Summary
As proposed, the Cloud and AI Development Act (CADA) does not impose a blanket reciprocity requirement on all third-country cloud providers. However, for providers controlled by a third country to qualify for Union assurance level 3, the Commission may only designate that country as "associated" if it meets strict reciprocity conditions. Specifically, Article 18(1)(e) requires the third country to "maintain an open market to Union cloud computing services," and Article 18(1)(f) mandates that it "grants equivalent levels of access to public procurement procedures" for Union providers. These conditions ensure that the EU's market openness is matched by comparable access for European providers in the third country.
Detail
The CADA proposal establishes a comprehensive Union cloud computing sovereignty framework to mitigate strategic dependencies and protect public order. Central to this framework are the Union assurance levels (1 through 4), which categorize cloud services based on their security, data sovereignty, and control credentials. While providers established within the Union can seek recognition for all four levels, providers subject to the control of a third country or a legal entity established in a third country face a distinct and higher barrier.
Generally, under Annex II, cloud providers subject to third-country control are excluded from Union assurance levels 2, 3, and 4. However, Article 18 provides a specific derogation mechanism. It empowers the Commission to adopt implementing acts identifying "associated third countries" whose providers may be audited against the criteria for Union assurance level 3. This designation is not automatic; it is contingent upon the third country fulfilling a set of cumulative criteria designed to ensure that the partner country offers safeguards equivalent to those required within the Union.
Two of these cumulative criteria, found in Article 18(1)(e) and (f), directly address market access and reciprocity. These provisions act as a gatekeeper, ensuring that the EU does not grant access to its sensitive public sector cloud market to countries that restrict European providers in return.
1. Open Market to Union Cloud Services
Article 18(1)(e) stipulates that the third country must "maintain an open market to Union cloud computing services." This criterion is designed to prevent market fragmentation and ensure that the EU's single market for digital services is not exploited by third countries that restrict European competition. It requires the third country to refrain from measures that would unjustifiably block, limit, or discriminate against cloud computing services originating from the Union. The objective is to foster a reciprocal environment where European providers can compete on merit without facing artificial barriers erected by the third country.
2. Equivalent Access to Public Procurement
Article 18(1)(f) imposes a more specific and critical condition regarding government contracts. It requires that the third country "grants equivalent levels of access to public procurement procedures of cloud computing services subject to the control of a Union Member State or entity or a legal entity established in the Union."
This provision is particularly significant because CADA's sovereignty framework is heavily demand-side driven, mandating that public sector bodies procure specific assurance levels based on risk assessments (Article 29 and Article 30). If a third country allows its providers to bid for sensitive public cloud contracts in the EU (up to level 3), it must, in turn, allow Union providers to bid for similar public cloud contracts within its own jurisdiction. The term "equivalent levels of access" implies a functional parity in opportunity, rather than necessarily identical regulatory frameworks. It ensures that the EU's public procurement market is not opened to providers from countries whose own markets remain closed to EU providers.
The Cumulative Nature of the Criteria
It is crucial to understand that the reciprocity requirements in Article 18(1)(e) and (f) are part of a cumulative list. A third country must also satisfy:
- Article 18(1)(a): Existence of a relevant adequacy decision under Article 45 of Regulation (EU) 2016/679 (GDPR).
- Article 18(1)(b): Absence of measures enabling control over the provider that conflicts with lawful access rules under the Data Act.
- Article 18(1)(c): Absence of measures compelling service disruption or compliance with restrictive measures (sanctions/embargoes) unless legitimate under EU law.
- Article 18(1)(d): Absence of measures impeding the provision of state-of-the-art technologies.
If a third country fails to meet any of these criteria, including the market access and procurement reciprocity conditions, the Commission cannot designate it as an associated third country. Consequently, cloud providers from that country would be ineligible for Union assurance level 3, effectively barring them from serving EU public sector activities identified as contributing to the preservation of public order.
