Summary Yes, a cloud computing service provider subject to the control of a third country or a legal entity established in a third country can qualify for CADA Union assurance level 1, as proposed in COM(2026) 502 final. However, this qualification is conditional on meeting a specific, high-bar evidentiary requirement regarding software vulnerabilities. The provider must guarantee that no existing laws or practices in the controlling third country require the reporting of software vulnerabilities to foreign authorities prior to those vulnerabilities being known to have been exploited. Crucially, this absence of law must be demonstrated by independent sources; a self-declaration by the provider is insufficient. This rule is designed to prevent "vulnerability hoarding" by foreign intelligence services, ensuring that critical security flaws are disclosed to the vendor and patched before they can be weaponized against EU users.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a harmonised Union cloud computing sovereignty framework comprising four assurance levels (Article 16). These levels serve as the basis for public procurement decisions, ensuring that cloud services used by the public sector meet specific sovereignty and security criteria. While the framework generally prioritises EU-established entities, it does not impose an absolute ban on providers controlled by non-EU entities for the baseline level of assurance.

The Specific Hurdle: Annex II 1.1(g)

The decisive criterion for third-country-controlled providers seeking Union assurance level 1 is found in Annex II, Section 1.1(g). The other criteria in Section 1.1 address where the provider is established and where its infrastructure and data sit; 1.1(g) is the only one that looks at who controls the provider. It lets a provider that is established in the Union but controlled from outside it qualify for Level 1 only if it can show that the controlling jurisdiction does not compromise EU security through mandatory pre-exploitation vulnerability reporting to its own authorities.

The text of Annex II, 1.1(g) states:

"Where the cloud computing service provider is subject to the control of a third country or a legal entity established in a third-country, the cloud computing service provider guarantees that there are no existing laws and practices in that third country, demonstrated by independent sources, that require the cloud computing service provider to report information on software vulnerabilities to authorities of that third country prior to those vulnerabilities being known to have been exploited."

This clause addresses a concrete security risk: a foreign government compelling a provider to hand over details of unpatched flaws, including zero-days, before exploitation is known, which gives that government a window in which to use the flaw offensively rather than see it fixed. The scope is narrower than it may first appear. The trigger is reporting "prior to those vulnerabilities being known to have been exploited", so obligations that arise only once exploitation is known (ordinary incident-reporting duties) are not caught by the test. On the other hand, the wording covers "practices" as well as laws, so an established expectation that providers report vulnerabilities to a national authority counts even where no statute requires it. If the third country has such laws or practices, the provider cannot achieve Union assurance level 1. The guarantee must be "demonstrated by independent sources". The quoted text does not define that term, but it plainly excludes the provider's own internal legal opinions and self-certifications, which might be biased or incomplete. In practice the evidence would come from external, verifiable entities such as independent law firms, academic research bodies, or international monitoring organisations.

Cumulative Criteria for Level 1

Meeting the vulnerability disclosure rule is necessary but not sufficient. To qualify for Union assurance level 1, a provider must satisfy all cumulative criteria listed in Annex II, Section 1.1:

  1. Union Establishment: The provider must be established in the Union (Annex II, 1.1(a)).
  2. Infrastructure Location: The infrastructure and assets, including those of subcontractors involved in the service, must be located in the Union, unless the public sector body explicitly requires otherwise (Annex II, 1.1(b)).
  3. Data Localisation: Customer data (including metadata and telemetry) must remain exclusively within the Union at all times, unless the public sector body explicitly requires otherwise (Annex II, 1.1(c)).
  4. Operational Autonomy: If technical support is outsourced to third parties outside the Union, the provider must implement measures to ensure traceability, security, and governance, ensuring that operational autonomy is not compromised (Annex II, 1.1(d)).
  5. Cybersecurity Standards: The service must comply with state-of-the-art cybersecurity standards (Annex II, 1.1(e)).
  6. Subcontractor Transparency: The provider must provide full transparency on subcontractor use and subject them to due diligence and contractual obligations (Annex II, 1.1(f)).
  7. Vulnerability Disclosure (The Third-Country Test): As detailed above, the guarantee regarding no mandatory pre-exploitation disclosure laws (Annex II, 1.1(g)).

The Recognition Process

For Union assurance level 1, the conformity assessment is a self-assessment procedure. Under Article 19, the provider carries out the assessment and issues an EU statement of conformity stating that compliance with the criteria has been demonstrated (Article 19(2)). This statement must be made publicly available (Article 19(3)).

