Summary

The three jurisdictions take fundamentally different routes. As proposed, the EU's Cloud and AI Development Act (CADA) would grade cloud sovereignty through four "Union assurance levels" (Article 16, criteria in Annex II) and make recognised levels mandatory in public procurement (Article 30). The US CLOUD Act instead keeps the market open but extends law-enforcement reach extraterritorially: a US provider must disclose data in its "possession, custody, or control" wherever stored. China relies on data localisation and state security reviews. For in-house counsel, the practical effect is that CADA would turn cloud procurement into a risk-based, evidence-heavy obligation for EU public bodies, with penalties on providers for infringements (Article 24) — a different exercise from managing CLOUD Act exposure or Chinese localisation. CADA is still a proposal and the text may change.

Detail

Cloud sovereignty regulation is diverging into three philosophies: the EU's risk-based assurance model, the US extraterritorial-access model, and China's localisation-and-review model.

The EU approach: CADA's graded assurance levels

As proposed, CADA does not ban non-EU providers. It builds a "Union cloud computing sovereignty framework comprising four Union assurance levels" (Article 16), whose cumulative criteria are set out in Annex II.

  • Level 1 (Annex II): the provider is established in the Union; its infrastructure and assets are located in the Union; and customer data, including metadata and telemetry, remains exclusively within the Union — in each case "unless the public sector body explicitly requires otherwise." Level 1 is self-assessed, and the provider issues an EU statement of conformity (Article 19).
  • Levels 2–4 (Annex II) add successively stricter, audited criteria. Level 2, for example, requires that data generated by using the service is not used to train or fine-tune any AI system operated by a third country, and adds software supply chain and third-country-control safeguards. Level 3 requires that personnel involved in providing the service are Union citizens, with national security clearance "where appropriate". Level 4 goes further still: the provider and its subcontractors must not be subject to the control of a third country or a third-country entity. Levels 2–4 require an independent third-party audit (Article 20).

A distinctive mechanism is the "associated third country". Under Article 18, the Commission may, by implementing act, identify third countries whose providers (even where controlled by that third country) "may be audited against the criteria for Union assurance level 3." The third country must meet six cumulative criteria, including an adequacy decision under Article 45 GDPR, the absence of measures enabling control conflicting with the lawful-access rules in Article 32(2)–(3) of the Data Act (Regulation (EU) 2023/2854), no power to compel service disruption or to force the provider to apply third-country sanctions, an open market to Union cloud services, and equivalent procurement access for Union providers.

Procurement is risk-driven. Under Article 29, Member States and Union entities must run risk assessments (within one year of entry into force, then every two years) to identify public sector activities contributing to the preservation of public order and to determine the appropriate level. Under Article 30, bodies whose activities are not so identified must use level 1 services; those whose activities are identified must procure only level 2, 3 or 4 services, subject to narrow, justified derogations (Article 30(4)). Member States must set penalties for provider infringements that are "effective, proportionate and dissuasive" (Article 24).

The US approach: extraterritorial access, open market

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) prioritises law-enforcement reach over localisation. It amends the Stored Communications Act so that a covered provider "shall comply with the obligations of this chapter to preserve, backup, or disclose" data "within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States."

For EU users this creates a structural sovereignty concern: a US-controlled provider may be compelled to disclose data it controls, including data physically stored in the EU. The Act adds a "comity analysis" letting a provider move to quash an order where the customer is not a US person and disclosure would risk violating the law of a "qualifying foreign government" — but that mechanism depends on the US having an executive agreement with the relevant government under §2523 of the Act. There is no US analogue to CADA's assurance levels; sovereignty frictions are managed through bilateral agreements and contract terms rather than legislative tiering.

