Summary
Under the proposed Cloud and AI Development Act (CADA), a cloud service provider controlled by a third country can only qualify for Union assurance level 3 if that third country is formally "associated" by the European Commission. This association requires a valid GDPR adequacy decision (Article 45 of Regulation (EU) 2016/679) as a mandatory precondition, but adequacy alone is not sufficient. The Commission must also verify that the third country meets five additional cumulative criteria regarding data access, service continuity, technology access, market openness, and procurement reciprocity. Without this specific CADA association decision, third-country providers cannot serve public sector activities requiring assurance levels 2, 3, or 4.
Detail
The CADA proposal (COM(2026) 502 final) establishes a rigorous sovereignty framework to mitigate the risks of the EU's reliance on non-European cloud providers. A central pillar of this framework is the Union cloud computing sovereignty framework, which defines four assurance levels. While Union assurance levels 1 and 2 generally require providers to be established in the Union with infrastructure and personnel located within the EU, Union assurance level 3 introduces a specific derogation. This level allows cloud services controlled by a third country to be recognised, provided that the third country is formally identified as "associated" by the Commission.
The relationship between CADA and the General Data Protection Regulation (GDPR) is explicit, hierarchical, and distinct. Article 18(1)(a) of the CADA proposal states that for a third country to be identified as associated, it "is subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679." This establishes the GDPR adequacy decision as the entry ticket: without it, a third country cannot be considered for association under CADA, regardless of its other merits.
However, the CADA proposal makes it unequivocally clear that GDPR adequacy is a necessary but not sufficient condition. The GDPR's adequacy assessment focuses primarily on whether a third country ensures a level of protection for personal data that is essentially equivalent to that guaranteed within the EU. CADA broadens this scope significantly to include operational sovereignty, supply chain security, geopolitical resilience, and the prevention of extraterritorial interference.
To achieve "associated" status, the third country must satisfy six cumulative criteria listed in Article 18(1). Beyond the GDPR adequacy decision (criterion a), the Commission must verify five additional conditions:
- Non-Interference with Data Access (Article 18(1)(b)): The third country must have no measures in place that enable it to exercise control over the cloud provider in a way that conflicts with the lawful access rules for non-personal data set out in Article 32 of the Data Act (Regulation (EU) 2023/2854). This prevents third countries from using their jurisdiction to access data in ways that bypass EU legal safeguards or undermine the Data Act's provisions on non-personal data.
- Service Continuity and Restrictive Measures (Article 18(1)(c)): The third country must have no measures in place to compel the cloud computing service provider to degrade or disrupt service continuity or provision. Furthermore, it must have no measures to oblige the provider to implement, enforce, or comply with restrictive measures (such as sanction regimes or embargoes) adopted by the third country, unless such measures are legitimate under the national laws of Member States or Union law. This directly addresses the risk of unilateral service shutdowns or forced compliance with foreign policy objectives of the third country.
- Technology Access (Article 18(1)(d)): The third country must have no measures in place to impede the provision of state-of-the-art technologies and services provided by the cloud computing service provider. This ensures that geopolitical tensions do not result in arbitrary restrictions on the technological capabilities available to EU users, so that the provider can maintain high-performance standards.
- Market Openness (Article 18(1)(e)): The third country must maintain an open market to Union cloud computing services. This reciprocity requirement ensures that EU providers are not unfairly excluded from the third country's market while their counterparts serve the EU, preventing a one-sided dependency.
- Procurement Reciprocity (Article 18(1)(f)): The third country must grant equivalent levels of access to public procurement procedures of cloud computing services subject to the control of a Union Member State or entity, or a legal entity established in the Union. This prevents a situation where EU public bodies are restricted from buying from third-country providers while those providers freely bid for public contracts in the EU.
The Commission assesses these criteria through implementing acts adopted under the examination procedure. Recital 61 of the CADA proposal further clarifies that the Commission will examine whether the GDPR adequacy decision applies generally to the third country or is limited to specific sectors, and whether it covers the specific processing activities involved in the cloud service. If the adequacy decision is narrow or sector-specific, it may not satisfy the broader requirements of CADA association.
If a third country no longer fulfils these requirements, the Commission is empowered under Article 18(2) to repeal, amend, or suspend the association decision. The Commission must also publish a list of associated and non-associated third countries on its website (Article 18(3)), providing transparency for public sector procurers.
