Summary

Under the proposed Cloud and AI Development Act (CADA), demonstrating immunity from third-country law for Union assurance levels 3 and 4 requires proving that your service provider and subcontractors are not subject to the control of a third country or a legal entity established in a third country. For Level 4, this is an absolute prohibition with no exceptions. For Level 3, a derogation exists only if the Commission has adopted an implementing act under Article 18 designating the third country as providing sufficient assurances. To demonstrate compliance, you must provide independent-source evidence that no laws or practices in the controlling third country compel you to report software vulnerabilities prematurely, access customer data, or disrupt service continuity. This proof is validated through an independent third-party audit under Article 20, not self-assessment.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a four-tier sovereignty framework designed to mitigate risks associated with dependence on non-European cloud providers. As you move up the tiers from Level 1 to Level 4, the requirements for operational autonomy and immunity from extraterritorial legal reach become increasingly stringent. Demonstrating this immunity is the most complex hurdle for providers with global footprints, particularly those linked to third-country parent companies or investors.

The Baseline: No Third-Country Control

For Union assurance level 4, the requirement is absolute. According to Annex II, Section 4.1(g), the audited provider and its subcontractors "are not subject to the control of a third country or a legal entity established in a third-country." There is no derogation or exception for Level 4. If any third-country entity holds control (defined broadly in the CADA proposal to include ownership, voting rights, commercial links, or financial dependencies that confer strategic decision-making power), the provider cannot achieve Level 4 recognition.

For Union assurance level 3, the baseline is similar but includes a critical exception. Annex II, Section 3.1(g) states that the provider and subcontractors must not be subject to third-country control, but then adds: "By way of derogation to this criterion, a cloud computing service provider... may be audited for Union assurance level 3 where the Commission has adopted an implementing act under Article 19."

Note on Drafting: While Article 18 of the Regulation is titled "Associated third countries" and sets out the criteria for the Commission to designate such countries, the text in Annex II, Section 3.1(g) explicitly references an implementing act under Article 19. This appears to be a drafting slip in the proposal text, as Article 19 governs "Conformity self-assessment" for Level 1, whereas Article 18 governs third-country designation. In practice, the legal mechanism for the derogation is the decision adopted under Article 18.

This creates two distinct paths for demonstrating immunity:

  1. The Standard Path: Proving you have no third-country control whatsoever.
  2. The Associated Third-Country Path: Proving you are under third-country control, but that the specific third country has been designated by the Commission under Article 18, and that you have implemented specific technical and legal safeguards to neutralize that control.

The Standard Path: Proving Absence of Control

To demonstrate that you are not subject to third-country control, you must undergo an independent third-party audit (required for Levels 2, 3, and 4 under Article 20). The auditor will assess your compliance with the criteria in Annex II using the evidence detailed in Annex III.

Annex III, Section 7 (Audit criterion G) outlines the rigorous evidence required to prove the absence of control. The auditing organization must analyze:

  • Ownership Structures: All direct and indirect shareholders up to ultimate owners, including capital holdings and voting rights.
  • Corporate Governance: The composition of governing bodies, rules for appointment, and quorum requirements to determine if any shareholder can block or impose strategic decisions.
  • Commercial and Financial Links: Evidence of long-term supply agreements, credits, or other dependencies that could confer a level of control equivalent to share ownership.

Crucially, you must provide independent-source evidence regarding the legal environment of any third country with which you have ties. Annex II, Section 3.1(i)(iii) (and similarly for Level 4) requires that you guarantee "there are no existing laws and practices in that third country, demonstrated by independent sources, that require the cloud computing service provider to report information on software vulnerabilities to authorities of that third country prior to those vulnerabilities being known to have been exploited."

This "independent source" requirement is vital. You cannot simply assert that a foreign law does not apply. You must provide objective, verifiable evidence (such as legal opinions from independent counsel or official government statements) confirming that the third country lacks the legal mechanisms to compel you to:

  1. Access customer data.
  2. Disrupt service continuity or degrade service quality.
  3. Implement restrictive measures (sanctions, embargoes) unless those measures are also legitimate under EU law.

The Associated Third-Country Path (Article 18)

If your provider is subject to third-country control, you can only qualify for Level 3 (not Level 4) if the Commission has adopted a decision under Article 18 identifying that third country as providing sufficient assurances.

