Summary

As proposed, the Cloud and AI Development Act (CADA) requires Member States and Union entities to conduct mandatory risk assessments under Article 29 to determine if their cloud computing services involve activities that preserve public order. These assessments must explicitly evaluate the risk of "unlawful access under Union law to such data by a third country or a legal entity established in a third country," a direct legislative response to extraterritorial laws such as the US CLOUD Act. If such risks are identified, the regulation mandates the procurement of cloud services with higher Union assurance levels (2, 3, or 4) to ensure data confidentiality and operational autonomy. This framework shifts the compliance burden from simple data localization to a rigorous analysis of legal control and third-country jurisdiction.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a rigorous framework to mitigate the strategic dependencies and security risks associated with the European Union's reliance on non-European cloud computing service providers. A central pillar of this framework is the "Union cloud computing sovereignty framework," which categorizes cloud services into four "Union assurance levels" based on their ability to protect against third-country interference. The mechanism that triggers the requirement for these higher assurance levels is the risk assessment mandated by Article 29 of the proposal.

The Legal Basis: Recitals 46 and 50

The rationale for addressing extraterritorial law is explicitly laid out in the recitals of the CADA proposal, providing the political and legal context for the mandatory assessments.

Recital 46 states that the Union remains critically dependent on a limited number of cloud computing service providers subject to the control of third countries or legal entities established in third countries. This dependence exposes the Union to critical strategic dependencies, including vulnerabilities arising from the "extraterritorial application of third-country laws." The recital notes that these laws can mandate data access and transfer that may conflict with EU fundamental rights and data protection frameworks. It highlights that the ability of the Union to retain control over infrastructure, data, and assets under Union jurisdiction has become an "imperative policy objective."

Recital 50 further elaborates on the specific risks that necessitate mitigation measures to preserve public order. It identifies "access to information" risks, which include unauthorized communication, technology leakage, data manipulation or exfiltration, and espionage. It also highlights "dependency vulnerabilities," such as political or economic coercion through vendor lock-ins, embargoes, or sanctions. The recital explicitly links these risks to the need for specifying conditions in public procurement procedures to protect the public order of the Union and Member States. It frames the risk assessment not merely as a technical exercise, but as a fundamental safeguard against the misuse of data and the disruption of service continuity by third-country actors.

The Mechanism: Article 29 Risk Assessments

Article 29 of the CADA proposal imposes a binding obligation on Member States and Union entities to carry out risk assessments. This is not a voluntary best practice but a mandatory compliance step designed to operationalize the sovereignty framework.

  1. Timing and Frequency: According to Article 29(1), Member States and Union entities must carry out these risk assessments within one year of the regulation's entry into force, and thereafter every two years, or whenever necessary.
  2. Scope of Assessment: The assessment must identify public sector activities that use or will use cloud computing services and contribute to the preservation of public order. This includes sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), as well as areas of national security, internal security, external border management, defence, justice, and law enforcement.
  3. Determining Assurance Levels: The primary output of the risk assessment is the determination of which Union assurance level (2, 3, or 4) is appropriate for the identified activities. Article 29(1)(b) explicitly requires the assessment to determine the appropriate assurance level to preserve public order.

Addressing Extraterritorial Law: Article 29(2)(b)

The specific provision that addresses extraterritorial third-country law is Article 29(2)(b). When conducting the risk assessment, Member States and Union entities must consider:

"(b) the risk and consequent impact on public order of unlawful access under Union law to such data by a third country or a legal entity established in a third country;"

This clause directly targets the legal reality of extraterritorial data access laws, such as the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act). Under the CLOUD Act, US-based cloud providers are required to preserve and disclose electronic communications and records within their possession, custody, or control, regardless of whether the data is located within or outside the United States. This creates a scenario where data stored in an EU data center but hosted by a US-controlled provider can be accessed by US authorities, potentially bypassing EU data protection laws and judicial oversight.

By requiring an assessment of the "risk and consequent impact on public order of unlawful access," CADA forces public sector bodies to evaluate whether their chosen cloud provider is subject to such extraterritorial jurisdictions. If a provider is subject to a third-country law that permits access to EU data without adequate safeguards or EU judicial oversight, this constitutes a significant risk to public order. The assessment must weigh the "risk and consequent impact" of such access, moving beyond the mere existence of a law to its practical application and the likelihood of it being used to access Union data.

Linking Risk to Assurance Levels

The risk assessment does not exist in a vacuum; it directly dictates procurement requirements under Article 30.

  • Minimum Baseline: All public sector bodies must use cloud computing services recognized as having at least Union assurance level 1 (Article 30(2)). Level 1 requires the provider to be established in the Union and infrastructure to be located in the Union, but it allows for some subcontracting outside the Union if certain safeguards are met.
  • Higher Assurance for Public Order: If the risk assessment under Article 29 determines that the activities have public order relevance (e.g., due to the risk of extraterritorial data access), the contracting authority must only procure and use services recognized as offering Union assurance levels 2, 3, or 4 (Article 30(3)).

