Summary
Yes. As proposed in the Cloud and AI Development Act (CADA), a cloud computing service provider subject to third-country control could qualify for Union assurance level 2, provided it implements specific legal, technical and organisational safeguards. Under Annex II, criterion 2.1(g), the provider would have to demonstrate that the third country cannot exercise control in a way that restricts service delivery, accesses customer data, disrupts service continuity, or compels compliance with foreign restrictive measures. These safeguards are cumulative with all other level 2 requirements, including EU data residency and an independent third-party audit under Article 20. Importantly, unlike level 3, level 2 would not require a Commission decision on the third country; the safeguards in §2.1(g) are the gating test. CADA is a proposal and is not in force; details could change.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, would establish a Union cloud computing sovereignty framework comprising four Union assurance levels, with criteria set out in Annex II (Article 16). A common question for compliance officers is whether providers controlled by third-country entities are automatically excluded. The answer depends on the level sought. While level 4 would prohibit third-country control outright, Union assurance level 2 would explicitly permit providers subject to third-country control, subject to rigorous conditional safeguards.
The legal basis for third-country control at level 2
The criteria for level 2 are set out in Annex II, section 2.1 of the proposal. Annex II §2.1(g) addresses the scenario where the audited provider and its subcontractors are subject to the control of a third country or a legal entity established in a third country.
Unlike level 4, which would require that providers not be subject to third-country control (Annex II §4.1(g)), level 2 would allow such control if the provider demonstrates that the necessary legal, technical and organisational measures are in place to ensure four specific outcomes:
- No restriction on service performance: the third-country control is not exercised in a manner that restrains or restricts the provider's ability to perform and deliver the service, imposes limitations on the infrastructure, assets and personnel required, or undermines the capabilities and standards necessary to perform the audited service (Annex II §2.1(g)(i)).
- Prevention of data access: access by a third country or a third-country-established legal entity to customer data is prevented (Annex II §2.1(g)(ii)).
- Prevention of service disruption: the possibility of disruption of service continuity and/or degradation of service quality by a third country or third-country entity is prevented (Annex II §2.1(g)(iii)).
- No compulsion to give effect to foreign restrictive measures: the control is not exercised in a manner that obliges the audited provider to implement, enforce, give effect to, or comply with restrictive measures "such as sanction regimes, embargoes, or any equivalent legal or administrative measures adopted by a third country", unless such measures are legitimate under the national laws of Member States or Union law (Annex II §2.1(g)(iv)).
Cumulative requirements and interplay with other criteria
Satisfying §2.1(g) is not a standalone pass. The provider would have to meet every level 2 criterion and, because the levels are cumulative, every level 1 criterion as well (Article 20(1)). Key interacting requirements include:
- Establishment and location: the audited provider and its involved subcontractors must be established in the Union, and their infrastructure, assets and personnel must be located in the Union (Annex II §2.1(a)-(b)).
- Data residency: customer data, including metadata and telemetry, must remain exclusively within the Union unless the public sector body explicitly requires otherwise (Annex II §2.1(c)).
- AI-training and transfer ban: data generated by using the service may not be used to train or fine-tune any AI system operated by a third country or third-country entity, and may not be transferred outside the Union "in any case" (Annex II §2.1(f)); note that, unlike the residency criterion, this carries no customer carve-out.
- Cybersecurity certification: the service must obtain a European cybersecurity certificate of at least assurance level "substantial" under a cloud-services scheme to be established under Regulation (EU) 2019/881 (the Cybersecurity Act); until such a scheme exists, national schemes apply where they exist, and otherwise the provider must demonstrate compliance with the highest cybersecurity standards under applicable Union law (Annex II §2.1(e)).
- Software supply chain: the provider must maintain a complete, up-to-date software bill of materials (SBOM) and document controls to block remote features that could materially tamper with or disrupt the service; where it is under third-country control, it must also give the vulnerability-reporting guarantee that no law or practice in that country requires it to report software vulnerabilities to that country's authorities before those vulnerabilities are known to have been exploited (Annex II §2.1(i)(ii)-(iii)).
- Third-country subsidiary separation: to the extent the provider operates globally and maintains a third-country subsidiary, it must enforce effective legal, technical and organisational separation between the Union parent and that subsidiary (Annex II §2.1(k)).
