Summary

As proposed, Union assurance level 3 under the Cloud and AI Development Act (CADA) generally bars cloud computing services from providers or subcontractors that are subject to the control of a third country or a legal entity established in a third country (Annex II, point 3.1(g)). The prohibition is not absolute: a derogation would apply where the Commission has designated the relevant third country as an "associated third country" by implementing act under Article 18. Absent such a designation, a provider subject to third-country control could not achieve level 3 recognition.

Detail

CADA would establish a Union cloud computing sovereignty framework comprising four "Union assurance levels", the criteria for which are set out in Annex II (Article 16(1)). Level 3 sits near the top of that scale and is one of the levels (2, 3 or 4) that a risk assessment under Article 29 may require for public sector activities that contribute to the preservation of public order.

The general rule: no third-country control

To qualify for level 3, a provider would have to meet all of the cumulative criteria in Annex II, point 3.1. On ownership and control, the default position is restrictive.

Annex II, point 3.1(g) provides that, for Union assurance level 3, "the audited provider and the subcontractors which are involved in the provision of the audited service are not subject to the control of a third country or a legal entity established in a third-country."

This criterion is one of several cumulative requirements that, as proposed, also include:

  • Establishment of the provider and its subcontractors in the Union (Annex II, point 3.1(a)).
  • Infrastructure, assets and personnel located in the Union (Annex II, point 3.1(b)).
  • Customer data, including metadata and telemetry, remaining exclusively within the Union unless the public sector body explicitly requires otherwise (Annex II, point 3.1(c)).
  • Personnel who are Union citizens and, where appropriate for handling classified information, hold a national security clearance from a Member State (Annex II, point 3.1(d)).

"Control" is defined by reference to Article 2, point (6), of Regulation (EU) 2021/697 (Article 2, point (21) of CADA). This is a substantive, effects-based concept of control rather than a mere shareholding threshold.

The derogation: associated third countries

Annex II, point 3.1(g) contains a derogation. By way of derogation from the no-control criterion, a provider and its subcontractors that are subject to third-country control may be audited for level 3 where the Commission has adopted an implementing act designating that country (the substantive mechanism is Article 18, "Associated third countries").

This means a provider controlled by a non-EU entity is not automatically and permanently barred from level 3. But it cannot reach level 3 on its own merits or through bilateral arrangements alone: it depends on a Commission-level designation of the controlling country.

The mechanism: Article 18 designations

Article 18 would empower the Commission, by implementing act, to identify third countries for which providers subject to that country's control may be audited against the level 3 criteria. As proposed, the third country would have to fulfil all of the following cumulative criteria (Article 18(1)):

  1. It is subject to a relevant adequacy decision adopted under Article 45 of the GDPR (Regulation (EU) 2016/679).
  2. It has no measures enabling it to exercise control over the provider in a way that would conflict with the lawful-access requirements for non-personal data in Article 32(2)-(3) of the Data Act (Regulation (EU) 2023/2854).
  3. It has no measures to compel the provider to degrade or disrupt service continuity or provision, and no measures obliging the provider to implement or comply with restrictive measures such as sanction regimes or embargoes, unless those measures are legitimate under Member State or Union law.
  4. It has no measures to impede the provision of state-of-the-art technologies and services by the provider.
  5. It maintains an open market to Union cloud computing services.
  6. It grants equivalent access to public procurement procedures for cloud services subject to the control of a Union Member State, Union entity or legal entity established in the Union.

Where the Commission has adopted such an implementing act, the provider and its subcontractors must still demonstrate that the necessary legal, technical and organisational measures are in place so that third-country control does not restrain service delivery, that access to customer data by the third country is prevented, that service disruption or degradation is prevented, and that the provider is not obliged to comply with illegitimate restrictive measures (Annex II, point 3.1(g)(i)-(iv)). Where such a decision is repealed, amended or suspended because the country no longer meets the criteria, the basis for the derogation falls away (Article 18(2)). The Commission would publish a list of qualifying and non-qualifying countries on its website (Article 18(3)).

