CADA assurance levels are a four-tier sovereignty classification for cloud and AI services, defined under the proposed CADA Regulation COM(2026) 502. They give procurement teams a structured, criteria-based method for scoring providers against jurisdictional risk, operational independence, and data-access exposure, moving the conversation from vague “sovereign cloud” marketing claims to verifiable technical and legal controls. For regulated private-sector organisations in finance, healthcare, and legal services, this framework matters because the residual exposure left open by GDPR transfer tools is precisely what the upper assurance levels are designed to close.
The Four CADA Assurance Levels and What Differentiates Them
Each level builds cumulatively on the controls of the level below, with the key differentiator at each step being the degree to which a third-country government can compel the provider to disclose, intercept, or suspend access to data.
| CADA Level | Core Criteria | Residual Third-Country Risk | Comparable Standard |
|---|---|---|---|
| Level 1 | Standard contractual data-processing terms, GDPR-compliant DPA | High: US CLOUD Act and FISA 702 apply if provider has US parent | EUCS Basic / SEAL-1 |
| Level 2 | EU data residency guaranteed; some access controls on non-EU staff | Significant: parent-company jurisdiction can still compel disclosure | EUCS Substantial / SEAL-2 |
| Level 3 | EU-controlled legal entity, EU-resident key management, no third-country law enforcement access path, technical access controls audited annually | Low: no contractual or legal mechanism for third-country compelled access | EUCS High / SEAL-3 |
| Level 4 | All Level 3 controls plus on-premises or air-gapped deployment, hardware-level isolation, post-quantum cryptographic protections | Near zero: physical and cryptographic separation from any network-accessible vector | EUCS High with sovereignty add-on (under ENISA review) |
For most regulated private-sector entities, Level 3 is the operationally realistic target. It requires no physical air-gap, remains compatible with managed cloud services, and delivers the legal and technical independence that regulators under NIS-2, DORA, and GDPR expect as evidence of appropriate organisational measures.
Private-Sector Basis for Using CADA Levels as a Due-Diligence Tool
CADA Article 29 makes risk assessments formally mandatory only for public bodies, but that does not make the levels irrelevant to the private sector.
Regulated financial institutions subject to DORA (Regulation EU 2022/2554, applicable from January 2025) must document ICT third-party risk and demonstrate concentration risk management. The European Banking Authority’s ICT risk guidelines explicitly require that outsourcing contracts for critical functions include audit rights, data access controls, and evidence of regulatory-equivalent protections. A provider recognised at CADA Level 3 by a Member State competent authority satisfies those requirements in a directly auditable, externally validated form.
Similarly, under NIS-2 (Directive EU 2022/2555), essential and important entities must implement supply-chain security measures proportionate to the risk. Using a CADA-level recognition as a supplier-scoring input is a defensible, standards-referenced approach that compliance officers can document and produce during a supervisory inspection.
“The concentration of critical data in a small number of hyperscaler platforms creates systemic risk that no single organisation’s contractual safeguards can fully neutralise.” (European Data Protection Board, Guidelines 05/2021)
The practical basis, then, is this: CADA assurance levels translate an abstract sovereignty claim into a set of verifiable criteria. Even where the Regulation does not legally compel private organisations to use them, they function as a ready-made due-diligence checklist that maps directly onto existing regulatory obligations.
Why CADA Level 3 Closes the Gap That the EU-US Data Privacy Framework Leaves Open
The EU-US Data Privacy Framework (adequacy decision adopted July 2023) allows personal data transfers from the EU to certified US organisations without requiring separate GDPR Article 46 transfer tools such as Standard Contractual Clauses. That removes one compliance layer, but it does not remove the underlying legal exposure.
“Transfer impact assessments under Article 46 GDPR cannot substitute for the absence of legal exposure to third-country surveillance law; they assess risk, they do not eliminate it.” (Andrea Jelinek, former Chair, European Data Protection Board, 2021)
The US CLOUD Act (2018) allows US law enforcement to compel a US-controlled provider to produce data held anywhere in the world, regardless of where the data physically resides. FISA Section 702 authorises the collection of communications of non-US persons from US electronic communications service providers without individualised warrants. The ODNI Annual Statistical Transparency Report for 2023 reported that FISA Section 702 orders covered approximately 246,073 foreign targets in the 2022 calendar year: a concrete illustration of scale, not a theoretical risk.
A CADA Level 3 provider eliminates this exposure structurally. The criteria require that the legal entity controlling the service is established and governed under EU law, that cryptographic keys are managed exclusively by EU-resident personnel, and that no contractual or technical pathway exists through which a non-EU authority can compel access. A transfer impact assessment conducted under GDPR Article 46 can document residual risk; a CADA Level 3 recognition removes the underlying cause of that risk.
The Recognition and Verification Process
Under COM(2026) 502, formal CADA assurance-level recognition is issued by the competent national supervisory authority of the Member State in which the provider is established. The process involves a conformity assessment carried out by an accredited third-party auditor, followed by a recognition decision that is published in the Member State’s official cloud registry.
For procurement teams, verification involves three steps. First, request the recognition decision reference number and the name of the issuing authority. Second, cross-reference that reference against the public registry, which CADA requires Member States to maintain and keep current. Third, confirm the scope of the recognition: some decisions cover specific service lines or geographic zones rather than the provider’s entire catalogue.
