highest levels of cloud sovereignty. While Union Assurance Level 1 focuses on establishment and data location, Levels 2, 3, and 4 introduce escalating requirements for personnel location and citizenship. Specifically, Level 2 requires personnel to be located in the Union, with citizenship requirements conditional on the public body's needs; Level 3 mandates that all personnel involved in service provision be Union citizens; and Level 4 reinforces this alongside the highest cybersecurity standards. These criteria ensure operational autonomy by preventing third-country actors from compelling staff to access data or disrupt services, directly addressing risks posed by extraterritorial laws.
Detail
The CADA proposal establishes a "Union cloud computing sovereignty framework" in Article 16, comprising four assurance levels. The criteria for these levels are detailed in Annex II, where the role of personnel (specifically their location, citizenship, and control) becomes increasingly stringent as the assurance level rises. This structure is designed to guarantee that the individuals with administrative access and operational control are subject to Union jurisdiction, thereby safeguarding the EU's public order and strategic autonomy.
Union Assurance Level 1: Establishment and Data Residency
At the baseline Union Assurance Level 1, the focus is primarily on the legal establishment of the provider and the physical location of infrastructure and data. According to Annex II, Section 1.1, a provider must be established in the Union, and its infrastructure and assets (including those of subcontractors) must be located in the Union. Customer data must remain exclusively within the Union unless explicitly required otherwise by the public sector body.
Crucially, Level 1 does not mandate Union citizenship for personnel. The criteria require the provider to demonstrate compliance with state-of-the-art cybersecurity standards and provide transparency regarding subcontractors. However, if the provider is subject to the control of a third country, it must guarantee that no laws in that third country require reporting software vulnerabilities to foreign authorities before they are known to have been exploited (Annex II, 1.1(g)). The absence of a citizenship requirement at this level reflects its status as a baseline for general public sector use, where the risk of foreign coercion is deemed lower or manageable through other means.
Union Assurance Level 2: Location of Personnel and Conditional Citizenship
Union Assurance Level 2 introduces the requirement for independent third-party audits and stricter controls on personnel. Annex II, Section 2.1(b) mandates that the infrastructure, assets, and personnel of the audited provider and its subcontractors involved in service provision must be located in the Union.
The citizenship requirement at this level is conditional. Annex II, Section 2.1(d) states: "if the public sector body determines that imposing additional personnel screening and Union citizenship requirements are necessary, the audited provider should ensure that personnel meeting those requirements are available." This means that while Level 2 does not automatically require all staff to be Union citizens, the provider must have the operational capacity to deploy Union citizens if the contracting authority deems it necessary for public order or security. Additionally, Level 2 requires that technical and operational support be initiated and performed exclusively within the Union (Annex II, 2.1(h)), ensuring that no remote administrative access originates from outside the EU.
Union Assurance Level 3: Mandatory Union Citizenship
Union Assurance Level 3 represents a significant shift toward strict sovereignty, particularly for services handling sensitive or classified information. Annex II, Section 3.1(d) explicitly states that "the personnel, including the personnel of the subcontractors which are involved in the provision of the audited service are Union citizens." Furthermore, where appropriate, personnel must hold the necessary national security clearance issued by a Member State when handling classified information.
At this level, the prohibition on third-country control is absolute, with a narrow derogation possible only if the Commission has adopted an implementing act under Article 18 (not Article 19, as sometimes mis-cited) confirming the third country provides sufficient safeguards (Annex II, 3.1(g)). Technical support must be performed exclusively within the Union by personnel who are Union residents and by third parties not subject to third-country control (Annex II, 3.1(h)). This ensures that the individuals managing the systems are not only physically present in the EU but also legally bound by Union citizenship, minimizing the risk of foreign coercion.
Union Assurance Level 4: Highest Assurance and Security Clearance
Union Assurance Level 4 maintains the strict personnel requirements of Level 3 regarding location and citizenship (Annex II, 4.1(b) and 4.1(d)). It adds the requirement for a European cybersecurity certificate of at least assurance level 'high' under the European Cybersecurity Certification Scheme (EUCS) (Annex II, 4.1(e)). Note that while Levels 2 and 3 require a certificate at the 'substantial' assurance level, Level 4 requires the 'high' level.
Like Level 3, Level 4 strictly prohibits third-country control over the provider and subcontractors, ensuring the highest degree of operational autonomy. The combination of mandatory Union citizenship, Union residency for support staff, and the highest cybersecurity certification creates a robust barrier against foreign interference.
Operational Autonomy and the Link to Staff Control
The requirement for EU citizenship and Union-based personnel is intrinsically linked to the concept of operational autonomy. The explanatory memorandum notes that dependence on third-country providers exposes the EU to risks such as unauthorized access, service disruption, and data exfiltration due to extraterritorial laws (e.g., the US CLOUD Act). By ensuring that the individuals who hold administrative access, perform maintenance, and manage security incidents are Union citizens located within the EU, CADA minimizes the risk that foreign governments could compel staff to access data or degrade services.
Annex II, Section 2.1(i) requires software supply chain measures, including blocking remote features that could tamper with systems. This technical control is complemented by personnel control: if the staff administering the systems are not subject to foreign jurisdiction, the effectiveness of technical safeguards is significantly enhanced. The audit criteria in Annex III further detail that auditing organizations must verify that personnel involved in service provision are located in the Union and, for Levels 3 and 4, are Union citizens. This verification ensures that the "human element" of the cloud stack is as sovereign as the infrastructure itself.
What this means for you
For CTOs, architects, and compliance officers, the CADA proposal has profound implications for cloud architecture, vendor selection, and workforce planning.
- Vendor Qualification and Due Diligence: When bidding for public sector contracts, especially those identified as contributing to public order, you must demonstrate compliance with specific Union Assurance Levels. If you are an EU provider with significant third-country ownership or staff located outside the EU, you may be excluded from Levels 3 and 4. For Levels 2-4, you must undergo independent audits verifying that your support staff and administrators are physically located in the EU.
- HR and Recruitment Strategies: If you aim to offer Level 3 or Level 4 services, you must ensure that all personnel involved in the provision of the service, including subcontractors, are Union citizens. This may require restructuring support teams, relocating remote support functions from outside the EU to within the EU, and verifying citizenship status for every relevant employee. For Level 2, you must have the operational capacity to staff positions with Union citizens if the client requires it.
- Subcontractor Management: The rules apply not just to your direct employees but to subcontractors involved in service provision. You must ensure that your subcontractors also meet the location and citizenship requirements. This requires rigorous contractual controls and ongoing monitoring of your supply chain to prevent "leakage" of administrative tasks to non-EU entities.
- Technical Architecture: To support these personnel controls, your technical architecture must enforce geographic restrictions on access. Administrative access paths, security operations center (SOC) functions, and backup handling must be restricted to locations within the Union. This aligns with the requirement in Annex II that technical support be initiated and performed exclusively within the Union.
- Audit Preparation: Providers seeking Levels 2-4 must prepare for detailed audits. Auditors will request evidence such as employment contracts, payroll records, and timesheets to verify the location and citizenship of personnel. They will also review access logs to ensure that no remote access from outside the Union is possible for administrative tasks.
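As an added example (not part of the original article or of the CADA text), the following Python script applies the personnel criteria summarised above to constructed administrative-access log lines, reporting per assurance level which sessions would fail audit. The log format, field names, sample users and the `body_requires_citizenship` flag are assumptions made for this illustration.

```python
"""Apply the CADA personnel criteria summarised above to admin-access log lines.
Log format, field names and sample users are constructed for this example."""

# ISO 3166-1 alpha-2 codes of the 27 EU Member States.
EU_MEMBER_STATES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
}

def parse_session(line):
    """Parse '<ts> user=<u> cit=<cc> loc=<cc> src=<cc> task=<t>' into a dict: cit is the
    citizenship from HR records, loc the operator's physical country, src the connection origin."""
    return dict(kv.split("=", 1) for kv in line.split()[1:])

def check_session(s, level, body_requires_citizenship=False):
    """Return the Annex II criteria (as summarised on this page) that the session violates."""
    findings = []
    if s["task"] not in ("admin", "support"):
        return findings  # only administrative and support activity is checked
    if level >= 2:  # Levels 2-4: personnel and support must be located in the Union
        if s["loc"] not in EU_MEMBER_STATES:
            findings.append("personnel not located in the Union (Annex II, 2.1(b))")
        if s["src"] not in EU_MEMBER_STATES:
            findings.append("support not initiated within the Union (Annex II, 2.1(h))")
    if level == 2 and body_requires_citizenship and s["cit"] not in EU_MEMBER_STATES:
        findings.append("Union citizenship required by the public sector body (Annex II, 2.1(d))")
    if level >= 3 and s["cit"] not in EU_MEMBER_STATES:  # Levels 3-4: citizenship mandatory
        findings.append("personnel must be Union citizens (Annex II, 3.1(d))")
    return findings

def audit_log(lines, level, body_requires_citizenship=False):
    """Map each non-compliant user to the sorted criteria violated; compliant users are omitted."""
    report = {}
    for line in lines:
        s = parse_session(line)
        for finding in check_session(s, level, body_requires_citizenship):
            report.setdefault(s["user"], set()).add(finding)
    return {u: sorted(v) for u, v in report.items()}

# Constructed sample log lines, not real data.
SAMPLE_LOG = [
    "2025-03-01T08:00Z user=anna cit=DE loc=DE src=DE task=admin",     # compliant at every level
    "2025-03-01T08:05Z user=bob cit=GB loc=FR src=FR task=support",    # in the Union, non-EU citizen
    "2025-03-01T08:10Z user=chen cit=IE loc=SG src=SG task=admin",     # EU citizen working from abroad
    "2025-03-01T08:15Z user=dana cit=US loc=US src=US task=readonly",  # task out of scope
]

if __name__ == "__main__":
    for level in (1, 2, 3, 4):
        print("Level", level, audit_log(SAMPLE_LOG, level, body_requires_citizenship=True))
```

Note that the same EU citizen (chen) passes at Level 1 but fails Levels 2 to 4 purely on location, which is the point made under the third misconception below.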
Common misconceptions
- Misconception: Only non-EU providers are affected by citizenship rules.
- Reality: EU-based providers are also subject to these rules. If an EU provider has staff located outside the EU who perform administrative or support functions, or if they subcontract such tasks to non-EU entities, they cannot meet the criteria for Levels 2-4. The requirement is about the location and citizenship of the personnel actually providing the service, not just the legal domicile of the company.
- Misconception: Union Assurance Level 1 requires EU citizenship for staff.
- Reality: Level 1 does not explicitly require Union citizenship for all personnel. It focuses on the provider's establishment in the EU and the location of infrastructure and data. Citizenship becomes a mandatory criterion only at Level 3, and a conditional one at Level 2.
- Misconception: Remote work from outside the EU is acceptable for support staff at higher assurance levels.
- Reality: For Levels 2-4, technical and operational support must be initiated and performed exclusively within the Union. This effectively prohibits remote administrative access from outside the EU for staff providing these services. Even if the staff member is a Union citizen, if they are physically located outside the EU while performing support tasks, the service would not comply with the assurance level criteria.
- Misconception: The rules only apply to new cloud services.
- Reality: The CADA applies to cloud computing services provided to Union entities and public sector bodies. While existing contracts may have transition periods, any new procurement or significant modification of existing services will likely require compliance with the appropriate Union Assurance Level determined by the risk assessment.
This is general information about a draft EU regulation, not legal advice.