Summary
Under the proposed Cloud and AI Development Act (CADA), a public-sector buyer procuring cloud services at Union assurance level 2 has the discretion to impose additional personnel screening and Union citizenship requirements. As proposed in Annex II, point 2.1(d), if a public sector body determines these measures are necessary, the provider must ensure that personnel meeting those specific requirements are available. This stands in contrast to level 3, where Union citizenship and security clearances are mandatory for all personnel regardless of the buyer's specific determination.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a four-tier Union cloud computing sovereignty framework. These "Union assurance levels" define the criteria cloud computing service providers must meet to be recognized as offering a specific degree of trust, autonomy, and resilience to Union entities and public sector bodies.
For public-sector procurement officers and compliance teams, understanding the nuances of personnel requirements at each level is critical for risk management and supply chain planning. While higher assurance levels (3 and 4) impose strict, non-negotiable rules regarding staff nationality and security clearance, level 2 offers a flexible, risk-based approach. This flexibility allows buyers to tailor security measures to the specific sensitivity of their data or the criticality of their operations without triggering the full operational constraints of the highest assurance tiers.
The Legal Basis: Annex II 2.1(d)
The specific provision governing personnel screening at level 2 is found in Annex II, point 2.1(d) of the CADA proposal. This clause explicitly states that for Union assurance level 2:
"if the public sector body determines that imposing additional personnel screening and Union citizenship requirements are necessary, the audited provider should ensure that personnel meeting those requirements are available;"
This provision establishes two fundamental principles for level 2 engagements:
- Buyer Discretion: The obligation to screen personnel or verify citizenship is not automatic for all level 2 contracts. It is a conditional requirement triggered only if the specific public sector body (the buyer) determines that such measures are necessary for their specific use case.
- Provider Obligation: Once the buyer makes this determination, the cloud provider is legally obligated to ensure that personnel who meet those specific screening and citizenship criteria are available to support the service. The provider cannot refuse to supply the service on the grounds that they cannot meet these buyer-imposed conditions if they wish to be recognized at level 2 for that specific contract.
Comparison with Other Assurance Levels
To fully grasp the significance of level 2's flexibility, it is essential to compare it with the other assurance levels defined in Annex II:
- Level 1 (Baseline): This level relies on a self-assessment by the provider. It requires the provider to be established in the Union and its infrastructure to be located in the Union (unless the public body explicitly requires otherwise). It does not explicitly mandate Union citizenship for all personnel, nor does it contain the specific "screening if determined necessary" clause found in level 2.
- Level 3 (Mandatory): At this higher tier, the rules become mandatory and stricter. Annex II, point 3.1(d) states that personnel, including those of subcontractors, must be Union citizens. Furthermore, where appropriate, personnel must have the necessary national security clearance issued by a Member State when handling classified information. There is no discretion for the buyer to "determine if necessary"; it is a blanket requirement for the level.
- Level 4 (Highest): Similar to level 3, Annex II, point 4.1(d) mandates that all personnel involved in the service provision must be Union citizens and possess necessary national security clearances when handling classified information.
Therefore, level 2 serves as a strategic middle ground. It is more robust than level 1 but less rigid than levels 3 and 4. It allows public bodies to tailor security requirements to the sensitivity of the data or the criticality of the function without triggering the full resource and operational constraints of the highest assurance levels.
Implementation in Procurement and Risk Assessment
When drafting tenders for level 2 services, procurement officers must explicitly state their personnel requirements in the contract specifications if they wish to invoke the clause in Annex II 2.1(d). Because the regulation places the onus on the public body to "determine" necessity, this determination should be documented as part of the broader risk assessment process required by Article 29 of CADA.
Article 29 requires Member States and Union entities to carry out risk assessments to identify public sector activities that contribute to the preservation of public order. These assessments determine which assurance level is appropriate for specific activities. If a risk assessment concludes that level 2 is sufficient for the overall service architecture but that specific support roles (such as database administration or security operations) pose a higher risk, the buyer can invoke the personnel screening clause in Annex II 2.1(d) for those specific roles.
The risk assessment must consider factors such as the sensitivity, criticality, and magnitude of the data processed, as well as the risk of unlawful access by a third country. If the assessment identifies a risk that can be mitigated by ensuring only Union citizens with specific screening access the system, the buyer can mandate this under level 2.
Audit and Verification
Since level 2 requires an independent third-party audit (unlike level 1, which is a self-assessment), the auditor will verify compliance with these personnel requirements. If the buyer has stipulated in the contract that Union citizenship is required for all on-site support staff, the auditor will check that the provider can demonstrate that such personnel are available and that the provider has processes to ensure compliance.
The audit evidence requirements, outlined in Annex III, guide the auditor on what documentation to request. For personnel criteria, this includes valid official government-issued documents (e.g., passports or national identity cards), organizational charts, job descriptions, and access control policies. The auditor must verify that the provider has procedures describing how citizenship is verified before assignment and how compliance is maintained throughout employment.
What this means for you
For public-sector procurement officers, legal teams, and cloud service providers, the level 2 personnel clause offers a strategic tool for managing sovereignty risks without over-engineering contracts.
- Conduct a Granular Risk Assessment: Do not assume level 2 means "no citizenship requirements." Instead, use the risk assessment mandated by Article 29 to evaluate whether specific support functions require Union citizens. If your risk assessment concludes that specific roles pose a higher risk, explicitly write this requirement into the tender documents.
- Clarify Requirements in Tenders: To invoke Annex II 2.1(d), you must clearly communicate your determination. Vague references to "high security" may not be sufficient. Specify which roles require screening and what type of screening (e.g., criminal record checks, Union citizenship verification, or specific security clearances).
- Monitor Provider Capability: Ensure that potential bidders have the capacity to provide Union citizen staff. Some international providers may have limited local EU staff pools. Requesting these capabilities early in the tender process helps avoid supply chain bottlenecks later.
- Document the Decision: Keep a record of why you determined additional screening was necessary. This documentation supports the proportionality of your procurement decision and may be reviewed during audits or by national competent authorities.
- For Providers: If you are a cloud provider seeking level 2 recognition, be prepared to demonstrate that you can mobilize Union citizen personnel if a buyer determines it necessary. This may require maintaining a pool of qualified staff within the Union or establishing clear subcontracting arrangements that meet these criteria.
Common misconceptions
Misconception 1: Level 2 automatically requires Union citizens. Reality: No. Annex II 2.1(d) makes it conditional. It only requires Union citizens if the public sector body determines it is necessary. If the buyer does not impose this requirement, the provider is not obligated to use Union citizens for all staff, though the provider must still be established in the Union.
Misconception 2: You can demand Level 3 standards for Level 2 contracts. Reality: You cannot simply impose the blanket mandatory requirements of Level 3 (such as mandatory security clearances for all personnel) onto a Level 2 contract. You can only impose the specific additional screening and citizenship requirements you deem necessary under the Level 2 framework. If you need the mandatory, non-negotiable guarantees of Level 3, you should procure a Level 3 service instead.
Misconception 3: The provider decides who gets screened. Reality: The provider does not decide whether screening is needed. The public sector body (the buyer) makes that determination based on their risk assessment. The provider's role is to ensure that personnel meeting the buyer's specified requirements are available.
Related
- What evidence does CADA require for personnel citizenship and clearance?
- Does CADA level 3 require personnel to be EU citizens?
- Can a public body require extra personnel screening under CADA?
- Why would a public body require CADA Level 4 over Level 3?
- Which CADA tier should a public-sector buyer require? A guide to Union Assurance Levels
This is general information about a draft EU regulation, not legal advice.