Article 18(1) sets strict cumulative criteria for a third country to be recognized. The country must:

  • Have an adequacy decision under Article 45 of the GDPR.
  • Have no measures enabling it to exercise control over the provider in a way that conflicts with lawful access to non-personal data.
  • Have no measures to compel the provider to degrade or disrupt service continuity.
  • Have no measures to oblige the provider to comply with restrictive measures (sanctions/embargoes) unless legitimate under EU law.
  • Maintain an open market to Union cloud services.
  • Grant equivalent access to public procurement procedures.

If your controlling third country meets these criteria and is listed by the Commission, you can proceed to demonstrate immunity through safeguards. Even with an Article 18 designation, Annex II, Section 3.1(g) requires you to demonstrate that you have implemented legal, technical, and organizational measures to ensure:

  • The third country's control is not exercised to restrain your ability to perform the service.
  • Access by the third country to customer data is prevented.
  • Disruption or degradation of service by the third country is prevented.

Annex III, Section 7.2 details the specific evidence required for this scenario. You must provide:

  • Proof that the Commission has adopted the Article 18 decision for your controlling country.
  • Evidence of effective legal, technical, and organizational separation between your EU entity and the third-country entity.
  • Proof that you are unable to comply, legally or technically, with any request from the third country to access data or disrupt service.
  • A record of any such requests received and the confirmation that they were refused.

The Role of Independent Audits

For both Level 3 and Level 4, self-assessment is insufficient. Article 20(1) mandates that providers undergo independent third-party audits to obtain an audit report and opinion. The auditor must verify that your evidence meets the criteria in Annex II and Annex III.

The audit opinion must be "positive," meaning all evidence shows compliance. If the auditor cannot reach a conclusion on specific aspects, they must explain why. For providers under third-country control seeking Level 3 via Article 18, the auditor will scrutinize the "separation" measures heavily. They will look for technical proof (e.g., network isolation, access logs) and legal proof (e.g., contractual clauses, corporate charters) that the third-country parent cannot override the EU entity's operational decisions regarding data access or service continuity.

What this means for you

If you are a cloud service provider aiming for Union assurance levels 3 or 4, your corporate structure and legal exposure are under intense scrutiny.

  1. Map Your Control: Conduct a thorough review of your ownership, voting rights, and commercial dependencies. Identify any third-country entities that could be deemed to exercise "control" under the broad definition in CADA.
  2. Gather Independent Evidence: Do not rely on internal legal memos. Obtain independent, verifiable evidence that the laws of any controlling third country do not compel you to report vulnerabilities prematurely, access data, or disrupt services. This is a hard requirement for Levels 3 and 4.
  3. Check Article 18 Status: If you are under third-country control, check if the Commission has adopted an implementing act under Article 18 for your controlling country. If not, you cannot qualify for Level 3. If yes, prepare to demonstrate robust technical and legal separation measures.
  4. Prepare for Audit: Engage an auditing organization early. Ensure your documentation aligns with the specific evidence requirements in Annex III, particularly Section 7 (Absence of third-country control) and Section 7.2 (Additional steps for third-country control).
  5. Level 4 is Exclusive: If you have any third-country control, you are automatically disqualified from Level 4. Level 4 is reserved for providers with complete EU-based control and no third-country legal exposure.

Common misconceptions

  • "If we have an EU subsidiary, we are immune." No. CADA looks at "control," not just establishment. If a third-country parent controls the EU subsidiary through ownership, voting rights, or commercial dependencies, the subsidiary is subject to third-country control. You must prove that this control does not enable unlawful data access or service disruption.
  • "GDPR adequacy is enough." No. While an adequacy decision is a prerequisite for Article 18, it is not sufficient on its own. Article 18 requires additional safeguards regarding service continuity, non-personal data access, and market openness. Furthermore, Level 4 does not allow for any third-country control, regardless of adequacy.
  • "We can self-certify our immunity." No. Levels 3 and 4 require independent third-party audits under Article 20. Self-assessment is only permitted for Level 1.
  • "If we refuse a foreign data request, we are compliant." Refusal is part of the evidence, but you must also demonstrate that you have the legal and technical capacity to refuse. This includes proving that no third-country law compels you to comply in the first place, and that you have implemented measures to prevent the third country from accessing data or disrupting service even if they try.

This is general information about a draft EU regulation, not legal advice.