Summary
As proposed in the Cloud and AI Development Act (CADA), a foreign-owned EU subsidiary can achieve recognition for Union assurance levels 1, 2, and potentially 3, but the path is strictly tiered by the degree of third-country control. For Level 1, the subsidiary must prove its controlling third country has no laws requiring the reporting of software vulnerabilities before they are exploited (Annex II 1.1(g)). For Levels 2 and 3, the provider must demonstrate effective legal, technical, and organizational separation to prevent third-country access to data or service disruption. Crucially, Level 3 requires a specific Commission implementing act under Article 18 identifying the third country as "associated," whereas Level 4 is strictly reserved for providers not subject to third-country control, effectively barring foreign-owned entities from the highest tier unless they divest control.
Detail
The CADA proposal establishes a "Union cloud computing sovereignty framework" (Article 16) comprising four assurance levels. For a cloud computing service provider (CSP) that is an EU-established subsidiary of a foreign parent, the route to recognition is not a single path but a series of escalating hurdles defined by the cumulative criteria in Annex II and the specific derogation mechanism in Article 18.
Union Assurance Level 1: The Baseline for Foreign-Owned Subsidiaries
Union assurance level 1 serves as the baseline for public sector bodies whose activities are not identified as contributing to the preservation of public order (Article 30(2)). It is the most accessible tier for foreign-owned EU subsidiaries, provided they meet specific sovereignty safeguards regarding third-country legal influence.
Under Annex II, Section 1.1, a CSP must be established in the Union. However, criterion 1.1(g) explicitly addresses the risk of foreign legal overreach: "Where the cloud computing service provider is subject to the control of a third country or a legal entity established in a third-country, the cloud computing service provider guarantees that there are no existing laws and practices in that third country, demonstrated by independent sources, that require the cloud computing service provider to report information on software vulnerabilities to authorities of that third country prior to those vulnerabilities being known to have been exploited."
This criterion is a targeted safeguard against "zero-day" harvesting. It means a foreign-owned subsidiary can achieve Level 1 recognition only if it can prove, via independent sources, that its home country does not possess laws compelling the disclosure of unpatched software vulnerabilities to foreign intelligence or law enforcement authorities before those vulnerabilities are publicly known or exploited. This prevents foreign governments from gaining an asymmetric advantage over EU infrastructure through mandatory reporting regimes.
Union Assurance Levels 2 and 3: Proving Immunity from Control
For higher assurance levels, the requirements shift from merely checking for specific laws to proving a comprehensive immunity from third-country control. Annex II, Section 2.1(g) (Level 2) and Section 3.1(g) (Level 3) mandate that if the audited provider is subject to third-country control, it must demonstrate that necessary legal, technical, and organizational measures are in place to ensure four critical outcomes:
- Operational Autonomy: The third country's control must not restrain the provider's ability to perform and deliver the service, impose limitations on infrastructure or personnel, or undermine the capabilities necessary for the service.
- Data Access Prevention: Access by the third country or a legal entity established in a third country to customer data must be prevented.
- Service Continuity: The possibility of disruption of service continuity or degradation of service quality by the third country must be prevented.
- Sanctions Immunity: The provider must not be obliged to implement, enforce, or comply with restrictive measures (such as sanction regimes or embargoes) adopted by the third country, unless such measures are legitimate under the national laws of Member States or Union law.
Furthermore, Level 3 introduces a critical distinction. While Annex II, Section 3.1(g) generally states that the provider and subcontractors "are not subject to the control of a third country," it immediately provides a derogation: "By way of derogation to this criterion, a cloud computing service provider... subject to the control of a third country... may be audited for Union assurance level 3 where the Commission has adopted an implementing act under Article 18."
This means that for a foreign-owned entity to reach Level 3, it is not enough to simply prove separation; the country of the parent company must first be officially recognized by the Commission.
Article 18: The Gateway for Third-Country Providers at Level 3
Article 18, titled "Associated third countries," is the exclusive gateway for foreign-controlled entities to qualify for Union assurance level 3. The Commission may adopt implementing acts identifying third countries whose CSPs can be audited against Level 3 criteria, provided the country meets a strict set of cumulative criteria:
- Adequacy: The third country must be subject to a relevant adequacy decision adopted under Article 45 of the GDPR (Regulation (EU) 2016/679).
- No Extraterritorial Data Access: The country must have no measures enabling it to exercise control over the CSP in a way that conflicts with lawful access to non-personal data rules (specifically referencing Article 32 of the Data Act).
- No Service Disruption: The country must have no measures to compel the CSP to degrade or disrupt service continuity.
- No Coercive Measures: The country must have no measures to oblige the CSP to enforce third-country sanctions or embargoes, unless legitimate under EU law.
- Technology Access: The country must not impede the provision of state-of-the-art technologies.
- Market Openness: The country must maintain an open market to Union cloud computing services.
- Reciprocity: The country must grant equivalent levels of access to public procurement procedures for EU-controlled services.
