Summary

Yes, under the proposed Cloud and AI Development Act (CADA), the European Commission has the explicit power, and obligation, to suspend, amend, or repeal the status of an "associated third country." Article 18(2) of the proposal mandates that "where available information reveals that the third country no longer fulfils the requirements," the Commission shall take action. This mechanism ensures that the derogation allowing third-country-controlled providers to qualify for Union assurance level 3 remains conditional on continuous compliance with strict sovereignty, data access, and operational continuity criteria. The Commission must also maintain a public list of countries that no longer meet these requirements, providing real-time transparency for market participants.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a sophisticated sovereignty framework designed to reduce the EU's strategic dependence on non-European cloud providers. A critical component of this framework is the concept of "associated third countries." This mechanism creates a narrow, conditional pathway for cloud computing services controlled by entities in specific non-EU jurisdictions to be audited for Union assurance level 3. This level is essential for public sector bodies and Union entities conducting activities that contribute to the preservation of public order, such as law enforcement, national security, and justice.

However, this status is not a permanent grant of immunity. It is a dynamic regulatory instrument subject to continuous verification. The proposal explicitly anticipates that geopolitical landscapes and national laws in third countries may shift, potentially undermining the safeguards required for EU public order. Consequently, the legislation embeds a robust suspension and review mechanism to ensure that the "associated third country" status reflects current realities, not historical agreements.

The Legal Basis for Suspension: Article 18(2)

The authority to suspend or revoke this status is grounded in Article 18 of the CADA proposal. While Article 18(1) sets out the cumulative criteria a third country must meet to be recognized (including GDPR adequacy, absence of extraterritorial data access laws, and guarantees against service disruption), Article 18(2) provides the enforcement mechanism for when those conditions fail.

The text of Article 18(2) is mandatory and leaves no discretion to the Commission once a failure is identified:

"Where available information reveals that the third country no longer fulfils the requirements under paragraph 1, the Commission shall repeal, amend or suspend the decision referred to in paragraph 1."

This provision creates a "fail-safe" for the sovereignty framework. It transforms the list of associated third countries from a static registry into a living instrument of EU policy. The trigger for action is the availability of information indicating non-compliance. This could stem from new legislation in the third country, judicial rulings, executive orders, or evidence of actual data access by third-country authorities that conflicts with EU law.

The use of the word "shall" imposes a legal duty on the Commission. It cannot ignore evidence that a third country has introduced laws granting its intelligence services broad access to data held by local subsidiaries of cloud providers, or laws that compel providers to disrupt service continuity. Upon such a revelation, the Commission is obligated to act by repealing the decision entirely, amending it to restrict the scope of the recognition, or suspending it temporarily while further assessment is conducted.

The Criteria at Risk

To understand the scope of a potential suspension, one must examine the specific criteria listed in Article 18(1) that, if violated, would trigger Article 18(2). A third country must cumulatively satisfy the following conditions to maintain its status:

  1. GDPR Adequacy: The country must be subject to a relevant adequacy decision under Article 45 of Regulation (EU) 2016/679 (GDPR). The Commission must assess whether this adequacy applies generally or is limited to specific sectors.
  2. No Conflicting Control Measures: The country must have no measures enabling it to exercise control over cloud providers in a way that conflicts with lawful access rules for non-personal data under Article 32(2) and (3) of the Data Act (Regulation (EU) 2023/2854).
  3. No Service Disruption: The country must not have measures compelling providers to degrade or disrupt service continuity or provision.
  4. No Forced Compliance with Sanctions: The country must not oblige providers to implement, enforce, or comply with restrictive measures (such as sanction regimes or embargoes) unless those measures are legitimate under EU or Member State law.
  5. Market Openness and Reciprocity: The country must maintain an open market to Union cloud services and grant equivalent levels of access to its own public procurement procedures.

If "available information" reveals that a third country has enacted a new national security law that overrides these protections (for example, by mandating that local subsidiaries of foreign cloud providers must hand over data to domestic authorities without judicial oversight), the criteria in Article 18(1) are no longer met. In such a scenario, Article 18(2) compels the Commission to repeal, amend, or suspend the recognition decision.

Ongoing Monitoring and Transparency

The proposal establishes a system of ongoing monitoring and public transparency to support this dynamic framework. The Commission is not merely a passive administrator; it is required to actively assess the scope and application of adequacy decisions and other relevant measures in third countries.

Article 18(3) reinforces this by mandating public visibility:

"The Commission shall publish on its website a list of third countries that fulfil the requirements under paragraph 1 and those that no longer do so."