The criteria for these higher levels, set out in Annex II, are designed to mitigate the specific risks of extraterritorial law. For example, Union assurance level 2 requires that if the provider is subject to third-country control, it must demonstrate that legal, technical, and organizational measures prevent access by that third country to customer data and prevent disruption of service continuity. Union assurance levels 3 and 4 impose even stricter requirements, including prohibitions on third-country control over the provider and subcontractors (unless a specific derogation under Article 18 is granted), and requirements for Union citizenship for personnel handling sensitive data.

Crucially, Annex II for levels 2, 3, and 4 requires the provider to demonstrate that "access by a third country or by a legal entity established in a third-country to customer data is prevented" and that the "possibility of disruption of the service continuity... by a third country... is prevented." This directly counters the mechanism of laws like the CLOUD Act by mandating technical and legal barriers that render such extraterritorial access impossible or ineffective.

Commission Guidance and Oversight

To ensure consistent application, Article 29(3) empowers the Commission to adopt implementing acts specifying the methodology, templates, and elements for these risk assessments. The Commission will provide guidance to assist Member States, ensuring that the assessment of extraterritorial risks is harmonized across the Union. Furthermore, Article 29(5) allows the Commission to intervene if it concludes that the Union assurance level identified in a Member State's risk assessment is not appropriate or does not adequately address public order concerns. The Commission can then adopt implementing acts to specify the required assurance levels for specific public sector activities, ensuring a unified front against third-country legal overreach.

What this means for you

For in-house counsel and compliance officers in the public sector and regulated private industries, the CADA proposal introduces a new, mandatory layer of due diligence in cloud procurement.

  1. Mandatory Risk Assessments: You must prepare to conduct comprehensive risk assessments of all cloud computing services used for activities related to public order, national security, defence, justice, and law enforcement. This is not optional. The deadline for the first assessment is one year after the regulation enters into force.
  2. Focus on Extraterritorial Risk: Your assessments must explicitly evaluate the risk of unlawful data access by third countries. You cannot simply rely on standard data processing agreements or GDPR adequacy decisions. You must analyze the legal jurisdiction of your cloud provider's parent company and its subcontractors. If a provider is subject to the US CLOUD Act or similar legislation in another third country, this must be flagged as a risk factor. The assessment must quantify the "risk and consequent impact" on public order.
  3. Procurement Implications: If your risk assessment identifies a significant risk of extraterritorial access, you may be legally prohibited from using standard commercial cloud offerings from non-EU providers. You must procure services with Union assurance levels 2, 3, or 4. This may require switching to EU-based providers or specific "sovereign" cloud offerings that have undergone independent third-party audits to demonstrate compliance with the strict criteria in Annex II.
  4. Audit and Documentation: For providers aiming for assurance levels 2-4, be prepared for rigorous independent audits. Auditors will examine your corporate structure, shareholder agreements, and technical controls to verify that third-country entities cannot access data or disrupt services. You must maintain detailed documentation of your software supply chain, including Software Bills of Materials (SBOMs), to demonstrate that no remote features can be used to tamper with or disrupt services.
  5. Private Sector Spillover: While Article 29 applies to public sector bodies, Article 31 allows private sector entities in critical sectors (as defined in NIS2) to conduct similar impact assessments. The Commission may issue guidance or even adopt delegated acts requiring impact assessments and risk mitigation measures for private entities in high-criticality sectors. Compliance officers in finance, energy, and transport should monitor this development closely.

Common misconceptions

  • "GDPR adequacy is enough." An adequacy decision under the GDPR ensures that a third country provides a level of data protection essentially equivalent to the EU. However, as noted in Recital 46, the CADA addresses sovereignty concerns that go beyond data transfers. It focuses on operational autonomy and the risk of service disruption or unauthorized access via extraterritorial laws, which adequacy decisions do not fully mitigate. Adequacy covers data protection, but CADA covers data sovereignty and control.
  • "Data localization solves the problem." Storing data physically in the EU is a requirement for Union assurance level 1, but it is not sufficient for higher levels. If the provider is controlled by a third-country entity subject to extraterritorial laws, the data can still be accessed legally by that third country, regardless of its physical location. CADA's higher assurance levels require legal and technical separation from third-country control, not just physical location.
  • "Only the public sector is affected." While the mandatory risk assessments are for public sector bodies, the procurement requirements create a market signal. Private sector entities, especially those in critical infrastructure sectors under NIS2, are encouraged to conduct similar assessments. Furthermore, the push for sovereign cloud services will reshape the market, making non-compliant providers less viable for large-scale contracts.

This is general information about a draft EU regulation, not legal advice.