Summary
Under the proposed Cloud and AI Development Act (CADA), Union Assurance Level 1 serves as the mandatory minimum procurement baseline for all public-sector bodies whose activities are not deemed critical to public order. As proposed in Article 30(2), these entities must exclusively use cloud computing services that have been formally recognised as meeting Level 1 criteria. This baseline ensures a consistent, EU-wide standard of data confidentiality and operational autonomy, preventing the use of unvetted services while reserving stricter Levels 2, 3, and 4 for high-risk sectors like defence and law enforcement.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a harmonised sovereignty framework designed to reduce the European Union's dependence on third-country cloud providers and protect public order. Central to this framework is a tiered system of "Union assurance levels" (Levels 1 through 4), each representing a progressively higher degree of sovereignty, security, and operational autonomy. For the vast majority of public-sector procurement, the regulation establishes a clear floor: Union Assurance Level 1.
The Legal Baseline: Article 30(2)
The core obligation is set out in Article 30(2) of the proposed Regulation. It states that Union entities and public-sector bodies whose activities have not been identified as contributing to the preservation of public order under the risk assessments described in Article 29 must use cloud computing services that have been recognised under Article 17 as having a Union assurance level 1.
This provision creates a binary distinction in public procurement:
- Public-Order Critical Activities: Entities involved in national security, defence, justice, law enforcement, or critical infrastructure (as defined in Annexes I and II of the NIS2 Directive) must conduct risk assessments. If these assessments determine that public order is at risk, they must procure services recognised as Union Assurance Levels 2, 3, or 4 (Article 30(3)).
- Non-Public-Order Activities: All other public-sector bodies (such as local municipal administrations, educational institutions, or standard healthcare providers not handling sensitive national security data) fall into this category. They are legally required to procure only services that meet the Level 1 baseline.
Why a Minimum Baseline?
The rationale for this mandatory minimum is explicitly explained in Recital 64 of the explanatory memorandum. The recital notes that while the Union maintains an open and non-discriminatory framework for market access, preserving public order requires a "prudent but firm political, legal and operational response."
Recital 64 explicitly states that a minimum assurance level, by mandating Union assurance level 1 across the Union, is "necessary to establish a consistent baseline of safeguards for the public sector." This baseline aims to reduce vulnerabilities in the public sector to third-country access to Union data and potential disruptions of services. By setting Level 1 as the floor, the EU ensures that even non-critical public services are not hosted on infrastructure that lacks fundamental guarantees regarding data residency, provider establishment, and cybersecurity standards.
The recital further clarifies that identifying and addressing risks such as critical dependencies, unauthorised access to Union data, technology leakage, sabotage and espionage by third-country actors is fundamental for preserving Union public order. Therefore, the Level 1 baseline is not merely a technical preference but a strategic necessity to prevent the erosion of the Union's digital sovereignty in everyday administrative functions.
What Does Level 1 Entail?
To be recognised as offering Union Assurance Level 1, a cloud computing service provider must meet specific cumulative criteria outlined in Annex II of the proposal. These include:
- Establishment: The provider must be established in the Union.
- Data Residency: Customer data, including metadata and telemetry, must remain exclusively within the Union unless the public-sector body explicitly requires otherwise.
- Infrastructure Location: The provider's infrastructure and assets must be located in the Union.
- Cybersecurity: The service must comply with state-of-the-art cybersecurity standards.
- Transparency: The provider must provide full transparency regarding the use of subcontractors and subject them to due diligence.
- Third-Country Control: If the provider is subject to third-country control, they must guarantee that no laws in that country require reporting software vulnerabilities prior to exploitation.
For Level 1, providers demonstrate compliance through a self-assessment process, issuing an EU statement of conformity (Article 19). This is less burdensome than the independent third-party audits required for Levels 2, 3, and 4, making Level 1 accessible to a wider range of providers while still enforcing strict sovereignty boundaries.
Exceptions and Derogations
While Article 30(2) is strict, Article 30(4) provides limited derogations. Contracting authorities may decide not to procure a recognised Level 1 service on an exceptional basis and where duly justified if:
- The subject matter of the tender cannot be supplied by recognised services available in the central repository (Article 22), and no adequate or reasonable alternative or comparable cloud computing service exists, provided this absence is not the result of an artificial narrowing down of the parameters of the public procurement procedure.
