Summary
No. As proposed under the Cloud and AI Development Act (CADA), establishing an EU subsidiary would not automatically render a US cloud provider's services "sovereign" or exempt from third-country risks. CADA would assess sovereignty by reference to effective control and the extraterritorial reach of foreign laws, not merely legal incorporation. If a US parent retains control, the service would remain exposed to third-country risk regardless of the subsidiary's structure, and the highest assurance levels would be out of reach without removing that control.
Detail
The proposed CADA would introduce a "Union cloud computing sovereignty framework" designed to mitigate dependence on non-European providers. A central pillar is the assessment of "control" and the extraterritorial application of third-country laws. For in-house counsel, the key question is whether an EU subsidiary of a US hyperscaler can be treated as a trusted, sovereign entity for public sector procurement. Grounded in the proposal's text, the answer is generally no, unless strict conditions of legal and operational separation are met and verified by independent audit.
The definition of control and third-country risk
CADA would not define sovereignty solely by where a legal entity is incorporated. Instead, it focuses on "control." CADA's Article 2, point (21), defines "control" by reference to Article 2, point (6), of Regulation (EU) 2021/697. This concept looks beyond the corporate registry to the power to influence strategic decisions.
Recital 46 addresses the risk profile of entities controlled by third countries. It states the Union "still remains critically dependent on a limited number of cloud computing service providers subject to the control of third countries or legal entities established in third-countries," exposing it to "critical strategic dependencies and concentration risks, including vulnerabilities arising from the extraterritorial application of third-country laws." Even where the contract is with an EU subsidiary, the risk that a third-country law could compel data access or service disruption would remain if the parent exercises control.
Recital 48 reinforces this: providers have launched "tailored versions of their service offerings," but those versions "do not address the core sovereignty issues allowing for the extraterritorial reach of third-country laws and the possible degradation or disruption of the service." Local structures alone would therefore be insufficient to ensure autonomy or control over data and infrastructure.
The Union assurance levels and audit criteria
CADA would establish four "Union assurance levels" (Article 16). For levels 2, 3, and 4, providers must undergo independent third-party audits (Article 20). The Annex II criteria impose strict requirements on entities subject to third-country control.
For Union assurance level 2 (Annex II, point 2.1(g)), where the provider and its subcontractors are subject to third-country control, they must demonstrate that:
- control is not exercised in a manner that restrains the provider's ability to perform the service (2.1(g)(i));
- third-country access to customer data is prevented (2.1(g)(ii));
- disruption or degradation of the service by the third country is prevented (2.1(g)(iii)); and
- the provider is not obliged to enforce restrictive measures such as sanction regimes or embargoes, unless legitimate under EU or Member State law (2.1(g)(iv)).
For Union assurance level 3 (Annex II, point 3.1(g)), the default is that the provider and its subcontractors must not be subject to third-country control. A derogation exists only where the Commission has adopted an implementing act under Article 18 recognising the third country as providing sufficient assurances; even then, the provider must demonstrate effective legal, technical, and organisational measures preventing third-country interference.
For Union assurance level 4 (Annex II, point 4.1(g)), the provider and subcontractors must not be subject to third-country control, with no derogation. This highest level would be reserved for the most sensitive public order activities.
The role of the US CLOUD Act
The US CLOUD Act illustrates why EU subsidiaries of US companies are viewed with caution. Section 2713 provides that a provider of electronic communication service or remote computing service "shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States."
This extraterritorial reach means a US parent may be compelled to access data held by its EU subsidiary where that subsidiary is deemed within the parent's "control." CADA's framework would be designed to counteract this by requiring providers to prove such legal compulsion cannot effectively reach EU customer data.
Procurement obligations for public authorities
Under Article 30, contracting authorities would procure cloud services based on the assurance level set by their risk assessments (Article 29):
- Activities not identified as contributing to the preservation of public order would use services recognised as at least Union assurance level 1 (Article 30(2)).
- Activities identified as contributing to public order (in sectors under Annex I or II of the NIS2 Directive and in national security, internal/external security, defence, justice, or law enforcement) would only procure services recognised as Union assurance level 2, 3, or 4 (Article 30(3)).
If a US company's EU subsidiary cannot demonstrate insulation from US legal compulsion, it would likely fail the criteria for levels 2, 3, or 4, rendering it ineligible for those public sector contracts.
What this means for you
For US cloud providers:
- Subsidiary structure is insufficient. Hosting data in the EU or incorporating an EU subsidiary would not earn a "sovereign" label. You must prove effective legal and operational separation (Annex II, point 2.1(k); 3.1(k); 4.1(k)).
- Audit readiness. To compete for level 2, 3, or 4 contracts you must prepare for independent audits under Article 20, which would examine governance and the ability to refuse data requests from third-country authorities.
- Article 18 recognition. Monitor whether the Commission recognises the US as an associated third country under Article 18. Without it, your services would be barred from level 3 (and level 4 is closed to third-country-controlled providers regardless).
For EU public authorities:
- Risk assessments are mandatory. You would conduct risk assessments under Article 29 to determine whether your activities contribute to public order; if so, you could not procure services below the corresponding assurance level.
- Due diligence on control. When evaluating a US-owned EU subsidiary, look beyond the contract. Require evidence of the "effective legal, technical and organisational separation" in Annex II.
- Penalties for misleading information. Providers that intentionally or negligently supply incorrect or misleading information could have recognition revoked (Article 17(11)) and face penalties (Article 24).
Common misconceptions
"GDPR compliance equals sovereignty." The proposal's explanatory memorandum notes that while the EU-US Data Privacy Framework addresses transatlantic data transfers, it "does not remove sovereignty concerns about dependence on third-country providers," because sovereignty "goes beyond data transfers and relates to operational autonomy too." GDPR compliance would not, by itself, satisfy CADA's sovereignty criteria.
"An EU subsidiary is a separate legal entity, so US laws don't apply." The CLOUD Act's "possession, custody, or control" test is functional, not purely formal. Where a US parent retains the ability to access data, US law may reach it. CADA's audit criteria (Annex II) specifically target this by requiring proof that such access is technically and legally prevented.
"All cloud services are treated equally." CADA would introduce a tiered system. Level 1 can admit some third-country control subject to transparency conditions, while levels 2, 3, and 4 progressively restrict or prohibit it. Hosting data in the EU does not, by itself, place a service at any particular level.
This is general information about a draft EU regulation, not legal advice.