Summary
A public body would require CADA Union Assurance Level 4 over Level 3 only when its risk assessment identifies that the cloud service handles the most sensitive data, such as classified information, or supports activities critical to public order where the highest possible protection against third-country control and service disruption is mandatory. While Level 3 already prohibits third-country control and requires 'substantial' cybersecurity certification, Level 4 raises the bar significantly: it mandates a European cybersecurity certificate of at least assurance level 'high' and demands effective control over the software supply chain, ensuring no third country holds sway over the design, evolution, or maintenance of the underlying technology. This tier is reserved strictly for the most critical public sector use cases, such as national security, defence, and the processing of classified information.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised EU-wide sovereignty framework to reduce dependence on non-European cloud providers and safeguard the Union's public order. Central to this framework are four "Union Assurance Levels" (UALs), ranging from Level 1 (baseline) to Level 4 (highest). As set out in Article 16, these levels define the cumulative criteria cloud computing service providers must meet to be recognised as offering services to Union entities and public sector bodies.
While both Level 3 and Level 4 represent high-sovereignty tiers with strict prohibitions on third-country control, Level 4 is engineered for the most extreme risk scenarios. Understanding why a public body would require Level 4 over Level 3 requires a close examination of the specific criteria in Annex II and the risk assessment obligations in Article 29.
The Role of Risk Assessment
Under Article 29, Member States and Union entities are obligated to conduct risk assessments to determine the appropriate Union Assurance Level for their specific public sector activities. These assessments must consider the sensitivity, criticality, and magnitude of the data processed, as well as the potential impact on public order.
Most public services do not require the highest levels of assurance. However, for activities contributing to the preservation of public order in sectors such as national security, internal security, external border management, defence, justice, or law enforcement, higher assurance levels are necessary. Article 30 mandates that contracting authorities whose activities are identified as contributing to the preservation of public order must procure services recognised as offering Union Assurance Levels 2, 3, or 4. The choice between Level 3 and Level 4 is not a matter of preference but a direct consequence of the risk assessment: if the data is classified or highly sensitive, and the risk of third-country interference or service disruption poses a severe threat to public order, Level 4 becomes the required standard.
Key Differences: Annex II Criteria
The technical and operational distinctions between Level 3 and Level 4 are detailed in Annex II. Both levels share foundational requirements: the provider and subcontractors must be established in the Union; infrastructure, assets, and personnel must be located in the Union; and customer data must remain exclusively within the Union. However, Level 4 introduces two critical enhancements that fundamentally alter the security posture:
1. Higher Cybersecurity Certification
The most immediate differentiator is the required level of cybersecurity certification under the European cybersecurity certification scheme (EUCS) established under Regulation (EU) 2019/881.
- Level 3: Requires the audited service to obtain a European cybersecurity certificate of at least assurance level 'substantial'. This ensures robust security but allows for a degree of flexibility in the certification tier.
- Level 4: Raises this bar significantly, requiring a certificate of at least assurance level 'high'. This ensures that the most critical public sector systems are protected by the highest available cybersecurity standards, addressing the most severe threat models.
2. Effective Control Over Software Supply Chains
While both levels address third-country influence, Level 4 imposes a stricter standard regarding the control of software components.
- Level 3: Requires providers to demonstrate that necessary legal, technical, and organisational measures are in place to prevent third-country control from restricting service delivery or accessing customer data. It mandates a Software Bill of Materials (SBOM) and controls to block remote features that could tamper with the service. Crucially, Level 3 allows for a derogation: a provider subject to third-country control may still qualify if the Commission has adopted an implementing act under Article 18 (formerly mis-referenced as Article 19 in some drafts) identifying that third country as providing sufficient assurances.
- Level 4: Removes this flexibility for the highest tier. It requires the provider to demonstrate effective control over software components and products. Specifically, the provider must prove that a third country or a legal entity established in a third country does not hold or exercise effective control over the design, development, maintenance, and evolution of those components. This includes the ability to materially influence technical evolution, maintenance priorities, security remediation, and long-term continuity. This criterion ensures that even if software components are involved, the strategic direction and security of the software remain firmly under Union control, eliminating the risk of "backdoor" influence via third-country ownership or licensing.
Why Choose Level 4?
A public body would select Level 4 over Level 3 when the risk assessment indicates that the data processed is of such high sensitivity that any potential vulnerability, even if mitigated by Level 3 measures, could still pose an unacceptable risk to public order. This typically includes:
- Processing classified information as defined in Union law.
- Supporting critical national security functions where service disruption could compromise state security.
- Handling data where the consequence of a breach or service disruption would be catastrophic for the Union or a Member State.
In these cases, the additional guarantees of Level 4, particularly the 'high' cybersecurity certification and the strict requirement for effective control over software evolution, provide the necessary layer of protection to ensure operational autonomy and data confidentiality.
What this means for you
For public-sector procurement officers and compliance teams, choosing between Level 3 and Level 4 is a compliance imperative driven by your risk assessment.
- Conduct Thorough Risk Assessments: Ensure your risk assessments under Article 29 clearly document why Level 4 is necessary. If you handle classified data or critical national security functions, Level 4 is likely the only compliant option. Do not default to Level 3 for high-risk activities.
- Verify Provider Credentials: When procuring cloud services, check the central repository (established under Article 22) to confirm that the provider is recognised as offering Union Assurance Level 4. Do not accept Level 3 providers for Level 4 use cases, as they will lack the 'high' certification and effective software control guarantees.
- Understand the Cost-Benefit: Level 4 services may be more expensive due to the stricter requirements (e.g., 'high' EUCS certification and rigorous supply chain audits). However, the cost of a security breach in high-sensitivity contexts far outweighs the procurement cost.
- Plan for Migration: If your current services do not meet Level 4 criteria, start planning migration early. Article 29 allows for a reasonable transition period (not exceeding 12 months) for migration to a compliant service, but the timeline is tight for critical infrastructure.
Common misconceptions
"Level 3 is sufficient for all sensitive data." This is incorrect. While Level 3 is a high-assurance tier, Level 4 is specifically designed for the most sensitive data, particularly classified information. The risk assessment will dictate the appropriate level, and for the highest-risk scenarios, Level 4 is mandatory.
"Level 4 is just Level 3 with more paperwork." No. Level 4 introduces substantive technical differences, particularly the requirement for 'high' cybersecurity certification and effective control over software supply chains. These are critical safeguards against advanced threats and third-country influence that Level 3 does not mandate.
"Any EU-based provider can offer Level 4." Not necessarily. Providers must undergo independent third-party audits (under Article 20) and meet the strict criteria in Annex II. Only providers recognised by national competent authorities (under Article 17) can offer Level 4 services. The barrier to entry is significantly higher than for Level 3.
Official sources
Related
- Can a public body require extra personnel screening under CADA?
- Can a public body require data outside the EU under CADA?
- Why choose a CADA Level 1 provider? The baseline for public procurement
- Which CADA tier should a public-sector buyer require? A guide to Union Assurance Levels
- CADA Level 2 Personnel: Can a Buyer Require EU Citizenship?
This is general information about a draft EU regulation, not legal advice.