Summary

Under the proposed Cloud and AI Development Act (CADA), an EU-established provider that is not under third-country control can in principle reach the highest sovereignty tier, Union assurance level 4, if it meets the Annex II criteria. A provider that is subject to third-country control faces a structural ceiling: it cannot reach level 4 at all, and can reach level 3 only where the Commission has recognised its home country as an "associated third country" under Article 18, which lets such a provider be audited against the level 3 criteria, not granted full equivalence. (Level 2 is also open to third-country-controlled providers, with safeguards and without an Article 18 decision, provided the provider is EU-established.) CADA is a proposal, not yet in force.

Detail

CADA proposes a four-tier Union cloud computing sovereignty framework (Article 16), with cumulative criteria for each level set out in Annex II. The key distinction between an EU-controlled provider and a third-country-controlled one is the maximum level attainable and the route to get there. A foundational point: every level in Annex II requires the provider to be established in the Union — so a provider with no EU establishment cannot hold any Union assurance level for serving public-sector customers. "Third-country control" therefore concerns EU-established providers that are ultimately controlled from outside the Union.

Levels 1 and 2: open to third-country-controlled (EU-established) providers, with conditions

  • Level 1 (Annex II, point 1) is the self-assessed baseline. It requires EU establishment, EU data location and other criteria; where the provider is under third-country control, it must guarantee that no third-country law requires it to report software vulnerabilities to that country before they are known to be exploited (Annex II, 1.1(g)). Recognition at level 1 is by EU statement of conformity (Article 19), and for SMEs that statement is "directly and automatically recognised in all Member States" (Article 17(3)).
  • Level 2 (Annex II, point 2) is audited. Notably, it permits providers under third-country control: where the provider and relevant subcontractors are subject to such control, they must demonstrate safeguards so that the control cannot restrict service delivery, allow access to customer data, disrupt continuity, or force compliance with third-country sanctions (Annex II, 2.1(g)). Citizenship of personnel is required at level 2 only "if the public sector body determines" it is necessary (Annex II, 2.1(d)). No Article 18 decision is needed for level 2.

Level 3: third-country control allowed only via Article 18

At level 3 (Annex II, point 3), the default is strict: the provider and its relevant subcontractors must "not [be] subject to the control of a third country or a legal entity established in a third-country" (Annex II, 3.1(g)). Level 3 also requires personnel to be Union citizens (Annex II, 3.1(d)).

A derogation exists: a third-country-controlled provider "may be audited for Union assurance level 3 where the Commission has adopted an implementing act" recognising the country (Annex II, 3.1(g)). The operative mechanism for that recognition is Article 18 ("Associated third countries"). Even then, the provider must additionally demonstrate legal, technical and organisational measures so that the third-country control cannot restrict service delivery, allow access to customer data, or disrupt continuity (Annex II, 3.1(g)(i)–(iv)).

Note: the Annex II level 3 text cross-refers to "an implementing act under Article 19," whereas the operative associated-third-country mechanism — and the implementing-act power — sits in Article 18; Article 19 governs the level 1 self-assessment. This appears to be a drafting inconsistency in the proposal. The substantive route to level 3 for a recognised third country is Article 18.

Level 4: no third-country control, no derogation

At level 4 (Annex II, point 4), the provider and relevant subcontractors must "not [be] subject to the control of a third country or a legal entity established in a third-country" (Annex II, 4.1(g)) — and there is no derogation. Level 4 also requires Union-citizen personnel (Annex II, 4.1(d)) and effective control over the software supply chain, including that no third country exercises effective control over the components used (Annex II, 4.1(i)). Therefore, even a provider from an associated third country cannot reach level 4; it is effectively capped at level 3.

Article 18: associated third country recognition

Article 18(1) lets the Commission, by implementing act, identify third countries such that providers under their control may be audited against the level 3 criteria, provided the country meets six cumulative criteria:

  1. it is subject to a relevant adequacy decision under Article 45 of the GDPR (Regulation (EU) 2016/679);
  2. it has no measures enabling control over the provider conflicting with the lawful-access-to-non-personal-data rules in Article 32(2)–(3) of the Data Act (Regulation (EU) 2023/2854);
  3. it has no measures to compel the provider to degrade or disrupt service, or to enforce sanctions/embargoes, unless legitimate under Member State or Union law;
  4. it does not impede the provision of state-of-the-art technologies and services;
  5. it maintains an open market to Union cloud services;
  6. it grants equivalent access to its cloud-services public procurement for Union-controlled providers.

If satisfied, the Commission publishes a list of qualifying (and no-longer-qualifying) third countries on its website (Article 18(3)).

Market access and procurement

Procurement consequences flow from the risk assessment (Article 29) and the rules in Article 30:

  • Where activities are not identified as contributing to public order, buyers use level 1 services (Article 30(2)).
  • Where activities are so identified, buyers procure only level 2, 3 or 4 services (Article 30(3)). A third-country-controlled provider can compete at level 2 (with safeguards) and at level 3 (only if its home country is associated under Article 18), but never at level 4.

Penalties and enforcement

Member States set penalties that must be "effective, proportionate and dissuasive" (Article 24(1)), guided by non-exhaustive criteria including turnover (Article 24(2)). National competent authorities have investigative and enforcement powers, including inspections and periodic penalty payments (Article 26). A provider that "intentionally or negligently, supplied incorrect or misleading information" risks revocation of recognition (Article 17(11)).

What this means for you

For in-house counsel and compliance officers, CADA would create a tiered market-access strategy driven by corporate control and jurisdiction.

1. EU-controlled providers.

  • Opportunity: exclusive access to level 4 contracts. Focus compliance on Annex II point 4 — EU establishment and data location, Union-citizen personnel, no third-country control, and effective control over the software supply chain.
  • Action: map your ownership and control. Even an EU-based parent should ensure no third-country entity holds control as defined in CADA (Article 2(21), referring to Regulation (EU) 2021/697) that could disqualify you from level 4.

2. Third-country-controlled providers.

  • Reach: you can pursue level 2 (with the Annex II 2.1(g) safeguards) if EU-established, and level 3 only if your home country is recognised under Article 18. Level 4 is closed to you.
  • Geopolitical dependency: level 3 eligibility depends on your government securing GDPR adequacy and offering reciprocal market access — not on your compliance alone.
  • Audit rigour: for levels 2–4 expect independent third-party audits (Article 20) verifying, against the Annex III evidence, that your third-country parent cannot access EU customer data or disrupt service.

3. Public-sector buyers.

  • Conduct thorough risk assessments (Article 29). Where a level 3 requirement can be justified instead of level 4, your supplier pool widens to include associated third-country providers; for the most critical functions, level 4 effectively locks you into providers with no third-country control.

Common misconceptions

Misconception 1: "Associated third country" means full equivalence with EU providers. No. Article 18 recognition only opens the door to being audited for level 3. It does not grant level 4. EU providers retain the advantage in the most sensitive segments.

Misconception 2: GDPR adequacy alone gets a country recognised. No. Adequacy is just one of six cumulative criteria in Article 18(1). A country can have adequacy yet fail on reciprocal market access or on laws that could compel service disruption.

Misconception 3: Third-country-controlled providers are shut out of everything above level 1. No. Level 2 is open to them (with safeguards) if they are EU-established; the Article 18 gate applies to level 3. Only level 4 categorically excludes third-country control.

Misconception 4: CADA bans all third-country cloud services. No. CADA does not regulate private-sector use this way, and level 1 remains available. It creates a tiered system in which higher assurance levels demand stronger sovereignty guarantees.

This is general information about a draft EU regulation, not legal advice.