Summary
Yes. The proposed Cloud and AI Development Act (CADA) Union Assurance Level 4 effectively requires providers to be free of the legal exposure to foreign laws such as the US CLOUD Act that the GDPR tolerates under adequacy decisions or transfer safeguards. The GDPR allows personal data to flow to a third country if appropriate safeguards are in place; CADA Level 4 instead requires that the provider and its subcontractors are not subject to the control of a third country or of an entity established there, so that no foreign authority can compel access to customer data or disrupt the service. This sets a sovereignty baseline that goes well beyond the GDPR's data-protection objective, prioritising operational autonomy and public order. Consequently, a provider within reach of the US CLOUD Act cannot qualify for Level 4, even if it is certified under the EU-US Data Privacy Framework and transfers to it are therefore covered by an adequacy decision.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a four-tiered "Union Assurance Levels" framework to classify cloud computing services based on their sovereignty and resilience against third-country interference. To understand why Level 4 effectively excludes providers exposed to the US CLOUD Act, one must distinguish between the GDPR's data-centric transfer rules and CADA's infrastructure-centric sovereignty requirements.
The GDPR Approach: Managing Transfer Risk
Under the General Data Protection Regulation (GDPR), the primary concern is the protection of personal data. The GDPR does not prohibit transfers to third countries where laws like the US CLOUD Act exist. Instead, it permits these transfers if specific conditions are met:
- Adequacy Decisions: The European Commission has adopted an adequacy decision for the US under the EU-US Data Privacy Framework, finding that transfers to US organisations certified under the Framework enjoy a level of protection essentially equivalent to that guaranteed in the EU.
- Appropriate Safeguards: In the absence of adequacy, transfers can occur using Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), provided a Transfer Impact Assessment confirms that supplementary measures mitigate the risk of government access.
Consequently, a US-based hyperscaler can legally process EU personal data under the GDPR, even though it is subject to the US CLOUD Act, which allows US authorities to compel the disclosure of data stored abroad if the provider is subject to US jurisdiction. The GDPR focuses on whether the outcome for the data subject is protected, not on the structural independence of the provider from foreign legal systems.
The CADA Approach: Eliminating Sovereignty Risk
CADA, by contrast, addresses "operational autonomy" and "public order." Article 16 of the CADA proposal establishes the Union cloud computing sovereignty framework, comprising four assurance levels. These levels are cumulative; a provider meeting Level 4 must also meet the criteria for Levels 1, 2, and 3.
Union Assurance Level 4 Criteria
According to Annex II, Section 4 of the CADA proposal, Level 4 imposes the strictest sovereignty requirements. Key criteria include:
- No Third-Country Control: Criterion 4.1(g) explicitly states that "the audited provider and the subcontractors which are involved in the provision of the audited service are not subject to the control of a third country or a legal entity established in a third-country."
- Strict Data Localization: Criterion 4.1(c) requires that sensitive customer data "remain exclusively within the Union and at any time, including before, during or after the configuration or use of the service."
- Union Citizenship and Clearance: Criterion 4.1(d) mandates that personnel involved in the service are Union citizens and, where appropriate, hold national security clearance.
- No Third-Country Support: Criterion 4.1(h) requires that technical and operational support be initiated and performed exclusively within the Union by personnel who are Union residents and not subject to third-country control.
- High Cybersecurity Certification: Criterion 4.1(e) requires a European cybersecurity certificate of at least assurance level "high" (distinct from the "substantial" level required for Levels 2 and 3).
The CLOUD Act Conflict
The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is the paradigm case of the foreign legal leverage that CADA Level 4 is designed to exclude. Under the CLOUD Act, US authorities can order any provider subject to US jurisdiction to produce data in its "possession, custody, or control", regardless of where that data is stored. The order is served on the company, not on the data centre, so locating the data in the Union does not take it out of reach.
This is why US hyperscalers cannot satisfy Criterion 4.1(g). The criterion has two limbs: control by a third country, and control by "a legal entity established in a third-country". An EU subsidiary of a US parent fails on the second limb even if it is incorporated, staffed and operated entirely within the Union, because the parent that controls it remains exposed to the CLOUD Act and to other extraterritorial instruments such as FISA Section 702. The residual risk that a third country could compel access to data or interfere with service continuity is enough to disqualify the service from Level 4 recognition: the framework treats the existence of such legal leverage as disqualifying for the highest assurance level, regardless of whether the leverage is ever actually used.
Article 18 and Associated Third Countries
CADA does provide a limited mechanism for third-country providers through Article 18, which allows the Commission to identify "associated third countries." However, this provision is strictly limited to Union Assurance Level 3, not Level 4.
Article 18(1) permits cloud computing service providers subject to the control of a third country to be audited against Level 3 criteria only if that third country fulfills cumulative criteria, including:
- Having an adequacy decision under Article 45 of the GDPR.
- Having no measures that enable control over the provider in a way that conflicts with EU data access rules (specifically referencing Article 32 of the Data Act).
- Having no measures to compel the provider to degrade or disrupt service continuity.
Crucially, Annex II Section 4 (Level 4) contains no such derogation. Level 4 requires absolute absence of third-country control. Therefore, even if the US were deemed an "associated third country" under Article 18 (which is currently unlikely given the complexities of US surveillance laws), US providers could only qualify for Level 3, not Level 4. The draft explicitly separates the "high" assurance of Level 4 from the "substantial" assurance of Level 3, reserving the former for entities entirely free from third-country legal reach.
