Summary

A non-EU cloud provider cannot automatically qualify for Union assurance level 3 under the proposed Cloud and AI Development Act (CADA). As proposed, providers subject to the control of a third country or a legal entity established in a third country are generally prohibited from achieving this level, unless the European Commission has specifically adopted an implementing act identifying that third country as an "associated third country" under Article 18. To qualify, the third country must meet six strict cumulative criteria, including holding a GDPR Article 45 adequacy decision, having no laws compelling data access or service disruption, and maintaining an open market for EU cloud services. Without this specific Commission decision, a provider under third-country control is excluded from level 3 recognition, regardless of its technical cybersecurity certifications.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a Union cloud computing sovereignty framework designed to mitigate risks associated with dependence on non-European providers. This framework comprises four Union assurance levels, with levels 2, 3, and 4 requiring independent third-party audits. Union assurance level 3 is a high-assurance tier intended for public sector activities that contribute to the preservation of public order, such as national security, defence, and law enforcement.

Under the general criteria for Union assurance level 3 set out in Annex II of the proposed regulation, cloud computing service providers and their subcontractors must not be subject to the control of a third country or a legal entity established in a third country. This creates a significant barrier for non-EU providers, particularly those headquartered in jurisdictions with extraterritorial data access laws, such as the United States under the CLOUD Act.

However, CADA provides a specific derogation for providers under third-country control through Article 18, titled "Associated third countries." This article allows the Commission to adopt decisions identifying specific third countries for which cloud computing service providers subject to their control may be audited against the criteria for Union assurance level 3.

The Role of Article 18: Associated Third Countries

Article 18 is the sole mechanism by which a non-EU provider, subject to third-country control, can qualify for Union assurance level 3. Without a Commission decision under this article, such a provider is automatically excluded from level 3 recognition, regardless of its technical capabilities or cybersecurity certifications.

The Commission may only identify a third country under Article 18 if that country fulfils a set of strict cumulative criteria. All of the following conditions must be met simultaneously:

  1. Adequacy Decision: The third country must be subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679 (the GDPR). This ensures that the third country provides a level of data protection essentially equivalent to that guaranteed within the EU.
  2. No Conflict with Lawful Access to Non-Personal Data: The third country must have no measures in place that enable it to exercise control over the cloud computing service provider in a way that conflicts with the requirements for lawful access to non-personal data set out in paragraphs 2 and 3 of Article 32 of Regulation (EU) 2023/2854 (the Data Act).
  3. No Compulsion to Disrupt or Degrade Service: The third country must have no measures in place to compel the cloud computing service provider to degrade or disrupt service continuity or provision. Furthermore, it must have no measures obliging the provider to implement, enforce, or comply with restrictive measures such as sanction regimes, embargoes, or equivalent legal or administrative measures, unless these measures are legitimate under the national laws of Member States or Union law.
  4. No Impediment to State-of-the-Art Technologies: The third country must have no measures in place to impede the provision of state-of-the-art technologies and services provided by the cloud computing service provider.
  5. Open Market: The third country must maintain an open market to Union cloud computing services.
  6. Reciprocal Access to Public Procurement: The third country must grant cloud computing services that are subject to the control of a Union Member State or entity, or of a legal entity established in the Union, equivalent levels of access to its public procurement procedures.

If a third country meets these criteria, the Commission may adopt an implementing act identifying it as an associated third country. This act is adopted in accordance with the examination procedure referred to in Article 46(2) of CADA.

Audit Requirements for Associated Third Country Providers

Even if a third country is listed under Article 18, the cloud computing service provider itself must still demonstrate compliance with additional safeguards. According to Annex II, Section 3, point (g), a provider subject to third-country control may be audited for Union assurance level 3 only if the Commission has adopted the implementing act under Article 18.

