Summary

As proposed, the Cloud and AI Development Act (CADA) would balance openness with sovereignty through a risk-based, non-discriminatory framework that lets third-country providers compete for public contracts if they meet strict assurance criteria. Under Article 18, providers controlled by a third country could be audited for Union assurance level 3 where that country satisfies specific legal and market-openness safeguards — reflecting the EU's "open strategic autonomy" rather than isolation. The approach is presented as compatible with the EU's International Digital Strategy and with WTO rules, allowing procurement restrictions only where necessary to protect public order.

Detail

CADA is designed to reduce critical dependencies on non-European providers while keeping an open, non-discriminatory single market. The proposal explicitly rejects an outright ban on non-EU providers. Instead, it introduces a harmonised sovereignty framework based on four "Union assurance levels," letting public-sector bodies procure cloud services according to the sensitivity of their activities and the risks tied to a provider's jurisdictional control.

The sovereignty framework and Union assurance levels

The core sits in Title IV, Chapter I. Article 16 establishes the Union cloud computing sovereignty framework comprising four assurance levels, with criteria set out in Annex II, that providers must meet to serve Union entities and public-sector bodies.

  • Union assurance level 1: providers must be established in the Union, with infrastructure, assets, and customer data remaining within the Union unless the public sector body explicitly requires otherwise (Annex II, point 1.1). This is the minimum for procurement where activities are not identified as contributing to public order (Article 30(2)).
  • Union assurance levels 2, 3, and 4: higher levels add independent third-party audits, Union-citizenship requirements for personnel (Levels 3 and 4), and restrictions on third-country control (Annex II, sections 2-4).

Openness through Article 18: third-country eligibility

A key feature of the balance is Article 18, "Associated third countries." It allows providers subject to the control of a third country (or a third-country entity) to be audited against the criteria for Union assurance level 3, provided that country fulfils strict cumulative criteria — so that high standards, not nationality, govern eligibility.

Under Article 18(1), the Commission may adopt implementing acts identifying third countries whose providers may qualify for Level 3 if the country meets all of the following:

  1. Adequacy decision: it is subject to a relevant adequacy decision under Article 45 of the GDPR (Regulation (EU) 2016/679).
  2. No conflicting data-access measures: it has no measures enabling control over the provider in a way that conflicts with the rules on lawful access to non-personal data in Article 32(2) and (3) of the Data Act (Regulation (EU) 2023/2854).
  3. No service-disruption powers: it has no measures to compel the provider to degrade or disrupt service continuity, nor to oblige it to implement restrictive measures such as sanctions or embargoes, unless legitimate under Member State or Union law.
  4. No technology impediments: it has no measures to impede the provision of state-of-the-art technologies and services.
  5. Open market: it maintains an open market to Union cloud-computing services.
  6. Reciprocal access: it grants equivalent access to its public-procurement procedures for services controlled by a Union Member State or entity.

If a third country ceases to fulfil these requirements, the Commission must repeal, amend, or suspend the decision (Article 18(2)). The Commission would publish a list of qualifying (and no-longer-qualifying) third countries (Article 18(3)).

Alignment with open strategic autonomy

The proposal frames its approach as consistent with "open strategic autonomy." Per the explanatory memorandum, it is presented as compatible with the EU's 2025 Communication on an International Digital Strategy, offering a transparent, non-discriminatory blueprint for digital autonomy at home and a trusted model for international partnerships abroad. The framework is presented as respecting the Union's international commitments, allowing restrictions on public-procurement access only where necessary to protect public order, in line with the relevant WTO Government Procurement Agreement exception.

Risk assessments and procurement obligations

The balance is operationalised through risk assessments. Member States and Union entities must conduct risk assessments — within one year of entry into force and thereafter every two years, or whenever necessary — to identify which public-sector activities contribute to the preservation of public order (Article 29). For activities so identified (for example, national security, defence, justice), contracting authorities must only procure services recognised at Union assurance levels 2, 3, or 4 (Article 30(3)). For other activities, Union assurance level 1 is sufficient (Article 30(2)). This tiering keeps sovereignty requirements proportionate to actual risk.

What this means for you

For in-house counsel and compliance officers, CADA as proposed would add due-diligence and strategic-planning layers for public-sector contracts and critical-infrastructure projects.

  • Assess your jurisdictional risk. If your organisation is controlled by a third country, evaluate whether your home country meets the Article 18 criteria; if not, the route to Union assurance level 3 via Article 18 would be unavailable. Monitor the Commission's published list closely.
  • Prepare for audits. Providers seeking Levels 2-4 must undergo independent third-party audits (Article 20). Ensure internal controls, data-localisation policies, and supply-chain documentation are audit-ready. Even under Article 18, Level 3 requires demonstrating effective measures against third-country interference.
  • Review public-procurement strategies. Contracting authorities conduct risk assessments at least every two years (Article 29(1)). Map activities against the assurance levels; procuring the wrong level for a public-order activity would breach Article 30.
  • Monitor legislative developments. CADA is a proposal. Implementing acts identifying associated third countries (Article 18) and delegated acts on audit rules (Article 20(9)) remain to be adopted. Track this secondary legislation.
  • Penalties and liability. Member States must lay down effective, proportionate, and dissuasive penalties for infringements of the sovereignty framework (Article 24). Recipients of services have the right to seek compensation for damage caused by a provider's infringement of its obligations under that chapter (Article 24(3)). Ensure contracts include robust indemnification and compliance clauses.

Common misconceptions

  • Myth: CADA bans all non-EU cloud providers.
    • Fact: It does not. Article 18 expressly allows providers from qualifying third countries to be audited for Union assurance level 3. Providers established in the EU but controlled by third-country entities may also qualify at lower levels if they demonstrate effective legal, technical, and organisational measures — though Level 4 strictly prohibits third-country control.
  • Myth: Sovereignty means data must never leave the EU.
    • Fact: Annex II requires customer data to remain within the Union (unless the public sector body explicitly requires otherwise), but the framework centres on control and autonomy — preventing third-country laws from compelling data access or service disruption — rather than absolute localisation for every use case.
  • Myth: CADA discriminates against foreign companies.
    • Fact: The proposal is designed to be non-discriminatory, applying the same technical and legal criteria to all providers. The distinction is based on the risk posed by third-country jurisdictional control, not nationality, and the memorandum frames restrictions as limited to what is necessary to protect public order, consistent with WTO rules.

This is general information about a draft EU regulation, not legal advice.