Summary Under the proposed Cloud and AI Development Act (CADA), minority foreign investment alone does not automatically amount to "control." But if the minority stake confers decisive influence — for example through veto rights, board-appointment rights or a golden share — it can constitute control. For Union assurance levels 3 and 4, third-country control is, as proposed, not permitted, with one narrow exception: level 3 alone has an associated-third-countries derogation. Compliance officers should therefore look past headline shareholding percentages to the governance and contractual rights that actually decide strategy.
Detail
CADA would build a sovereignty framework for cloud computing services around four "Union assurance levels." A decisive factor for reaching levels 3 and 4 is whether the cloud computing service provider and its relevant subcontractors are "subject to the control of a third country or a legal entity established in a third country."
The definition of control
CADA does not write its own definition of control. Article 2(21) of the proposal defines "control" by reference to Article 2, point (6), of Regulation (EU) 2021/697. That cross-reference imports an established EU control concept that looks beyond nominal ownership to who can exercise decisive influence over the undertaking — through ownership, voting or appointment rights, or rights conferred by contract. (Note: Regulation (EU) 2021/697 is the borrowed source of the definition; it is not the Cybersecurity Act.)
The practical upshot is that control is about decisive influence, not a simple majority of shares.
How minority investment can trigger control
Because the test is decisive influence, a minority position can amount to control where it carries mechanisms that let the investor block or direct strategic decisions.
1. Veto rights and protective provisions. If a minority investor can veto key strategic decisions — amending the articles of association, approving the budget or business plan, changing the capital structure, or appointing or removing senior management — that can amount to decisive influence and therefore control.
2. Board representation and golden shares. Control can flow from governance design. A right to appoint a majority of the board, or a golden share giving unilateral power over critical decisions such as mergers or changes in core business, can constitute control regardless of the headline equity figure.
3. Contractual influence. Control is not confined to equity. A shareholders' agreement or other contract that lets the investor direct the provider's operations can equally trigger the control concept.
Implications for Union assurance levels 3 and 4
The consequences of being "under control" are significant for providers targeting high-sovereignty public sector demand. The relevant criteria sit in Annex II of the proposal:
- Union assurance level 3: Annex II, Section 3.1(g) requires that the audited provider and the subcontractors involved in the service are not subject to third-country control. There is a narrow derogation: where the Commission has adopted an act recognising a third country under the associated-third-countries mechanism (Article 18), a provider subject to control from that country may still be audited for level 3, provided it also demonstrates the additional safeguards listed there (preventing third-country access to customer data, preventing service disruption, and so on). This is the exception, not the rule.
- Union assurance level 4: Annex II, Section 4.1(g) requires that the provider and the relevant subcontractors are not subject to third-country control, and the proposal sets no associated-third-countries derogation for level 4. Level 4 also requires the provider and those subcontractors to be established in the Union (Section 4.1(a)).
So a provider with a minority foreign investor who holds veto rights would likely fail the level 3 and 4 criteria, as proposed, leaving it to compete at levels 1 and 2.
What this means for you
For in-house counsel and compliance officers at providers — or at entities taking stakes in EU providers — the analysis should move from headline percentages to a granular review of governance rights.
1. Audit your shareholders' agreements. Identify protective provisions or veto rights held by foreign investors. If a foreign investor can block strategic decisions, the provider may be "under control." Reaching levels 3 and 4 may require renegotiating those rights.
2. Assess board composition. Ensure foreign minority investors cannot appoint a majority of the board or key executives; restructure appointment mechanics if they can.
3. Prepare for the audit. Auditing organisations will examine corporate structure, cap tables and governance documents to assess control under Article 2(21). Be ready to show that no single foreign entity, whatever its stake, can unilaterally dictate strategy.
4. Track the associated-third-countries list. The Commission's power under Article 18 to recognise third countries can change which foreign holdings are workable for level 3. It does not assist level 4.
Common misconceptions
"If I own less than 50%, I don't have control." Control turns on decisive influence, not majority ownership. As proposed, a small stake combined with veto rights over the budget can amount to control under CADA.
"Control only applies to majority foreign owners." The control concept imported via Article 2(21) reaches minority holders who can exercise decisive influence through rights or contracts.
"Union assurance level 1 requires no foreign control." Level 1 (Annex II, Section 1.1(g)) does not bar foreign control outright; where the provider is under third-country control it must guarantee that no laws or practices in that country require reporting software vulnerabilities to authorities before they are known to have been exploited. Levels 3 and 4 are far stricter.
"The level 3 derogation also covers level 4." No. As proposed, the associated-third-countries derogation (Article 18) is available only for level 3. Level 4 has no third-country-control derogation.
"A golden share is irrelevant if it is never used." The existence of the right to exercise decisive influence is what matters; it need not have been exercised.
Official sources
Related
- What the CADA control definition means for cloud providers seeking high assurance levels
- What does control mean under CADA? Third-country control explained
- How CADA's control definition affects sovereignty tier eligibility
- Does a hyperscaler's EU subsidiary escape the CADA control test?
- Why does CADA's frontier AI definition have no fixed compute threshold?
This is general information about a draft EU regulation, not legal advice.