Summary
Under the proposed Cloud and AI Development Act (CADA), a third country becomes "associated" only through a formal decision by the European Commission, adopted as an implementing act under the examination procedure. This specific status allows cloud computing service providers controlled by that third country to be audited for Union assurance level 3, but solely if the country satisfies six strict, cumulative criteria covering data protection adequacy, absence of coercive laws, technology access, and market reciprocity. Without this Commission decision, providers subject to third-country control are generally excluded from level 3 recognition.
Detail
The CADA proposal establishes a "Union cloud computing sovereignty framework" to mitigate risks arising from dependence on non-European cloud providers. A core component of this framework is the Union assurance levels system, which categorizes cloud services based on their sovereignty and resilience. While the default position for higher assurance levels (2, 3, and 4) requires providers to be established in the Union and free from third-country control, the proposal introduces a narrow, conditional pathway for providers controlled by a third country to qualify for Union assurance level 3.
This pathway is not automatic. It requires the European Commission to formally identify the third country as meeting specific, rigorous requirements. This process is governed exclusively by Article 18 of the CADA proposal.
The Legal Mechanism: Article 18 and the Examination Procedure
The authority to associate a third country rests solely with the Commission. Article 18(1) explicitly states that the Commission may adopt decisions, by means of implementing acts, identifying third countries for which cloud computing service providers subject to the control of that third country may be audited against the criteria for Union assurance level 3.
Crucially, this is not a unilateral executive decision. The proposal mandates that these implementing acts be adopted in accordance with the examination procedure referred to in Article 46(2) of the Regulation. This procedure involves a committee composed of representatives from the Member States. The committee must deliver an opinion on the draft implementing act; if the committee delivers a positive opinion, or if no opinion is delivered, the Commission may adopt the act. If the committee delivers a negative opinion, the Commission cannot adopt the act. This ensures that the decision to associate a third country reflects a collective EU stance, balancing sovereignty concerns with international relations.
The Six Cumulative Criteria
For the Commission to adopt an implementing act under Article 18(1), the third country must fulfill six cumulative criteria. The text of the proposal is explicit: the country must satisfy all of the following conditions. Failure to meet even one criterion precludes the adoption of the decision.
- GDPR Adequacy Decision: The third country must be subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679 (the GDPR). This ensures that the country's data protection laws provide a level of protection essentially equivalent to that of the EU, forming the baseline for trust.
- No Conflicting Control Measures: The country must have no measures in place that enable it to exercise control over the cloud computing service provider in a way that would conflict with the requirements for lawful access to non-personal data set out in Article 32(2) and (3) of Regulation (EU) 2023/2854 (the Data Act). This prevents third-country laws from overriding EU rules on data access and portability.
- No Coercion to Disrupt or Sanction: The country must have no measures in place to compel the provider to degrade or disrupt service continuity or provision. Furthermore, it must have no measures obliging the provider to implement, enforce, give effect to, or comply with restrictive measures such as sanction regimes, embargoes, or any equivalent legal or administrative measures, unless these specific measures are legitimate under the national laws of Member States or Union law. This criterion safeguards the operational autonomy of the cloud service.
- No Impediment to Technology: The country must have no measures in place to impede the provision of state-of-the-art technologies and services provided by the cloud computing service provider. This ensures that the provider can access and deploy the latest innovations without political or legal obstruction.
- Open Market: The third country must maintain an open market to Union cloud computing services. This criterion ensures that the EU market is not closed off to European providers while the EU opens its market to the third country.
- Reciprocal Procurement Access: The third country must grant equivalent levels of access to public procurement procedures of cloud computing services subject to the control of a Union Member State or entity or a legal entity established in the Union. This ensures a level playing field for EU providers seeking to contract with public bodies in that third country.
Dynamic Monitoring and Revocation
The status of an "associated third country" is not permanent. Article 18(2) establishes a dynamic monitoring mechanism. If available information reveals that a third country no longer fulfills the requirements under paragraph 1, the Commission shall repeal, amend or suspend the decision. This ensures that the association status remains responsive to changes in the third country's legal or political landscape, such as the introduction of new surveillance laws or the withdrawal of a GDPR adequacy decision.
