Summary
Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers must meet specific Union assurance levels if they wish to offer services to Union entities and public sector bodies. As proposed in Article 16(1), the framework establishes four assurance levels with criteria set out in Annex II. While the regulation does not mandate private sector procurement, Article 31 allows private entities in critical sectors to conduct similar impact assessments, creating a market pull for sovereign compliance. Providers must undergo formal recognition (self-assessment for Level 1; independent audit for Levels 2–4) to be eligible for public contracts.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a harmonised EU-wide framework to address strategic dependencies and safeguard public order. A core component of this framework is the Union cloud computing sovereignty framework, which categorises cloud services into four "Union assurance levels" (UALs). These levels reflect increasing degrees of operational autonomy, data sovereignty, and resistance to third-country interference.
The Scope of the Obligation
The primary obligation falls on cloud computing service providers. Specifically, any provider aiming to supply cloud computing services to Union entities (EU institutions, bodies, offices, and agencies) and public sector bodies (national, regional, or local authorities) must comply with the framework.
Article 16(1) of the CADA proposal establishes the framework, stating:
"This Chapter establishes a Union cloud computing sovereignty framework comprising four Union assurance levels, the criteria for which are set out in Annex II to the Regulation for cloud computing services to be considered as providing Union assurance across level 1 to level 4."
While Article 16(1) defines the framework, the operational obligation for providers is clarified in Annex II, which sets out the criteria "to be met by cloud computing service providers and their cloud computing services in order to be recognised as offering services at Union assurance levels 1, 2, 3 and 4." Consequently, providers cannot simply claim sovereignty; they must undergo a formal recognition process to demonstrate compliance with the cumulative criteria of a specific level. Without this recognition, they are generally ineligible to participate in public procurement procedures for cloud services, subject to limited derogations.
The Criteria in Annex II
The substantive requirements are detailed in Annex II. The criteria are cumulative: a provider seeking Level 3 must meet all requirements for Levels 1 and 2. Key pillars include:
- Establishment and Control: Providers must be established in the Union. Higher levels impose stricter rules on ownership. For Level 3, providers subject to third-country control may qualify only if the Commission has adopted an implementing act under Article 18 (despite a drafting slip in Annex II referencing Article 19, the mechanism is defined in Article 18). Level 4 strictly prohibits control by third-country entities.
- Data Localisation: Customer data, including metadata and telemetry, must remain exclusively within the Union unless the public sector body explicitly requires otherwise.
- Personnel: For Levels 3 and 4, personnel involved in service provision must be Union citizens. For Level 2, Union citizenship is conditional: it is required only "if the public sector body determines that imposing additional personnel screening and Union citizenship requirements are necessary."
- Cybersecurity: Providers must obtain a European cybersecurity certificate (e.g., under the EUCS scheme) at specific assurance levels. Levels 2 and 3 require at least a "substantial" assurance level, while Level 4 requires a "high" assurance level.
- Software Supply Chain: Providers must maintain a complete Software Bill of Materials (SBOM) and ensure no remote features exist that could tamper with or disrupt the service.
The Recognition Process
The path to recognition varies by level:
- Level 1: Providers perform a conformity self-assessment and issue an EU statement of conformity. For SMEs, this statement is directly and automatically recognised across the Union without prior national authority review (Article 17(3)).
- Levels 2, 3, and 4: Providers must undergo independent third-party audits by an auditing organisation to obtain a "positive" audit opinion. This report is then submitted to the national competent authority of establishment for recognition (Article 17(4)).
Indirect Impact on the Private Sector
While CADA directly mandates public sector procurement rules, it also influences the private sector. Article 31 allows private sector entities operating in sectors of high criticality (as defined in Annex I of the NIS2 Directive) to carry out impact assessments similar to those required of public bodies. Although such assessments are not strictly mandatory for all private firms, the Commission may issue guidance or adopt delegated acts requiring them for specific high-criticality entities. This creates a "spillover" effect: private demand for sovereign services rises, pressuring providers to meet these standards to remain competitive.
What this means for you
If you are a cloud service provider, data centre operator, or a public sector buyer, the proposed CADA framework requires immediate strategic alignment.
For Cloud Service Providers
- Audit Your Architecture: Review your infrastructure, data flows, and subcontracting agreements. Ensure data residency, personnel location, and ownership structures align with your target assurance level. If you have a parent company in a third country, you must demonstrate effective legal and technical separation to qualify for Level 2, and potentially Level 3 (subject to an Article 18 decision).
- Prepare for Recognition: You cannot self-certify for Levels 2, 3, and 4. You must engage an independent auditing organisation. For Level 1, prepare your EU statement of conformity. Gather documentation (SBOMs, security policies, personnel records) well in advance of applying for recognition via your national competent authority.
- Monitor Procurement Requirements: Public sector clients will conduct risk assessments (Article 29) to determine their required assurance level. If your client operates in defence, justice, or critical infrastructure, they will likely require Level 3 or 4. Ensure your service portfolio can meet these higher tiers.
- Update Subcontractor Contracts: Your subcontractors must also meet the relevant criteria. Ensure your contracts enforce data localisation, personnel screening, and security standards required by the specific Union assurance level you are targeting.
For Public Sector Bodies
- Conduct Risk Assessments: You must carry out risk assessments to identify which public sector activities contribute to the preservation of public order (Article 29). This determines whether you must procure Level 1, or the higher Levels 2, 3, or 4.
- Enforce Procurement Rules: Under Article 30, you must procure only services recognised at the appropriate level. For activities contributing to public order, this means Level 2, 3, or 4. For other activities, Level 1 is the minimum baseline.
Common misconceptions
"Only EU-owned companies can qualify." This is incorrect. Providers controlled by third-country entities can qualify for Level 2 and, under specific conditions and a Commission implementing act under Article 18, Level 3. However, they must demonstrate that third-country control does not compromise operational autonomy, data access, or service continuity. Level 4 strictly prohibits control by third-country entities.
"Meeting the GDPR is enough." The GDPR focuses on data protection and privacy. CADA's Union assurance levels go further, addressing operational sovereignty, supply chain security, personnel citizenship, and resistance to extraterritorial legal reach. A service can be GDPR-compliant but fail to meet Level 2 or 3 sovereignty criteria due to ownership structures or software supply chain vulnerabilities.
"Private companies are forced to buy sovereign cloud." CADA mandates public sector procurement rules. Private sector entities are not legally forced by CADA to buy services with a specific Union assurance level, though they may be encouraged to conduct risk assessments under Article 31. However, market dynamics and spillover effects from public sector requirements may make sovereign services the preferred or default choice for many private enterprises, especially in regulated industries.
"Level 1 is the highest standard." The levels are tiered. Level 1 is the baseline minimum for all public sector procurement. Levels 2, 3, and 4 offer progressively higher guarantees of sovereignty and security, with Level 4 being the most stringent, allowing for the hosting of classified information and requiring the highest degree of operational autonomy and "high" cybersecurity certification.
This is general information about a draft EU regulation, not legal advice.