Summary

As proposed, the Cloud and AI Development Act (CADA) would require cloud computing service providers to disclose granular details of their third-country control structures to qualify for Union assurance levels 2, 3, and 4. Unlike broader EU transparency regimes, CADA ties this disclosure directly to market access for public procurement. Union assurance level 4 strictly prohibits third-country control, while level 3 allows it only conditionally via a Commission decision under Article 18. Failure to disclose or misrepresenting control structures can lead to the revocation of recognition under Article 17 and penalties under Article 24. This regime goes significantly beyond the ownership transparency found in other EU laws.

Detail

The proposed Cloud and AI Development Act (CADA) introduces a rigorous sovereignty framework designed to mitigate risks associated with dependencies on non-European cloud providers. Central to this framework is the requirement for cloud computing service providers to disclose their ownership and control structures, particularly regarding any influence from third-country entities. This obligation is not merely informational; it is a gatekeeper mechanism for accessing the EU public sector market.

The Sovereignty Framework and Assurance Levels

CADA establishes four "Union assurance levels" under Article 16. To provide services to Union entities and public sector bodies, providers must be recognised as meeting one of these levels. The criteria for these levels, set out in Annex II, escalate in strictness regarding third-country influence:

  • Union Assurance Level 1: Requires the provider to be established in the Union. If the provider is subject to third-country control, it must guarantee that no laws in that third country require the reporting of software vulnerabilities to third-country authorities prior to exploitation.
  • Union Assurance Levels 2, 3, and 4: These higher tiers require independent third-party audits. A core criterion for Levels 2 and 3 is that the provider and its subcontractors must demonstrate measures ensuring that third-country control cannot be used to restrict service delivery, gain access to customer data, or disrupt service continuity.
  • Union Assurance Level 4: This highest tier explicitly requires that the audited provider and its subcontractors are not subject to the control of a third country or a legal entity established in a third country.

The Role of Article 18: Conditional Third-Country Control

A critical nuance in CADA is found in Article 18, which addresses "Associated third countries." Generally, providers subject to third-country control are excluded from the highest assurance levels. However, Article 18 allows the Commission to adopt implementing acts identifying specific third countries whose providers may be audited for Union assurance level 3.

This is a conditional exception, not a general right. For a third country to qualify, it must meet cumulative criteria, including:

  1. Having an adequacy decision under the GDPR (Article 45 of Regulation (EU) 2016/679).
  2. Having no measures enabling control over the provider that conflict with lawful access to non-personal data.
  3. Having no measures to compel the degradation or disruption of service continuity.
  4. Maintaining an open market to Union cloud services.

If a provider is subject to control from a third country that is not identified under Article 18, it cannot be audited for Union assurance level 3. Level 4 is unavailable to any provider under third-country control, whether or not the country is listed, because Annex II requires the absence of such control outright.

Disclosure as a Core Audit Requirement

The disclosure of control structures is not a standalone filing but is embedded within the audit process defined in Article 20 and the criteria in Annex II. Auditing organisations must assess "Audit criterion G – Absence of third-country control" (detailed in Annex III). This requires providers to provide:

  • A complete list of direct and indirect shareholders up to ultimate owners.
  • Capital tables and details of governing bodies.
  • Evidence of commercial or financial links that confer control.
  • Documentation proving that third-country control does not enable access to customer data or disruption of services.

This goes significantly beyond standard corporate transparency. It requires a deep dive into the operational and legal mechanisms of control, ensuring that even if equity ownership is European, effective control does not reside abroad in a way that compromises sovereignty.

Comparison with Other EU Laws

While other EU laws require transparency, CADA's approach is distinct in its linkage to market access:

  • GDPR: Focuses on data protection and lawful transfers (adequacy decisions, standard contractual clauses). It does not assess operational control or supply chain sovereignty.
  • NIS2 Directive: Requires cybersecurity risk management but does not mandate sovereignty audits or prohibit third-country control for market participation.
  • AI Act: Regulates AI systems based on risk categories but does not include a sovereignty framework for cloud infrastructure providers.

CADA uniquely combines data protection, cybersecurity, and operational sovereignty into a single procurement barrier.

What this means for you

For in-house counsel and compliance officers, CADA introduces a new layer of due diligence that extends beyond traditional corporate governance.

  1. Map Ultimate Beneficial Owners: You must be prepared to disclose not just direct shareholders, but the entire chain of control up to ultimate owners. This includes identifying any third-country entities that may exert control through commercial agreements, veto rights, or board appointments.
  2. Audit Readiness: Ensure your internal controls can withstand an independent audit under Article 20. This includes maintaining up-to-date capital tables, shareholder agreements, and documentation of any third-country links.
  3. Assess Tier Eligibility: If your organisation, or a subcontractor in its delivery chain, is subject to third-country control, determine whether that third country is identified under Article 18. If it is not, level 3 is out of reach; level 4 is out of reach in any case while the control persists. Either outcome limits your ability to serve public sector clients that require those levels.
  4. Penalties and Revocation: Under Article 24, Member States must impose effective, proportionate, and dissuasive penalties for infringements. Additionally, under Article 17(11), recognition can be revoked if a provider intentionally or negligently supplied incorrect or misleading information regarding control structures.

Common misconceptions

"Only EU-owned providers can qualify." Incorrect. Providers subject to third-country control can qualify for Union assurance levels 1, 2, and potentially 3 (if Article 18 criteria are met). Only Level 4 strictly prohibits third-country control.

"GDPR adequacy is enough." Incorrect. While an adequacy decision is a prerequisite for Article 18, it is not sufficient. The third country must also meet additional sovereignty criteria, such as not having laws that compel service disruption.

"Disclosure is a one-time filing." Incorrect. Under Article 23, providers must notify auditing organisations and competent authorities of any material changes in circumstances that may affect their recognition, including changes in ownership or control structures.

"CADA only affects data transfers." Incorrect. CADA addresses "operational autonomy" and "control," which are distinct from data transfer mechanisms. It regulates the provider's ability to be controlled by a third country, regardless of where the data physically resides.

This is general information about a draft EU regulation, not legal advice.