Summary
The US CLOUD Act and the proposed EU Cloud and AI Development Act (CADA) pull in opposite directions on the same question: who can reach data held by a cloud provider. The CLOUD Act (2018) added §2713 to the US Stored Communications Act, requiring US providers to disclose data "within such provider's possession, custody, or control, regardless of whether" it sits inside or outside the United States. CADA, as proposed, would not override that. Instead, Article 16 would create a four-tier "Union assurance level" framework whose higher tiers (3 and 4) are built precisely so that a provider subject to such foreign compulsion cannot qualify, because Annex II would require, among other things, that the provider is not subject to third-country control and that foreign access to customer data is prevented. Article 18 would carve a narrow path for providers controlled from an "associated third country," but only up to level 3 and only where that country meets strict cumulative criteria.
Detail
The core difference is jurisdictional reach. The CLOUD Act is a law-enforcement access statute; CADA is a market-shaping and risk-mitigation proposal. One asserts reach over data; the other tries to engineer that reach away for the EU's most sensitive public-sector workloads.
What the CLOUD Act does
Enacted in 2018, the CLOUD Act amended chapter 121 of title 18 of the US Code (the Stored Communications Act). Its central provision, §2713, requires a provider of electronic communication or remote computing service to preserve and disclose communications and records "within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States." In short: if the provider is subject to US jurisdiction, US legal process can reach the data wherever it physically sits — including an EU data centre.
The Act is not unqualified. A new §2703(h) lets a provider move to quash or modify process where the customer is not a US person and disclosure would create a material risk of violating the law of a "qualifying foreign government," subject to a judicial comity analysis. And §2523 allows the US to enter executive agreements with foreign governments that meet rule-of-law and privacy criteria. But these are discretionary safety valves, not a structural bar. For an EU public body, the practical exposure remains: a US-controlled provider may face conflicting obligations — US law demanding disclosure, EU law restricting it.
What CADA would do: Article 16 and the Union assurance levels
CADA addresses this not by confronting US law but by defining, in EU law, what a trusted cloud service looks like and tying public procurement to it. Article 16 would establish "a Union cloud computing sovereignty framework comprising four Union assurance levels, the criteria for which are set out in Annex II." The criteria are cumulative — a provider seeking a higher level must satisfy every criterion of the lower levels too (Article 20(1)). From the Annex II criteria:
- Level 1 — provider established in the Union; infrastructure, assets and customer data in the Union "unless the public sector body explicitly requires otherwise"; state-of-the-art cybersecurity; transparency over subcontractors. A third-country-controlled provider may still reach level 1, but must guarantee there are no laws in that country forcing it to report software vulnerabilities to that country's authorities before they are exploited. Level 1 is the only tier assessed by self-assessment.
- Level 2 — adds independent third-party audit (Article 20); personnel and subcontractors located in the Union; data generated by the service not used to train or fine-tune AI operated by a third country; software supply-chain controls including a complete SBOM; a European cybersecurity certificate of at least "substantial" level; and, for third-country-controlled providers, demonstrated legal, technical and organisational measures preventing foreign access to customer data and foreign-induced service disruption. Union citizenship of personnel is required only "if the public sector body determines" it necessary.
- Level 3 — the sovereignty threshold. Personnel involved in the service must be Union citizens (with national security clearance where classified information is handled); and, critically, the provider and its subcontractors must "not [be] subject to the control of a third country or a legal entity established in a third-country." The cybersecurity certificate remains at least "substantial." The only exception is the Article 18 route described below.
- Level 4 — the highest tier, for the most sensitive workloads. It requires a "high"-level European cybersecurity certificate and an absolute prohibition on third-country control — there is no Article 18 derogation at level 4.
So the CLOUD Act's premise (the provider can be compelled despite EU data location) collides head-on with CADA's level 3 and 4 premise (the provider must demonstrate it cannot be so compelled). A US hyperscaler with data centres in Frankfurt does not, on that fact alone, satisfy level 3 or 4.
Article 18: the associated-third-country route
CADA's one structural concession is Article 18. The Commission "may adopt decisions, by means of implementing acts, identifying third countries for which cloud computing service providers subject to the control of that third country... may be audited against the criteria for Union assurance level 3," provided the country meets six cumulative criteria, including:
- It is "subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679" (the GDPR).
- It has no measures enabling control over the provider that would conflict with lawful access to non-personal data under Article 32(2)–(3) of Regulation (EU) 2023/2854 (the Data Act).
- It has no measures to compel the provider to degrade or disrupt service continuity, and none obliging it to give effect to sanctions/embargoes unless legitimate under Member State or Union law.
