Summary
The proposed Cloud and AI Development Act (CADA) central repository does not explicitly list the specific third countries associated with a cloud service. Instead, it displays the recognized Union Assurance Level (Level 1 to 4) of the service. This level acts as a certified proxy for third-country exposure, reflecting whether the provider is free from third-country control or subject to a specific Commission-recognized derogation. Buyers must interpret the assurance level against the criteria in Annex II and cross-reference the separate list of recognized third countries published under Article 18 to understand the specific jurisdictional risks.
Detail
Under the proposed CADA (COM(2026) 502 final), the transparency mechanism is designed to signal compliance outcomes rather than disclose granular corporate ownership data. The central repository serves as the public interface for the Union cloud computing sovereignty framework, but its data fields are strictly limited to the recognition status of the service.
The Central Repository: A Register of Recognition, Not Ownership
Article 22 of the proposal mandates the Commission to "establish and maintain a dedicated repository of cloud computing services that have been recognised in accordance with Article 17." The text specifies that this repository must be "publicly available and regularly updated" by the Commission and national competent authorities.
Crucially, Article 22 does not prescribe the publication of detailed ownership structures, ultimate beneficial owners, or a list of specific third-country jurisdictions linked to the provider. The repository's primary function is to list:
- The cloud computing service.
- The specific Union Assurance Level (1, 2, 3, or 4) it has been recognized as offering.
- The status of that recognition (active, amended, or revoked).
As stated in the recitals, the repository facilitates the "secure and efficient storage, access, and exchange of relevant information" between customers, auditors, and authorities. However, the "relevant information" published to the public is the result of the audit and recognition process, not the raw data of the audit itself. Therefore, a buyer searching the repository will see that a service is "Union Assurance Level 3," but they will not see a field stating "Controlled by Entity X in Country Y."
How Assurance Levels Reflect Third-Country Exposure
While the repository does not list countries, the Union Assurance Levels displayed are directly derived from strict criteria regarding third-country control and exposure, as defined in Annex II. The level assigned to a service implicitly communicates the provider's relationship with third countries:
- Union Assurance Level 1 (Baseline):
  - Third-Country Context: This level allows for significant third-country involvement. The provider must be established in the Union, but subcontractors may be outside the Union.
  - Control Criteria: If the provider is subject to the control of a third country, it must guarantee that no laws in that country require reporting software vulnerabilities to authorities before they are known to be exploited.
  - Repository Signal: A Level 1 listing indicates the service meets baseline EU establishment and data residency rules but may involve third-country control or subcontracting, provided specific safeguards are in place.
- Union Assurance Level 2 (Substantial):
  - Third-Country Context: This level requires infrastructure, assets, and personnel to be located in the Union.
  - Control Criteria: If the provider is subject to third-country control, it must demonstrate that this control does not restrict service delivery or allow service disruption, and that third-country access to data is prevented. It also requires that the provider is not obliged to comply with restrictive measures (sanctions/embargoes) of a third country unless legitimate under EU law.
  - Cybersecurity: Requires a European cybersecurity certificate of at least assurance level "substantial" (Annex II 2.1(e)).
  - Repository Signal: A Level 2 listing signals that third-country risks have been mitigated through technical and legal safeguards, even if the provider is not entirely free from third-country influence.
- Union Assurance Level 3 (High Sovereignty):
  - Third-Country Context: The general rule is that the provider and subcontractors must not be subject to the control of a third country.
  - The Derogation (Article 18): There is a specific exception. A provider subject to third-country control can achieve Level 3 if the Commission has adopted an implementing act identifying that specific third country as providing "sufficient assurances."
  - Criteria for Derogation: The third country must have an adequacy decision under GDPR, no laws enabling control that conflicts with EU data access rules, and no measures to disrupt service continuity.
  - Repository Signal: A Level 3 listing implies either (a) the provider is entirely free from third-country control, or (b) the provider is from a specific third country that the Commission has explicitly whitelisted under Article 18.
- Union Assurance Level 4 (Maximum Sovereignty):
  - Third-Country Context: This level strictly prohibits third-country control.
  - Criteria: The provider and subcontractors must not be subject to the control of a third country. There is no derogation for Level 4.
  - Cybersecurity: Requires a European cybersecurity certificate of at least assurance level "high" (Annex II 4.1(e)).
  - Repository Signal: A Level 4 listing guarantees the service is free from third-country control and meets the highest cybersecurity standards.