The recognition mechanism differs based on the size of the provider:

  • SMEs: For small and medium-sized enterprises, the EU statement of conformity is directly and automatically recognised in all Member States without the need for prior recognition by a national competent authority (Article 17(3)).
  • Non-SMEs: For larger providers, the statement is submitted to the national competent authority of establishment. The authority assesses the evidence, including the independent sources for the vulnerability disclosure guarantee, and notifies other Member States for a review period before granting Union-wide recognition (Article 17(3) and Article 17(5)).

What this means for you

For legal counsel, compliance officers, and procurement teams, the implications of Annex II 1.1(g) are profound. It shifts the burden of proof onto the provider to demonstrate the absence of a specific type of foreign law.

For Cloud Providers with Third-Country Ownership

If your provider is controlled by a non-EU entity, you cannot simply assert that your parent company respects EU security norms. You must undertake a rigorous evidence-gathering exercise:

  1. Conduct a Jurisdictional Audit: Perform a deep-dive legal analysis of the controlling third country's laws and, because 1.1(g) covers "practices" as well, of how its authorities actually deal with providers. Look specifically for statutes, regulations, licensing conditions or administrative practices in the areas of national security, cybercrime, intelligence gathering, or export controls that require software vulnerabilities to be reported to government authorities before exploitation is known.
  2. Secure Independent Verification: You must obtain evidence from independent sources. This could include:
    • Legal opinions from reputable international law firms specializing in the third country's jurisdiction.
    • Reports from academic institutions or think tanks monitoring digital rights and surveillance laws in that country.
    • Publicly available government documents or transparency reports that explicitly confirm the absence of such mandates.
    • Note: Internal memos or self-declarations by the provider's legal department will likely be rejected as they do not meet the "independent sources" standard.
  3. Document the Guarantee: The EU statement of conformity must explicitly reference Annex II 1.1(g) and cite the specific independent sources used to demonstrate the absence of mandatory disclosure laws.
  4. Monitor for Change: Sovereignty landscapes are dynamic. If the third country enacts new legislation requiring vulnerability disclosure, your Level 1 status would be immediately jeopardised. You must establish a continuous monitoring mechanism to detect such legislative changes and update your conformity statement accordingly.

For Public Sector Bodies and Contracting Authorities

When procuring cloud services, you must verify that the provider's EU statement of conformity includes robust evidence for the third-country control criterion.

  • Due Diligence: Do not accept a Level 1 claim at face value if the provider is third-country controlled. Request the supporting documentation proving the "independent sources" requirement.
  • Risk Assessment: Even if a provider qualifies for Level 1, remember that Article 30(2) allows Level 1 only for activities not identified as contributing to the preservation of public order. If your risk assessment under Article 29 identifies public order relevance (e.g., law enforcement, critical infrastructure), you must procure services at Level 2, 3, or 4, where the criteria for third-country control are significantly stricter (often requiring no third-country control at all, unless a derogation under Article 18 applies).

Penalties for Non-Compliance

Failure to meet these criteria, or providing incorrect information, carries significant risks. Under Article 24, Member States must lay down rules for penalties that are "effective, proportionate and dissuasive." If a provider is found to have intentionally or negligently supplied incorrect or misleading information (e.g., claiming independent sources exist when they do not), the national competent authority can revoke the recognition (Article 17(11)). Without recognition the provider no longer qualifies for public sector procurement at that assurance level, which could be severely damaging for a provider that relies on the EU public sector market.

Common misconceptions

Misconception 1: "Third-country control automatically disqualifies a provider from CADA Level 1." Reality: This is incorrect. Annex II 1.1(g) explicitly contemplates the scenario where a provider is subject to third-country control. It provides a pathway for qualification, provided the specific vulnerability disclosure guarantee is met. The regulation focuses on the risk posed by foreign laws, not the ownership itself.

Misconception 2: "A provider can use its own legal team to prove no vulnerability laws exist." Reality: The text of Annex II 1.1(g) is explicit: the absence of laws must be "demonstrated by independent sources." Self-declarations or internal legal advice do not satisfy this requirement. The provider must rely on external, objective verification.

Misconception 3: "Level 1 is a 'soft' standard that doesn't require strict evidence." Reality: While Level 1 is the baseline, the evidence requirements for third-country-controlled providers are strict. The requirement for independent verification of foreign laws is a high bar designed to prevent regulatory arbitrage.

Misconception 4: "If a provider is Level 1, they can be used for any public sector activity." Reality: Article 30(2) limits Level 1 to activities not contributing to the preservation of public order. For activities involving national security, law enforcement, or critical infrastructure, Article 30(3) requires procurement at Level 2, 3, or 4. Furthermore, Level 2 and above have much stricter criteria regarding third-country control (often prohibiting it entirely unless a specific derogation under Article 18 is granted).

This is general information about a draft EU regulation, not legal advice.