Summary

Under the proposed Cloud and AI Development Act (CADA), Union Assurance Level 4 imposes the most stringent personnel requirements for cloud services safeguarding the Union's public order. As proposed in Annex II, Section 4, point 4.1(d), all personnel, including those of subcontractors, must be Union citizens. Furthermore, any personnel handling classified information must hold the necessary national security clearance issued by a Member State. These rules are mandatory for providers seeking recognition at this highest tier and apply to anyone involved in the provision of the audited service who may require access to classified or sensitive information.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a four-tiered Union cloud computing sovereignty framework. This framework is designed to mitigate risks related to data sovereignty, operational continuity, and the protection of public order. Union Assurance Level 4 represents the apex of this framework, intended for the most critical public sector activities where the preservation of public order is paramount, such as defence, law enforcement, and the handling of EU classified information.

For cloud service providers and data centre operators seeking recognition at Level 4, the personnel requirements are cumulative, non-negotiable, and strictly enforced. They are not optional add-ons but fundamental criteria that must be met to achieve recognition under Article 17.

The Core Mandate: Union Citizenship and Security Clearance

The definitive personnel rule for Level 4 is codified in Annex II, Section 4, point 4.1(d) of the CADA proposal. It mandates that:

"the personnel, including the personnel of the subcontractors, which are involved in the provision of the audited service are Union citizens and, where appropriate, the personnel must also have the necessary national security clearance issued by a Member State when handling classified information."

This provision establishes two distinct, mandatory layers of personnel eligibility:

  1. Union Citizenship as a Baseline: Every individual involved in the provision of the service must hold citizenship of a European Union Member State. This requirement applies universally to the direct employees of the cloud computing service provider and extends explicitly to the personnel of any subcontractors involved in the service delivery. The proposal does not provide exceptions for long-term residents, permanent residents, or holders of other forms of legal status; citizenship is the explicit and exclusive threshold.
  2. National Security Clearance for Classified Data: For personnel who will handle classified information, Union citizenship is a necessary prerequisite but not a sufficient condition. These individuals must also possess the "necessary national security clearance issued by a Member State." The specific level and type of clearance required will depend on the classification level of the information being processed (e.g., RESTREINT UE, CONFIDENTIEL UE, SECRET UE) and the national laws of the Member State issuing the clearance. The phrase "where appropriate" in the text implies that not every Level 4 service will necessarily involve classified data, but if it does, the clearance is mandatory.

Scope of "Personnel" and the Subcontractor Chain

The definition of "personnel" in the context of Level 4 is intentionally broad to prevent loopholes. It encompasses any individual who supports the delivery, administration, security, availability, or operation of the audited service. This includes:

  • Direct Employees: Staff working directly for the cloud provider.
  • Subcontractor Personnel: Staff working for third-party entities that have a direct contractual relationship with the provider and contribute to the service delivery.

Crucially, Annex II, Section 4, point 4.2 clarifies the specific scope of subcontractors relevant to Level 4. It defines these subcontractors as those who "may require access to classified or sensitive information in order to carry out the service provision." This means that if a subcontractor's role involves touching, processing, or having potential access to classified or sensitive data, their personnel must meet the full Level 4 criteria. The requirement flows down the entire supply chain; a provider cannot outsource the handling of sensitive data to a subcontractor whose staff are non-EU citizens or lack the requisite clearances.

Geographic Location of Personnel

In addition to citizenship and clearance status, the physical location of these personnel is strictly regulated. Annex II, Section 4, point 4.1(b) requires that the infrastructure, assets, and personnel of the audited provider, including subcontractors, are located in the Union. This geographic constraint ensures that personnel are physically present within the EU, facilitating effective oversight, ensuring they are subject to EU jurisdiction, and preventing remote access from third countries that could compromise operational autonomy.

Interaction with Risk Assessments and Procurement

The obligation to apply Level 4 standards is not automatic for all public sector cloud use. It is triggered by risk assessments conducted by Member States and Union entities under Article 29. These assessments identify public sector activities that contribute to the preservation of public order. If an activity is deemed to require Level 4 assurance based on the sensitivity of the data or the criticality of the function, the contracting authority must, under Article 30(3), procure only cloud computing services that have been formally recognised as offering Union Assurance Level 4.

Audit and Verification Mechanisms

Compliance with these personnel rules is not self-declared. Level 4 requires an independent third-party audit under Article 20. Auditing organisations will verify compliance with the Annex II criteria. According to Annex III, Audit Criterion D, auditors will request specific proof of Union citizenship, such as valid passports or national identity cards. They will also review organisational charts and job descriptions to confirm that only authorised Union citizens have access to the service's operation, management, and maintenance. Furthermore, auditors will verify the procedures for maintaining compliance throughout employment and how citizenship is verified before assignment. The audit report must include a "positive" opinion for the service to be recognised.

What this means for you

If you are a cloud service provider or data centre operator aiming to serve the EU public sector at the highest sovereignty tier, you must fundamentally overhaul your HR, subcontracting, and operational practices:

  1. Strict Citizenship Vetting: You must ensure every employee involved in the Level 4 service chain holds EU citizenship. Non-EU nationals, even those with long-term residency or permanent residence status, cannot be part of the Level 4 service delivery team. This applies to developers, system administrators, support staff, and security personnel.
  2. Subcontractor Due Diligence: You must conduct thorough due diligence on all subcontractors. Ensure their staff also meet the citizenship and clearance requirements. Your contractual obligations must explicitly flow down these requirements, and you must have the right to audit your subcontractors' personnel records.
  3. Security Clearance Management: Establish robust processes to obtain and maintain national security clearances for staff handling classified data. This is a national-level process, so you must coordinate closely with the relevant Member State authorities. You cannot assume a clearance from one Member State automatically applies in another; the clearance must be issued by a Member State.
  4. Geographic Enforcement: Ensure all relevant personnel are physically located within the EU. Remote work arrangements outside the EU for Level 4 personnel are prohibited. You must verify that administrative access and operational support are initiated and performed exclusively within the Union.
  5. Documentation and Evidence: Maintain rigorous, up-to-date records of citizenship and clearance status for every individual involved. Auditors will request this evidence, and failure to provide it can lead to a negative audit opinion, loss of Level 4 recognition, and ineligibility for public contracts.

Common misconceptions

  • "Permanent residency is enough." No. The proposal explicitly requires Union citizenship. Permanent residence or long-term stay status does not satisfy the Level 4 criterion.
  • "Only direct employees are affected." Incorrect. The rules explicitly include personnel of subcontractors who are involved in the provision of the service and may access classified or sensitive information. The supply chain is fully covered.
  • "Clearance is only for government employees." No. Any personnel involved in the cloud service delivery who handle classified information must hold the necessary national security clearance, regardless of whether they are employed by a private provider or a subcontractor.
  • "Level 4 is optional for all public sector use." No. Level 4 is mandatory only for activities identified through risk assessments as critical to public order. However, if you want to compete for these high-value contracts, you must meet these standards.
  • "Level 4 personnel rules are the same as Level 3." While similar, Level 4 is distinct. Level 3 allows for a derogation where a third-country controlled provider can qualify if the Commission adopts an implementing act under Article 18. Level 4, by contrast, strictly prohibits third-country control (Annex II 4.1(g)) and imposes the highest cybersecurity certification level ("high" rather than "substantial").

This is general information about a draft EU regulation, not legal advice.