Summary

Under the proposed Cloud and AI Development Act (CADA), Union Assurance Level 4 is the highest sovereignty tier because it imposes the strictest cumulative criteria to protect the most sensitive public-order activities, such as national security and defence. As proposed, this tier mandates that providers and subcontractors have no foreign control, requires Union citizenship for all personnel, and demands demonstrated effective control over the entire software lifecycle to prevent third-country interference. Crucially, it requires a European cybersecurity certificate of at least 'high' assurance, distinguishing it from the 'substantial' level required for lower tiers.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a Union cloud computing sovereignty framework designed to mitigate risks associated with dependence on non-European cloud providers. This framework consists of four "Union assurance levels," with Level 4 representing the highest standard of trust, autonomy, and security. Understanding why Level 4 is the apex of this hierarchy requires examining the specific legal obligations outlined in Article 16 of the proposal and the detailed technical criteria in Annex II.

The Legal Foundation: Article 16 and Risk-Based Procurement

Article 16 of the CADA proposal establishes the scope of the sovereignty framework. It creates a tiered system where cloud computing service providers must meet specific criteria to be recognized at Levels 1 through 4. The proposal links these levels to public procurement obligations. According to Article 30, contracting authorities whose activities are identified as contributing to the preservation of public order (such as those in national security, defence, or justice) must procure services recognized at Level 2, 3, or 4, depending on the outcome of a risk assessment conducted under Article 29.

Level 4 is reserved for the most critical use cases where the risk of unauthorized access, service disruption, or loss of operational autonomy is deemed highest. It is not merely a "premium" security package but a fundamental requirement for activities where a breach could undermine public order. The proposal ensures that Level 4 is not easily attainable; it requires independent third-party audits (Article 20) and rigorous verification of ownership, data localization, and supply chain integrity.

The Strictest Cumulative Criteria: Annex II, Section 4

The distinction of Level 4 as the highest tier is defined by the cumulative criteria set out in Section 4 of Annex II to the CADA proposal. To achieve this status, a provider must satisfy every single requirement without exception. These criteria are significantly more restrictive than those for Levels 1–3, particularly regarding personnel, control, and software supply chain management.

1. Absolute Prohibition of Foreign Control

While lower levels may allow for services controlled by third-country entities if specific safeguards are met (particularly at Level 3 under certain conditions via Article 18 derogations), Level 4 is uncompromising. Annex II, Section 4(g) explicitly states that the audited provider and its subcontractors "are not subject to the control of a third country or a legal entity established in a third-country." This means that even if a provider is legally established in the EU, it cannot qualify for Level 4 if it is ultimately controlled by a foreign government or foreign legal entity. This criterion addresses the core sovereignty concern of extraterritorial data access laws, such as the US CLOUD Act, by ensuring that no foreign jurisdiction can legally compel the provider to hand over data or disrupt service.

2. Union Citizenship and Security Clearance for Personnel

Level 4 imposes strict requirements on the human element of service delivery. Annex II, Section 4(d) requires that all personnel involved in the provision of the service, including subcontractors, must be Union citizens. Furthermore, where appropriate, these personnel must hold the necessary national security clearance issued by a Member State when handling classified information. This goes beyond the requirements of lower levels:

  • Level 2: Personnel requirements are conditional; Union citizenship is only required if the public sector body explicitly determines it is necessary.
  • Level 3: Personnel must be Union citizens, but the "effective control" requirement over the software lifecycle is less stringent than at Level 4.
  • Level 4: Union citizenship is mandatory for all personnel involved, ensuring that those with physical or logical access to the infrastructure are subject to EU jurisdiction and loyalty obligations.

3. Effective Control Over the Software Lifecycle

One of the most significant additions in the Level 4 criteria is the requirement for "effective control" over the software supply chain. Annex II, Section 4(i)(ii) mandates that the provider must demonstrate that a third country or a legal entity established in a third country "does not hold or exercise effective control over the design, development, maintenance, and evolution of those components or products."

The proposal defines "effective control" as the ability to materially influence technical evolution, maintenance priorities, security remediation, and long-term continuity. This criterion is crucial for preventing "kill switches" or remote tampering features that could be embedded by foreign software manufacturers. It requires providers to prove that they, not a foreign vendor, have the final say in how the software is updated, patched, or modified. This is a step up from Level 3, which requires source code audits and migration plans but does not explicitly demand the same level of proof regarding the absence of foreign effective control over the product's lifecycle.

