Summary

As proposed under the Cloud and AI Development Act (CADA), a cloud computing service provider subject to the control of a third country or a legal entity established in a third country cannot achieve Union assurance level 4. Article 16 and Annex II 4.1(g) explicitly require that providers and their subcontractors at this level be free from third-country control, with no derogation available for "associated third countries" as exists for level 3. Consequently, non-EU-controlled providers are legally excluded from serving the most critical public sector use cases requiring the highest sovereignty assurance.

Detail

The Cloud and AI Development Act (CADA) proposal establishes a harmonised framework for cloud computing sovereignty through four "Union assurance levels." These levels dictate the degree of trust, data localisation, and operational autonomy required for cloud services used by Union entities and public sector bodies. While lower levels allow for certain flexibilities regarding third-country involvement, Union assurance level 4 represents the highest tier of sovereignty, designed specifically for the most sensitive public order activities.

The Absolute Bar on Third-Country Control at Level 4

Under Article 16 of the CADA proposal, the criteria for each assurance level are detailed in Annex II. For a provider to be recognised as offering Union assurance level 4, it must meet strict cumulative criteria outlined in Annex II, Section 4. Specifically, Annex II 4.1(g) states that "the audited provider and the subcontractors which are involved in the provision of the audited service are not subject to the control of a third country or a legal entity established in a third-country."

This criterion is absolute and non-negotiable. Unlike Union assurance level 3, which includes a specific derogation allowing providers subject to third-country control to qualify if the third country is designated as an "associated third country" by the Commission (pursuant to Article 18), no such exception exists for level 4.

Article 18 permits the Commission to adopt implementing acts identifying third countries whose providers may be audited against the criteria for Union assurance level 3, provided specific safeguards regarding data access and service continuity are met. However, the text of Article 18 and the structure of Annex II explicitly limit this mechanism to level 3. The criteria for level 4 in Annex II 4.1(g) contain no reference to Article 18 or any potential derogation. Therefore, a provider controlled by a non-EU entity, regardless of the safeguards it implements, the status of its home country, or the existence of an adequacy decision, cannot attain level 4 recognition.

Operational and Personnel Requirements Reinforcing the Bar

Beyond the ownership and control requirement, Annex II 4.1 imposes other stringent conditions that reinforce the exclusion of third-country influence, creating a closed ecosystem for level 4.

  • Personnel Citizenship: Annex II 4.1(d) requires that "the personnel, including the personnel of the subcontractors which are involved in the provision of the audited service are Union citizens." While level 2 allows for this requirement only if the public sector body explicitly demands it, level 4 makes it mandatory.
  • Operational Support: Annex II 4.1(h) mandates that technical and operational support must be performed "exclusively within the Union, by personnel that are Union residents, and by third parties that are not subject to the control of a third country."
  • Cybersecurity Certification: Annex II 4.1(e) requires the service to obtain a European cybersecurity certificate of at least assurance level 'high'. This contrasts with levels 2 and 3, which require a certificate of at least assurance level 'substantial'.

These requirements ensure that at level 4, there is no operational pathway for third-country entities to exert influence, access data, or disrupt services. The combination of ownership restrictions (Annex II 4.1(g)), mandatory personnel citizenship (Annex II 4.1(d)), and localised support operations (Annex II 4.1(h)) creates a "sovereign by design" environment intended to guarantee maximum operational autonomy for the EU.

The Role of Risk Assessments and Procurement

The applicability of level 4 is determined by risk assessments conducted by Member States and Union entities under Article 29. These assessments identify public sector activities that contribute to the preservation of public order, such as national security, defence, justice, and law enforcement.

If a risk assessment determines that a specific activity requires level 4 assurance, Article 30(3) mandates that contracting authorities "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4." However, since non-EU-controlled providers cannot achieve level 4 recognition, they are effectively barred from these specific high-stakes public sector contracts where level 4 is deemed necessary.

Implications for Supply Chains

The prohibition on third-country control extends deeply into the supply chain. Annex II 4.1(g) applies to "subcontractors which are involved in the provision of the audited service." This means that even if the primary cloud provider is EU-controlled, it cannot achieve level 4 if its supply chain includes critical subcontractors subject to third-country control.

Annex II 4.2 clarifies that for level 4, subcontractors are "third parties that have a direct contractual relationship to the cloud computing service provider, that contribute to the provision and delivery of the cloud computing service, and that may require access to classified or sensitive information." This necessitates rigorous due diligence across the entire service delivery chain.

What this means for you

For in-house counsel, compliance officers, and public procurement teams, the exclusion of non-EU-controlled providers from CADA level 4 has significant strategic and operational implications:

  1. Procurement Strategy for Critical Services: If your organisation operates in sectors identified as contributing to public order (e.g., defence, justice, national security), you must ensure your cloud providers are not only EU-established but also free from third-country control. Review current contracts to identify any providers or critical subcontractors with non-EU ownership structures. Migration to compliant providers may be required within 12 months of a risk assessment mandating level 4 (Article 29(6)).
  2. Supply Chain Due Diligence: Compliance at level 4 is not just about your primary vendor. You must audit your vendor's subcontractors. Ensure that your service provider can demonstrate, under Annex II 4.1(g), that all involved subcontractors are free from third-country control. Request evidence of ownership structures, cap tables, and control mechanisms as part of your vendor assessment.
  3. Personnel Verification: Verify that your provider can guarantee Union citizenship for all personnel involved in service delivery, including support staff. This is a hard requirement under Annex II 4.1(d) and cannot be waived by the provider or the public body.
  4. No "Associated Third Country" Loophole: Do not assume that a provider from a country with an adequacy decision or an "associated third country" status under Article 18 can serve level 4 needs. Article 18 explicitly limits its scope to level 3. Providers from these countries may be viable for level 3 use cases but are disqualified from level 4.
  5. Penalties and Liability: Failure to procure services at the required assurance level constitutes an infringement. Under Article 24, Member States must impose effective, proportionate and dissuasive penalties. Additionally, recipients of services have the right to seek compensation for damages caused by infringements (Article 24(3)). Ensure your procurement processes align with the risk assessments to mitigate liability.

Common misconceptions

Misconception: An "Associated Third Country" status allows access to all levels. Reality: Article 18 only permits the Commission to designate third countries for audits against Union assurance level 3. There is no provision in the CADA proposal for associated third countries to qualify for level 4. Level 4 remains strictly reserved for providers free from third-country control.

Misconception: Technical safeguards can override ownership requirements. Reality: While levels 1 and 2 allow for certain technical and organisational measures to mitigate third-country influence, level 4 requires the complete absence of third-country control. No amount of encryption, data localisation, or operational separation can compensate for third-country ownership at level 4, as per Annex II 4.1(g).

Misconception: Only the primary provider needs to be EU-controlled. Reality: The requirement extends to subcontractors. Annex II 4.1(g) explicitly includes "subcontractors which are involved in the provision of the audited service." If a critical subcontractor is subject to third-country control, the entire service fails to meet level 4 criteria.

Misconception: Level 4 is optional for all public sector bodies. Reality: Level 4 is mandated where risk assessments under Article 29 determine that an activity contributes to the preservation of public order in sensitive areas like national security or defence. It is not a voluntary best practice but a legal obligation for specified high-risk activities.

This is general information about a draft EU regulation, not legal advice.