Summary
As proposed, the Cloud and AI Development Act (CADA) designates Union assurance level 4 as the tier intended for defence, intelligence, and classified workloads where the preservation of public order is paramount. Unlike lower tiers, Level 4 mandates that all personnel involved in service provision, including subcontractors' staff, be Union citizens (with national security clearance, where appropriate, for handling classified information), requires a European cybersecurity certificate of at least 'high' assurance, and prohibits any third country from holding effective control over the provider, its subcontractors, or the software supply chain. Contracting authorities must rely on risk assessments under Article 29 to identify these critical activities and, for classified and high-sensitivity defence workloads, procure only services recognised at Level 4. Article 30(3) itself only sets Levels 2 to 4 as the permissible range for public-order activities, so the Level 4 requirement flows from the risk assessment rather than directly from that Article.
Detail
The Cloud and AI Development Act (CADA), as set out in proposal COM(2026) 502 final, establishes a harmonised Union cloud computing sovereignty framework with four distinct assurance levels. While Levels 1 through 3 address varying degrees of data localisation and operational autonomy, Union assurance level 4 is specifically engineered for the most sensitive use cases: defence, intelligence, national security, and the handling of classified information.
The Legal Trigger: Risk Assessment and Public Order
The pathway to Level 4 begins with a mandatory risk assessment. Under Article 29, Member States and Union entities must carry out risk assessments to identify public sector activities that contribute to the preservation of public order. These assessments must explicitly evaluate the sensitivity, criticality, and magnitude of the data processed, including the risk of unlawful access by third countries or service disruption.
For activities falling within sectors such as defence, national security, internal security, and law enforcement, the risk assessment will almost invariably determine that only the highest assurance levels are proportionate. Consequently, Article 30(3) imposes a strict procurement obligation: contracting authorities whose activities are identified as contributing to public order must procure only cloud computing services recognised as offering Union assurance levels 2, 3, or 4. However, for workloads involving classified information or high-sensitivity defence data, the specific criteria of Annex II, Section 4 (Level 4) become the de facto minimum standard to ensure operational autonomy and data confidentiality.
The Four Pillars of Union Assurance Level 4
To be recognised at Level 4, a cloud computing service provider and its subcontractors must satisfy the cumulative criteria set out in Annex II, Section 4.1. These requirements are significantly more stringent than those for Level 3, particularly regarding personnel, software control, and cybersecurity certification.
1. Personnel: Union Citizenship and Security Clearance
A defining feature of Level 4 is the absolute requirement for personnel sovereignty. Annex II, Section 4.1(d) stipulates that all personnel, including those of subcontractors involved in the provision of the service, must be Union citizens. Furthermore, the text explicitly adds that "where appropriate, the personnel must also have the necessary national security clearance issued by a Member State when handling classified information."
This contrasts with Level 3, where citizenship is likewise required but the clearance expectation is framed more conditionally, and with Level 2, where citizenship is required only if the public sector body explicitly demands it. At Level 4 the citizenship requirement is unconditional and extends to subcontractors' staff, and clearance is tied directly to the handling of classified information, so no non-EU national can access the operational environment of classified workloads.
2. Software Supply Chain: Effective Control Prohibition
Perhaps the most critical distinction for defence workloads is the requirement regarding third-country control over software. While Level 3 allows for a derogation where a third country is subject to an implementing act under Article 18 (associated third countries), Annex II, Section 4.1(g) for Level 4 states unequivocally that the provider and its subcontractors are not subject to the control of a third country or a legal entity established in a third country.
Crucially, Annex II, Section 4.1(i)(ii) defines "effective control" in the context of the software supply chain. The provider must demonstrate that a third country does not hold or exercise effective control over the design, development, maintenance, and evolution of software components. This includes the ability to materially influence technical evolution, maintenance priorities, security remediation, and long-term continuity. This provision is designed to prevent scenarios where a foreign entity could remotely introduce vulnerabilities, backdoors, or "kill switches" into critical defence infrastructure, even if the code is open source or the entity is a minority shareholder.
3. Cybersecurity Certification: The 'High' Assurance Threshold
Level 4 elevates the cybersecurity bar significantly. Annex II, Section 4.1(e) requires the audited service to obtain a European cybersecurity certificate of at least assurance level 'high' under a scheme established under Regulation (EU) 2019/881 (the Cybersecurity Act).
This is a specific upgrade from Level 3, which requires a certificate of at least 'substantial' assurance. The 'high' assurance level is intended to cover the most critical infrastructure and services where the consequences of a breach would be catastrophic for public order. Until such a Union-level scheme is fully operational, providers may rely on national schemes or demonstrate compliance with the highest cybersecurity standards under applicable Union law, but the target remains the 'high' assurance benchmark.
