Summary
Yes, the proposed Cloud and AI Development Act (CADA) affects non-EU cloud providers differently than existing EU laws by introducing a tiered sovereignty framework that imposes strict, conditional limits on third-country control for higher assurance levels. While laws like the GDPR, NIS2, and DORA already regulate non-EU providers serving the EU market through data protection and cybersecurity standards, CADA adds a specific procurement barrier: public sector bodies generally cannot procure from non-EU controlled providers for critical activities unless the provider qualifies for Union Assurance Level 3, which requires a specific Commission decision and GDPR adequacy ties. Union Assurance Level 4 is effectively reserved for EU-controlled providers, as it prohibits third-country control entirely.
Detail
To understand how CADA differentiates non-EU providers from the status quo, it is necessary to contrast its proposed sovereignty framework with the existing extraterritorial reach of EU digital legislation.
Existing EU Laws: Broad Extraterritoriality
Current EU regulations already extend beyond EU borders when non-EU providers offer services to EU entities or process data of EU residents. These frameworks focus on conduct and risk management rather than ownership or sovereignty.
- GDPR: The General Data Protection Regulation applies to any controller or processor not established in the EU if their processing activities relate to offering goods or services to, or monitoring the behavior of, data subjects in the Union. Compliance is achieved through mechanisms like Standard Contractual Clauses (SCCs) or adequacy decisions, allowing non-EU providers to operate if they respect EU data rights.
- NIS2: The Directive on the Security of Network and Information Systems applies to entities classified as essential or important in the EU. While primarily focused on those EU entities, it creates obligations for the critical third-party ICT suppliers that support them, including suppliers located outside the EU. The focus is on cybersecurity risk management and incident reporting.
- DORA: The Digital Operational Resilience Act applies to financial entities in the EU and explicitly extends to critical third-party providers of ICT services, regardless of where those providers are established. It mandates ICT risk management frameworks and testing but does not prohibit third-country ownership.
In these frameworks, the primary mechanism for compliance is adherence to EU standards (data protection, cybersecurity resilience, risk management). A non-EU provider can often comply by implementing equivalent technical and organizational measures, appointing an EU representative, or relying on adequacy decisions.
CADA's Distinct Approach: The Sovereignty Framework
CADA introduces a new layer of regulation focused on technological sovereignty and public order, rather than just data protection or cybersecurity. It establishes a "Union cloud computing sovereignty framework" with four assurance levels (Article 16). The impact on non-EU providers is defined by the strictness of these levels, which act as a gatekeeper for public procurement.
Union Assurance Level 1: Self-Assessment with Conditions
At the lowest tier, Union Assurance Level 1, cloud computing service providers can self-assess compliance. The criteria in Annex II, Section 1 require that the provider is established in the Union and that infrastructure and assets are located in the Union. However, it allows technical support to be outsourced to third-country providers if the necessary legal, technical, and organizational measures are implemented to ensure traceability, security, and governance, and provided that these operations do not compromise operational autonomy. This level remains accessible to some non-EU controlled entities if they maintain a significant operational presence in the EU, though the criteria are stringent regarding data localization.
Union Assurance Level 2: Conditional Third-Country Control
Union Assurance Level 2 represents a critical threshold where the rules for third-country control become more nuanced than often assumed. Annex II, Section 2, Criterion 2.1(g) explicitly states that if the audited provider and its subcontractors are subject to the control of a third country or a legal entity established in a third country, they must demonstrate that specific legal, technical, and organizational measures have been implemented. These measures must ensure that:
- Control is not exercised in a manner that restricts the provider's ability to perform the service or undermines necessary capabilities.
- Access by a third country to customer data is prevented.
- The possibility of disruption of service continuity or degradation of service quality is prevented.
- The provider is not obliged to comply with restrictive measures (e.g., sanctions) adopted by a third country, unless legitimate under EU law.
Unlike for Level 3, Annex II does not reference Article 18 (which allows Commission decisions on third-country eligibility) for Level 2. This means there is no "country designation" mechanism for Level 2. However, the text does not impose a blanket prohibition on third-country control. Instead, it allows third-country control if the provider can demonstrate the specific safeguards listed in 2.1(g)(i-iv). The absence of an Article 18 mechanism means the country is not pre-designated, but the provider can still qualify if it meets the specific criteria. This distinguishes Level 2 from Level 4, where control is strictly prohibited.
Union Assurance Level 3: Conditional Access via Article 18
The most significant change for non-EU providers lies in Union Assurance Level 3. Under Annex II, Section 3, Level 3 generally requires that the audited provider and its subcontractors are not subject to the control of a third country or a legal entity established in a third country.
However, Article 18 introduces a critical derogation. The Commission may adopt implementing acts identifying specific third countries whose cloud computing service providers may be audited against the Level 3 criteria. This is conditional on several strict factors, including:
- The third country being subject to a relevant GDPR adequacy decision (Article 18(1)(a)).
- The absence of measures enabling the third country to exercise control over the provider in ways that conflict with EU data laws (specifically Article 32 of Regulation (EU) 2023/2854 regarding lawful access to non-personal data).
- No measures compelling the provider to degrade or disrupt service continuity.
- No measures obliging the provider to comply with restrictive measures (sanctions, embargoes) unless legitimate under EU law.