Furthermore, Article 18(3) mandates transparency. The Commission shall publish on its website a list of third countries that fulfil the requirements under paragraph 1 and those that no longer do so. This public register allows cloud providers, public sector bodies, and auditors to verify the current status of a third country before initiating an audit or procurement process.
Interaction with Union Assurance Level 3 Criteria
It is vital to understand that the Article 18 decision is a precondition for the application of the third-country control derogation within Annex II, Section 3.1(g). Under the standard criteria for Union assurance level 3, providers and their subcontractors must not be subject to the control of a third country. However, Article 18 provides a specific derogation: if the Commission has adopted an implementing act identifying the third country, the provider may be audited for level 3 provided they also demonstrate that necessary legal, technical, and organisational measures are in place to prevent third-country control from restricting service delivery, accessing customer data, disrupting continuity, or forcing compliance with restrictive measures.
Thus, Article 18 does not lower the bar for the provider; it merely opens the door for the provider to attempt to meet the level 3 criteria despite third-country control, subject to the country passing the six-criteria test.
What this means for you
For legal counsel, compliance officers, and public procurement teams, the Article 18 mechanism represents a critical gatekeeper for cloud sovereignty strategies.
1. Verification Before Procurement: If your organization intends to procure cloud services at Union assurance level 3 from a provider controlled by a non-EU entity, you must first verify the status of that entity's controlling jurisdiction. You cannot rely on the provider's self-assessment alone. You must check the Commission's website (as required by Article 18(3)) to confirm that an implementing act under Article 18 is currently in force for that specific third country. If no such act exists, the provider is legally ineligible for level 3 recognition, regardless of their internal security measures.
2. Contractual Risk Management: Because the association status is dynamic and subject to revocation under Article 18(2), contracts with cloud providers should include specific clauses addressing the loss of this status. If a third country loses its association (e.g., due to a change in GDPR adequacy or the introduction of coercive laws), the provider may immediately lose eligibility for level 3. Contracts should define the consequences of such a loss, including migration timelines, termination rights, and liability for service disruption.
3. The High Bar for Market Access: The six criteria in Article 18(1) are designed to be stringent. The requirement for a GDPR adequacy decision immediately excludes many major global cloud markets. Furthermore, the reciprocity requirement (criterion 6) acts as a geopolitical lever, ensuring that association is not granted to countries that block EU providers from their public markets. Compliance teams should anticipate that very few, if any, third countries will meet all six criteria simultaneously in the near term.
4. Distinction from Other Assurance Levels: It is important to note that Article 18 applies only to Union assurance level 3. It does not provide a mechanism for third-country controlled providers to qualify for level 1, 2, or 4.
- Level 1 relies on self-assessment and establishment in the Union, but generally requires data to remain in the Union.
- Level 2 requires the provider to be established in the Union and generally prohibits third-country control without specific derogations that are not covered by Article 18.
- Level 4 imposes the strictest requirements, generally prohibiting third-country control entirely to ensure the highest level of sovereignty for classified or sensitive data.
Common misconceptions
Misconception 1: "Associated third country" means the country is part of the EU single market. No. "Associated third country" is a technical legal status defined strictly for the purpose of the CADA sovereignty framework. It does not imply political association, membership in the EU, or access to the single market for other goods and services. It is a narrow derogation allowing specific cloud providers to be audited for level 3.
Misconception 2: A country with a GDPR adequacy decision automatically qualifies. Incorrect. While a GDPR adequacy decision is the first of the six criteria (Article 18(1)(a)), it is merely the entry ticket. A country could have an adequacy decision but fail the test if it imposes sanctions on cloud providers, restricts technology exports, or does not grant reciprocal access to public procurement for EU providers. All six criteria are cumulative; failure in any one disqualifies the country.
Misconception 3: The Commission can decide to associate a country unilaterally. No. Article 18(1) mandates that the decision be adopted via an implementing act under the examination procedure (Article 46(2)). This involves a committee of Member State representatives, ensuring that the decision reflects a collective EU position rather than a unilateral executive action by the Commission.
Misconception 4: This mechanism applies to all cloud services globally. No. The Article 18 mechanism is specifically tied to the criteria for Union assurance level 3. It does not apply to level 1 (which focuses on establishment in the Union) or level 4 (which generally prohibits third-country control). It is a targeted exception for a specific assurance level, not a general waiver for all cloud services.
This is general information about a draft EU regulation, not legal advice.