Summary

Yes, as proposed in the Cloud and AI Development Act (CADA), a cloud computing service provider must be established in the European Union to achieve Union assurance level 1. Annex II, Section 1.1(a) explicitly lists this as a mandatory, cumulative criterion. This requirement acts as the foundational gatekeeper for the sovereignty framework, ensuring the provider is subject to EU jurisdiction. While Annex II, Section 1.1(g) addresses providers already established in the EU but controlled by third countries, it does not allow non-EU established providers to bypass the establishment requirement.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised "Union cloud computing sovereignty framework" to safeguard the Union's public order and reduce strategic dependencies. This framework, introduced in Article 16, defines four distinct Union assurance levels (1 through 4). Cloud computing service providers seeking to serve Union entities and public sector bodies must be formally recognised as meeting the criteria for one of these levels.

For Union assurance level 1, which serves as the minimum baseline for public procurement under Article 30(2), the criteria are cumulative. This means a provider must satisfy every single condition listed in Annex II, Section 1 to qualify. The very first condition sets a strict legal threshold regarding the provider's corporate domicile.

The Mandatory Establishment Requirement

Annex II, Section 1.1(a) states unequivocally:

"(a) the cloud computing service provider is established in the Union;"

This provision is the primary filter for Level 1 recognition. As proposed, a provider cannot achieve Level 1 status if its legal establishment is outside the European Union. The term "established" in this context refers to the provider having a registered office, central administration, or main establishment within a Member State. This ensures that the entity is subject to EU law, the jurisdiction of EU courts, and the supervisory powers of national competent authorities designated under Article 25.

Without this legal anchor in the Union, the provider falls outside the immediate reach of the enforcement mechanisms and legal oversight that the CADA framework relies upon. Consequently, a provider incorporated in a third country, even if it operates data centres within the EU, fails to meet the fundamental prerequisite of Section 1.1(a).

The Nuance of Third-Country Control

While establishment is the primary gatekeeper, the proposal acknowledges that many EU-established providers may have foreign ownership. Annex II, Section 1.1(g) addresses this specific scenario, but it operates as a supplementary safeguard, not a substitute for establishment.

The text of Annex II, Section 1.1(g) reads:

"(g) Where the cloud computing service provider is subject to the control of a third country or a legal entity established in a third-country, the cloud computing service provider guarantees that there are no existing laws and practices in that third country, demonstrated by independent sources, that require the cloud computing service provider to report information on software vulnerabilities to authorities of that third country prior to those vulnerabilities being known to have been exploited."

This clause creates a two-step logic for Level 1 eligibility:

  1. Step 1 (Establishment): The provider must first satisfy Section 1.1(a) by being established in the Union.
  2. Step 2 (Control Safeguard): If the provider is established in the Union but is subject to third-country control, it must then satisfy Section 1.1(g) by guaranteeing that no third-country laws compel premature disclosure of software vulnerabilities.

Crucially, Section 1.1(g) only applies "Where the cloud computing service provider is subject to the control of a third country..." It presupposes that the provider has already passed the establishment test. It does not offer a derogation for providers established outside the EU. A non-EU provider cannot argue that it has no third-country control issues (or that it is not controlled by a third country) to bypass the requirement of being established in the Union. The establishment requirement is absolute for Level 1.

Contrast with Higher Assurance Levels

The strictness of the establishment requirement for Level 1 contrasts with the evolving nature of control rules in higher levels:

  • Level 1: Requires EU establishment. If controlled by a third country, a specific guarantee regarding vulnerability reporting is needed.
  • Level 2: Requires EU establishment and introduces stricter controls on data usage (no training of third-country AI) and personnel screening (conditional on public body requirements).
  • Level 3 & 4: These levels generally require that the provider and subcontractors are not subject to third-country control, with a specific derogation mechanism in Article 18 (not Article 19, as sometimes mis-cited) allowing for third-country control only if the Commission has adopted an implementing act identifying that third country as providing sufficient assurances.

For Level 1, the focus remains on the legal establishment and the specific vulnerability reporting guarantee, making it the most accessible tier while still ensuring a baseline of EU legal jurisdiction.

What this means for you

For cloud service providers, data centre operators, and legal counsel, the establishment requirement in Annex II 1.1(a) has immediate strategic implications for market access.

For Non-EU Providers

If your company is incorporated and legally established outside the EU, you cannot currently qualify for Union assurance level 1 under the CADA proposal. To participate in the EU public sector market under this framework, you would need to establish a legal entity within the EU. This entity must be the one providing the cloud computing service and seeking recognition. Merely having a sales office, a subsidiary that does not constitute the main provider, or physical infrastructure (data centres) in the EU is insufficient. The provider itself must be established in the Union.

For EU Providers with Foreign Ownership

If you are already established in the EU but are owned or controlled by a third-country entity, you can still achieve Level 1, provided you meet the specific safeguard in Annex II 1.1(g). You will need to prepare evidence, likely through independent sources, demonstrating that your third-country owners cannot compel you to report software vulnerabilities to their national authorities before those vulnerabilities are publicly known or exploited. This may require robust legal opinions, technical separation measures, and contractual firewalls between your EU operations and your foreign parent company.

For Public Sector Buyers

Contracting authorities must verify that any cloud service procured for general public sector use (where no specific risk assessment mandates Level 2, 3, or 4) holds a valid Level 1 recognition. This verification must confirm that the provider is established in the EU. If a provider claims Level 1 status but is established outside the EU, the procurement would be non-compliant with Article 30(2).

Common misconceptions

Misconception 1: "If I have data centres in the EU, I am considered established in the EU." This is incorrect. Having physical infrastructure (data centres) in the EU is not the same as legal establishment. Annex II 1.1(a) requires the provider to be established in the Union. This is a legal status related to incorporation, registration, and jurisdiction, not merely a physical presence. A non-EU company with servers in Ireland is not "established" in the EU for CADA purposes unless it has a legal entity there that acts as the provider.

Misconception 2: "Third-country providers can reach Level 1 if they sign a contract guaranteeing data protection." No. The establishment requirement in Annex II 1.1(a) is absolute for Level 1. Contractual guarantees cannot override the statutory requirement that the provider be established in the Union. While the Data Act and GDPR have mechanisms for data transfers, CADA's sovereignty framework introduces a distinct, stricter hurdle for cloud service recognition based on corporate domicile.

Misconception 3: "The third-country control rule (1.1(g)) allows non-EU providers to qualify if they are not controlled by third countries." This is a critical error. The control rule in 1.1(g) applies only to providers who are already established in the Union (satisfying 1.1(a)) but happen to be controlled by third-country entities. It is not a backdoor for non-EU established providers. If you are not established in the EU, you fail at criterion 1.1(a) regardless of your ownership structure or lack of third-country control.

This is general information about a draft EU regulation, not legal advice.