- The contracting authority has launched a similar procurement process within the previous year but did not receive any suitable tenders or suitable participants.
- Applying the requirements of this Regulation would require the contracting authority to procure services at disproportionate cost.
However, these exceptions are narrow and require justification. They do not allow public bodies to simply revert to non-compliant, third-country-controlled services without demonstrating that the market failure is genuine and not the result of artificially narrow procurement parameters.
What this means for you
For public-sector procurement officers, the introduction of the Union Assurance Level 1 baseline fundamentally changes how you evaluate and select cloud computing vendors. You can no longer treat cloud sovereignty as an optional "nice-to-have" or a niche requirement for only the most sensitive data. Instead, it becomes a mandatory gatekeeping criterion for almost all cloud procurements.
1. Update Your Technical Specifications
When drafting tenders for cloud services, you must now include a mandatory requirement for the provider to hold a valid recognition of Union Assurance Level 1 (or higher). You should reference the specific criteria in Annex II of the CADA proposal. This ensures that bidders are pre-qualified based on their sovereignty status before you evaluate their technical or financial proposals.
2. Verify Recognition Status
Once the CADA is adopted and operational, the Commission will maintain a central repository of recognised cloud computing services (Article 22). As a procurement officer, your first step in any tender evaluation should be to verify that the bidder's service is listed in this repository with a valid Level 1 (or higher) status. Relying solely on a provider's self-declaration without checking the central repository may not be sufficient for compliance.
3. Distinguish Between "Public Order" and Standard Operations
You must determine whether your specific department or entity's activities fall under the "public order" definition in Article 29. If your activities do not involve national security, defence, justice, or critical infrastructure, you are bound by Article 30(2) to use Level 1. Do not over-engineer your procurement by demanding Level 3 or 4 criteria unless a formal risk assessment dictates it. Level 1 is designed to be proportionate for standard administrative, educational, and local government functions.
4. Prepare for the Transition Period
CADA will likely include a transition period (one year from entry into force for many provisions, per Article 48). Use this time to audit your current cloud contracts. Identify any services that do not meet Level 1 criteria (e.g., data stored outside the EU, providers not established in the EU). Begin planning migration strategies to recognised providers to ensure you are compliant when the regulation becomes applicable.
5. Leverage the "Open Source First" Principle
While not directly part of the assurance level, Chapter V of CADA encourages the use of open-source solutions (Article 41). Combining Level 1 sovereignty requirements with open-source software can enhance transparency and reduce vendor lock-in, aligning with the broader goals of the Act.
Common misconceptions
Misconception 1: "Level 1 is only for low-risk, non-sensitive data." While Level 1 is the baseline for non-public-order activities, it still imposes strict requirements. Data must remain in the EU, and providers must be EU-established. It is not a "wild west" category for unregulated services. It is a baseline of sovereignty, not necessarily a measure of data sensitivity alone. High-volume, non-sensitive public data (e.g., library records, local tax data) still requires Level 1 protection to prevent third-country access.
Misconception 2: "I can use any EU-based provider for Level 1." Being based in the EU is necessary but not sufficient. The provider must formally undergo the recognition process under Article 17 and issue an EU statement of conformity. A provider might be EU-established but fail to meet the cybersecurity or subcontractor transparency criteria. Only services listed in the central repository as recognised for Level 1 are compliant.
Misconception 3: "Level 1 allows data to leave the EU freely." No. Annex II, Section 1.1(c) explicitly requires that customer data remain exclusively within the Union unless the public-sector body explicitly requires otherwise. The default is strict data residency. Any transfer outside the EU must be a deliberate, documented decision by the contracting authority, not a standard feature of the service.
Misconception 4: "This only applies to large central government bodies." Article 30 applies to all "contracting authorities" and "Union entities." This includes local municipalities, regional agencies, and public universities. If you are a public-sector body procuring cloud services, you are subject to the Level 1 baseline unless your specific activities are classified as public-order critical.
Related
- What public sector activities must be identified in a CADA risk assessment?
- CADA Risk Assessment: What Public Sector Buyers Must Do
- CADA Risk Assessment & Public Procurement: The Link Explained
- Which activities need Union assurance level 2, 3 or 4 under CADA?
- What penalties apply if a public body ignores its CADA risk assessment obligations?
This is general information about a draft EU regulation, not legal advice.