Summary
Under the proposed Cloud and AI Development Act (CADA), national security clearance is not a blanket requirement for all cloud service personnel. It is strictly mandated only for personnel who are handling classified information when a cloud service is recognized at Union Assurance Level 3 or Level 4. As proposed in Annex II, these personnel must hold the necessary clearance issued by a Member State, as defined in Regulation (EU) 2021/697. This requirement applies conditionally ("where appropriate") alongside the mandatory obligation that all such personnel must be Union citizens.
Detail
The CADA proposal establishes a tiered "Union cloud computing sovereignty framework" designed to mitigate risks to public order, national security, and operational autonomy. Central to this framework are four "Union assurance levels" (Levels 1 through 4), each with cumulative criteria that cloud computing service providers must meet to be recognized for specific public sector use cases.
While Level 1 requires a basic conformity self-assessment and Level 2 introduces independent third-party audits with stricter location and citizenship rules, Levels 3 and 4 impose significantly heightened personnel and data sovereignty requirements. It is at these higher tiers that the proposal explicitly intersects with national security clearance protocols.
The Specific Legal Requirements
The requirement for national security clearance is found in Annex II of the CADA proposal, which sets out the criteria for Union assurance levels. The text distinguishes between general personnel requirements (such as Union citizenship) and specific clearance requirements tied to the sensitivity of the data being processed.
1. Union Assurance Level 3
For a cloud computing service to be recognized at Level 3, the provider must meet several cumulative criteria. Regarding personnel, Annex II, Section 3.1(d) states that the personnel involved in the provision of the audited service, including subcontractors, must be Union citizens. Crucially, it adds:
"...and where appropriate, the personnel must also have the necessary national security clearance issued by a Member State when handling classified information, as defined in Article 2, point (21), of Regulation (EU) 2021/697."
This clause creates a conditional obligation. The clearance is not required for every employee of the cloud provider, but specifically for those who handle "classified information." The definition of "classified information" is imported directly from the EU's classification framework (Regulation (EU) 2021/697), ensuring a harmonized understanding of what constitutes sensitive state data across Member States. The phrase "where appropriate" implies that the necessity of clearance is triggered by the nature of the data being processed; if the service is used for unclassified data, the clearance requirement may not be activated, though the citizenship requirement remains.
2. Union Assurance Level 4
Level 4 represents the highest tier of sovereignty assurance, typically reserved for the most critical public sector activities (e.g., high-level defense, intelligence, or critical infrastructure control). The personnel requirements are reinforced in Annex II, Section 4.1(d), which mirrors the Level 3 requirement:
"...the personnel, including the personnel of the subcontractors, which are involved in the provision of the audited service are Union citizens and, where appropriate, the personnel must also have the necessary national security clearance issued by a Member State when handling classified information."
At Level 4, the threshold for "where appropriate" is likely to be met more frequently given the level of sensitivity associated with this tier, but the legal mechanism remains the same: clearance is tied to the act of handling classified information.
The Role of Risk Assessments
The application of these clearance requirements is not automatic for all public sector bodies. Under Article 29 of CADA, Member States and Union entities must conduct risk assessments to determine which Union assurance level is appropriate for their specific activities.
If a contracting authority's activity is identified as contributing to the preservation of public order in sectors such as defense, national security, or law enforcement, the risk assessment may determine that Level 3 or Level 4 is required. Once this determination is made, Article 30 mandates that the authority must procure cloud computing services recognized at those specific levels. Consequently, the cloud provider serving that authority must ensure that any personnel accessing the relevant classified data hold the requisite national security clearance. The risk assessment effectively acts as the trigger that determines whether the "where appropriate" condition in Annex II is met for a specific procurement.
Interaction with Subcontractors
CADA explicitly extends these personnel requirements to subcontractors. Both Annex II 3.1(d) and 4.1(d) specify that "personnel of the subcontractors which are involved in the provision of the audited service" must meet the citizenship and clearance criteria. This prevents cloud providers from bypassing security requirements by outsourcing sensitive operations to third-party firms that do not adhere to the same strict vetting standards. The primary provider remains accountable for ensuring that their entire supply chain complies with these personnel vetting rules.
Verification and Audit Evidence
Providers seeking recognition at Levels 3 and 4 must undergo independent third-party audits under Article 20. As detailed in Annex III (Audit Evidence), auditors will request specific evidence to verify compliance with personnel criteria. This includes:
- Proof that the provider has implemented measures to ensure personnel are Union citizens.
- Documentation demonstrating that personnel handling classified information hold valid national security clearance issued by a Member State.
- Access control policies and audit trails showing that only authorized, cleared personnel can access the service's systems and data.
What this means for you
For public-sector procurement officers, cloud service providers, and compliance teams, understanding these personnel and clearance requirements is critical for drafting tender specifications, managing vendor compliance, and structuring service delivery.
1. Align Procurement with Risk Assessments
Before issuing a tender for cloud services, you must complete the risk assessment mandated by Article 29. If your organization handles classified information (as defined in Regulation (EU) 2021/697), your risk assessment will likely dictate the need for Union Assurance Level 3 or 4. You cannot procure a Level 1 or 2 service for these use cases. The risk assessment determines the "where appropriate" condition for clearance.
2. Verify Personnel Credentials in Tenders
When evaluating tenders for Level 3 or 4 services, ensure that the evaluation criteria explicitly check for the provider's ability to verify personnel clearances. The provider must demonstrate that they have processes in place to:
- Confirm the Union citizenship of all relevant staff and subcontractor staff.
- Verify that any personnel who will access classified data hold valid national security clearance issued by the relevant Member State.
- Maintain records of these clearances and update them as required.
3. Manage Subcontractor Chains
CADA holds the primary cloud provider responsible for the compliance of its subcontractors. Ensure that your contracts require the provider to maintain an up-to-date register of subcontractors and proof of their personnel's clearance status. The provider must ensure effective legal, technical, and organizational separation between their Union-based operations and any third-country subsidiaries, as per Annex II criteria 3.1(k) and 4.1(k).
4. Prepare for Audit Evidence
Providers seeking recognition at Levels 3 and 4 must undergo independent third-party audits (Article 20). Auditors will request evidence of compliance with personnel criteria. As a procurer, you should expect providers to have robust HR and security protocols in place to generate this evidence, such as access logs, clearance certificates, and employment contracts that specify clearance requirements.
Common misconceptions
Misconception 1: All cloud service employees need security clearance. Correction: CADA does not require national security clearance for all personnel. It is strictly limited to those "handling classified information." General administrative staff, or staff working only on unclassified data, at Level 3 or 4 do not need clearance, though at those levels they must still be Union citizens.
Misconception 2: The EU issues the security clearance. Correction: The clearance must be "issued by a Member State." CADA relies on existing national security clearance frameworks within each EU country. The EU regulation defines the requirement for clearance but does not create a new, centralized EU-wide clearance body.
Misconception 3: Level 2 requires security clearance. Correction: Level 2 requires personnel to be located in the Union and allows for additional screening if determined necessary by the public sector body (Annex II 2.1(d)), but it does not mandate national security clearance for classified information in the same explicit, cumulative manner as Levels 3 and 4. Level 2 is generally for sensitive but unclassified data.
Misconception 4: Clearance requirements apply to Level 1. Correction: Level 1 has no personnel citizenship or clearance requirements. It only requires the provider to be established in the Union and for infrastructure/assets to be located in the Union (unless otherwise required by the public sector body).
This is general information about a draft EU regulation, not legal advice.