Summary

Yes, as proposed, the Cloud and AI Development Act (CADA) strictly requires a GDPR adequacy decision as one of six cumulative criteria for a third country to be recognized as an "associated third country." Under Article 18(1)(a), the Commission may only allow cloud computing services controlled by entities in that third country to qualify for Union assurance level 3 if the country is subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679 (the GDPR). This is a mandatory precondition that cannot be satisfied by alternative safeguards, such as Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework, unless the latter is formalized as a full adequacy decision.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a "Union cloud computing sovereignty framework" comprising four assurance levels. While Levels 1 and 2 generally require establishment and infrastructure within the Union, Article 18 creates a specific, narrow derogation pathway. It allows the Commission to identify "associated third countries" whose cloud providers, despite being subject to third-country control, may still be audited against the criteria for Union assurance level 3.

This mechanism is critical because Union assurance level 3 is often the minimum requirement for public sector activities identified as contributing to the preservation of public order (e.g., national security, defense, law enforcement) under Article 29. However, access to this level is gated by a rigorous set of conditions.

The Mandatory Role of GDPR Adequacy

Article 18(1) explicitly lists six cumulative criteria that a third country must fulfill to be designated as an "associated third country." The first criterion, Article 18(1)(a), states that the third country must be:

"subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679."

Regulation (EU) 2016/679 is the General Data Protection Regulation (GDPR). Article 45 empowers the European Commission to determine that a third country, a territory, or one or more specified sectors within a third country ensures an adequate level of data protection. By embedding this requirement directly into CADA's sovereignty framework, the proposal ensures that any third-country provider seeking to serve sensitive EU public sector functions at Level 3 must operate within a jurisdiction already vetted by the EU for its data protection standards.

This is not a suggestion or a best practice; it is a statutory condition. As Article 18(1) states, the criteria are cumulative. This means that even if a third country satisfies the other five criteria (such as having no measures enabling extraterritorial data access, no powers to disrupt service continuity, and an open market to EU cloud services), it cannot qualify as an associated third country without an existing GDPR adequacy decision.

The Six Cumulative Criteria of Article 18

For a third country to be recognized as an associated third country, the Commission must adopt an implementing act confirming that the country meets all six conditions listed in Article 18(1):

  1. GDPR Adequacy (Art. 18(1)(a)): The country is subject to a relevant adequacy decision under GDPR Article 45.
  2. No Conflicting Control (Art. 18(1)(b)): The country has no measures enabling it to exercise control over the provider in a way that conflicts with lawful access to non-personal data under Article 32(2) and (3) of Regulation (EU) 2023/2854 (the Data Act).
  3. No Service Disruption or Coercion (Art. 18(1)(c)): The country has no measures to compel the provider to degrade or disrupt service continuity, or to enforce restrictive measures (such as sanction regimes or embargoes), unless these measures are legitimate under the national laws of Member States or Union law.
  4. No Impediment to Technology (Art. 18(1)(d)): The country has no measures impeding the provision of state-of-the-art technologies and services.
  5. Open Market (Art. 18(1)(e)): The country maintains an open market to Union cloud computing services.
  6. Reciprocal Access (Art. 18(1)(f)): The country grants equivalent levels of access to its public procurement procedures for cloud services controlled by a Union Member State or entity.

If the Commission determines that a third country no longer fulfills these requirements, Article 18(2) mandates that the Commission shall repeal, amend, or suspend the decision.

The Scope of the Derogation: Level 3 Only

It is vital to note the limited scope of Article 18. The derogation applies only to Union assurance level 3.

  • Level 3: Allows for third-country control if the country is "associated" under Article 18.
  • Level 4: Under Annex II, point 4.1(g), the criteria for the highest assurance level explicitly state that the provider and its subcontractors "are not subject to the control of a third country or a legal entity established in a third-country." There is no derogation for Level 4. Even if a country has GDPR adequacy and meets all Article 18 criteria, its providers cannot qualify for Level 4. This effectively reserves the highest sovereignty tier for providers with no third-country control whatsoever.

What this means for you

For in-house counsel, compliance officers, and public procurement teams, the Article 18 adequacy requirement has profound strategic implications.

1. The "Gatekeeper" Effect on Vendor Selection

If your organization is procuring cloud services for activities identified under Article 29 as requiring Union assurance level 3 (e.g., law enforcement, critical infrastructure), you must verify the status of the provider's controlling jurisdiction.

