CADA and the International Digital Strategy

Summary As proposed, the Cloud and AI Development Act (CADA) is explicitly designed to be compatible with the EU's June 2025 Communication on an International Digital Strategy. Rather than isolating the EU, the proposal establishes a "transparent, non-discriminatory blueprint for digital autonomy" that allows the Union to build resilient infrastructure while maintaining trusted international partnerships. Crucially, entities from partner countries retain access to the EU internal market provided they meet specific Union assurance levels. For providers subject to third-country control, Article 18 provides a specific mechanism to qualify for Union assurance level 3, ensuring that sovereignty goals do not preclude cooperation with compliant non-EU partners.

Detail

The Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, addresses a critical policy tension: how to strengthen the EU's technological sovereignty and reduce dependencies on non-European providers without severing ties with international partners. The proposal's explanatory memorandum explicitly frames CADA as a complement to the EU's broader digital diplomacy, stating that the regulation "creates a transparent, non-discriminatory blueprint for digital autonomy that allows the EU to build resilient, sovereign tech infrastructures at home while providing a trusted, legally sound model for international partnerships and multilateral governance abroad."

This alignment is not merely rhetorical; it is embedded in the legal architecture of the proposal. CADA respects the Union's international commitments, including the World Trade Organization (WTO) Agreement on Government Procurement (GPA). While the proposal affirms the free flow of data and open market access, it reserves the right to adopt necessary and proportionate restrictions to protect public morals, order, or safety. This ensures that the EU can address risks such as critical dependencies or unauthorized access to data without violating its trade obligations.

The Article 18 Mechanism: Associated Third Countries

The cornerstone of CADA's approach to third-country partners is Article 18, titled "Associated third countries." This provision creates a derogation pathway for cloud computing service providers that are subject to the control of a third country or a legal entity established in a third country. Without this mechanism, such providers would generally be excluded from the highest tiers of the sovereignty framework.

Under Article 18(1), the Commission may adopt implementing acts to identify third countries that fulfill a strict set of cumulative criteria. If a third country meets these criteria, providers controlled by that country may be audited against the requirements for Union assurance level 3. This is significant because Union assurance levels 2, 3, and 4 are mandatory for public sector activities identified as contributing to the preservation of public order (e.g., national security, defense, justice) under Article 29 and Article 30.

To qualify for this designation, a third country must satisfy the following cumulative conditions:

1. Adequacy Decision: The country must be subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679 (GDPR). The Commission must assess whether this decision applies generally or is limited to specific sectors, and whether it covers the specific processing activities involved in the cloud service.
2. No Conflicting Control: The country must have no measures enabling it to exercise control over the provider in a way that conflicts with the requirements for lawful access to non-personal data under Article 32(2) and (3) of Regulation (EU) 2023/2854 (the Data Act).
3. No Service Disruption: The country must have no measures compelling the provider to degrade or disrupt service continuity. It must also not oblige the provider to implement restrictive measures (e.g., sanctions, embargoes) unless those measures are legitimate under Member State or Union law.
4. No Technology Impediment: The country must not impede the provision of state-of-the-art technologies and services.
5. Open Market: The country must maintain an open market to Union cloud computing services.
6. Reciprocal Access: The country must grant equivalent levels of access to public procurement procedures for cloud services controlled by Union entities or Member States.

If these criteria are met, the Commission adopts an implementing act. This act allows providers from that third country to undergo the independent audit process required for Union assurance level 3 under Article 20. This ensures that even providers with non-EU ownership can participate in high-risk public sector markets if their home jurisdiction offers sufficient legal safeguards.

Dynamic Monitoring and Transparency

The framework is not static. Article 18(2) mandates that if information reveals a third country no longer fulfills the requirements, the Commission shall repeal, amend, or suspend the decision. This allows the EU to respond dynamically to geopolitical shifts. Furthermore, Article 18(3) requires the Commission to publish a list of third countries that fulfill the requirements and those that no longer do so, ensuring transparency for market participants and legal certainty for providers.

Interaction with Public Order and Procurement

The sovereignty framework established in Article 16 and detailed in Annex II sets four assurance levels. While Union assurance level 1 serves as a baseline for general public sector procurement, Article 30(3) requires that contracting authorities whose activities contribute to public order procure only services recognized at levels 2, 3, or 4.