The audit and recognition process
To achieve recognition at level 2, a provider would undergo an independent third-party audit under Article 20, at its own expense, producing an audit report and a "positive" or "negative" audit opinion (Article 20(1), (5)). The auditing organisation would assess compliance with the Annex II criteria, including the §2.1(g) safeguards, on the basis of the audit evidence listed in Annex III (Article 21(1)).
For the third-country-control criterion, the audit evidence in Annex III would require the auditing organisation to identify and analyse direct and indirect shareholders up to the ultimate owners and to assess ownership structures, corporate governance, and commercial and financial links that may confer control (Annex III, audit criterion G). A "positive" opinion supports recognition under Article 17, and the provider must resubmit the report and opinion annually for review (Article 20(8)).
Why level 2 differs from level 3 here
This is the crucial nuance. The additional Annex III step that requires evidence of a Commission decision on the third country (and of effective legal, technical and organisational separation) belongs to the level 3 third-country derogation, not to level 2. At level 2, third-country control is addressed directly through the §2.1(g) safeguards; the proposal does not condition level 2 on a Commission decision identifying the third country.
By contrast, Annex II §3.1(g) provides that, at level 3, providers subject to third-country control may be audited only where the Commission has adopted an implementing act under Article 18 (associated third countries). Level 2 therefore offers a more accessible pathway for third-country-controlled providers, provided they can prove robust operational separation and data protection.
What this means for you
For in-house counsel and compliance officers at providers with global parent companies or significant third-country shareholding, the following actions would be advisable.
1. Conduct a control analysis
Map your ownership structure, corporate governance, and commercial and financial links to determine whether you are subject to third-country control. This includes assessing veto rights, board composition and long-term supply agreements that could confer control, which are the elements that the audit evidence in Annex III directs auditors to examine.
2. Implement and document safeguards
If third-country control is identified, implement and document the legal, technical and organisational measures needed to satisfy Annex II §2.1(g):
- Legal: contracts and governance documents that prevent the controller from restricting service delivery or compelling you to give effect to foreign restrictive measures (unless legitimate under Member State or Union law).
- Technical: architecture that keeps customer data in the Union and prevents third-country access (network segmentation, encryption and access controls).
- Organisational: policies that prevent third-country personnel from accessing Union infrastructure or customer data.
3. Prepare for the independent audit
Engage an auditing organisation early. The audit will be rigorous and evidence-driven. Ensure your SBOM is current and that you can show controls blocking remote tampering features (Annex II §2.1(i)). Budget for the annual review (Article 20(8)).
4. Do not over-read the Article 18 requirement at level 2
Unlike level 3, level 2 does not require a Commission decision under Article 18. Treat the §2.1(g) safeguards as the operative test. Monitoring Commission activity on associated third countries is still useful if you may later seek level 3.
5. Account for penalties and compensation
Non-compliance could trigger penalties under Article 24: Member States must lay down rules that are "effective, proportionate and dissuasive", assessed against non-exhaustive factors including the nature, gravity and duration of the infringement. Recipients would also have a right to seek compensation for damage from an infringement (Article 24(3)).
Common misconceptions
"Third-country-controlled providers are banned from all assurance levels." Incorrect. Level 4 would prohibit third-country control (Annex II §4.1(g)), but levels 1, 2 and 3 would allow it under conditions. Level 2 permits it where the §2.1(g) safeguards are demonstrated.
"Level 2 requires a Commission decision on the third country." No. The Article 18 decision is part of the level 3 derogation (Annex II §3.1(g)). Level 2 turns on the §2.1(g) safeguards alone.
"Data localisation is optional for level 2." No. Annex II §2.1(c) requires customer data, including metadata and telemetry, to remain exclusively within the Union unless the public sector body explicitly requires otherwise, and §2.1(f) bars transfer of service-generated data outside the Union in any case.
"Level 2 does not require independent auditing." It does. Level 2 requires an independent third-party audit under Article 20; only level 1 uses a conformity self-assessment (Article 19).
"GDPR compliance is sufficient for level 2." No. CADA's sovereignty framework goes beyond data protection to operational autonomy, service continuity and protection against foreign coercion. The §2.1(g) safeguards are distinct from, and additional to, GDPR requirements.
This is general information about a draft EU regulation, not legal advice.