Summary

Under the proposed Cloud and AI Development Act (CADA), cloud service providers controlled by a third country or a legal entity established in a third country face a strict "vulnerability-reporting" hurdle. To achieve Union assurance level 1, these providers must guarantee that no existing laws or practices in that third country require them to report software vulnerabilities to foreign authorities prior to those vulnerabilities being known to have been exploited. Crucially, this guarantee cannot be self-declared; it must be demonstrated by independent sources. This criterion is a mandatory cumulative requirement for Level 1 recognition under Annex II, Section 1(g), and failure to prove it disqualifies the provider from serving public sector bodies under the baseline procurement rules of Article 30(2).

Detail

The proposed Cloud and AI Development Act (CADA), as set out in COM(2026) 502 final, establishes a Union cloud computing sovereignty framework comprising four assurance levels. While Union assurance level 1 serves as the baseline for most public sector procurement, it imposes specific legal safeguards for providers subject to third-country control. The most nuanced of these safeguards concerns the timing of vulnerability disclosure.

The Specific Criterion: Annex II, Section 1(g)

For a cloud computing service provider to be recognised as offering Union assurance level 1, it must meet a set of cumulative criteria. Annex II, Section 1, point (g) specifically addresses the risk of third-country interference in software security. The text states:

"Where the cloud computing service provider is subject to the control of a third country or a legal entity established in a third-country, the cloud computing service provider guarantees that there are no existing laws and practices in that third country, demonstrated by independent sources, that require the cloud computing service provider to report information on software vulnerabilities to authorities of that third country prior to those vulnerabilities being known to have been exploited."

This provision targets a specific geopolitical risk: the scenario where a foreign government compels a provider to disclose a "zero-day" vulnerability (a flaw unknown to the vendor or the public) to its intelligence or security services before a patch is available. If such a law exists, the foreign government could, at least in theory, exploit the flaw in EU infrastructure before EU users are protected. CADA seeks to eliminate this risk by requiring providers to guarantee that no such laws or practices exist.

The "Independent Sources" Requirement

A critical distinction in Annex II, Section 1(g) is the evidentiary standard. The proposal does not accept a provider's internal legal opinion or a simple statement of policy. The text explicitly mandates that the absence of such laws and practices must be "demonstrated by independent sources."

This requirement shifts the burden of proof from a subjective assertion to an objective verification. "Independent sources" implies evidence originating from entities outside the provider's corporate structure and, ideally, outside the direct influence of the third-country government. Acceptable evidence might include:

  • Independent legal opinions from reputable international law firms specializing in the third country's jurisdiction, explicitly analyzing the absence of mandatory pre-exploitation reporting statutes.
  • Official government publications from the third country that clarify the scope of its cybersecurity laws (e.g., confirming that reporting is only mandatory after exploitation or public disclosure).
  • Verified reports from independent cybersecurity research bodies or international organizations that have assessed the third country's legal framework regarding vulnerability disclosure.

Without such external corroboration, a provider cannot satisfy the criterion, regardless of its internal compliance posture.

Interaction with the Conformity Self-Assessment (Article 19)

The mechanism for proving compliance with Annex II, Section 1(g) is tied to the conformity self-assessment procedure for Union assurance level 1. Article 19(1) requires providers seeking Level 1 recognition to carry out a self-assessment of compliance with all criteria in Annex II.

Following this assessment, Article 19(2) mandates the issuance of an EU statement of conformity. By issuing this statement, the provider assumes full responsibility for the compliance of the service with the criteria, including the vulnerability-reporting guarantee. Consequently, the provider must retain the "independent sources" evidence within its self-assessment documentation. While Level 1 does not require a third-party audit (unlike Levels 2–4), the national competent authority of establishment may request this evidence to verify the self-assessment. If the provider cannot produce the independent demonstration, the recognition process under Article 17 will fail.

Relevance to Higher Assurance Levels

While this FAQ focuses on Level 1, the vulnerability-reporting criterion is not unique to the baseline. Annex II, Section 2.1(i)(iii) (Level 2) and Section 3.1(i)(iii) (Level 3) reiterate the exact same requirement for providers subject to third-country control. The language remains identical: a guarantee that no laws or practices require reporting prior to exploitation, demonstrated by independent sources.

