Summary

The specific criteria for the four Union assurance levels under the proposed Cloud and AI Development Act (CADA) are defined in Annex II of the regulation, as explicitly established by Article 16(1). To demonstrate compliance, cloud computing service providers must submit audit evidence aligned with the standards set out in Annex III. The European Commission is required to review these criteria at least every 18 months to ensure they remain current with technological and legal developments, as mandated by Article 16(3).

Detail

Under the proposed Cloud and AI Development Act (CADA), the European Union is introducing a harmonised framework to assess the sovereignty and trustworthiness of cloud computing services. For in-house counsel and compliance officers, understanding the precise location of these rules within the legislative text is critical for mapping obligations and preparing for the upcoming recognition procedures.

The legal anchor for this framework is Article 16(1), which states that the Chapter establishes a "Union cloud computing sovereignty framework comprising four Union assurance levels, the criteria for which are set out in Annex II." This provision makes Annex II the primary source document for determining exactly what a provider must achieve to qualify for Level 1, Level 2, Level 3, or Level 4. These levels are cumulative and increasingly stringent, ranging from basic establishment and data localisation requirements (Level 1) to strict controls on third-country influence, mandatory Union citizenship for personnel, and specific cybersecurity certification levels (Levels 2–4).

However, criteria alone are not sufficient for compliance; providers must prove they meet these standards through a structured assessment process. The evidence required to substantiate these claims is defined in Annex III. As noted in Article 21(1), auditing organisations shall assess the compliance of an audited service against the criteria set out in Annex II "on the basis of the audit evidence listed in Annex III." This annex provides indicative but detailed checklists for auditors, covering critical areas such as proof of Union establishment, verification of infrastructure and personnel location, data localisation logs, and software supply chain transparency (including Software Bills of Materials).

Because the cloud and AI landscape evolves rapidly, CADA includes a dynamic mechanism to keep these standards relevant. Article 16(3) mandates that the Commission shall review Annex II and Annex III at least every 18 months. Furthermore, the Commission is empowered under Article 16(2) to adopt delegated acts to amend these annexes if necessary to reflect new legal or technical developments. This ensures that the assurance levels do not become obsolete as new threats or technologies emerge.

For public sector bodies, the choice of assurance level is not arbitrary. Article 29 requires Member States and Union entities to conduct risk assessments to determine which assurance level (2, 3, or 4) is appropriate for activities that contribute to the preservation of public order. Article 30 then dictates procurement rules based on these assessments, mandating that contracting authorities procure only services recognised at the appropriate assurance level.

What this means for you

For compliance officers and in-house legal teams, the location of these criteria dictates your immediate action plan:

  1. Map Your Current Stack to Annex II: You must conduct a gap analysis against the specific criteria in Annex II corresponding to the assurance level you aim to achieve or are required to provide. For example, if you are targeting Level 3, you must verify that your personnel are Union citizens and that your service is not subject to third-country control, as per Annex II, Section 3.
  2. Prepare Audit Evidence per Annex III: Do not wait for an audit to gather documentation. Annex III lists the specific evidence auditors will request, such as lease contracts for infrastructure, payroll records for personnel location, and software bills of materials (SBOMs). Ensure these documents are organised and accessible.
  3. Monitor Commission Reviews: Mark your calendar for the Commission's 18-month review cycle under Article 16(3). Changes to Annex II or III could alter your compliance obligations. Subscribe to official EU updates to track any delegated acts that amend these annexes.
  4. Align Procurement with Risk Assessments: If you are a public sector buyer, ensure your risk assessments under Article 29 are up to date. You cannot procure a Level 1 service for an activity deemed to require Level 3 protection for public order reasons.

Common misconceptions

  • "The criteria are static." Many assume the assurance level criteria are fixed for the life of the regulation. In reality, Article 16(3) requires a review every 18 months, and the Commission can amend the criteria via delegated acts.
  • "Annex II is the only document that matters." While Annex II defines what you must achieve, Annex III defines how you prove it. Ignoring Annex III can lead to failed audits even if you believe you meet the high-level criteria.
  • "Level 1 is optional for all public sector use." Article 30(2) establishes Union assurance level 1 as the minimum requirement for all public sector bodies whose activities have not been identified as contributing to the preservation of public order. It is not optional; it is the baseline.

This is general information about a draft EU regulation, not legal advice.