If the Commission has not adopted such an act for the country in question, the provider remains barred from level 3 by the unmet criterion in Annex II, point 3.1(g).

Audit and verification

For Union assurance levels 2, 3 and 4, recognition requires an independent third-party audit (Article 20). Annex III sets out the audit evidence, including "Audit criterion G - Absence of third-country control or third-country entity". Auditors would examine, among other things, all direct and indirect shareholders up to the ultimate owners, the capital and voting structure, the rules for appointing governing bodies, quorums and majorities for strategic decisions, and commercial or financial links capable of conferring control. Where the auditor concludes that the provider is subject to third-country control, a positive level 3 opinion would be possible only if the Commission has designated that country under Article 18.

What this means for you

For in-house counsel and compliance teams, particularly at providers with non-EU parents or significant non-EU shareholders, the level 3 control rule is structural rather than something that can be drafted around at the contract layer.

1. Map your control structure against the legal test

Assess your ownership and control against the definition of "control" in Article 2, point (6), of Regulation (EU) 2021/697. Even a legally separate EU subsidiary may be "controlled" if a non-EU parent can exercise decisive influence over strategic decisions, appoint or veto board members, or otherwise materially direct the entity. If so, you would, as proposed, be ineligible for level 3 unless the parent's country is designated under Article 18.

2. Track Article 18 implementing acts

Your level 3 eligibility may turn on EU-level decisions rather than on technical changes you control. Watch the Commission's published list. Designation requires GDPR adequacy plus the further cumulative criteria in Article 18(1), and it is neither automatic nor guaranteed for any particular jurisdiction.

3. Prepare for deep audit evidence

If you pursue level 3, expect auditors to probe corporate governance under Annex III criterion G, including shareholder agreements, articles of association and ultimate beneficial ownership. If you rely on the Article 18 derogation, you must also evidence the safeguards in Annex II, point 3.1(g)(i)-(iv).

4. Procurement consequences

Member States and Union entities determine the required assurance level through risk assessments under Article 29, and contracting authorities procure accordingly under Article 30. Where an activity contributes to public order and no Article 18 decision covers your controlling country, you would be excluded from contracts requiring level 3. For providers under non-EU control, that is a significant barrier absent either a restructuring that removes third-country control or an Article 18 designation of the controlling country.

5. Subcontractor due diligence

The no-control criterion applies to subcontractors involved in the provision of the service as well as to the provider. Extend diligence across your supply chain so that no in-scope subcontractor is subject to third-country control, unless that control rests in a country designated under Article 18.

Common misconceptions

"An EU subsidiary means we are not under third-country control." Not necessarily. CADA looks at effective control, not just place of establishment. Annex III criterion G expressly examines ultimate ownership and governance rights, so a non-EU parent able to dictate strategic decisions or appoint management can leave the EU subsidiary controlled by a third country.

"GDPR adequacy is enough for level 3." No. Adequacy is one prerequisite for an Article 18 designation, but the Commission must also verify the other cumulative criteria (no conflicting access powers, no disruption powers, no illegitimate restrictive-measure obligations, no technology-supply barriers, open market and reciprocal procurement access) and then formally adopt the implementing act. Without that act, the derogation in Annex II, point 3.1(g) does not apply.

"We can negotiate level 3 directly with a Member State." No. Recognition is harmonised. A provider applies to the national competent authority of its establishment (Article 17), against EU-wide Annex II criteria. A single Member State cannot waive the third-country control requirement; the only route for a controlled provider is an EU-level Article 18 decision.

"Level 3 is only for classified data." Level 4 is the tier most associated with classified information, but level 3 applies to public sector activities contributing to public order, which can involve sensitive but unclassified data. The control restrictions apply regardless of whether you handle EU classified information.

This is general information about a draft EU regulation, not legal advice.