Summary

Under the proposed Cloud and AI Development Act (CADA), there is no self-service portal for providers to verify their country's status. Instead, you must consult the official list published by the European Commission on its website, as mandated by Article 18(3). This list identifies "associated third countries" whose cloud providers may be audited for Union assurance level 3, provided they meet strict cumulative criteria regarding data protection adequacy and operational autonomy. Crucially, even if your country is on this list, providers subject to its control cannot achieve Union assurance level 4; they are capped at level 3.

Detail

The CADA proposal establishes a comprehensive sovereignty framework to mitigate risks associated with dependence on non-European cloud providers. A critical, yet often misunderstood, component of this framework is the mechanism for "associated third countries." This mechanism creates a narrow pathway for cloud computing services controlled by entities in specific non-EU jurisdictions to qualify for Union assurance level 3. This is a significant distinction, as Union assurance level 4 is exclusively reserved for providers not subject to any third-country control.

The Legal Basis: Article 18

The rules governing associated third countries are set out in Article 18 of the CADA proposal. This article empowers the European Commission to adopt implementing acts that identify specific third countries. A cloud computing service provider subject to the control of such a country, or a legal entity established therein, may then be audited against the criteria for Union assurance level 3.

Cumulative Criteria for Recognition

Under Article 18(1), a third country can only be designated as an "associated third country" if it fulfills a set of cumulative criteria. This means that failing any single criterion disqualifies the country entirely. The criteria are designed to ensure that the third country's laws do not undermine the sovereignty and security objectives of the EU. The criteria include:

  1. Adequacy Decision: The country must be subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679 (the GDPR). This ensures a baseline level of data protection comparable to EU standards.
  2. No Extraterritorial Data Access Conflicts: The country must have no measures in place that enable it to exercise control over the cloud provider in a way that conflicts with the requirements for lawful access to non-personal data set out in Article 32(2) and (3) of Regulation (EU) 2023/2854 (the Data Act).
  3. No Service Disruption or Degradation: The country must have no measures compelling the provider to degrade or disrupt service continuity. It must also lack measures obliging the provider to implement restrictive measures (such as sanctions or embargoes) unless those measures are legitimate under EU or Member State law.
  4. No Impediment to Technology: The country must have no measures impeding the provision of state-of-the-art technologies and services by the cloud provider.
  5. Open Market: The country must maintain an open market to Union cloud computing services.
  6. Reciprocal Procurement Access: The third country must grant equivalent levels of access to public procurement procedures for cloud services subject to the control of a Union Member State or entity.

The Official List and Dynamic Status

Article 18(3) explicitly states: "The Commission shall publish on its website a list of third countries that fulfil the requirements under paragraph 1 and those that no longer do so."

This means the definitive source for verification is the European Commission's official website. The list is not static; the Commission has the power to repeal, amend, or suspend the designation if a country ceases to meet the criteria (Article 18(2)). Therefore, providers must treat this list as a dynamic reference that requires regular monitoring. A country's status can change if its legal landscape shifts, for example, through new surveillance laws or trade restrictions.

Limitations on Assurance Levels: The Level 3 Cap

It is crucial to note that even if a provider is located in an associated third country, it can only be audited up to Union assurance level 3. It cannot achieve Union assurance level 4.

According to Annex II, Section 3, point (g) of the CADA proposal, for Union assurance level 3, providers must demonstrate that they are not subject to the control of a third country, or if they are, that the Commission has adopted an implementing act under Article 18 recognizing that country. However, Annex II, Section 4, point (g) (Union assurance level 4) strictly requires that the audited provider and its subcontractors "are not subject to the control of a third country or a legal entity established in a third-country." There is no derogation for associated third countries at level 4. This means that providers from associated third countries are capped at level 3, regardless of their internal safeguards or the robustness of their home country's legal framework.

What this means for you

For cloud service providers and data centre operators, determining whether your country is an "associated third country" is a prerequisite for accessing the EU public sector market at higher assurance levels.

Steps to Verify Your Status

  1. Consult the Commission Website: Regularly check the European Commission's website for the official list of associated third countries. This list will be published as an implementing act under Article 18(1). Do not rely on third-party summaries or news reports; the official list is the only legal source.
  2. Monitor for Changes: Because the Commission can suspend or repeal a designation if a country no longer meets the cumulative criteria (Article 18(2)), you must monitor updates. A change in your country's legal or regulatory landscape could lead to the loss of associated status, which would immediately disqualify your services from Union assurance level 3.
  3. Assess Your Control Structure: Even if your country is on the list, you must still prove that you are subject to its control in a way that meets the specific audit criteria. The definition of "control" is broad and includes ownership, voting rights, and strategic decision-making power. You must demonstrate that the third country's control does not restrict your ability to deliver the service or compromise data security.
  4. Plan for Level 3 Cap: If you are a provider from an associated third country, you cannot pursue Union assurance level 4. Your market access will be limited to public sector activities that require level 1, 2, or 3. Activities requiring level 4 (typically the most sensitive national security or classified data) will remain inaccessible to you.

Strategic Implications

  • Market Access: Being in an associated third country allows you to compete for EU public contracts that require Union assurance level 3. Without this status, you would likely be restricted to level 1 (which has lower sovereignty requirements) or excluded from public procurement entirely if the contracting authority requires level 2 or higher.
  • Compliance Costs: To maintain eligibility, you must ensure your home country continues to meet the cumulative criteria. If your government introduces new data access laws or service disruption mandates, you risk losing your associated status. You should engage with your national authorities to ensure alignment with these EU requirements.
  • Audit Readiness: If your country is designated, you must be prepared for independent third-party audits (as per Article 20) to demonstrate compliance with the strict criteria of Union assurance level 3, including software supply chain transparency and personnel screening.

Common misconceptions

Misconception 1: "If my country has an EU-US Data Privacy Framework adequacy decision, it is automatically an associated third country." Reality: While an adequacy decision (Criterion 1 in Article 18(1)) is necessary, it is not sufficient. The country must also meet five other cumulative criteria, including open market access, reciprocal procurement rights, and the absence of service disruption measures. A country could have data adequacy but fail on market openness or reciprocal access, thus disqualifying it.

Misconception 2: "Associated third country status allows me to qualify for Union assurance level 4." Reality: No. As noted above, Union assurance level 4 strictly prohibits any third-country control. Associated third country status only permits auditing up to Union assurance level 3. Level 4 is reserved for providers with no third-country control whatsoever.

Misconception 3: "I can self-certify my country's status." Reality: The designation is a political and legal decision made by the European Commission via implementing acts. Providers cannot unilaterally declare their country an associated third country. You must rely on the official list published by the Commission.

Misconception 4: "Once designated, the status is permanent." Reality: The Commission can suspend or repeal the designation if the country no longer fulfils the requirements (Article 18(2)). This could happen due to changes in the third country's laws, such as new surveillance laws or trade restrictions. Providers must treat this status as conditional and ongoing.

This is general information about a draft EU regulation, not legal advice.