Procedural Mechanisms and Review
The Commission adopts decisions identifying associated third countries by means of implementing acts, following the examination procedure referred to in Article 46(2) of CADA. This ensures that the assessment of reciprocity is conducted with the oversight of Member States.
Furthermore, the framework includes a dynamic review mechanism. Article 18(2) obliges the Commission to repeal, amend, or suspend a decision if available information reveals that the third country no longer fulfills the requirements. This could occur if a country subsequently restricts market access or alters its public procurement rules to exclude Union providers. Article 18(3) requires the Commission to publish a list of third countries that fulfill the requirements and those that no longer do so, ensuring transparency for market participants.
What this means for you
For legal counsel, compliance officers, and public procurement specialists, the reciprocity conditions in Article 18 represent a strategic lever and a compliance checkpoint.
For Non-EU Cloud Providers
If your company is established in a third country and seeks to serve EU public sector bodies requiring Union assurance level 3, your home country's status is the primary determinant of your eligibility. You cannot unilaterally achieve level 3 recognition if your country is not designated as "associated."
- Action: Monitor the Commission's implementing acts and the published list of associated third countries.
- Strategy: Engage with your national government to ensure that domestic market regulations and public procurement laws remain open to EU providers. If your country faces scrutiny regarding market access, your ability to serve EU clients at level 3 is at risk.
- Risk: If your country loses its associated status due to a change in reciprocity conditions, your existing recognition may be suspended. You must have a migration plan for EU clients who require level 3 assurance.
For EU Cloud Providers
Article 18(1)(e) and (f) provide a formal mechanism to advocate for fair market access globally.
- Advocacy: If you face barriers to entry in a third country that is seeking or maintaining associated status, you can formally highlight these discrepancies to EU policymakers and the Commission.
- Leverage: The requirement for "equivalent levels of access" means that a third country cannot restrict EU providers from bidding on local government cloud contracts while simultaneously allowing its providers to bid on sensitive EU contracts. This reciprocity can be a powerful tool in trade negotiations and regulatory dialogues to level the playing field.
For Public Sector Procurement Officers
When procuring cloud services, your ability to engage with non-EU providers at Union assurance level 3 is strictly dependent on the Commission's designation.
- Compliance: You cannot independently assess whether a third country meets the reciprocity criteria. You must rely on the official list published by the Commission under Article 18(3).
- Procurement Rules: Under Article 30(3), if your risk assessment (Article 29) identifies your activity as contributing to the preservation of public order, you must procure only services recognized at level 2, 3, or 4. If a non-EU provider is the only viable option, you must verify that their country is currently listed as an associated third country. If the list changes, your procurement strategy must adapt immediately.
Common misconceptions
"Reciprocity applies to all cloud providers from third countries." This is incorrect. The reciprocity requirements in Article 18(1)(e) and (f) apply only to the designation of "associated third countries" for the specific purpose of granting Union assurance level 3. Providers from non-associated third countries are generally excluded from levels 2, 3, and 4 unless they meet strict conditions that typically require them to be established in the Union and not subject to third-country control. The reciprocity test is a country-level gatekeeper, not a direct contractual obligation for every individual provider.
"Reciprocity means identical market rules." No. The requirement is for "equivalent levels of access" to public procurement and an "open market" to Union services. This does not mean the third country must have identical regulatory frameworks, tax structures, or market definitions to the EU. It means that the practical opportunities for EU providers to compete for public contracts and sell services must be comparable to those afforded to the third country's providers in the EU. The Commission assesses this equivalence on a case-by-case basis, focusing on the outcome (access) rather than the specific regulatory method.
"Private sector entities are directly bound by these reciprocity rules." While private sector entities in critical sectors (as defined in Annex I of the NIS2 Directive) may conduct impact assessments similar to public sector risk assessments (Article 31), the formal recognition of associated third countries and the associated reciprocity requirements are primarily driven by public procurement rules. Private entities may choose to follow the assurance levels voluntarily, but the legal obligation to procure from recognized services based on these criteria falls on Union entities and public sector bodies (Article 30).
This is general information about a draft EU regulation, not legal advice.