Crucially, this mechanism is the only pathway for a third-country-controlled provider to reach Union assurance level 3. As set out in Annex II, Section 3.1(g), a provider subject to third-country control may be audited for level 3 "where the Commission has adopted an implementing act under Article 19." (Note: The source text in Annex II cross-refers to Article 19 here; the substantive associated-third-country mechanism is set out in Article 18, while Article 19 itself governs conformity self-assessment for level 1.)
What this means for you
For in-house counsel, compliance officers, and public procurement teams, the distinction between GDPR adequacy and CADA association is critical for public sector procurement strategies and risk management.
1. Re-evaluate "Sovereign" Cloud Claims: Many third-country providers market their services as "sovereign" or "GDPR-compliant" based solely on Standard Contractual Clauses (SCCs) or existing adequacy decisions (e.g., the EU-US Data Privacy Framework). Under CADA, these claims are insufficient for Union assurance level 3. You must verify whether the provider's home country has been formally "associated" by the Commission via an implementing act under Article 18. If the country is not on the Commission's list of associated third countries, the service cannot be used for public sector activities identified as contributing to the preservation of public order (which require assurance levels 2, 3, or 4 under Article 30(3)).
2. Monitor Geopolitical Developments: CADA association is dynamic and reversible. Even if a country has a valid GDPR adequacy decision, it can lose its CADA association status if it introduces laws that allow for data access, service degradation, or discriminatory procurement practices. Compliance teams must monitor Commission decisions and the published list of associated countries. A loss of association status could trigger a mandatory migration for public sector clients within a reasonable transition period not exceeding 12 months (Article 29(6)), requiring robust exit strategies and data portability plans.
3. Impact on Private Sector Entities: While CADA's procurement mandates primarily target public bodies, Article 31 allows private sector entities in high-criticality sectors (as defined in Annex I of the NIS2 Directive) to conduct similar impact assessments. These entities may voluntarily align their procurement with CADA assurance levels to mitigate supply chain risks. Understanding the CADA-GDPR nexus helps private companies assess whether a third-country provider's legal environment poses operational sovereignty risks beyond data privacy.
4. Deadlines and Penalties: Member States must designate national competent authorities within one year of CADA's entry into force (Article 25). Cloud providers seeking recognition must submit applications to these authorities. Penalties for non-compliance with the sovereignty framework are determined by Member States but must be effective, proportionate and dissuasive (Article 24). Recipients of cloud services also have the right to seek compensation from providers for damages resulting from infringements of these obligations.
Common misconceptions
Misconception 1: "GDPR Adequacy Equals CADA Association." Many assume that because the US, Japan, or other countries have GDPR adequacy decisions, their cloud providers automatically qualify for CADA Union assurance level 3. This is incorrect. Adequacy is only the first of six cumulative criteria. A country could have an adequacy decision but fail the CADA test if it maintains laws allowing for service disruption, technology embargoes, or discriminatory procurement practices.
Misconception 2: "CADA Replaces GDPR." CADA does not replace the GDPR. They operate in parallel. The GDPR governs the processing of personal data, while CADA governs the sovereignty and operational resilience of cloud services. A provider must comply with both. CADA's sovereignty requirements are broader, covering non-personal data, hardware supply chains, and service continuity, which fall outside the GDPR's scope.
Misconception 3: "Association Applies to All Assurance Levels." The associated third-country mechanism only applies to Union assurance level 3. Union assurance level 4, the highest level of assurance, generally requires that the provider and its subcontractors are not subject to the control of a third country (Annex II, Section 4.1(g)). Therefore, even associated third-country providers cannot offer Union assurance level 4 services.
Misconception 4: "Private Companies Are Exempt from Sovereignty Risks." While private companies are not mandated to procure based on assurance levels, they are exposed to the same underlying risks of third-country control. CADA encourages private entities in critical sectors to conduct impact assessments (Article 31). Ignoring these sovereignty factors can lead to operational disruptions if a third country exercises its legal powers to degrade service or access data, regardless of GDPR compliance.
Official sources
Related
- CADA Associated Third Countries vs. GDPR Adequacy: Key Differences
- Does CADA require GDPR adequacy for associated third countries?
- CADA Associated Third Country: What if GDPR Adequacy is Lost?
- Why does CADA only allow associated third countries at Level 3?
- Where is the list of CADA associated third countries published?
This is general information about a draft EU regulation, not legal advice.