  • If the country lacks GDPR adequacy: The provider is automatically ineligible for Level 3, regardless of their technical security certifications, contractual safeguards, or "sovereign cloud" branding.
  • Current Landscape: Currently, only a limited number of countries hold full GDPR adequacy decisions (e.g., Japan, the UK, Canada for commercial organizations, Argentina, etc.). Major providers like US hyperscalers operate under the EU-US Data Privacy Framework (DPF), which is a specific adequacy mechanism for transfers but does not automatically satisfy the broad "associated third country" status for sovereignty purposes unless the Commission explicitly confirms the DPF covers the necessary scope under Article 45. Until a formal, comprehensive adequacy decision is adopted for the US under Article 45, US-based providers may fail the Article 18(1)(a) test.

2. Procurement Planning and Risk Assessment

Under Article 29, Member States and Union entities must conduct risk assessments to determine the required assurance level. If your assessment concludes that Level 3 is necessary, you must filter your vendor pool based on Article 18.

  • Screening: Do not rely on a provider's self-declaration of "sovereignty." Check the Commission's list of associated third countries (to be published under Article 18(3)).
  • Contingency: If your preferred provider is from a non-associated country, you must either:
    • Accept a lower assurance level (Level 1 or 2), which may not be legally permissible for your specific public-order activity; or
    • Switch to a provider established in the Union with no third-country control (eligible for Level 3 and 4).

3. Dynamic Compliance and Monitoring

Adequacy decisions are not static. The Commission can repeal or suspend them if a country's data protection laws change or if the country fails to uphold its commitments.

  • Trigger for Migration: If the Commission suspends an adequacy decision for a country, that country immediately ceases to meet Article 18(1)(a). Consequently, any cloud service relying on that country's "associated" status for Level 3 recognition would lose its eligibility.
  • Action: Compliance teams must monitor Commission decisions on adequacy. A change in status could trigger an immediate need to migrate data or re-audit services to ensure continued compliance with Article 30 procurement obligations.

4. Distinction from Data Transfer Mechanisms

Do not confuse CADA's sovereignty requirements with GDPR data transfer mechanisms.

  • GDPR: Focuses on the transfer of personal data. SCCs or BCRs can facilitate transfers to non-adequate countries.
  • CADA: Focuses on the sovereignty of the infrastructure and the provider's control structure. For Level 3, CADA does not accept SCCs as a substitute for the Article 18(1)(a) adequacy requirement. The country itself must be "adequate."

Common misconceptions

Misconception 1: "Standard Contractual Clauses (SCCs) are enough." Some stakeholders believe that robust contractual clauses between the public body and the cloud provider can substitute for the GDPR adequacy requirement in Article 18. This is incorrect. Article 18(1)(a) is a condition on the third country itself, not the contract. Private contractual safeguards cannot override the statutory requirement that the country be subject to an Article 45 adequacy decision.

Misconception 2: "The EU-US Data Privacy Framework (DPF) automatically qualifies US providers." While the DPF is an adequacy decision for the purpose of data transfers under the GDPR, CADA's Article 18 requires the Commission to assess whether the adequacy decision applies generally to the third country or is limited to specific sectors. Furthermore, the DPF does not address the other five cumulative criteria in Article 18 (e.g., no measures to disrupt service continuity, reciprocal procurement access). Even if the DPF is deemed sufficient for Article 18(1)(a), US providers must still meet the remaining five criteria to be designated as an "associated third country."

Misconception 3: "Level 3 is the highest level, so third countries can reach the top." This is false. Union assurance level 4 is the highest level. As noted in Annex II, point 4.1(g), Level 4 strictly prohibits third-country control. Article 18 is a derogation only for Level 3. Therefore, no third-country provider, regardless of their country's adequacy status, can ever qualify for Level 4.

Misconception 4: "All third-country providers are banned." CADA does not ban third-country providers. Providers from non-associated third countries can still offer services at Union assurance level 1 (via self-assessment) or level 2 (via audit), provided they meet the criteria in Annex II (which generally require EU establishment and infrastructure, but Level 2 allows for some third-country control if specific safeguards are met, though not the Article 18 derogation). However, they cannot reach Level 3 without their country being designated under Article 18.

This is general information about a draft EU regulation, not legal advice.