Summary

The proposed Cloud and AI Development Act (CADA) would not repeal or override the US CLOUD Act — no EU law can. What it would do is build a sovereignty framework that makes a provider exposed to foreign legal compulsion ineligible for the EU's most sensitive public-sector cloud work. Under Article 16, services would be graded across four "Union assurance levels," and for the higher levels Annex II would require providers to show they are not subject to third-country control and that foreign access to data is prevented. Article 18 would allow a narrow exception for providers from a recognised "associated third country," but only up to level 3 and only where that country meets strict cumulative criteria. So CADA would not stop the CLOUD Act from existing — it would aim to keep CLOUD-Act-exposed services out of the workloads that matter most.

Detail

EU reliance on non-European cloud providers has long raised sovereignty concerns. The Commission's reasoning behind CADA is blunt: "three non-EU hyperscalers control over 70% of the European cloud market," and the Union remains "critically dependent" on a limited number of providers subject to third-country jurisdictions where laws with extraterritorial effect apply. As proposed, Recital 46 frames this dependence as a vulnerability and treats retaining control over the Union's own infrastructure, data and assets as having "become an imperative policy objective."

The US CLOUD Act context

To see what CADA responds to, start with the threat. The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) amended the US Stored Communications Act by adding §2713, which requires a provider of electronic communication or remote computing service to preserve, back up or disclose data "within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States." In plain terms: if the provider answers to US jurisdiction, US legal process can reach the data even if it sits in an EU data centre.

CADA's recitals acknowledge that provider-led "sovereign" product tiers do not solve this. Recital 48, as proposed, states that the tailored service versions providers have launched "do not address the core sovereignty issues" that allow for the extraterritorial reach of third-country laws and the possible degradation or disruption of the service. The proposed answer is a harmonised mechanism to strengthen the Union's long-term strategy for technological autonomy, control and resilience.

The four-tier Union assurance framework

At the heart of CADA's protective mechanism is the Union cloud computing sovereignty framework under Article 16, comprising four assurance levels with cumulative criteria in Annex II that tighten as the level rises. As Recital 52 explains, the levels should provide "a proportionate framework to ensure that public order is preserved by maintaining control and agency by public-sector bodies"; most public services "would not require the highest levels of assurance," with the highest levels reserved for the most critical cases.

For the higher levels, Annex II would require providers to demonstrate, through independent third-party audit, that legal, technical and organisational measures are in place so that:

  • access by a third country (or an entity established in a third country) to customer data is prevented;
  • disruption of service continuity or degradation of service quality by a third country is prevented; and
  • the provider is not obliged to give effect to foreign restrictive measures such as sanctions or embargoes, unless those measures are legitimate under Member State or Union law.

For levels 3 and 4, Annex II goes further: the provider and its subcontractors involved in the service must not be subject to third-country control at all (subject only to the Article 18 route at level 3), personnel must be Union citizens, and the cybersecurity certificate must be at least "substantial" (level 3) or "high" (level 4).

Third-country recognition and the Article 18 exception

Article 18 would let the Commission identify "associated third countries" whose providers — even if controlled by that country — may be audited against the criteria for Union assurance level 3. This is not a blanket pass. Under Article 18(1), the third country must meet cumulative criteria, including:

  • being subject to a relevant GDPR adequacy decision under Article 45 of Regulation (EU) 2016/679;
  • having no measures that enable control over the provider conflicting with lawful access to non-personal data under the Data Act (Regulation (EU) 2023/2854);
  • having no measures to compel the provider to degrade or disrupt service, or to give effect to sanctions/embargoes unless legitimate under EU or Member State law;
  • not impeding the provision of state-of-the-art technologies and services by the provider;
  • maintaining an open market to Union cloud services and granting equivalent procurement access.

This functions like a vetted list of jurisdictions whose legal frameworks are judged compatible with EU sovereignty needs. For a country whose laws provide a basis for extraterritorial data access, qualifying would be demanding — and even then the route reaches level 3, never level 4.

Risk assessments and procurement obligations

CADA would not leave the choice of level to individual buyers. Article 29 requires Member States and Union entities to carry out risk assessments identifying which public-sector activities "contribute to the preservation of public order" — expressly including the sectors under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555) plus national security, internal security, external border management, defence, justice and law enforcement.

Based on those assessments, Article 30 would set procurement rules. Activities not identified as contributing to public order must use services recognised at level 1 (Article 30(2)); activities that are so identified must "only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4" (Article 30(3)). There is a narrow, "exceptional" and "duly justified" derogation in Article 30(4) — for example where no recognised service can meet the need, or only at disproportionate cost. The effect is a direct link between sovereignty and procurement: a provider that cannot prove insulation from foreign legal compulsion through the audit process (Article 20) and the Annex II criteria cannot reach the level needed to serve critical public functions.

What this means for you

For public-sector buyers, CADA would shift the burden of proof from buyer to supplier. You would rely less on your own geopolitical risk assessment of a provider's home country and more on its formal, audited recognition.

  1. Risk assessments come first. Carry out an Article 29 risk assessment (or rely on your Member State's) to see whether your activities fall under "public order." If they do, you would be required under Article 30 to procure at level 2, 3 or 4.
  2. Check the central repository. Under Article 22, the Commission would maintain a public central repository of recognised services, kept up to date by the Commission and national authorities. Verify a service is listed at the right level before awarding.
  3. Scrutinise third-country control. An EU-incorporated provider controlled by a third-country parent must, for level 3, either be free of third-country control or qualify via an Article 18 associated-third-country decision and show the required separation measures.
  4. Ask for audit evidence. For levels 2 to 4, the audit examines exactly these sovereignty criteria. You can ask the provider for evidence that it demonstrated insulation from foreign access during its audit.

Common misconceptions

"CADA bans US cloud providers." It names no country. But by requiring proof of insulation from foreign compulsion at the higher levels, it would create a practical barrier for any provider exposed to laws like the CLOUD Act — unless that provider can show it is genuinely insulated, structurally and technically.

"GDPR already protects against the CLOUD Act." The GDPR governs personal-data processing and transfers; it does not address operational autonomy, non-personal data or service continuity. The Commission notes that while the EU-US Data Privacy Framework addresses transatlantic transfers, sovereignty "goes beyond data transfers and relates to operational autonomy too." CADA is intended to complement, not replace, the GDPR.

"Level 1 is enough for all public services." Level 1 is the minimum for general public-sector use. For any activity identified as contributing to public order — law enforcement, defence, critical infrastructure — Article 30(3) would require level 2, 3 or 4.

This is general information about a draft EU regulation, not legal advice.