4. Data Localisation and Operational Autonomy
Consistent with the higher tiers, Level 4 mandates that customer data identified as sensitive following a risk assessment must remain exclusively within the Union at all times, including metadata and telemetry data. Additionally, Annex II, Section 4.1(h) requires that all technical and operational support, including sub-outsourcing, be initiated and performed exclusively within the Union by personnel who are Union residents and by third parties not subject to third-country control. Because the Section 4.1 criteria are cumulative, the residency condition in point (h) sits alongside, not instead of, the citizenship requirement in point (d): support staff must be Union citizens who are also resident in the Union.
Strategic Context: Data Centres and Infrastructure
While the sovereignty framework governs the service layer, the physical infrastructure supporting defence workloads is addressed under Title III of the proposal. Article 14 allows the Commission to designate data centre projects as "strategic" if they support essential public sector functions, including defence. However, the designation of a strategic project does not automatically confer sovereignty status; the cloud service running on that infrastructure must still undergo the rigorous audit and recognition process under Article 17 to achieve Level 4 status.
What this means for you
For public-sector procurement officers, legal counsel, and defence agencies, the CADA proposal introduces a non-negotiable compliance framework for classified and high-sensitivity workloads.
- Mandatory Risk Assessment: Initiate or update the risk assessment required by Article 29 for all cloud-based defence and intelligence activities. This assessment is the legal trigger that determines which assurance level applies. Where the activity involves classified information or is critical to public order, only the Level 4 criteria deliver the personnel, software-control and certification guarantees described above, so the assessment should conclude that Level 4 is required and record the reasoning.
- Strict Procurement Specifications: When drafting tender documents, you cannot simply ask for "sovereign cloud." Article 30(3) only sets Levels 2 to 4 as the permissible range for public-order activities; the specific level is fixed by your Article 29 assessment. Where that assessment calls for Level 4, the tender must explicitly require recognition at Union assurance level 4, and accepting a Level 3 service would contradict the assessment the Regulation obliges you to carry out.
- Verification of Personnel and Software: Due diligence must go beyond checking the central repository under Article 22. Verify that the provider's audit report explicitly confirms:
  - That all personnel, including subcontractors' staff, are Union citizens.
  - That personnel handling classified data hold valid national security clearances issued by a Member State.
  - That neither the provider nor its subcontractors are subject to third-country control, and that no third country holds effective control over the design, development, maintenance, or evolution of the software components used to deliver the service.
- Cybersecurity Validation: Ensure the provider holds a valid certificate at the 'high' assurance level (or equivalent national standard pending the Union scheme). A 'substantial' certificate, while sufficient for Level 3, is insufficient for Level 4 defence workloads.
- Migration Planning: If your current provider cannot meet Level 4 criteria (e.g., they are subject to third-country control or lack Union-citizen staff with clearance), you must plan a migration. Article 29(6) provides a transition period of up to 12 months to migrate to a compliant provider, provided technical feasibility and data portability are considered.
Common misconceptions
"Level 3 is sufficient for defence if the third country has an adequacy decision." No. While Article 18 allows for a derogation at Level 3 where a third country has specific safeguards (including an adequacy decision), Level 4 explicitly prohibits any third-country control over the provider or its software supply chain. For classified defence workloads, the risk of foreign influence is too high to rely on the Level 3 derogation. Level 4 is the only tier that guarantees the absence of such control.
"Cybersecurity certification alone guarantees sovereignty." Incorrect. A 'high' assurance cybersecurity certificate (required for Level 4) addresses technical vulnerabilities and operational security. However, it does not address sovereignty risks such as third-country legal access to data or control over software evolution. CADA's Level 4 combines the 'high' cybersecurity certificate with strict legal and operational autonomy criteria, including Union citizenship and effective software control. A service can be technically secure but fail Level 4 if it is subject to foreign control.
"Level 4 requires data to be stored in a single Member State." Not necessarily. Annex II, Section 4.1(c) requires that sensitive data remain exclusively within the Union. It does not mandate storage within a single Member State. Data can be processed and stored across multiple Member States, provided that all infrastructure, personnel, and subcontractors involved are located within the Union and meet the citizenship and clearance requirements.
"Open-source software automatically satisfies the software control requirement." No. While open source is encouraged, Annex II, Section 4.1(i)(ii) requires the provider to demonstrate that no third country holds effective control over the design, development, and maintenance of the software. Even if the code is open source, if a third-country entity controls the repository, the maintenance priorities, or the evolution of the component, the service cannot be recognised at Level 4.
This is general information about a draft EU regulation, not legal advice.