However, the context differs for Union assurance level 4. At Level 4, Annex II, Section 4.1(g) generally prohibits third-country control entirely ("the audited provider... are not subject to the control of a third country"). A standalone vulnerability-reporting guarantee is therefore not separately listed at Level 4 (unlike Sections 2.1(i)(iii) and 3.1(i)(iii)) and becomes largely theoretical, because the primary barrier is the existence of control itself. A provider seeking Level 4 must first prove that it is not controlled by a third country, which makes the specific "law demonstration" less relevant than the structural separation of ownership.

The "Prior to Exploitation" Distinction

The phrasing "prior to those vulnerabilities being known to have been exploited" is legally precise. It does not ban all cooperation with third-country authorities. A provider may still be legally required to report a vulnerability after it has been publicly disclosed or after it has been exploited in the wild. The prohibition is strictly on pre-exploitation reporting. This distinction allows for standard vulnerability disclosure programs (VDPs) and post-incident reporting while blocking the specific "zero-day hoarding" risk that threatens EU operational autonomy.

What this means for you

If you are a cloud computing service provider established in the EU but controlled by a parent entity in a third country, this criterion is a potential deal-breaker for public sector contracts. You cannot rely on "good faith" or internal policies.

1. Conduct a Third-Country Legal Audit

You must commission an external, independent legal analysis of the third country where your controlling entity is established. This analysis must explicitly answer:

  • Are there any statutes, regulations, or executive orders that compel the reporting of software vulnerabilities to state authorities?
  • If such laws exist, do they mandate reporting before the vulnerability is known to be exploited?
  • Are there "practices" (even unwritten ones) that effectively force such reporting?

2. Secure "Independent Sources"

Gather the evidence required by Annex II, Section 1(g). This should be a dossier containing:

  • A formal legal opinion from a qualified law firm in the third country (or an international firm with specific expertise in that jurisdiction) stating that no such mandatory pre-exploitation reporting laws exist.
  • Copies of relevant sections of the third country's cybersecurity or national security laws, annotated to show the absence of the prohibited requirement.
  • If available, public statements from the third country's government confirming that vulnerability reporting is voluntary or post-exploitation only.

3. Document in the Self-Assessment

When preparing your conformity self-assessment under Article 19, explicitly reference Annex II, Section 1(g). Attach the independent sources as annexes to your self-assessment report. Your EU statement of conformity will be a public declaration that you have met this criterion; ensure your internal records can substantiate this claim if challenged by a national competent authority.

4. Monitor for Legislative Changes

Laws change. A country that currently has no pre-exploitation reporting laws might pass one tomorrow. Article 23 imposes transparency obligations: if you become aware of a material change in circumstances (such as a new law in your controlling country), you must notify the auditing organisation (if applicable) and the national competent authority of establishment immediately. Failure to do so could lead to the revocation of your recognition.

5. Understand the Procurement Impact

Under Article 30(2), public sector bodies must procure cloud services recognised at Union assurance level 1 as a minimum. If you cannot satisfy Annex II, Section 1(g), you cannot be recognised at Level 1. Consequently, you would be ineligible to bid for the vast majority of public sector cloud contracts under CADA, as you would fail the baseline requirement.

Common misconceptions

"If my company policy says we won't report, that's enough." No. The criterion requires a guarantee that no law or practice forces you to report. Even if your internal policy forbids it, if a third-country statute compels it, you fail the criterion. The focus is on the external legal environment, not internal intent.

"A letter from our in-house legal team is sufficient." No. The text explicitly requires the demonstration to be made by "independent sources." Internal legal memos are not independent. You need external, verifiable evidence from third parties.

"This only applies to Level 3 or 4 (high security)." No. This is a Level 1 requirement. Since Level 1 is the mandatory baseline for all public sector procurement under Article 30(2), this criterion applies to every provider seeking to serve the public sector, regardless of the sensitivity of the data.

"If I am physically located in the EU, I am safe." No. The criterion applies specifically to providers "subject to the control of a third country or a legal entity established in a third-country." Your physical location in the EU does not exempt you if your controlling entity is abroad. The sovereignty framework targets the control structure, not just the physical infrastructure.

"I can just say 'no' to the government if they ask." No. The criterion is about the existence of a legal requirement, not your ability to resist it. If a law exists that requires reporting, you are non-compliant, even if you believe you could legally challenge it. The guarantee must be that the law does not exist.

This is general information about a draft EU regulation, not legal advice.