Summary
No, as proposed, the European Cybersecurity Certification Scheme for Cloud Services (EUCS) assurance levels do not map directly or automatically to the Cloud and AI Development Act (CADA) Union assurance levels. While CADA explicitly leverages EUCS certificates as a component of its higher tiers, the two frameworks serve distinct purposes. EUCS focuses on technical cybersecurity with three levels ("basic", "substantial", "high"), whereas CADA's four Union assurance levels (1–4) address broader sovereignty risks, including data localisation, personnel citizenship, and freedom from third-country control. Holding an EUCS certificate is a necessary condition for CADA levels 2, 3, and 4, but it is insufficient on its own. CADA's audit criteria in Annex II are significantly broader than EUCS, requiring independent verification of ownership structures, supply chain resilience, and operational autonomy.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a "Union cloud computing sovereignty framework" comprising four Union assurance levels to mitigate risks to public order, operational autonomy, and data sovereignty. This framework is legally distinct from the EUCS, which is a cybersecurity certification scheme developed under the Cybersecurity Act (Regulation (EU) 2019/881). Although both instruments aim to increase trust in cloud services, they are not interchangeable, nor does one automatically confer compliance with the other.
Distinct Objectives and Structures
The EUCS is primarily a technical cybersecurity certification. It assesses a cloud service provider's ability to protect data and systems against cyber threats, ensuring confidentiality, integrity, and availability. It operates on three assurance levels: "basic", "substantial", and "high". These levels correspond to the severity of the threats the service is designed to withstand.
In contrast, CADA's Union assurance levels (defined in Article 16 and detailed in Annex II) address "sovereignty" in a broader sense. As stated in the explanatory memorandum, sovereignty goes beyond data transfers and relates to "operational autonomy" and protection from the extraterritorial reach of third-country laws. CADA's four tiers evaluate a comprehensive set of sovereignty criteria:
- Union Assurance Level 1: Focuses on basic establishment in the Union and data localisation.
- Union Assurance Levels 2–4: Introduce increasingly strict requirements regarding personnel citizenship, the absence of third-country control, software supply chain transparency, and cybersecurity certification.
How EUCS Fits into CADA
CADA explicitly envisages leveraging EUCS, but not as a one-to-one mapping. Under Annex II of the CADA proposal, achieving a specific Union assurance level requires meeting a set of cumulative criteria. One of these criteria is often the possession of a specific EUCS certificate, but it is merely one pillar of the assessment.
- For Union Assurance Level 1: The provider must demonstrate that the service complies with "state-of-the-art cybersecurity standards" (Annex II, Section 1.1(e)). The proposal does not explicitly mandate an EUCS certificate as the sole proof here, though obtaining one would likely satisfy this requirement. The primary focus at Level 1 is on the provider's establishment in the Union and the location of infrastructure and data.
- For Union Assurance Levels 2 and 3: The provider must obtain a European cybersecurity certificate of at least assurance level "substantial" under a scheme established under Regulation (EU) 2019/881 (Annex II, Sections 2.1(e) and 3.1(e)). This directly references the EUCS. However, this is just one of many cumulative criteria. The provider must also prove that all personnel involved in service provision are Union citizens (mandatory at Level 3, and at Level 2 where the public body requires it), that infrastructure and assets are located exclusively in the Union, and that there is no third-country control over the provider.
- For Union Assurance Level 4: The provider must obtain a certificate of at least assurance level "high" under the same scheme (Annex II, Section 4.1(e)). Again, this is a component of a much stricter set of requirements, including mandatory Union citizenship for all personnel involved and strict prohibitions on third-country control.
Broader Audit Criteria in CADA
The audit criteria for CADA Union assurance levels 2, 3, and 4 (detailed in Annex II) are significantly broader than EUCS. While EUCS focuses on security controls, CADA audits (conducted by independent auditing organisations under Article 20) must verify a wide range of sovereignty-specific factors:
- Establishment and Control: Proof that the provider is established in the Union and not subject to the control of a third country or legal entity established in a third country (Annex II, Sections 2.1(g), 3.1(g), 4.1(g)). This includes analysing ownership structures, voting rights, and strategic decision-making power to ensure no third-country entity can compel service disruption or data access.