How Information Reaches Buyers: The Two-Step Verification
Since the repository does not list third countries directly, buyers must perform a two-step verification process to understand the specific third-country associations:
- Check the Repository (Article 22): The buyer identifies the service and its Union Assurance Level.
  - If the level is 4, the buyer knows there is no third-country control.
  - If the level is 3, the buyer knows there is either no third-country control OR the provider is from a whitelisted country.
  - If the level is 1 or 2, the buyer knows third-country elements may exist but are mitigated.
- Cross-Reference the Article 18 List:
  - Article 18 empowers the Commission to adopt implementing acts identifying third countries that provide sufficient assurances for Level 3 recognition.
  - The proposal explicitly states: "The Commission shall publish on its website a list of third countries that fulfil the requirements under paragraph 1 and those that no longer do so."
  - The Workflow: If a buyer sees a Level 3 service and knows the provider is a non-EU entity, they must check the Article 18 list.
    - If the provider's country is on the list, the service is compliant.
    - If the provider's country is not on the list, the service must be entirely free from third-country control to qualify for Level 3. If the buyer knows the provider is controlled by a non-listed country, the Level 3 recognition would be invalid (and should have been revoked under Article 23).
The Role of the Recognition Process (Articles 16–19)
The data in the repository is the output of a rigorous process defined in Title IV, Chapter I:
- Article 16 establishes the framework and the four levels.
- Article 17 sets out the recognition procedure. For Levels 2–4, the provider must undergo an independent third-party audit. The audit report and "positive" audit opinion are submitted to the national competent authority.
- Article 19 covers the self-assessment for Level 1.
- Article 23 imposes transparency obligations: if a provider becomes aware of a material change (e.g., a change in third-country control that violates the criteria), they must notify the auditor and authority. This can lead to the amendment or revocation of the recognition, which is then updated in the repository.
Thus, the repository acts as a dynamic "traffic light" system. It does not show the "engine" (the specific country), but it shows the "light" (the assurance level) which is determined by the engine's compliance with the rules.
What this means for you
For CTOs, procurement officers, and compliance teams, the absence of explicit third-country data in the repository requires a shift in due diligence strategy. You cannot rely on the repository alone to map the full geopolitical risk profile of a provider.
- Treat the Assurance Level as a Certified Risk Filter: Do not expect the repository to list "Country X." Instead, treat the Union Assurance Level as a legally binding certification of risk mitigation. A Level 3 or 4 listing is a strong signal that the service is either fully EU-controlled or from a Commission-recognized safe third country.
- Perform the "Article 18 Cross-Check": If you are evaluating a Level 3 service from a non-EU provider, you must verify the provider's country against the Commission's published list of recognized third countries. If the country is not on the list, the provider must be entirely free from third-country control. If you suspect they are not, the recognition may be flawed.
- Request Audit Evidence for High-Risk Procurement: Under Article 29, public bodies must conduct risk assessments. If your activity is deemed to contribute to public order (requiring Level 2, 3, or 4), the repository listing is the minimum requirement. For high-stakes decisions, you should request the audit report (or a summary of the audit opinion) from the provider to understand the specific nature of any third-country exposure and the safeguards implemented.
- Monitor for Revocations: The repository will publish revocations. A sudden drop from Level 3 to Level 2 (or removal from the list) could indicate a change in third-country control that the provider failed to manage or disclose. Set up alerts for your critical providers.
Common misconceptions
- Misconception: The repository is a full transparency tool for ownership.
- Reality: The repository is a recognition register, not a corporate registry. It confirms that a service meets specific sovereignty criteria but does not disclose granular ownership details or list every third country with which the provider has ties.
- Misconception: Union Assurance Level (UAL) 1 means no third-country involvement.
- Reality: UAL 1 allows for subcontractors outside the Union and does not strictly prohibit third-country control, provided specific guarantees regarding vulnerability reporting and operational autonomy are met. It is the lowest level of assurance and may involve significant third-country exposure.
- Misconception: If a third country is not on the Commission's list, no services from there can be in the repository.
- Reality: Services from non-listed third countries can still be in the repository if they achieve UAL 1 or 2. They can only achieve UAL 3 if they are not subject to third-country control or if the Commission has specifically recognized the country. UAL 4 strictly prohibits third-country control regardless of the country.
- Misconception: The repository lists the specific third country for Level 3 services.
- Reality: The repository lists the level, not the country. The link between a Level 3 service and a specific third country is only established if the buyer cross-references the provider's origin with the separate Article 18 list published by the Commission.
This is general information about a draft EU regulation, not legal advice.