Summary

No. As proposed, setting up an EU-incorporated subsidiary would not automatically take a hyperscaler outside the Cloud and AI Development Act's (CADA) "control" test. CADA assesses whether a provider is "subject to the control of a third country or a legal entity established in a third country," looking past where the service-providing entity is registered. That determination is decisive for the top Union assurance levels: level 4 requires no third-country control at all, and level 3 prohibits it save for a narrow derogation tied to a Commission decision on associated third countries.

Detail

CADA, as proposed, would build a sovereignty framework that distinguishes providers that are autonomous within the Union from those that remain subject to external control. For in-house counsel, the question is whether EU incorporation alone passes the test, or whether the assessment reaches the ultimate owners and strategic decision-makers.

The definition of control

CADA does not rely on place of incorporation. Article 2(21) defines "control" by cross-reference: "'control' means control as defined in Article 2, point (6), of Regulation (EU) 2021/697." (Regulation (EU) 2021/697 is the regulation establishing the European Defence Fund.) The CADA text itself does not reproduce the substance of that definition, so it should be applied as it stands in the referenced instrument rather than paraphrased here.

What matters for the present question is how CADA uses control: throughout Annex II, the operative phrase is whether a provider (and its subcontractors involved in the service) is "subject to the control of a third country or a legal entity established in a third country." An EU-incorporated subsidiary can still fall within that phrase if it is controlled by a third-country parent — so EU incorporation, by itself, is not a shield.

Impact on Union assurance levels

Whether a provider is subject to third-country control feeds directly into the cumulative criteria in Annex II.

  • Union assurance level 1 (Annex II, point 1.1(g)): where the provider is subject to third-country control, it must guarantee — demonstrated by independent sources — that there are no laws or practices in that third country requiring it to report software-vulnerability information to that country's authorities before the vulnerabilities are known to have been exploited. Level 1 is verified by self-assessment (Article 19).
  • Union assurance level 2 (Annex II, point 2.1(g)): where the provider and its subcontractors are subject to third-country control, they must demonstrate that legal, technical and organisational measures ensure the control does not restrain the provider's ability to perform the service, that third-country access to customer data is prevented, that service disruption or quality degradation by the third country is prevented, and that the control does not compel the provider to give effect to third-country restrictive measures except where legitimate under Member State or Union law.
  • Union assurance level 3 (Annex II, point 3.1(g)): the provider and its subcontractors must not be subject to third-country control. By derogation, a controlled provider may be audited for level 3 where the Commission has adopted the relevant implementing act on associated third countries (Article 18 of the proposal; the Annex II cross-reference reads "Article 19"). Even then, the provider must also demonstrate the same legal, technical and organisational safeguards described for level 2, including allowing reasonable access to the code.
  • Union assurance level 4 (Annex II, point 4.1(g)): the provider and its subcontractors must not be subject to third-country control. There is no derogation.

So a hyperscaler's EU subsidiary that remains under the strategic control of a non-EU parent could not claim levels 3 or 4 on the strength of incorporation alone. Level 4 would be closed to it; level 3 would be available only if its parent's country has been recognised under Article 18 and the separation safeguards are demonstrated.

Associated third countries (Article 18)

Article 18 lets the Commission adopt implementing acts identifying third countries whose controlled providers may be audited against the level 3 criteria, provided the country meets cumulative conditions — including being covered by a GDPR adequacy decision (Article 45 of Regulation (EU) 2016/679), having no measures conflicting with the lawful-access rules in Article 32(2)-(3) of Regulation (EU) 2023/2854 (the Data Act), and not being able to compel service disruption or impose certain restrictive measures.

The audit and evidence process

For levels 2, 3 and 4, the control test is examined under independent third-party audit (Article 20). Annex III, Audit criterion G ("Absence of third-country control or third-country entity control"), directs auditors to identify and analyse, among other things:

  • all direct and indirect shareholders, up to the ultimate owners;
  • the cap table and ownership structure;
  • the bodies empowered to take strategic decisions;
  • the rules for appointing, electing and removing governing bodies;
  • the quorums and majorities for strategic decisions, including veto and other blocking rights;
  • influence over strategic decisions through commercial or financial links.

The audited provider must obtain this information from its subcontractors and make it available to the auditing organisation.

Penalties and procurement consequences

Article 24 requires Member States to lay down effective, proportionate and dissuasive penalties for infringements by providers, and provides for compensation. And for buyers, Article 30(3) requires contracting authorities whose activities contribute to the preservation of public order to procure only services recognised at Union assurance level 2, 3 or 4 — so a subsidiary that cannot clear the control test for those levels would be ineligible for that work.

What this means for you

For counsel and compliance teams at multinational providers, EU incorporation is not a shield.

  1. Map your control structures. Review board-appointment rights, veto powers and strategic decision-making. If the non-EU parent can exercise control as defined via Article 2(21), the subsidiary is likely "subject to control."
  2. Prepare for audit, not self-assessment. Levels 2-4 require independent audit under Article 20. Document the legal, technical and organisational separation measures the Annex II criteria require.
  3. Assess realistic level eligibility. Level 4 would be unavailable while under third-country control. Level 3 would depend on an Article 18 decision for the parent's country plus demonstrated safeguards. Level 2 would require demonstrating that the control does not compromise data security or service continuity.
  4. Track Article 18 decisions. The Commission's list of associated third countries will determine whether the level 3 derogation is even open to you.

Common misconceptions

  • "A German-incorporated subsidiary is automatically an EU provider." Incorrect. The Annex II criteria turn on control, not incorporation; a subsidiary can still be subject to third-country control.

  • "A contract limiting parent access is enough." Contracts are part of the evidence, but Annex III, Audit criterion G directs auditors to the reality of ownership and decision-making power — board control, veto rights and financial links included.

  • "Level 1 covers most public-sector work." Article 30(3) requires levels 2, 3 or 4 for activities contributing to the preservation of public order in the listed sectors and areas. Level 1 is the baseline only where activities are not so identified (Article 30(2)).

This is general information about a draft EU regulation, not legal advice.