Why CADA Goes Beyond GDPR
The GDPR's adequacy decisions focus on the outcome of data protection. CADA's assurance levels focus on the structural independence of the infrastructure.
- GDPR: Allows US access if safeguards mitigate harm to privacy rights.
- CADA Level 4: Prohibits the possibility of US access or control, regardless of safeguards, to protect public order and critical infrastructure.
This distinction is critical for public sector bodies. Under Article 30 of CADA, contracting authorities whose activities contribute to the preservation of public order (e.g., defense, justice, critical infrastructure) must procure services recognized at Level 2, 3, or 4. For the most sensitive activities, Level 4 is the only option that guarantees no third-country influence. The proposal explicitly states in the explanatory memorandum that the AI Act "does not cover aspects of sovereignty," and CADA is designed to fill this gap by addressing "operational autonomy" and "public order" risks that data protection laws alone cannot resolve.
What this means for you
For in-house counsel and compliance officers, the implications of CADA's Level 4 requirements are significant for procurement strategies and vendor management.
1. Re-evaluating Current Cloud Contracts
If your organization is a public sector body, or operates in one of the sectors of high criticality listed in Annex I of the NIS2 Directive, you must assess which assurance level your activities will require and whether your current cloud providers can reach it. Most US-based hyperscalers will not qualify for Level 4 because of their exposure to the CLOUD Act. If your use case is classified as requiring Level 4 (e.g., handling classified information or operating critical national infrastructure), you will need to migrate to a provider that is not subject to third-country control. Certification under the EU-US Data Privacy Framework, and the adequacy decision that covers it, will not satisfy the "no third-country control" criterion of Level 4.
2. Conducting Sovereignty Risk Assessments
Article 29 requires Member States and Union entities to conduct risk assessments to determine the appropriate assurance level for their cloud activities.
- Deadline: These assessments must be carried out within one year of the Regulation's entry into force, and repeated every two years thereafter.
- Action: You must map your data sensitivity and criticality against the CADA criteria. If your data is "sensitive" and your activity is "critical," you may be mandated to use Level 4 services. The risk assessment must explicitly consider the "risk and consequent impact on public order of unlawful access under Union law to such data by a third country."
3. Procurement Adjustments
Article 30 mandates that public sector bodies procuring cloud services must, as a minimum, use services recognized at Level 1. For activities contributing to public order, you must procure Level 2, 3, or 4 services.
- Tender Specifications: Update your tender documents to explicitly require CADA Union Assurance Level recognition.
- Vendor Due Diligence: Request evidence from vendors that they meet the criteria in Annex II. For Level 4, this includes proof that no third country has control over the provider or its subcontractors. Note that Article 18 derogations are not available for Level 4.
4. Monitoring for Changes
Article 23 imposes transparency obligations on providers. If a provider's circumstances change (e.g., a change in ownership that introduces third-country control), they must notify the auditing organization and competent authority. Ensure your contracts include clauses requiring immediate notification of any changes in corporate structure or control that could affect their CADA assurance level.
5. Penalties and Liability
Article 24 outlines penalties for infringements. While the specific fines are to be determined by Member States, they must be "effective, proportionate and dissuasive." Providers misrepresenting their assurance level could face significant penalties and loss of recognition. As a customer, ensure you have the right to compensation if a provider fails to meet the assured level.
Common misconceptions
Misconception 1: "If the GDPR allows the transfer, CADA does too."
- Reality: No. The GDPR and CADA have different objectives. The GDPR protects personal data privacy; CADA protects public order and operational sovereignty. A transfer can be GDPR-compliant (via adequacy) but fail CADA Level 4 due to third-country control risks.
Misconception 2: "US providers can get Level 4 if they store data in the EU."
- Reality: No. Level 4 does require data to remain in the Union (Criterion 4.1(c)), but it separately requires that the provider is not subject to third-country control (Criterion 4.1(g)). A CLOUD Act order is addressed to the provider, not to a data centre, so US providers remain within its reach regardless of where the data is stored. Nor does customer-managed encryption change the analysis: Criterion 4.1(g) concerns who controls the provider, not whether the provider can read the data.
Misconception 3: "Level 3 is the same as Level 4."
- Reality: No. Level 3 allows for derogations for "associated third countries" under Article 18, provided strict safeguards are met. Level 4 has no such derogation and requires absolute freedom from third-country control. Furthermore, Level 4 requires a "high" cybersecurity certification, whereas Level 3 requires only "substantial."
Misconception 4: "CADA replaces the GDPR."
- Reality: No. CADA complements the GDPR. Providers must comply with both. CADA adds a layer of sovereignty and resilience requirements that the GDPR does not address. The proposal explicitly states it is consistent with the GDPR but addresses sovereignty concerns that go beyond data transfers.
Official sources
- EU AI Act (Regulation (EU) 2024/1689)
- GDPR (Regulation (EU) 2016/679)
- Data Act (Regulation (EU) 2023/2854)
Related
- Does CADA require data localisation that GDPR does not?
- How CADA uses GDPR adequacy decisions for assurance level 3
- CADA Penalties vs GDPR & AI Act Fines: A Comparison
- Does the Data Act govern cloud contracts that CADA tiers depend on?
- Why is the GDPR not enough to achieve cloud sovereignty under CADA?
This is general information about a draft EU regulation, not legal advice.