Summary

Under the proposed Cloud and AI Development Act (CADA), a cloud provider that is subject to third-country control could reach Union assurance Level 3 only through a narrow derogation: the European Commission must first designate that provider's controlling third country as an "associated third country" under Article 18, and the provider must then pass an independent third-party audit (Article 20) proving the safeguards in Annex II, point 3.1(g), which prevent foreign data access, service disruption, and forced sanctions enforcement. Without an Article 18 decision, Level 3 would be closed to a third-country-controlled provider.

Detail

CADA would establish a Union cloud computing sovereignty framework of four Union assurance levels, the criteria for which are set out in Annex II (Article 16). Level 3 is one of the high tiers that contracting authorities whose activities contribute to the preservation of public order must procure (Article 30(3)). As a baseline, Annex II, point 3.1(g) requires that the audited provider and its relevant subcontractors are not subject to the control of a third country or a legal entity established in a third country.

For a provider that is under third-country control, the only proposed pathway to Level 3 runs through two distinct hurdles: a Commission designation of the controlling country, and then a demanding technical-legal audit.

1. The prerequisite: Commission designation under Article 18

Under Article 18(1), the Commission may, by means of implementing acts, identify third countries whose providers (or providers controlled by a legal entity established there) may be audited against the Level 3 criteria. This is the "associated third country" mechanism. It is a formal EU-level decision, not a self-declaration by the country or the provider.

The Commission may make this designation only where the third country fulfils all of the following cumulative criteria (Article 18(1)):

  • it is subject to a relevant adequacy decision under Article 45 of the GDPR (Regulation (EU) 2016/679);
  • it has no measures enabling it to exercise control over the provider in a way that would conflict with the lawful-access-to-non-personal-data requirements in Article 32(2) and (3) of the Data Act (Regulation (EU) 2023/2854);
  • it has no measures compelling the provider to degrade or disrupt service continuity, nor to give effect to restrictive measures such as sanctions or embargoes (unless those are legitimate under Member State or Union law);
  • it has no measures impeding the provision of state-of-the-art technologies and services by the provider;
  • it maintains an open market to Union cloud computing services; and
  • it grants equivalent access to its public procurement procedures for cloud services controlled by a Union Member State, entity, or legal entity established in the Union.

If the Commission has not adopted such a decision for the provider's controlling country, a third-country-controlled provider would be precluded from Level 3. (The Annex II 3.1(g) derogation cross-refers to a Commission implementing act; Article 18 is the operative associated-third-countries provision.)

2. The audit hurdle: Annex II, point 3.1(g)

Even where the controlling country is designated, the derogation does not waive the safeguards — it merely makes the provider eligible to be audited. The provider must still demonstrate, through the audit, that it has implemented the necessary legal, technical, and organisational measures to ensure that:

  • third-country control is not exercised in a way that restrains the provider's ability to perform and deliver the service, limits its infrastructure, assets, or personnel, or undermines the capabilities needed for the service — and the provider should allow for reasonable access to the code;
  • access by the third country (or a legal entity established there) to customer data is prevented;
  • the possibility of disruption of service continuity or degradation of service quality by the third country is prevented; and
  • control is not exercised in a way that obliges the provider to implement or comply with restrictive measures such as sanction regimes or embargoes adopted by the third country, unless legitimate under Member State or Union law.

Beyond point (g), the provider must also satisfy every other Level 3 criterion: Union establishment and location of infrastructure, assets, and personnel (3.1(a)–(b)); customer data remaining exclusively in the Union (3.1(c)); Union-citizen personnel with security clearance where appropriate (3.1(d)); a European cybersecurity certificate of at least assurance level "substantial" or the equivalent where no scheme yet exists (3.1(e)); no use of service-generated data to train third-country AI systems (3.1(f)); Union-based support (3.1(h)); software supply-chain controls including an SBOM (3.1(i)); open-source controls (3.1(j)); and effective separation from any third-country subsidiary (3.1(k)). Article 20(1) makes this cumulative: failure to meet any lower-level requirement precludes conformity with Level 3.

3. The audit and recognition process

To prove compliance, the provider would undergo an independent third-party audit at its own expense (Article 20(1)) by an auditing organisation that is independent, conflict-free, and technically competent (Article 20(4)). The auditor assesses compliance against Annex II using the audit evidence in Annex III and issues an audit report and a "positive" or "negative" opinion (Article 20(5)). A "positive" opinion specifying Level 3 is then submitted, with the audit report and all evidence given to the auditor, to the national competent authority of establishment for recognition (Article 17(4)).

What this means for you

For in-house counsel and compliance officers at non-EU-controlled providers, the route to Level 3 is narrow and conditional:

  1. Check the country first. Verify whether the controlling third country has been designated under Article 18 and listed by the Commission (Article 18(3)). If it has not, Level 3 recognition would not be open to you, regardless of your technical controls.
  2. Assess the cumulative criteria. Realistically evaluate whether your controlling country could meet all six Article 18(1) criteria — GDPR adequacy alone is not enough.
  3. Prepare for an intrusive audit. The Annex II 3.1(g) audit would examine ownership, governance, and control structures, and your ability to refuse foreign data-access or disruption demands. You would need to allow reasonable access to code.
  4. Implement and document separation. Air-gapped or logically isolated Union infrastructure, Union-only data handling, and enforced legal/technical separation from any third-country parent (3.1(k)) are central.
  5. Mind revocation and penalties. Recognition can be revoked for incorrect or misleading information (Article 17(11)), and Member States must impose effective, proportionate, and dissuasive penalties (Article 24); recipients may also seek compensation for damage (Article 24(3)).

Common misconceptions

  • "If we host data in the EU, we can get Level 3." Data location is necessary but not sufficient. Level 3 turns on control. If a third-country parent can legally compel data access or service disruption, you fail Annex II 3.1(g) unless your controlling country is designated under Article 18 and you prove the required separation.
  • "A strong cybersecurity certificate is enough." The "substantial" certificate (Annex II 3.1(e)) is one criterion among many and does not address sovereignty. A perfectly secure but third-country-controlled provider would still fail Level 3 absent the Article 18 route.
  • "We can self-assess for Level 3." Self-assessment and an EU statement of conformity are available only for Level 1 (Article 19). Levels 2, 3, and 4 require independent third-party audits (Article 20).
  • "Adequacy decision = automatic eligibility." Adequacy is only the first of six cumulative Article 18(1) criteria.

This is general information about a draft EU regulation, not legal advice.