- Personnel: Verification that personnel involved in service provision are Union citizens (Annex II, Sections 3.1(d), 4.1(d)). This is a mandatory requirement for Levels 3 and 4, and conditional for Level 2 if the public body requires it. EUCS does not assess personnel nationality.
- Software Supply Chain: Requirements for a complete Software Bill of Materials (SBOM), source code audits for third-country components, and documented migration plans if a vendor fails (Annex II, Sections 2.1(i), 3.1(i), 4.1(i)).
- Data Localisation: Evidence that customer data, including metadata and telemetry, remains exclusively within the Union (Annex II, Sections 2.1(c), 3.1(c), 4.1(c)).
Therefore, a provider holding an EUCS "high" certificate would still need to undergo a separate, comprehensive audit under CADA to prove compliance with these sovereignty-specific criteria to achieve Union Assurance Level 4. The EUCS certificate serves as evidence for the cybersecurity pillar, but the CADA audit validates the entire sovereignty framework.
What this means for you
For CTOs, architects, and SMEs evaluating their cloud strategy, the lack of a direct mapping has several practical implications:
- Dual Compliance Pathways: If you aim to serve public sector clients requiring Union Assurance Levels 2–4, you cannot rely solely on your EUCS certificate. You must prepare for a separate CADA recognition process under Article 17. This involves submitting an application to the national competent authority of your establishment, providing evidence of sovereignty criteria (e.g., personnel contracts, ownership structures, SBOMs) that go beyond cybersecurity.
- Strategic Investment in Sovereignty: Achieving higher CADA tiers requires structural changes that EUCS does not address. For example, to reach Union Assurance Level 3, you must ensure that all personnel involved in the service provision are Union citizens. If your current support or engineering teams include non-EU nationals, you will need to restructure your workforce or operational boundaries to comply, regardless of your EUCS status.
- Audit Readiness: Independent audits for CADA levels 2–4 (Article 20) will scrutinise your supply chain and third-country dependencies more deeply than a typical EUCS audit. Ensure your SBOMs are up to date, your software dependencies are mapped, and you have documented plans for migrating away from third-country software components if restrictions arise.
- SME Considerations: For Union Assurance Level 1, SMEs benefit from a streamlined process. Under Article 17(3), the EU statement of conformity issued by SMEs is directly and automatically recognised in all Member States without prior recognition by the evaluating national competent authority. This lowers the barrier to entry for smaller European providers seeking to demonstrate basic sovereignty compliance.
Common misconceptions
"EUCS High equals CADA Level 4" This is incorrect. EUCS "high" is a cybersecurity assurance level. CADA Level 4 is a sovereignty assurance level. While Level 4 requires an EUCS "high" (or equivalent) certificate, it also demands strict personnel citizenship rules and absolute freedom from third-country control, which EUCS does not assess.
"CADA replaces EUCS" CADA does not replace EUCS; it complements it. EUCS remains the primary instrument for technical cybersecurity certification under the Cybersecurity Act. CADA uses EUCS certificates as evidence within its broader sovereignty framework. Both regimes will coexist.
"One audit covers both" The audits are distinct. EUCS audits are conducted by conformity assessment bodies notified under the Cybersecurity Act. CADA audits for levels 2–4 are conducted by independent auditing organisations selected by the provider, under the supervision of national competent authorities designated under CADA Article 25. The scope, criteria, and legal basis differ.
"Level 1 requires EUCS" Union Assurance Level 1 does not explicitly mandate an EUCS certificate. It requires demonstration of compliance with state-of-the-art cybersecurity standards. While EUCS "basic" would likely satisfy this, other national or industry certifications might also be acceptable until EUCS is fully established and available for all providers.
This is general information about a draft EU regulation, not legal advice.