The China approach: localisation and security review

China's regime combines localisation with state security review. The Cybersecurity Law, Data Security Law and Personal Information Protection Law require critical information infrastructure operators and large-scale processors to store data in China, and subject many cross-border transfers to assessments by the Cyberspace Administration of China. Foreign providers commonly operate through local partners and remain exposed to security reviews that can block services on national-security grounds. There is no tiered assurance scheme for procurement; the model is closer to binary — comply with localisation and review, or face exclusion.

Comparative summary

Core mechanism
  • EU (CADA, proposed): graded Union assurance levels 1–4
  • US (CLOUD Act): extraterritorial disclosure of controlled data
  • China (CSL / DSL / PIPL): localisation + security review

Data location
  • EU (CADA, proposed): in the Union (Annex II; level 1 allows explicit exception)
  • US (CLOUD Act): no location restriction; accessible if under provider control
  • China (CSL / DSL / PIPL): stored in China for covered entities

Personnel
  • EU (CADA, proposed): Union citizens required for levels 3–4
  • US (CLOUD Act): no citizenship requirement
  • China (CSL / DSL / PIPL): local partnership common

Third-country access
  • EU (CADA, proposed): "associated third country" route to level 3 only (Article 18)
  • US (CLOUD Act): default disclosure; comity via §2523 agreements
  • China (CSL / DSL / PIPL): tightly controlled via CAC assessments

Public procurement
  • EU (CADA, proposed): mandatory recognised level (Article 30)
  • US (CLOUD Act): no sovereignty tiering
  • China (CSL / DSL / PIPL): de facto domestic preference

What this means for you

For in-house counsel and compliance leads, the divergence calls for a multi-jurisdiction strategy.

1. Map activities to CADA risk assessments. If you advise an EU public body or Union entity, the obligation to run Article 29 risk assessments determines whether level 1 or level 2/3/4 is required. Activities in NIS2 Annex I/II sectors or in national security, defence, justice and law enforcement will tend toward the higher levels under Article 30.

2. Check recognition status before relying on a provider. Only services recognised under Article 17 and listed in the Commission's central repository (Article 22) would satisfy the procurement obligation. Confirm the provider has applied to its national competent authority of establishment and holds a positive audit opinion for the relevant level.

3. Assess third-country exposure realistically. A US provider could, in principle, be audited against level 3 only if the US were designated an "associated third country" under Article 18 — which requires, among other things, a GDPR adequacy decision and the absence of measures enabling conflicting control or compelled disruption. Given the CLOUD Act's extraterritorial reach, that designation is not assured. Chinese providers are very unlikely to meet the Article 18 criteria.

4. Allocate CADA risk in contracts. Because penalties under Article 24 fall on providers, build representations, audit-cooperation duties (Article 20(2)), notification of material changes (Article 23) and liability allocation into provider contracts.

5. Track the legislative process. CADA is a proposal. The assurance criteria sit in Annex II, which the Commission could amend by delegated act (Article 16(2)) and must review at least every 18 months (Article 16(3)). Treat the specifics as movable.

Common misconceptions

1. "CADA bans non-EU providers." No. A third-country-controlled provider can be audited against level 3 where its home country is an "associated third country" under Article 18, and EU-established subsidiaries can pursue recognition on the merits.

2. "The CLOUD Act gives unrestricted access." Not unrestricted — the comity analysis lets providers challenge certain orders. But that protection turns on a §2523 executive agreement; absent one, disclosure of controlled data is the default.

3. "Data localisation equals sovereignty." No. Localisation is one criterion. CADA's higher levels also address third-country control, personnel citizenship, software supply chains and protection against service disruption. EU-stored data can still fail level 3 or 4 if the provider is subject to third-country control.

4. "CADA binds all private companies." The procurement obligations target public sector bodies and Union entities. Private NIS2 Annex I entities "may" carry out similar impact assessments (Article 31), and the Commission may require such assessments by delegated act for high-criticality sectors — but the core mandate is public sector. Market signalling will likely pull the private sector along.

This is general information about a draft EU regulation, not legal advice.