If a third country meets these criteria, the Commission may recognize it. Consequently, an EU subsidiary of a provider from that recognized country can undergo the independent third-party audit required for Level 3 (Article 20). Without this Article 18 recognition, a foreign-controlled entity is effectively barred from Level 3, regardless of its EU establishment or internal separation measures.
Union Assurance Level 4: The Sovereign Barrier
Union assurance level 4 represents the highest tier of sovereignty, intended for the most sensitive public order activities, including the hosting of EU classified information. Annex II, Section 4.1(g) states unequivocally: "The audited provider and the subcontractors which are involved in the provision of the audited service are not subject to the control of a third country or a legal entity established in a third-country."
Unlike Level 3, there is no derogation and no Article 18 gateway for Level 4. The text is absolute. This means that, as proposed, a foreign-owned EU subsidiary cannot achieve Level 4 recognition. The framework explicitly excludes any entity subject to third-country control from the highest assurance tier. This creates a hard ceiling for non-EU owned infrastructure in the most critical national security and public order contexts. Even if a provider implements perfect firewalls and data segregation, the mere existence of third-country control disqualifies it from Level 4.
The Recognition Process
Regardless of the tier, the recognition process is centralized under Article 17. The CSP must submit an application to the national competent authority of its establishment (the EU Member State where its main establishment is located).
- For Level 1: The CSP performs a conformity self-assessment and issues an EU statement of conformity (Article 19). For SMEs, this is automatically recognized across the Union. For larger entities, the national competent authority assesses the evidence.
- For Levels 2-3: The CSP must undergo an independent third-party audit (Article 20). The auditor issues a "positive" audit opinion. The national competent authority then evaluates this audit report and the evidence, including the proof of separation and, for Level 3, the Commission's Article 18 decision.
- Mutual Recognition: Once recognized by the competent authority of establishment, the service is recognized across the entire Union (Article 17(7)). Other Member States have a 60-day review period to raise reasoned objections, but if none are raised, the recognition is Union-wide.
What this means for you
If you are a cloud service provider or data centre operator with an EU subsidiary but foreign ultimate ownership, you must tailor your compliance strategy to the assurance level you target.
- Conduct a Legal Audit of Home Country Laws: For Level 1, you must gather independent evidence that your home country lacks mandatory pre-exploitation vulnerability reporting laws. For Levels 2 and 3, you must map all potential avenues of third-country control, including sanctions regimes, data access laws, and service disruption mechanisms.
- Implement Structural Separation: To qualify for Levels 2 and 3, you must implement robust legal, technical, and organizational measures. This includes firewalls that prevent remote access from the parent company, strict data residency controls that ensure no data leaves the Union, and contractual guarantees that the parent cannot force service degradation. You must document these measures meticulously for the independent audit.
- Monitor Article 18 Developments: If you aim for Level 3, your eligibility hinges entirely on the Commission's assessment of your home country under Article 18. Engage with your national competent authority to understand the likelihood of your country being designated as "associated." If your country is not designated, you are capped at Level 2.
- Accept the Level 4 Ceiling: Do not invest in achieving Level 4 compliance if you remain under third-country control. The framework explicitly excludes you. Focus your resources on maximizing your Level 3 status or exploring joint ventures with purely EU-owned entities if Level 4 is required for specific clients.
- Prepare for Independent Audits: Levels 2-4 require rigorous third-party audits (Article 20). Select an auditing organization that is independent, has no conflicts of interest, and possesses the technical competence to assess cloud sovereignty. Be prepared to provide extensive evidence, including software bills of materials (SBOMs), data flow diagrams, and proof of separation from third-country subsidiaries.
Common misconceptions
Misconception 1: Being established in the EU is enough for any level. While EU establishment is a prerequisite for all levels, it is not sufficient. Foreign ownership triggers additional, stricter criteria at every tier. Level 1 requires proof regarding vulnerability reporting; Levels 2 and 3 require proof of immunity from third-country control; Level 4 is outright prohibited for foreign-controlled entities.
Misconception 2: Article 18 applies to Level 2. Article 18 specifically governs the recognition of third countries for Union assurance level 3. Level 2 criteria (Annex II, Section 2.1(g)) allow for third-country control if the provider demonstrates effective separation measures, but this does not require a Commission decision under Article 18. The Article 18 gateway is exclusively for Level 3, where the default rule is a prohibition on third-country control.
Misconception 3: Data localization alone ensures sovereignty. CADA's sovereignty framework goes beyond data residency. Even if data stays in the EU, a foreign-owned provider may still be subject to third-country laws that compel service disruption, data access (via metadata or other means), or the implementation of sanctions. The framework requires proof that these extraterritorial pressures are effectively blocked, not just that data physically remains in the Union.
Misconception 4: Level 4 is achievable with strong contractual safeguards. No. Annex II Section 4.1(g) is absolute: the provider must not be subject to third-country control. Contractual safeguards are insufficient to override this statutory prohibition. Only entities with no third-country control can pursue Level 4.
This is general information about a draft EU regulation, not legal advice.