IBM’s Cost of a Data Breach Report 2024 recorded an average total breach cost of USD 4.88 million, the highest figure in the report’s history. Against that benchmark, the due-diligence cost of verifying a CADA recognition decision is negligible.
Cross-Referencing CADA, SEAL, and EUCS for Multi-Framework Procurement
Regulated buyers often encounter all three frameworks simultaneously, particularly in public-private procurement processes or when benchmarking a shortlist of providers across different EU jurisdictions. The mapping is consistent enough to permit cross-referencing, with important caveats.
The EU Cloud Sovereignty Framework SEAL-2 and SEAL-3 scores, developed as part of the European Commission’s cloud certification preparatory work, correspond broadly to CADA Levels 2 and 3 respectively. SEAL-3 requires EU-controlled legal entities, localised key management, and documented exclusion of third-country access paths, criteria that are structurally identical to CADA Level 3. The EUCS High assurance tier, maintained by ENISA, adds a formal conformity assessment methodology with accredited bodies and is the technical backbone on which both SEAL-3 and CADA Level 3 recognition processes are built.
A provider holding an EUCS High-tier certificate from an accredited EU conformity assessment body is therefore well-positioned to achieve CADA Level 3 recognition, but the two remain formally distinct: EUCS certification is a cybersecurity assurance, while CADA recognition is a sovereignty assurance. Procurement scorecards should treat them as complementary rather than interchangeable.
IDC’s European Cloud Pulse survey (2023) found that 67 percent of organisations identified regulatory compliance as a primary driver for adopting sovereign cloud: a figure that underscores why a unified cross-framework scoring approach reduces duplicated assessment effort.
Swiss-Hosted Providers and CADA Level 3 Equivalent Positioning
Switzerland is not an EU Member State and therefore falls outside the formal CADA recognition process administered by Member State authorities. However, Swiss-hosted providers can credibly claim an equivalent positioning through a combination of four demonstrable controls.
First, the revised Swiss Federal Act on Data Protection (revFADP), in force from 1 September 2023, aligns Swiss data protection law closely with the GDPR, including mandatory data-breach notification, data-protection-by-design obligations, and a strengthened role for the Federal Data Protection and Information Commissioner (FDPIC). The European Commission has maintained Switzerland’s adequacy status under GDPR Article 45, which means transfers to Switzerland do not require Article 46 tools.
Second, a Swiss provider can obtain EUCS High-tier certification through an accredited EU conformity assessment body. Because EUCS is a technical standard, not a territorial one, the certification is achievable regardless of the provider’s national location.
Third, the provider’s legal entity structure must ensure that no Swiss state actor, and no actor under a mutual legal assistance treaty with a third country, can compel access to data through the provider. This requires that the service is operated by an EU-incorporated subsidiary with autonomous governance over encryption keys, staff access, and operational decisions, rather than by the Swiss parent entity.
Fourth, contractual controls must go beyond standard DPA language to include explicit audit rights, technically enforced access logs, and a documented incident-response procedure that requires notification to the customer before any government access request is fulfilled, where legally permissible. Together, these four elements constitute the substantive content of CADA Level 3, even if formal recognition under COM(2026) 502 cannot be issued by a Member State for a non-EU entity.
FAQ
Is CADA compliance mandatory for private-sector organisations?
No. The mandatory risk-assessment obligation under CADA Article 29 applies to public bodies. Regulated private-sector entities in finance, healthcare, and legal services can voluntarily adopt the assurance levels as a structured due-diligence and supplier-scoring methodology. Regulators under NIS-2, DORA, and GDPR may treat demonstrated alignment as evidence of appropriate technical and organisational measures.
Does the EU-US Data Privacy Framework fully resolve the jurisdictional risk of using a US-controlled cloud provider?
No. The EU-US Data Privacy Framework enables personal data transfers without Article 46 GDPR transfer tools, but it does not remove the risk of compelled disclosure under the US CLOUD Act, FISA Section 702, or PATRIOT Act. Those statutes allow US government access to data held by US-controlled entities regardless of where the data is physically stored, a risk that CADA Level 3 and Level 4 are specifically designed to eliminate at its structural root.
How does a procurement team verify that a provider holds a recognised CADA assurance level?
Request the formal recognition decision reference number issued by the competent national supervisory authority of the Member State where the provider is established, cross-reference it against the public registry that CADA mandates Member States to maintain, and confirm the scope and expiry date. Certificates from EUCS High tier or SEAL-3 assessments corroborate the claim but do not substitute for a formal CADA recognition decision.
Can a Swiss-hosted provider credibly be positioned at CADA Level 3 equivalent?
Yes, with qualifications. Switzerland falls outside the formal CADA recognition process, but a Swiss provider can demonstrate equivalent controls by obtaining EUCS High-tier certification through an accredited EU conformity assessment body, operating under the revFADP (in force September 2023), and committing contractually to EU-jurisdiction governance and technical controls that prevent access by non-EU authorities, including through mutual legal assistance treaty mechanisms.
How do CADA assurance levels relate to EUCS and SEAL?
CADA Levels 1 and 2 correspond broadly to the EUCS Basic and Substantial tiers and SEAL-1 and SEAL-2 scores. CADA Level 3 maps onto EUCS High and SEAL-3, requiring EU-controlled legal entities, EU-resident key management, and auditable exclusion of third-country law enforcement access. CADA Level 4 adds physically isolated or air-gapped deployment and is analogous to EUCS High with sovereignty add-ons currently under active ENISA review.
