Summary

No — as proposed, the Cloud and AI Development Act (CADA) does not discriminate against non-EU providers on nationality alone. The explanatory memorandum frames CADA as a "transparent, non-discriminatory blueprint for digital autonomy." Cloud services from third countries can qualify for Union assurance levels if they meet defined sovereignty and security criteria, and Article 18 offers a pathway to level 3 for "associated third countries." Providers subject to third-country control face stricter hurdles at higher levels, but the framework is designed to be consistent with WTO commitments. CADA is a proposal and not yet in force.

Detail

A common concern is whether CADA is protectionist. The proposal explicitly rejects that characterisation, framing its measures as necessary to protect public order and operational autonomy rather than to ban non-EU entities.

The non-discriminatory blueprint

The memorandum describes CADA as creating "a transparent, non-discriminatory blueprint for digital autonomy" that lets the EU build resilient, sovereign infrastructure while offering a trusted, legally sound model for international partnerships. Access for entities from partner countries is tied to meeting the required Union assurance levels rather than to geographic origin.

The four Union assurance levels (1–4), with criteria in Annex II, turn on technical and operational factors — EU establishment, data residency, cybersecurity, control, personnel, and supply-chain transparency — rather than country of incorporation alone.

Third countries can qualify: Article 18

A key non-discrimination provision is Article 18 ("Associated third countries"). The Commission may, by implementing act, identify third countries whose providers — despite being subject to that country's control or to a legal entity established there — may be audited against the criteria for Union assurance level 3.

To qualify, a third country must meet cumulative criteria, including:

  • a relevant adequacy decision under Article 45 GDPR;
  • no measures enabling control over the provider in ways conflicting with lawful access to non-personal data (under Article 32(2)-(3) of Regulation (EU) 2023/2854);
  • no measures to compel the provider to degrade or disrupt service continuity, nor to enforce restrictive measures unless legitimate under Member State or Union law;
  • no measures impeding provision of state-of-the-art technologies and services;
  • maintaining an open market to Union cloud services;
  • granting equivalent access to public-procurement procedures for Union-controlled services.

If met, providers from associated third countries can undergo independent audit and potentially achieve level 3 recognition, competing for sensitive public-sector contracts. The Commission would publish the list of qualifying countries.

Tiers are about assurance, not nationality bans

The four levels mitigate risks of data access, service disruption, and technology leakage:

  • Level 1 requires the provider to be established in the Union and infrastructure and data to remain in the Union (unless the public-sector body requires otherwise). It does not strictly ban third-country control, provided there are no laws requiring premature reporting of software vulnerabilities to third-country authorities (Annex II, 1.1(g)).
  • Levels 2 and 3 add stricter requirements on establishment, data localisation, personnel, and supply-chain transparency.
  • Level 4 is the most stringent, reserved for the most critical public-order activities, generally requiring that the provider and subcontractors are not subject to third-country control.

The framework is risk-based: Member States conduct risk assessments (Article 29) to set the appropriate level. Non-EU providers can still serve the EU public sector where the activity does not require the highest assurance, or via the Article 18 pathway for level 3.

Consistency with WTO and international commitments

The proposal addresses trade obligations directly. Recital 64 records that the Union maintains an open, non-discriminatory framework for market access in accordance with the TFEU and international commitments, including the WTO Agreement on Government Procurement (GPA) and bilateral trade agreements. It adds that, where necessary and duly justified, the Union retains the right under Article III:2(a) of the WTO GPA to adopt measures necessary to protect public morals, order, or safety, allowing proportionate restrictions on procurement access. The sovereignty requirements are framed as proportionate measures to address risks such as critical dependencies, unauthorised access to Union data, technology leakage, sabotage, and espionage.

What this means for you

For in-house counsel at non-EU cloud providers, CADA would offer a structured compliance pathway rather than a blanket ban.

  1. Map your assurance level: Determine which level your services need for the EU public-sector contracts you target. Many general public services would require only level 1, achievable for many non-EU providers that can show their home-country laws do not force premature vulnerability disclosure.
  2. Evaluate Article 18 eligibility: For level 3, assess whether your home country is likely to be designated an associated third country — which requires an EU adequacy decision and the other cumulative criteria.
  3. Prepare for audits: Levels 2, 3, and 4 require independent third-party audits (Article 20). Make data-localisation, personnel, and supply-chain documentation audit-ready.
  4. Monitor designations: The Commission would publish the Article 18 list; track updates, as they directly affect market access for sensitive contracts.

Common misconceptions

  • "CADA bans all non-EU cloud providers." False. The proposal restricts specific high-risk public-sector use cases unless strict assurance levels are met; general commercial markets remain open.
  • "Only EU-owned companies can get level 1." False. Level 1 requires the provider to be established in the Union but does not prohibit third-country ownership or control, provided there are no laws requiring premature reporting of software vulnerabilities to third-country authorities (Annex II, 1.1(g)).
  • "The Act violates the WTO GPA." The proposal argues it does not, relying on the public morals/order/safety exception in Article III:2(a) of the WTO GPA and applying criteria-based, proportionate measures rather than nationality bans.

This is general information about a draft EU regulation, not legal advice.