Summary

As proposed, the Cloud and AI Development Act (CADA) does not ban non-EU cloud providers, but its sovereignty framework would heavily limit their access to the EU public-sector market. Level 1 requires the provider to be established in the Union; the higher levels turn on third-country control, which is restricted at Levels 2-4 and prohibited at Levels 3 (subject to a narrow derogation) and 4. Under Article 18, the Commission may recognise an "associated third country" whose controlled providers may then be audited at Level 3. CADA is a proposal (COM(2026) 502 final), not yet in force.

Detail

Whether CADA "applies" to a non-EU provider turns on distinguishing the regulation's scope from the operational requirements of its sovereignty framework. CADA aims to reduce EU dependence on non-European providers by building a framework for sovereign cloud services.

Scope and definitions

CADA defines a "cloud computing service provider" as a legal entity that provides a cloud computing service (Article 2(2)). The sovereignty framework applies to providers wishing to offer services to Union entities and public sector bodies. Central to the analysis is "control": under Article 2(21), "control" is defined by reference to Article 2, point (6), of Regulation (EU) 2021/697, broadly the ability to exercise decisive influence over an entity.

A provider subject to the control of a third country or a third-country entity faces additional scrutiny. This is core to CADA's aim of mitigating risks from the extraterritorial application of third-country laws — the kind of foreign-access concern often associated with instruments such as the US CLOUD Act.

The sovereignty framework and assurance levels

CADA establishes the Union cloud computing sovereignty framework of four Union assurance levels (Article 16), with criteria in Annex II. The required level for a given public-sector activity depends on the Article 29 risk assessment.

  • Union assurance level 1: the baseline. The provider must be established in the Union and its infrastructure and assets located in the Union (unless the public sector body requires otherwise). A provider under third-country control can still qualify, provided it guarantees that no laws or practices in that country require it to report software vulnerabilities to that country's authorities before they are known to have been exploited (Annex II, 1.1(g)).
  • Union assurance levels 2, 3 and 4: these require independent third-party audits and impose stricter data-localisation, personnel and supply-chain rules. At Level 2, providers under third-country control must demonstrate safeguards (preventing foreign access and service disruption). At Level 3, third-country control is in principle excluded, subject to the Article 18 derogation. At Level 4, third-country control is prohibited with no derogation.

Article 18: associated third countries

The pivotal provision for non-EU providers is Article 18. Under Article 18(1), the Commission may adopt implementing acts identifying third countries whose controlled providers "may be audited against the criteria for Union assurance level 3," provided the third country meets cumulative criteria:

  1. it is subject to a relevant adequacy decision under Article 45 of the GDPR (Regulation (EU) 2016/679);
  2. it has no measures enabling control over the provider that would conflict with the lawful-access requirements in Article 32(2)-(3) of Regulation (EU) 2023/2854;
  3. it has no measures to compel the provider to degrade or disrupt service continuity (and no measures to compel compliance with illegitimate restrictive measures such as sanctions or embargoes);
  4. it has no measures impeding the provision of state-of-the-art technologies and services;
  5. it maintains an open market to Union cloud computing services; and
  6. it grants equivalent access to public-procurement procedures for cloud services controlled by a Union Member State or entity.

If the Commission recognises a third country, providers controlled from it can potentially be audited at Level 3 (and must also demonstrate the legal, technical and organisational separation and other safeguards in Annex II). Without recognition, providers under third-country control are effectively confined to Level 1, sharply limiting their EU public-sector opportunities. The Commission must repeal, amend or suspend a recognition if the country no longer qualifies (Article 18(2)) and publish a list of qualifying countries (Article 18(3)).

Impact on public procurement

Under Article 30(3), contracting authorities whose activities contribute to the preservation of public order must procure services recognised at Levels 2, 3 or 4. Because providers under third-country control are excluded from Levels 2 and 4, and can reach Level 3 only via Article 18 recognition, their ability to serve critical public-sector needs is constrained. This creates a de facto barrier unless the home country secures a favourable recognition decision.

What this means for you

If you are a non-EU provider, or have ties to non-EU entities, CADA as proposed would create real market-access and compliance challenges.

  1. Assess your control structure. Determine whether you are under "control" by a third country or third-country entity (Article 2(21)). If so, you face higher barriers for EU public contracts.
  2. Monitor Article 18 developments. Your access to high-assurance contracts depends on whether the Commission recognises your home country. Engage your national government on the cumulative criteria (adequacy, open market, reciprocal procurement access, no restrictive access laws).
  3. Prepare for audits. For Level 3 (where your country is recognised), you must pass rigorous independent audits proving compliance with the Annex II criteria, including that third-country control does not compromise continuity or data confidentiality.
  4. Consider EU establishment. Without Article 18 recognition, a genuinely independent EU subsidiary not subject to third-country control could potentially qualify for higher levels, provided it meets all other criteria (data localisation, personnel and supply-chain rules).

Common misconceptions

  • "CADA bans non-EU providers." No. It creates a tiered system; providers under third-country control are limited to lower levels unless their country is recognised under Article 18.
  • "GDPR adequacy is enough for CADA compliance." No. An adequacy decision is a prerequisite for Article 18 recognition but is not sufficient on its own — the country must also meet the additional criteria (market openness, non-interference with continuity, reciprocal procurement access).
  • "All non-EU providers are excluded from Level 3." No. Providers from a recognised associated third country (Article 18) may be audited at Level 3 even if under third-country control — the key is the Commission's recognition decision.

This is general information about a draft EU regulation, not legal advice.