This public list serves as a critical compliance tool. It allows cloud providers, auditing organisations, and public sector contracting authorities to instantly verify the current status of a third country. If a country is removed from the "fulfil" list or added to the "no longer do so" list, it signals an immediate change in the regulatory landscape. This transparency ensures that market participants are not relying on outdated information when making procurement decisions or conducting risk assessments.

Impact on Cloud Providers and Public Sector

The suspension of a third country's status under Article 18(2) has immediate and severe operational consequences for the cloud ecosystem.

For Cloud Computing Service Providers: If a third country loses its associated status, cloud providers subject to the control of that country immediately lose the ability to be audited for Union assurance level 3 under the derogation provided in Article 18. They can no longer claim the specific sovereignty recognition that allows third-country control to coexist with Level 3 requirements.

  • Remediation: Providers may need to restructure their operations to demonstrate that they are no longer subject to third-country control, potentially by establishing a legally and operationally separate entity within the Union that is fully independent.
  • Downgrading: Alternatively, they might attempt to qualify for Union assurance level 1 or 2, though Level 2 still requires the provider to be established in the Union and generally precludes third-country control unless specific safeguards are met (which the suspension would have invalidated).

For Public Sector Contracting Authorities: The suspension triggers a compliance crisis for public bodies relying on these providers. Under Article 30(3), contracting authorities whose activities contribute to the preservation of public order (e.g., law enforcement, defence) must procure only cloud services recognised at Union assurance levels 2, 3, or 4.

  • Loss of Eligibility: If a provider loses its Level 3 eligibility due to a suspension, it can no longer be used for these critical public order activities.
  • Migration Obligations: Article 29(6) mandates that where a risk assessment requires migration to another cloud computing service, the Member State or Union entity must migrate within a reasonable transition period not exceeding 12 months. A suspension of a third country's status would likely trigger this migration clock, forcing public bodies to find alternative sovereign providers quickly to avoid breaching Article 30.

What this means for you

For legal counsel, compliance officers, and procurement managers, the "associated third country" status must be treated as a high-risk variable, not a stable asset. Relying on a provider's current jurisdictional status without active monitoring exposes your organisation to significant regulatory and operational risk.

Key Action Items:

  1. Monitor the Commission's List: Establish a routine to check the Commission's website for the list published under Article 18(3). Any removal of a country from the "fulfil" list is an immediate red flag requiring a supply chain review.
  2. Review Contractual Clauses: Audit your cloud service agreements for "change of law" or "sovereignty status" clauses. Ensure you have the right to terminate or renegotiate if the provider loses eligibility for Union assurance levels due to changes in third-country law or Commission decisions under Article 18(2).
  3. Assess Migration Risks: If your organisation relies on a provider controlled by a third country currently recognised under Article 18, develop a contingency plan. If that recognition is suspended, you may face a mandatory migration within 12 months under Article 29(6). Proactive planning is essential to avoid service disruption or non-compliance with Article 30.
  4. Understand the Thresholds: Recognise that Union assurance level 3 is often the minimum required for public order-relevant activities (Article 30(3)). If your sector falls under Annex I or II of the NIS2 Directive, or involves national security, a suspension of the third country's status could render your current provider non-compliant for these critical use cases, forcing an immediate switch to a fully EU-controlled provider.

Common misconceptions

Misconception 1: Associated third country status is permanent once granted. Reality: Article 18(2) explicitly states that the Commission shall repeal, amend, or suspend the decision if criteria are no longer met. The status is conditional and revocable based on ongoing geopolitical and legal developments.

Misconception 2: GDPR adequacy is sufficient for CADA recognition. Reality: While an adequacy decision under GDPR Article 45 is a prerequisite (Article 18(1)(a)), it is not sufficient. The third country must also meet specific sovereignty criteria regarding service disruption, data access, and reciprocity. A country can have GDPR adequacy but still fail CADA's stricter sovereignty tests, leading to suspension.

Misconception 3: Suspension only affects new contracts. Reality: Suspension affects the provider's eligibility for Union assurance levels. If a public sector body is already using a service that requires Union assurance level 3, and the provider loses that eligibility due to a suspension, the public sector body may be in breach of Article 30. This triggers the migration obligation under Article 29(6).

Misconception 4: The Commission can suspend recognition arbitrarily. Reality: The suspension is conditional and evidence-based. It occurs only "where available information reveals that the third country no longer fulfils the requirements." This implies a factual assessment of legal and operational conditions, not arbitrary political action.

This is general information about a draft EU regulation, not legal advice.