For third-country providers, the path to these higher levels is distinct:

• Levels 2 and 4: Generally require that the provider and its subcontractors are not subject to third-country control (Annex II, Sections 2.1(g) and 4.1(g)).
• Level 3: Offers the specific derogation in Article 18. As noted in Annex II, Section 3.1(g), providers subject to third-country control may be audited for level 3 only where the Commission has adopted an implementing act under Article 18. In such cases, the provider must also demonstrate that specific legal, technical, and organisational measures prevent third-country control from restricting service delivery, accessing data, or disrupting continuity.

This structure ensures that the "non-discriminatory blueprint" functions on merit: any provider, regardless of origin, can access the market if they can demonstrate compliance with the assurance criteria. However, the criteria for third-country controlled entities are stricter, reflecting the higher risks associated with extraterritorial legal access.

What this means for you

For legal counsel, compliance officers, and strategic planners, the alignment between CADA and the International Digital Strategy has several practical implications:

1. Verify Article 18 Status Early: If your organization is controlled by a non-EU entity, you must determine if that country is on the Commission's list of "associated third countries." Without an implementing act under Article 18, you cannot qualify for Union assurance level 3, effectively barring you from public sector contracts involving public order (e.g., defense, law enforcement).
2. Prepare for Reciprocity Checks: The Article 18 criteria include a requirement for reciprocal market access. If your home country restricts EU providers, your eligibility for the EU market may be jeopardized. Legal teams should assess their home jurisdiction's procurement laws against this criterion.
3. Audit Readiness for Level 3: Even with an Article 18 designation, providers must undergo independent third-party audits under Article 20. Prepare your governance structures, data flow diagrams, and technical controls to demonstrate that third-country control does not compromise service continuity or data confidentiality.
4. Public Sector Procurement Strategy: If you are a public body, ensure your risk assessments under Article 29 correctly identify activities requiring higher assurance levels. When procuring, verify the provider's status in the central repository under Article 22. Do not assume that a GDPR adequacy decision alone is sufficient; the specific Article 18 implementing act is required for level 3 eligibility.
5. Trade Compliance Defense: While CADA allows for restrictions to protect public order, these must be "necessary and proportionate." Document the risk assessments and the specific public order concerns that necessitate the application of higher assurance levels to defend against potential challenges under the WTO GPA.

Common misconceptions

"CADA bans all third-country cloud providers from the EU." Reality: CADA does not ban third-country providers. It establishes a tiered assurance framework. Third-country providers can access the EU market, including the public sector, provided they meet the relevant assurance levels. For level 3, this requires a specific Commission decision under Article 18.

"A GDPR adequacy decision automatically qualifies a country for CADA Article 18." Reality: While an adequacy decision under Article 45 of the GDPR is a prerequisite, it is not sufficient. The third country must also meet five additional cumulative criteria, including reciprocal market access, no measures for service disruption, and no conflicting control measures. The Commission must explicitly adopt an implementing act.

"Union assurance level 1 is enough for all government contracts." Reality: Level 1 is the minimum baseline. However, for activities contributing to the preservation of public order (e.g., national security, defense, justice), Article 30(3) mandates the use of services recognized at levels 2, 3, or 4. Third-country providers seeking these contracts must navigate the Article 18 process for level 3.

"CADA contradicts the EU's open digital strategy." Reality: The proposal explicitly states it creates a "transparent, non-discriminatory blueprint for digital autonomy." It is designed to be consistent with the EU's International Digital Strategy, allowing for international partnerships while safeguarding against risks that could undermine public order.

Official sources

• GDPR (Regulation (EU) 2016/679)
• Data Act (Regulation (EU) 2023/2854)

Related

• CADA and the Preparedness Union Strategy: How Article 29 Secures Digital Resilience
• CADA Third-Country Control: Disclosure Rules vs. Other EU Laws
• What single checklist covers CADA plus the main EU digital laws?
• CADA and the Apply AI Strategy: How the EU's Cloud Law Underpins AI Adoption
• How should an SME plan compliance across CADA and the other EU digital laws?

This is general information about a draft EU regulation, not legal advice.