- It does not impede the provision of state-of-the-art technologies by the provider.
- It maintains an open market to Union cloud services.
- It grants equivalent access to its public-procurement procedures for Union-controlled providers.
Even on that route, the provider must additionally demonstrate the legal, technical and organisational separation measures (preventing foreign data access and service disruption). Article 18 reaches level 3 only — never level 4. And the Commission must repeal, amend or suspend a decision if the country stops meeting the criteria, and must publish the list of qualifying countries.
Immunity from foreign law as the dividing line
For counsel, the key insight is that cybersecurity is not sovereignty. The CLOUD Act shows that a perfectly secured service can still be lawfully compelled to hand over data. CADA's higher tiers target that gap directly. Under Annex II, a third-country-controlled provider seeking level 2 or 3 must demonstrate measures ensuring that:
- foreign control is not exercised so as to restrain the provider's ability to deliver the service;
- access by a third country to customer data is prevented;
- disruption or degradation of the service by a third country is prevented; and
- the provider is not obliged to give effect to foreign restrictive measures unless legitimate under Member State or Union law.
This is a far higher bar than data localisation. A provider that remains subject to the CLOUD Act would, in practice, struggle to satisfy it without genuine structural and technical separation — which is exactly the point.
What this means for you
For in-house counsel and procurement teams, the CLOUD Act/CADA tension would turn cloud sourcing into a sovereignty-graded exercise.
1. Procurement strategy and risk assessment
Under Article 29, Member States and Union entities would carry out risk assessments to identify which activities "contribute to the preservation of public order" — expressly including the sectors in Annex I or II of the NIS2 Directive plus national security, internal security, external border management, defence, justice and law enforcement. Where they do, Article 30(3) would require procurement only of services recognised at level 2, 3 or 4. You cannot default to the cheapest global hyperscaler for those workloads if it cannot meet the third-country-control prohibitions.
2. Vendor due diligence
Scrutinise corporate structure, not branding. An "EU-based" subsidiary of a US parent remains exposed to US jurisdiction: the parent can be compelled to produce whatever is within the group's possession, custody or control, wherever it is stored. For level 3, the provider would need to show it is not subject to third-country control (or qualifies via Article 18), and Annex II expressly requires effective legal, technical and organisational separation between a Union parent and any third-country subsidiary. Ask for evidence of that separation, of prevention of parent-company access, and of governance independence.
3. Contractual safeguards
Build in audit and notification rights. Under Article 23, a recognised provider must, on becoming aware of any material change in circumstances that may affect its audit opinion or recognition, notify the auditing organisation and the national competent authority — a trigger you will want mirrored in your contract so you learn if a provider's assurance level is at risk.
4. Migration planning
If a current provider cannot reach the tier your activity requires, plan ahead. Article 29(6) provides that where a risk assessment requires migration, it must occur "within a reasonable transition period that shall not exceed 12 months," taking account of technical feasibility, continuity and data portability. Scope EU-controlled alternatives now to avoid a rushed migration later.
Common misconceptions
"Data localisation equals sovereignty." No. The CLOUD Act reaches data in the provider's "possession, custody, or control" regardless of location. Storing data in Ireland does not, by itself, place it beyond US process if the provider is US-controlled. CADA's higher tiers require legal and technical insulation from foreign control, not just an EU postcode.
"CADA bans all non-EU cloud providers." It does not. It is a tiered system. Non-EU-controlled providers can reach level 1 and, with the right measures, level 2; and a provider controlled from an Article 18 "associated third country" can be audited up to level 3. What would be closed to third-country-controlled providers is level 3 without an Article 18 decision and level 4 in every case, which in practice means the most sensitive workloads.
"The CLOUD Act only affects US companies." Its compulsion targets US-jurisdiction providers, but the ripple effects reach EU subsidiaries of US groups and the wider market. The legal uncertainty it created is part of the policy backdrop CADA's sovereignty framework responds to.
Official sources
- GDPR (Regulation (EU) 2016/679)
- Cybersecurity Act (Regulation (EU) 2019/881)
- Data Act (Regulation (EU) 2023/2854)
- Data Governance Act (Regulation (EU) 2022/868)
Related
- CADA vs the Data Governance Act (DGA): how do they compare?
- CADA vs the Cybersecurity Act review (CSA2): how are they paired?
- CADA vs the Chips Act review: how do they connect?
- CADA central repository vs a Gaia-X catalogue: how do they differ?
- CLOUD Act vs EU-US Data Privacy Framework vs CADA: which addresses sovereignty?
This is general information about a draft EU regulation, not legal advice.