Summary
As proposed, the Cloud and AI Development Act (CADA) generally prohibits cloud computing service providers controlled by a third country or a legal entity established in a third country from achieving Union assurance level 3. The default rule, set out in Annex II, paragraph 3.1(g), is an absolute exclusion. However, Article 18 establishes a specific, narrow derogation: the Commission may recognize certain "associated third countries" as providing sufficient safeguards. If a third country is not on this list, providers subject to its control are permanently ineligible for Union assurance level 3, regardless of any technical or organizational measures they might implement.
Detail
The proposed CADA establishes a Union cloud computing sovereignty framework comprising four Union assurance levels (Article 16). These levels determine the degree of sovereignty and trust required for cloud computing services used by Union entities and public sector bodies. Union assurance level 3 is specifically designed for high-risk public sector activities where preserving public order requires strict control over data, operational autonomy, and the absence of foreign interference.
The General Rule: No Third-Country Control at Level 3
Under Annex II, paragraph 3.1(g), the cumulative criteria for Union assurance level 3 explicitly state that the audited provider and its subcontractors involved in the provision of the service must not be subject to the control of a third country or a legal entity established in a third country. This is a binary, structural requirement: if the provider is controlled by a non-EU entity, it fails this specific criterion and cannot achieve Union assurance level 3.
This prohibition is significantly stricter than the rules for Union assurance level 2. At level 2 (Annex II, paragraph 2.1(g)), providers subject to third-country control may still qualify if they demonstrate that necessary legal, technical, and organizational measures are in place to prevent unauthorized access, service disruption, or the imposition of restrictive measures (such as sanctions or embargoes) by the third country. At level 3, however, the default position is exclusion. The structural risk of third-country control is deemed incompatible with the sovereignty requirements of level 3 unless a specific derogation applies.
The Derogation: Associated Third Countries
Article 18 provides the only pathway for a provider subject to third-country control to achieve Union assurance level 3. This mechanism relies on the Commission's power to identify "associated third countries" through implementing acts.
Under Article 18(1), the Commission may adopt decisions identifying third countries for which cloud computing service providers subject to their control may be audited against the criteria for Union assurance level 3. This recognition is not automatic; the third country must fulfill a strict set of cumulative criteria, including:
- Being subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679 (GDPR).
- Having no measures that enable the third country to exercise control over the provider in a way that conflicts with the Union rules on lawful access to non-personal data (specifically Article 32(2) and (3) of the Data Act).
- Having no measures to compel the provider to degrade or disrupt service continuity.
- Having no measures to impede the provision of state-of-the-art technologies.
- Maintaining an open market to Union cloud computing services.
- Granting equivalent levels of access to public procurement procedures for Union-controlled providers.
If a third country is recognized under Article 18, providers subject to its control may be audited for Union assurance level 3. However, even in these cases, the provider must demonstrate that the third country's control is not exercised in a manner that restrains the provider's ability to perform the service, blocks access to customer data, or disrupts the service (Annex II, paragraph 3.1(g), derogation clause).
Non-Associated Countries
If a third country is not recognized as an "associated third country" under Article 18, the derogation does not apply. Consequently, any cloud computing service provider subject to the control of that non-associated third country is permanently excluded from Union assurance level 3. This exclusion applies regardless of whether the provider implements robust technical safeguards, localizes data within the Union, or undergoes rigorous independent audits. The structural risk of third-country control is deemed incompatible with the sovereignty requirements of level 3 in the absence of a Commission decision recognizing the third country.
It is important to note that Article 18 is the sole legal basis for this derogation. There is no provision in the proposal allowing for case-by-case exemptions based on specific technical architectures or bilateral agreements outside the scope of Article 18.
What this means for you
For in-house counsel, compliance officers, and public procurement teams, the distinction between associated and non-associated third countries is critical for long-term cloud strategy and procurement planning.
1. Procurement Restrictions
Public sector bodies and Union entities must conduct risk assessments under Article 29 to determine the required Union assurance level for their activities. If an activity is deemed to require Union assurance level 3 (e.g., certain national security, justice, or critical infrastructure functions), contracting authorities are prohibited from procuring services from providers controlled by non-associated third countries (Article 30(3)). There is no derogation for "disproportionate cost" or lack of alternatives that would allow the use of a non-compliant level 3 service in these high-risk contexts.
2. Supply Chain Due Diligence
Organizations must perform deep supply chain due diligence to identify ultimate control. "Control" is defined in Article 2(21) by reference to Regulation (EU) 2021/697. This requires looking beyond direct ownership to include indirect shareholders, voting rights, and strategic decision-making power. If a provider is headquartered in the EU but has significant equity or board representation from a non-associated third country, it may be deemed "controlled" and thus ineligible for level 3.
3. Monitoring Commission Decisions
The list of associated third countries is not static. The Commission must publish a list of third countries that fulfill the requirements under Article 18(3). Compliance teams must monitor this list. If a country loses its associated status (e.g., due to changes in its legal framework or data access laws), providers subject to its control will immediately lose their eligibility for Union assurance level 3. Conversely, if a new country is added, providers may become eligible, provided they meet the remaining criteria.
4. Penalties and Enforcement
National competent authorities designated under Article 25 have enforcement powers under Article 26. Infringements of the sovereignty framework, including providing services at a falsely claimed assurance level, are subject to penalties under Article 24. These penalties must be effective, proportionate and dissuasive. For providers, misrepresenting compliance with Annex II criteria can lead to significant fines and revocation of recognition. For public procurers, failing to adhere to the mandatory assurance levels in Article 30 can result in administrative sanctions and breach of public procurement obligations.
Common misconceptions
Misconception: Technical safeguards can override third-country control at level 3. Incorrect. Unlike level 2, where technical and organizational measures can mitigate the risks of third-country control, level 3 has a structural bar. Unless the third country is explicitly recognized under Article 18, no amount of encryption, data localization, or audit evidence can compensate for the fact that the provider is controlled by a non-associated third country.
Misconception: "Associated third country" status is automatic for adequacy decisions. Incorrect. While an adequacy decision under the GDPR is a prerequisite (Article 18(1)(a)), it is not sufficient. The third country must also meet five additional criteria related to market access, non-disruption of services, and reciprocity. A country may have an adequacy decision but still fail to qualify as an "associated third country" under CADA if it does not meet these broader sovereignty and market access conditions.
Misconception: Level 3 is required for all public sector cloud use. Incorrect. Union assurance level 1 is the minimum requirement for all public sector procurement (Article 30(2)). Levels 2, 3, and 4 are only mandatory where a risk assessment under Article 29 determines that the activity contributes to the preservation of public order in sensitive sectors (e.g., national security, defense, justice). Most public services will not require level 3, meaning providers controlled by non-associated third countries may still serve the public sector at levels 1 or 2, provided they meet the respective criteria.
This is general information about a draft EU regulation, not legal advice.