Recital 61 of the CADA proposal explicitly ties this assessment to GDPR adequacy, stating: "The Commission should assess whether the third country is covered by an adequacy decision adopted pursuant to Article 45 of Regulation (EU) 2016/679." This creates a direct linkage between data protection adequacy and cloud sovereignty eligibility. If a country lacks GDPR adequacy, its providers are effectively barred from Level 3 recognition unless the Commission makes a specific, exceptional decision (which the text implies is tied to adequacy).
Union Assurance Level 4: The EU-Controlled Barrier
For the highest tier, Union Assurance Level 4, the criteria are absolute. Annex II, Section 4, Criterion 4.1(g) states that the audited provider and subcontractors "are not subject to the control of a third country or a legal entity established in a third-country." There is no derogation or Commission decision mechanism for Level 4. This effectively reserves Level 4 services for providers that are entirely under EU control.
Procurement Implications
The practical impact of these tiers is felt in public procurement. Article 30 mandates that contracting authorities whose activities are identified as contributing to the preservation of public order (e.g., defense, justice, critical infrastructure) through risk assessments under Article 29 must only procure cloud services recognized as offering Union Assurance Levels 2, 3, or 4.
For a non-EU provider:
- Level 4 is inaccessible. They cannot bid for contracts requiring Level 4 assurance.
- Level 3 is conditional. They can only bid if their home country has been designated by the Commission under Article 18, which requires GDPR adequacy and strict sovereignty safeguards.
- Level 2 is restricted but possible. While Level 2 does not have an Article 18 "country designation," providers subject to third-country control can still qualify if they demonstrate the specific safeguards in Annex II 2.1(g). However, without a pre-designated country status, the burden of proof is higher, and the risk of rejection is significant if the safeguards are deemed insufficient.
What this means for you
For in-house counsel and compliance officers at non-EU cloud providers, CADA introduces a bifurcated compliance strategy:
- Assess Your Control Structure: You must map your ownership and control chains. If your entity is controlled by a third-country government or entity, you are likely barred from Union Assurance Level 4 and potentially Level 3 unless a specific derogation is granted. For Level 2, you must be prepared to prove that your third-country control does not compromise service continuity or data access.
- Monitor Article 18 Designations: Eligibility for Level 3 is not automatic. It depends on a Commission implementing act. You must monitor whether your home country is designated as providing "sufficient assurances." This designation is closely linked to your country's GDPR adequacy status. If your country loses GDPR adequacy, it is highly likely you will lose eligibility for CADA Level 3.
- Prepare for Enhanced Audits: For Levels 2-4, independent third-party audits are mandatory (Article 20). Auditors will scrutinize your supply chain, your software bills of materials (SBOMs), and the absence of remote access features that could be used to tamper with systems (Annex II, criterion i).
- Public Sector Strategy: If your target market includes EU public sector bodies, you must determine the assurance level required for their specific activities. If they require Level 4, you cannot serve them. If they require Level 3, you must ensure your country is on the Commission's approved list. If they require Level 2, you must demonstrate the specific safeguards against third-country control.
- Penalties and Compensation: Non-compliance with Title IV, Chapter I of CADA can lead to penalties imposed by Member States (Article 24). These penalties are designed to be effective, proportionate and dissuasive, taking into account the nature, gravity, and duration of the infringement, as well as the provider's turnover in the Union. Recipients of services also have the right to seek compensation for damage.
Common misconceptions
- "GDPR Adequacy is enough for all EU cloud rules."
- Correction: While GDPR adequacy is a prerequisite for CADA Level 3 eligibility (Recital 61, Article 18), it is not sufficient on its own. CADA adds sovereignty, operational autonomy, and supply chain security requirements that go beyond data protection. A country can have GDPR adequacy but still fail to meet CADA's criteria if it has laws allowing service disruption or unauthorized access to non-personal data.
- "Non-EU providers are banned from the EU market."
- Correction: Non-EU providers are not banned. They can still offer services at Level 1 (if they meet the strict establishment and infrastructure criteria) or potentially Level 3 if their country is designated. They may also qualify for Level 2 if they can demonstrate specific safeguards against third-country control. However, they are excluded from the highest security tiers (Level 4) and may be excluded from Level 3 if no derogation is granted.
- "CADA replaces NIS2 or DORA."
- Correction: CADA complements, not replaces, existing laws. A non-EU cloud provider serving EU financial institutions must comply with DORA's ICT risk management requirements, and additionally with CADA's sovereignty framework if it supplies public sector or critical infrastructure clients. The obligations are cumulative.
- "Level 2 prohibits all third-country control."
- Correction: Annex II 2.1(g) explicitly allows for third-country control in Level 2 if the provider demonstrates specific legal, technical, and organizational measures to prevent data access, service disruption, and compliance with restrictive measures. The absence of an Article 18 "country designation" mechanism does not mean a blanket ban; it means the provider must prove compliance on a case-by-case basis.
Official sources
- EU AI Act (Regulation (EU) 2024/1689)
- GDPR (Regulation (EU) 2016/679)
- Data Act (Regulation (EU) 2023/2854)
Related
- How should an SME plan compliance across CADA and the other EU digital laws?
- Does complying with all other EU digital laws make CADA automatic?
- CADA Third-Country Control: Disclosure Rules vs. Other EU Laws
- Does CADA affect AI Act GPAI model providers using EU cloud?
- Which EU laws does CADA stack on top of? A guide to the new sovereignty layer
This is general information about a draft EU regulation, not legal advice.