4. Highest Cybersecurity Certification ('High' vs 'Substantial')

A critical differentiator for Level 4 is the cybersecurity certification requirement. Annex II, Section 4(e) requires the audited service to obtain a European cybersecurity certificate of at least assurance level 'high' under a European cybersecurity certification scheme covering cloud computing services (to be established under Regulation (EU) 2019/881, the Cybersecurity Act).

This is a vital distinction often confused in earlier drafts:

  • Levels 2 and 3: Require a certificate of at least assurance level 'substantial'.
  • Level 4: Requires a certificate of at least assurance level 'high'.

If no such scheme is yet available, a national scheme, or a demonstration of compliance with the highest cybersecurity standards under applicable Union law, applies instead. This ensures that the technical security measures are robust enough to protect the most sensitive data.

5. Strict Data Localization and No Third-Country AI Training

Like Levels 2 and 3, Level 4 requires that customer data, including metadata and telemetry, remain exclusively within the Union. Additionally, Annex II, Section 4(f) prohibits the use of data generated by the service to train or fine-tune any AI system operated by a third country or a legal entity established in a third country. This ensures that sensitive public-sector data cannot be used to improve foreign AI models, protecting both privacy and strategic technological advantages.

Why These Criteria Make Level 4 the Highest Tier

Level 4 is the highest tier because it eliminates the possibility of "backdoor" access or influence from non-EU jurisdictions. While Level 1 focuses on basic establishment and data residency, and Level 2 introduces supply chain transparency and 'substantial' cybersecurity, Level 3 allows for some flexibility regarding third-country control if specific derogations apply under Article 18. Level 4 is absolute. It is designed for environments where any external influence is considered an unacceptable risk to public order. The combination of Union-only personnel, no foreign control, and effective control over software evolution creates a "sovereign bubble" around the service, ensuring that the EU retains full operational autonomy.

What this means for you

For public-sector procurement officers, understanding why Level 4 is the highest tier is essential for conducting accurate risk assessments under Article 29. You are required to identify which of your activities contribute to the preservation of public order in sectors such as defence, national security, and justice. If your risk assessment determines that an activity is highly critical, you must procure services that have been formally recognized at Level 4.

When evaluating tenders, you cannot rely solely on a provider's claim of being "EU-based." You must verify that the provider has undergone the independent audit process described in Article 20 and has been registered in the central repository established under Article 22. Specifically, you should look for evidence that the provider has demonstrated:

  1. No foreign control: Legal structures that prevent third-country entities from influencing strategic decisions.
  2. Personnel clearance: Proof that all staff with access are Union citizens and hold necessary security clearances.
  3. Software autonomy: Documentation showing effective control over the design and maintenance of the software stack, ensuring no foreign vendor can remotely disable or alter the service.
  4. 'High' Cybersecurity Certification: Verification of the specific 'high' assurance level certificate, distinct from the 'substantial' level required for lower tiers.

Failure to procure a Level 4 service for a high-criticality use case could leave your organization vulnerable to operational disruption or unauthorized data access by foreign actors, potentially violating the sovereignty requirements of the CADA proposal.

Common misconceptions

  • "Level 4 is just about data staying in the EU." While data localization is required, it is a baseline for all higher levels. Level 4 is distinguished by who controls the infrastructure and software. A provider could store data in an EU data center but still be controlled by a foreign parent company; such a provider would not qualify for Level 4.
  • "Level 4 is only for military use." While defence is a key use case, Level 4 applies to any public-sector activity identified as critical to public order, including certain justice, law enforcement, and national security functions. The specific classification depends on the Member State's risk assessment under Article 29.
  • "Open-source software automatically meets Level 4." Using open-source software helps with transparency, but it does not automatically satisfy Level 4 criteria. The provider must still demonstrate effective control over the software's evolution and ensure that no third country exercises control over the components. If the open-source project is maintained by a foundation controlled by a third country, it may not meet the strict "no foreign control" requirement.
  • "Level 4 requires the same cybersecurity level as Level 3." This is incorrect. Level 3 requires a 'substantial' cybersecurity certificate, whereas Level 4 requires a 'high' cybersecurity certificate, representing a stricter technical security standard.

This is general information about a draft EU regulation, not legal advice.