Summary

Under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider subject to the control of a third country can only qualify for Union assurance level 3 if the European Commission has formally designated that third country as an "associated third country" under Article 18. This designation is a strict prerequisite; without it, the vendor is ineligible for level 3 recognition regardless of its technical capabilities. Legal teams must first verify that this designation exists, then ensure the vendor's independent audit explicitly validates the foreign-control safeguards detailed in Annex II, Section 3.1(g). Those safeguards require proof that third-country control does not restrict service delivery or allow service to be disrupted, that access by the third country to customer data is prevented, and that the provider cannot be compelled to comply with restrictive measures such as sanctions.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a Union cloud computing sovereignty framework comprising four assurance levels. While Union assurance level 1 allows for self-assessment, levels 2, 3, and 4 require independent third-party audits to verify compliance with stringent criteria. Union assurance level 3 is specifically designed for public sector activities that contribute to the preservation of public order, such as those in national security, internal security, defence, justice, or law enforcement.

A core principle of the proposal is that cloud services subject to the control of a third country are generally excluded from these higher assurance levels to prevent extraterritorial interference. However, Article 18 creates a narrow, conditional pathway for non-EU vendors to achieve level 3 recognition. This pathway is not automatic; it hinges on a two-step verification process: confirming the geopolitical status of the vendor's home jurisdiction and validating the specific operational safeguards against foreign control during the audit.

Step 1: Verify the "Associated Third Country" Designation (Article 18)

The first and most critical gatekeeper for any non-EU vendor is Article 18. As proposed, a cloud computing service provider subject to the control of a third country may only be audited against the criteria for Union assurance level 3 if the Commission has adopted an implementing act identifying that third country as fulfilling a set of cumulative criteria.

Legal teams must consult the Commission's official list of associated third countries before engaging in any procurement or audit process. If the vendor's home country is not on this list, the vendor is legally ineligible for level 3 recognition. The proposal explicitly states that the Commission may adopt decisions identifying third countries only if they fulfill the following cumulative criteria under Article 18(1):

  1. GDPR Adequacy: The third country is subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679 (GDPR).
  2. No Conflicting Control Measures: The third country has no measures in place that enable it to exercise control over the cloud computing service provider in a way that would conflict with the requirements for lawful access to non-personal data set out in Article 32(2) and (3) of the Data Act (Regulation (EU) 2023/2854).
  3. No Service Disruption: The third country has no measures in place to compel the provider to degrade or disrupt service continuity or provision.
  4. No Coercive Restrictive Measures: The third country has no measures in place to oblige the provider to implement, enforce, give effect to, or comply with restrictive measures such as sanction regimes, embargoes, or equivalent legal/administrative measures, unless these are legitimate under Member State or Union law.
  5. Open Market: The third country maintains an open market to Union cloud computing services.
  6. Reciprocity: The third country grants equivalent levels of access to public procurement procedures for cloud computing services subject to the control of a Union Member State or entity.

This status is dynamic. Under Article 18(2), if available information reveals that a third country no longer fulfills these requirements, the Commission must repeal, amend, or suspend the decision. Therefore, legal teams must treat this verification as an ongoing compliance obligation, not a one-time check.

Step 2: Validate Foreign-Control Safeguards in the Audit (Annex II 3.1(g))

Once the associated third-country status is confirmed, the vendor must undergo an independent third-party audit under Article 20 to obtain a "positive" audit opinion. The legal team's role shifts to ensuring the auditor rigorously assesses the vendor against the specific criteria for level 3 found in Annex II, Section 3.1(g).

Annex II, Section 3.1(g) establishes a derogation from the general rule that providers subject to third-country control are ineligible. It states that such providers may be audited for level 3 only if they demonstrate that necessary legal, technical, and organisational measures are implemented to ensure four specific outcomes:

  • No Restriction on Service Delivery: The control of the third country must not be exercised in a manner that restrains or restricts the provider's ability to perform and deliver the service, imposes limitations on the infrastructure, assets, and personnel required, or undermines the capabilities and standards necessary to perform the audited service. Crucially, the provider must allow for reasonable access to the code.
  • Prevention of Data Access: Access by the third country or a legal entity established in that third country to customer data must be prevented.
  • Prevention of Service Disruption: The possibility of disruption of service continuity and/or the degradation of service quality by the third country must be prevented.
  • No Coercive Compliance: The control of the third country must not oblige the provider to implement, enforce, give effect to, or comply with restrictive measures (such as sanctions or embargoes) adopted by that third country, unless such measures are legitimate under Member State or Union law.

