Does a company have to be EU-based to be a CSP under CADA?

Summary No. As proposed in Article 2, point (2), a "cloud computing service provider" is simply "a legal entity which provides a cloud computing service." That definition is nationality-neutral and contains no EU-establishment requirement. So a non-EU company can be a CSP under CADA. However, as proposed, the ability to sell to the EU public sector would depend on Union assurance levels whose criteria (in Annex II) require EU establishment and, at the higher levels, freedom from third-country control.

Detail

As proposed, CADA separates two things: what makes you a market participant, and what lets you access specific public-sector contracts. Keeping these apart is the key to the non-EU question.

The definition of a CSP is nationality-neutral

As proposed, Article 2, point (2), defines a "cloud computing service provider" as "a legal entity which provides a cloud computing service." The definition is purely functional. It does not say "established in the Union," "EU-incorporated" or "subject to EU jurisdiction." A company incorporated in the United States, in Asia or anywhere else is therefore a CSP under CADA if it provides cloud computing services as defined.

This follows from the definition of "cloud computing service" itself. As proposed, Article 2, point (1), points to Article 6, point (30), of Directive (EU) 2022/2555 (NIS2), which turns on the technical nature of the service — on-demand administration and broad remote access to scalable, elastic, shareable resources — not on where the provider is headquartered.

Control and third-country status

While the definition is neutral, the proposal places weight on "control" and origin when assessing sovereignty. As proposed, Article 2, point (21), defines "control" by reference to Article 2, point (6), of Regulation (EU) 2021/697, which concerns the ability to exercise decisive influence over an entity.

As proposed, the sovereignty framework in Title IV establishes four Union assurance levels, with criteria set out in Annex II. Those criteria differentiate providers by establishment and control:

1. Union assurance level 1: As proposed, Annex II requires that the provider be established in the Union, that infrastructure and data be located in and remain within the Union (unless the public body requires otherwise), and includes a specific guarantee where the provider is under third-country control — namely that no third-country law or practice requires it to report software vulnerabilities to that country's authorities before those vulnerabilities are known to have been exploited. So even at level 1, EU establishment is a criterion.
2. Union assurance levels 2, 3 and 4: As proposed, the criteria tighten. For level 2, the audited provider and the subcontractors involved in the service must be established in the Union. For level 3, in addition to EU establishment and EU-located infrastructure, personnel involved in the service must be Union citizens, and the provider and its relevant subcontractors must not be subject to the control of a third country, subject to a limited derogation for associated third countries under Article 18. Level 4 applies the strictest set of criteria.

So a non-EU company remains a CSP, but lack of EU establishment and third-country control would, as proposed, prevent it from reaching the higher assurance levels needed for sensitive public-sector activities.

Associated third countries

As proposed, Article 18 offers a route for some non-EU providers. The Commission may, by implementing act, identify third countries whose CSPs — even if subject to that country's control — may be audited against the Union assurance level 3 criteria, provided the third country meets cumulative conditions. Those conditions include an adequacy decision under Article 45 of Regulation (EU) 2016/679 (GDPR); no measures enabling control conflicting with the lawful-access rules in Article 32(2) and (3) of Regulation (EU) 2023/2854 (the Data Act); no measures to compel the provider to degrade or disrupt the service or to apply third-country restrictive measures (unless legitimate under Member State or Union law); no measures impeding the provision of state-of-the-art technologies; an open market to Union cloud services; and equivalent access to its own public procurement. This confirms non-EU providers can participate in the high-assurance market, but only under specific conditions.

What this means for you

If you are a CSP based outside the EU, CADA — as proposed — would not exclude you from the market, but it would segment it.

1. You are still a CSP. You fall within CADA's scope and general obligations when operating in the EU.
2. Public-sector access is tiered. To sell to EU public bodies you would need a Union assurance level. Level 1 requires EU establishment; levels 2–4 require EU establishment and, for levels 3 and 4, generally require freedom from third-country control.
3. Strategic options:
   • Establish in the EU. An EU entity can help meet establishment criteria — though the Annex II criteria also reach location of infrastructure, data and personnel, and control.
   • Seek associated-country status. If your home country meets the Article 18 conditions and is designated, your services may be audited against the level 3 criteria.
   • Private-sector focus. As proposed, the mandatory procurement duties target public-sector buyers (Article 30). Private entities in NIS2 Annex I sectors may carry out similar assessments voluntarily under Article 31.

Common misconceptions

• "CADA bans non-EU cloud providers."
  • Reality: As proposed, it does not. It creates a tiered system; non-EU providers can serve the private sector and may serve the public sector by meeting establishment and control criteria or via the associated-third-country route.
• "Being a CSP requires EU incorporation."
  • Reality: As proposed, Article 2, point (2), defines a CSP as any legal entity providing the service. Incorporation location is irrelevant to the definition, though decisive for assurance levels.
• "Control is only about share ownership."
  • Reality: As proposed, "control" (Article 2, point (21), via Regulation (EU) 2021/697) turns on decisive influence, which can arise beyond a simple majority shareholding.

Official sources

• GDPR (Regulation (EU) 2016/679)
• Data Act (Regulation (EU) 2023/2854)

Related

• Why does CADA's frontier AI definition have no fixed compute threshold?
• What is a cloud computing service provider (CSP) under CADA?
• Is a state-owned company a public sector body under CADA?
• Does a public sector body that builds its own cloud become a CSP under CADA?
• Why does CADA skip definitions 23 and 24 in Article 2?

This is general information about a draft EU regulation, not legal advice.