Summary

Under the proposed Cloud and AI Development Act (CADA), achieving Union Assurance Level 3 imposes strict constraints on how cloud services are supported. As proposed in Annex II, Section 3.1(h), all technical and operational support must be "initiated and performed exclusively within the Union." Crucially, this support must be carried out by personnel who are Union residents and by third parties that are not subject to the control of a third country or a legal entity established in a third country. These rules are designed to eliminate the risk of foreign interference in critical public sector operations, ensuring that support activities cannot be remotely accessed, influenced, or disrupted by non-EU jurisdictions.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonized EU-wide sovereignty framework for cloud computing services. This framework is structured around four "Union assurance levels," with Level 3 specifically targeting public sector activities identified through risk assessments as contributing to the preservation of public order. These activities often span sectors falling under the NIS2 Directive (such as energy, transport, and health) or areas of national security, defense, justice, and law enforcement.

To qualify for Union Assurance Level 3, a cloud computing service provider must meet a cumulative set of criteria detailed in Annex II of the proposal. While data localization and infrastructure location are foundational, the rules governing support operations and personnel represent a significant escalation in sovereignty requirements compared to lower levels.

The Core Requirement: Annex II 3.1(h)

The definitive rule for Level 3 support is found in Annex II, Section 3.1(h). The text states:

"the technical and operational support or assistance related to the audited service, including subsequent sub-outsourcing arrangements, are initiated and performed exclusively within the Union, by personnel that are Union residents, and by third parties that are not subject to the control of a third country or a legal entity established in a third country."

This provision imposes three distinct, cumulative constraints that must be met simultaneously:

  1. Geographic Performance Constraint: Support activities must be "initiated and performed exclusively within the Union." This is a strict territorial requirement. It means that no support ticket can be opened, no remote diagnostic can be initiated, and no operational assistance can be executed from outside the EU. Effectively, this bans offshore support centers for Level 3 services. The "initiation" of support (e.g., the first point of contact or the trigger for a remote session) must also occur within the Union, preventing "hand-off" models where a request starts in the EU but is routed to a global center.

  2. Personnel Residency Constraint: The individuals performing the support must be Union residents. This is a critical distinction from Level 4. While Level 4 requires personnel to be Union citizens (a higher legal threshold), Level 3 requires residency. This ensures that the individuals have a legal and physical tie to the EU, reducing the risk that they could be compelled by foreign laws to disclose information or disrupt services. It implies that the staff must live and work within the EU, subject to EU labor and jurisdictional laws.

  3. Third-Party Control Constraint: Any third parties involved in the support chain, including sub-contractors, must not be subject to the control of a third country or a legal entity established in a third country. This prevents scenarios where an EU-based support team is employed by a subsidiary that is ultimately controlled by a non-EU parent company. Even if the physical support happens in the EU, if the entity managing the support team is controlled from a third country, the service fails the Level 3 criteria. This ensures that the decision-making power over support operations remains within the EU legal sphere.

Distinction from Level 2 and Level 4

Understanding the gradient between assurance levels is essential for compliance strategy.

  • Compared to Level 2: At Level 2 (Annex II, Section 2.1(h)), technical and operational support must also be "initiated and performed exclusively within the Union." However, Level 2 does not explicitly require that the personnel be Union residents, nor does it explicitly mandate that third parties be free from third-country control in the same cumulative manner. Level 2 focuses primarily on the location of the support activity. Level 3 adds the identity and legal status of the personnel and the control structure of the entities involved, creating a higher barrier to entry.

  • Compared to Level 4: At Level 4 (Annex II, Section 4.1(d)), the rules are even more stringent. Support must be performed by personnel who are Union citizens (a stricter requirement than residency) and by third parties not subject to third-country control. Level 4 is reserved for the most sensitive data, including classified information, where the highest possible degree of autonomy and protection from foreign influence is required. The shift from "resident" (Level 3) to "citizen" (Level 4) reflects the increasing sensitivity of the data being protected.

The Role of Auditing and Evidence

Compliance with these support and personnel rules is not self-declared. Under Article 17 of CADA, providers seeking Level 3 recognition must undergo independent third-party audits. The auditing organization will assess compliance with Annex II criteria using the audit evidence listed in Annex III.

For the support and personnel criteria, auditors will likely request specific evidence to verify the "Union resident" and "no third-country control" requirements:

  • Proof of Residency: Employment contracts, payroll records, and tax residency documentation demonstrating that support staff are Union residents.
  • Access Logs and Network Controls: Evidence that support sessions are initiated and performed exclusively from within the Union, including geographically restricted network controls and Union-based administrative infrastructure.
  • Ownership and Control Analysis: Detailed cap tables, shareholder agreements, and governance documents proving that third-party support providers are not controlled by third-country entities. As noted in Annex III, Criterion 7, auditors must analyze direct and indirect shareholders up to the ultimate owners to determine if any third-country entity holds strategic decision-making power.

Annex III, Criterion H further specifies that auditors will look for evidence that the provider has implemented binding contractual clauses stating that all support, administration, maintenance, and operational activities must be initiated and performed exclusively in the Union. They will also verify that there is no remote access for technical support from outside the Union.

Integration with Risk Assessments and Procurement

The requirement to use Level 3 services is triggered by the risk assessments mandated under Article 29 of CADA. Member States and Union entities must carry out risk assessments to identify public sector activities that contribute to the preservation of public order. If a risk assessment determines that an activity is sensitive enough to require Level 3 assurance, the contracting authority must only procure services recognized as offering Level 3 (or higher) under Article 30(3).

This creates a direct market incentive for providers to comply with these strict support and personnel rules. Without meeting the Annex II 3.1(h) criteria, a provider is effectively barred from supplying cloud services for critical public sector functions such as law enforcement, defense, or national security operations.

What this means for you

For CTOs, architects, and SMEs evaluating the practical impact of CADA, the Level 3 support and personnel rules represent a significant operational shift.

1. Restructuring Support Operations: If you aim to sell to the EU public sector in high-risk sectors (e.g., healthcare, energy, defense), you cannot rely on global support models. You must establish dedicated support teams physically located in the EU. Furthermore, you must ensure that the individuals in these teams are Union residents. This may require hiring local staff or relocating existing employees, impacting your HR strategy and cost structure. Global "follow-the-sun" support models must be re-engineered to ensure the "night shift" is also performed by Union residents within the EU.

2. Supply Chain Scrutiny: You must audit your subcontractors. If you outsource any part of your support operations, the subcontractor must not be controlled by a third-country entity. This means reviewing ownership structures and control mechanisms of your partners. A subcontractor based in the EU but owned by a non-EU parent may not qualify unless effective legal, technical, and organizational separation is demonstrated (as per Annex II, Section 3.1(k)).

3. Technical Architecture Changes: Your IT infrastructure must enforce geographic restrictions on support access. You need to implement technical controls (e.g., geographically restricted network controls, Union-based administrative infrastructure) to ensure that support sessions cannot be initiated from outside the EU. This may involve redesigning your remote access protocols and identity and access management (IAM) systems to block access from non-EU IP ranges for support functions.

4. Audit Readiness: You must prepare for rigorous audits. Document everything: employment contracts, access logs, and subcontractor agreements. The burden of proof is on you to demonstrate compliance with the "Union resident" and "no third-country control" criteria. Auditors will scrutinize the "chain of control" to ensure no third-country entity can influence your support operations.

5. Market Opportunity for EU-Based SMEs: For EU-based SMEs that already operate with local support teams and are free from third-country control, Level 3 represents a significant market opportunity. Larger global providers may find the compliance costs prohibitive, creating a niche for agile, compliant EU providers who can demonstrate strict adherence to these sovereignty requirements.
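As an added illustration of the technical controls and audit evidence discussed above (items 3 and 4, and the "Access Logs and Network Controls" evidence in the auditing section), and not code from the proposal or from any provider: a constructed policy check that evaluates a support-session request against the three cumulative Annex II 3.1(h) constraints and emits one audit-evidence line per decision. The request fields (origin_country, operator_residency, employer_controlled_by_third_country, sub_outsourcing_chain) and the Member State set are assumptions for illustration; the network origin check covers only the geographic constraint, while the residency and control attributes must be fed from HR records and the Annex III ownership analysis, since no network control can establish them.

```python
from dataclasses import dataclass

# Constructed set: ISO 3166-1 alpha-2 codes of the 27 EU Member States.
EU_MEMBER_STATES = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
})


@dataclass(frozen=True)
class SupportRequest:
    """Assumed shape of a support-session request; field names are illustrative."""
    ticket_id: str
    origin_country: str            # country of the initiating session, from IAM / geo-IP
    operator_residency: str        # operator's legal residency, from HR and tax records
    employer_controlled_by_third_country: bool  # result of the ownership analysis
    sub_outsourcing_chain: tuple = ()  # (subcontractor_name, controlled_by_third_country) pairs


def evaluate_level3(req):
    """Return (allowed, failures). All three constraints must hold simultaneously."""
    failures = []
    # 1. Geographic performance constraint: initiation must happen inside the Union.
    if req.origin_country not in EU_MEMBER_STATES:
        failures.append(f"initiated outside the Union ({req.origin_country})")
    # 2. Personnel residency constraint: the operator must be a Union resident.
    if req.operator_residency not in EU_MEMBER_STATES:
        failures.append(f"operator not a Union resident ({req.operator_residency})")
    # 3. Third-party control constraint, including subsequent sub-outsourcing.
    if req.employer_controlled_by_third_country:
        failures.append("operator's employer under third-country control")
    for name, controlled in req.sub_outsourcing_chain:
        if controlled:
            failures.append(f"subcontractor {name} under third-country control")
    return (not failures), failures


def audit_line(req):
    """One evidence line per decision, in the style of the access-log evidence auditors ask for."""
    allowed, failures = evaluate_level3(req)
    verdict = "ALLOW" if allowed else "DENY"
    detail = "; ".join(failures) if failures else "all Annex II 3.1(h) constraints met"
    return (f"ticket={req.ticket_id} origin={req.origin_country} "
            f"operator_residency={req.operator_residency} decision={verdict} detail={detail}")


if __name__ == "__main__":
    # Constructed sample requests: one compliant, one initiated from outside the Union.
    print(audit_line(SupportRequest("T-1", "DE", "FR", False)))
    print(audit_line(SupportRequest("T-2", "US", "FR", False, (("SubCo", True),))))
```

A deny here records every failed constraint rather than the first one, so the same log feeds both the real-time block and the auditor's evidence for which of the three requirements a provider falls short on.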

Common misconceptions

Misconception 1: "Level 3 just means data stays in the EU." While data localization is a key part of Level 3 (Annex II, Section 3.1(c)), it is not the only requirement. The rules on support and personnel are equally critical. You can have data in the EU but still fail Level 3 if your support team is staffed by non-residents or controlled by a third-country entity.

Misconception 2: "Union citizenship is required for Level 3." No. Union residency is required for Level 3 personnel. Union citizenship is required for Level 4 (Annex II, Section 4.1(d)). This distinction is important for hiring; residency is generally easier to achieve than citizenship, but still requires a legal tie to the EU.

Misconception 3: "We can use offshore support if it's encrypted." No. The rule is that support must be "initiated and performed exclusively within the Union." Encryption does not override the geographic and personnel constraints. Offshore support centers are effectively banned for Level 3 services.

Misconception 4: "Subcontractors don't need to comply if the main provider does." Incorrect. Annex II, Section 3.1(h) explicitly includes "subsequent sub-outsourcing arrangements." All entities in the support chain must comply with the rules regarding location, residency, and control.

This is general information about a draft EU regulation, not legal advice.