The audit evidence required to prove these safeguards is detailed in Annex III, Criterion G. The auditing organisation must analyze the vendor's ownership structure, corporate governance, and commercial/financial links to identify any ultimate control by the third country. If control is identified, the auditor must request additional evidence demonstrating the effective legal, technical, and organisational separation between the provider and the third country. This includes verifying that the provider can refuse third-country requests to access data or disrupt service, and that such refusals are recorded.

The Role of the National Competent Authority

Following the audit, the vendor submits an application for recognition to the national competent authority of establishment under Article 17. The evaluating authority must assess the audit report and the "positive" opinion. For non-EU vendors, this step is particularly critical. The authority must verify that the associated third-country designation under Article 18 is still valid at the time of the application and that the audit evidence adequately addresses the specific foreign-control safeguards in Annex II 3.1(g). If the authority finds the evidence insufficient, it may reject the request for recognition.

What this means for you

For in-house counsel, compliance officers, and procurement teams, the CADA proposal introduces a rigorous, multi-layered due diligence burden for any cloud procurement involving non-EU vendors for high-risk public sector activities.

1. Pre-Engagement Geopolitical Screening

Before initiating any procurement process for level 3 services, verify the vendor's jurisdiction against the Commission's list of associated third countries. If the vendor is from a non-designated country, it cannot legally qualify for level 3. Do not rely on general GDPR adequacy decisions alone; the CADA designation under Article 18 is a distinct, stricter requirement that includes operational autonomy, market reciprocity, and protection against service disruption.

2. Audit Scope and Oversight

When selecting an auditing organisation under Article 20, ensure it has the specific expertise to assess complex corporate governance structures and foreign control mechanisms. The legal team should review the audit scope to confirm it explicitly covers Annex II, Section 3.1(g). Pay particular attention to the auditor's analysis of "commercial links conferring control" and "financial links conferring control," as outlined in Annex III, Criterion G. These are often the hidden vectors of third-country influence that standard cybersecurity audits might miss.

3. Contractual Safeguards

Ensure your contracts with the cloud provider include clauses that mirror the Annex II 3.1(g) requirements. The provider should contractually guarantee that it will not comply with any third-country requests that conflict with EU law and that it will notify the public sector body of any such requests. These contractual provisions serve as the legal backbone for the "organisational measures" required by the regulation.

4. Ongoing Monitoring

Under Article 18(2), the Commission can suspend or revoke a country's associated status if circumstances change. Legal teams must monitor these regulatory updates. If a vendor's home country loses its designation, the vendor's level 3 recognition will be invalid, potentially triggering immediate non-compliance for the public sector body and requiring urgent migration to a compliant provider.

5. Penalties and Liability

Under Article 24, Member States must lay down rules on penalties applicable to infringements of the sovereignty chapter. These penalties must be "effective, proportionate and dissuasive." If a public sector body procures a level 3 service from a vendor that does not meet the associated third-country criteria or fails the Annex II safeguards, it may face regulatory scrutiny. Additionally, Article 24(3) gives recipients the right to seek compensation from providers for any damage or loss suffered due to an infringement.

Common misconceptions

Myth: GDPR adequacy is enough for CADA level 3. Reality: While an adequacy decision under GDPR Article 45 is a prerequisite for Article 18, it is not sufficient. CADA adds layers of operational autonomy, market reciprocity, and protection against service disruption that go beyond data privacy. A country can have an adequacy decision but still fail the CADA sovereignty tests if it retains the ability to disrupt services or coerce providers.

Myth: Non-EU vendors can self-certify for level 3. Reality: Self-assessment is only permitted for Union assurance level 1 under Article 19. Levels 2, 3, and 4 require independent third-party audits under Article 20. For non-EU vendors seeking level 3, the audit must specifically validate the foreign-control safeguards in Annex II 3.1(g).

Myth: If the vendor is EU-incorporated, third-country control doesn't matter. Reality: CADA looks through corporate structures to ultimate control. Annex III, Criterion G requires auditors to identify all direct and indirect shareholders up to the ultimate owners. If a third country or entity established in a third country exercises control (e.g., through veto rights, board appointments, or financial dependence), the strict safeguards of Annex II 3.1(g) apply, regardless of where the service provider is legally incorporated.

Myth: The associated third-country list is static. Reality: The list is dynamic. The Commission must review and can revoke designations if a country no longer meets the criteria (Article 18(2)). Legal teams must treat this as a live compliance requirement, not a one-time check.

This is general information about a draft EU regulation, not legal advice.