In such cases, the audited provider and its subcontractors must demonstrate that necessary legal, technical, and organisational measures have been implemented to ensure that:

  • The control of the third country over the provider is not exercised in a manner that restrains or restricts the provider's ability to perform and deliver the service, imposes limitations on infrastructure, assets, and personnel, or undermines the capabilities and standards necessary to perform the audited service. The provider should allow for reasonable access to the code.
  • Access by the third country or a legal entity established in that third country to customer data is prevented.
  • The possibility of disruption of service continuity and/or degradation of service quality by the third country or a legal entity established in that third country is prevented.
  • The control of the third country over the provider is not exercised in a manner that obliges the provider to implement, enforce, give effect to, or comply with restrictive measures adopted by the third country, unless such measures are legitimate under Member State or Union law.

Revocation and Monitoring

The status of an associated third country is not permanent. Article 18(2) states that where available information reveals that the third country no longer fulfils the requirements, the Commission shall repeal, amend, or suspend the decision. The Commission is also required to publish a list on its website of third countries that fulfil the requirements and those that no longer do so.

What this means for you

For cloud service providers and data centre operators subject to the rules, understanding Article 18 is critical for market access to the EU public sector.

If you are an EU-based provider: You are not subject to the Article 18 derogation. Your path to Union assurance level 3 relies on meeting the standard criteria in Annex II, including establishing yourself in the Union, ensuring infrastructure and personnel are located in the Union, and obtaining a European cybersecurity certificate of at least assurance level 'substantial'. You do not need to worry about third-country control issues unless you have significant non-EU ownership that triggers the "control" definition in CADA.

If you are a non-EU provider: Your ability to qualify for Union assurance level 3 depends entirely on the geopolitical and legal status of your home country. You must first verify if your country has been identified by the Commission as an "associated third country" under Article 18. If your country is not on this list, you cannot qualify for level 3, regardless of your technical merits.

Strategic considerations for non-EU providers:

  • Monitor Commission Decisions: Regularly check the Commission's published list of associated third countries. This list may change based on geopolitical developments, adequacy decision reviews, or changes in national laws regarding data access.
  • Demonstrate Structural Separation: If your country is listed, you must implement robust legal, technical, and organisational measures to demonstrate effective separation from third-country control. This includes preventing remote access to customer data, blocking service disruption capabilities, and ensuring that third-country laws cannot compel you to degrade service.
  • Prepare for Audits: Auditors will scrutinise your ownership structure, governance, and technical controls to verify that third-country control does not compromise the sovereignty requirements. You must provide evidence of code access, data flow restrictions, and incident response protocols that prevent third-country interference.
  • Consider Alternative Levels: If your country does not qualify under Article 18, you may still qualify for Union assurance level 1 through a conformity self-assessment, provided you meet the criteria in Annex II, Section 1. This includes being established in the Union (or having a subsidiary that is) and ensuring data remains in the Union unless explicitly required otherwise by the public sector body.

Common misconceptions

Misconception 1: Any non-EU provider can qualify for level 3 if they have an adequacy decision. An adequacy decision under Article 45 of the GDPR is a necessary but not sufficient condition. Article 18 requires six cumulative criteria, including open market access, reciprocal public procurement access, and no measures to disrupt service. A country may have an adequacy decision but fail other criteria, such as maintaining an open market for EU cloud services.

Misconception 2: Technical cybersecurity certifications replace the need for Article 18. While Union assurance level 3 requires a European cybersecurity certificate of at least assurance level 'substantial', this technical certification does not override the sovereignty requirements. If a provider is subject to third-country control and that country is not listed under Article 18, the provider cannot achieve level 3, even if it holds the highest cybersecurity certifications.

Misconception 3: "Control" only means majority ownership. Under CADA, "control" is defined broadly, referencing Regulation (EU) 2021/697. It includes not just shareholding but also the ability to exercise decisive influence over strategic decisions, appointment of board members, and veto rights. Even minority shareholders with specific rights may constitute "control," triggering the need for an Article 18 decision.

Misconception 4: Level 3 is available for all public sector activities. Union assurance level 3 is reserved for public sector activities identified through risk assessments as contributing to the preservation of public order, such as national security, defence, and law enforcement. Most public services will only require Union assurance level 1. Level 3 is a high-bar tier for specific, sensitive use cases.

This is general information about a draft EU regulation, not legal advice.