Summary
Under the proposed Cloud and AI Development Act (CADA), a cloud computing service provider must be legally "established in the Union" to qualify for any of the four Union assurance levels. As explicitly set out in Annex II, Section 1.1(a) for Level 1 and Section 2.1(a) for Level 2 (and replicated for Levels 3 and 4), this is a cumulative, non-negotiable criterion. A provider cannot achieve sovereignty status merely by hosting data in the EU; the legal entity itself must be incorporated under the law of a Member State. Furthermore, for Levels 2, 3, and 4, this establishment requirement extends to all subcontractors involved in the provision of the service, effectively closing the door on third-country operational chains for higher assurance tiers.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a "Union cloud computing sovereignty framework" designed to mitigate strategic dependencies on third-country providers. At the heart of this framework is the concept of Union establishment. Unlike previous initiatives that focused primarily on data localization or cybersecurity certification, CADA mandates that the legal domicile of the provider be within the European Union. This requirement serves as the foundational gatekeeper for market access to public sector procurement under the Act.
The Cumulative Nature of the Establishment Requirement
The requirement for Union establishment is not a tiered option but a baseline condition for the entire framework. The text of Annex II makes this clear by listing it as the first cumulative criterion for every assurance level.
- Union Assurance Level 1: As the baseline for public procurement, Annex II, Section 1.1(a) states that for Union assurance level 1, cloud computing service providers must meet the criterion that "the cloud computing service provider is established in the Union." This is the minimum threshold required under Article 30(2), which mandates that public sector bodies whose activities do not contribute to the preservation of public order must procure services recognized at this level.
- Union Assurance Levels 2, 3, and 4: The requirement remains absolute and intensifies in scope. Annex II, Section 2.1(a) specifies that for Union assurance level 2, "the audited provider and the subcontractors which are involved in the provision of the audited service are established in the Union." This exact phrasing is replicated for Union assurance levels 3 and 4 in Annex II, Sections 3.1(a) and 4.1(a) respectively.
Consequently, a provider legally incorporated outside the EU cannot qualify for Level 1, let alone the higher tiers. The proposal does not offer a "sovereign" label to entities that are merely operating data centers in the EU but are legally domiciled and controlled abroad.
Distinction Between Legal Establishment and Physical Location
A critical distinction in the CADA proposal is between legal establishment and the location of infrastructure. While the regulation imposes strict data localization rules (e.g., Annex II, Section 1.1(b) and (c) requiring infrastructure and data to remain in the Union), these are separate from the establishment criterion.
"Establishment" refers to the provider's corporate domicile and primary place of business. A provider cannot satisfy the establishment requirement by merely leasing server space in an EU data center or maintaining a sales office in Brussels. The legal entity itself must be incorporated under the law of a Member State. This is reinforced by the enforcement mechanism in Article 25(4), which grants exclusive competence to the Member State where the provider has its "main establishment," defined as the place where the provider has its "head office or registered office from which the principal financial functions and operational control are exercised."
If a provider is not established in the Union, it cannot have a "national competent authority of establishment" within the meaning of the regulation. Without such an authority to evaluate and recognize the service, the provider is ineligible for the central repository of recognized services under Article 22.
Subcontractor Obligations: The Supply Chain Lock-In
The establishment requirement evolves significantly as the assurance level increases, particularly regarding the supply chain.
- Level 1: The requirement applies solely to the primary cloud computing service provider. Subcontractors are subject to due diligence and transparency obligations (Annex II, Section 1.1(f)), but they are not required to be established in the Union, provided the primary provider ensures traceability and operational autonomy.
- Levels 2, 3, and 4: The requirement expands to the entire operational chain. Annex II, Section 2.1(a) explicitly states that "the audited provider and the subcontractors which are involved in the provision of the audited service are established in the Union." This language is identical for Levels 3 and 4.
This creates a "supply chain lock-in" for higher assurance tiers. A provider cannot outsource core operational functions, such as technical support or maintenance, to third-country entities if it seeks Level 2, 3, or 4 recognition. This ensures that the entire operational chain is subject to EU jurisdiction and oversight, preventing third-country actors from retaining control over critical service components.
The Limited Derogation for Third-Country Control
It is important to distinguish between establishment and control. While a provider must be established in the Union, Annex II, Section 1.1(g) allows a provider established in the Union to be "subject to the control of a third country" for Level 1, provided specific safeguards regarding vulnerability reporting are met.
However, for higher levels, the control restrictions tighten. Annex II, Section 3.1(g) generally prohibits providers subject to third-country control, but introduces a specific derogation mechanism. It states that a provider subject to third-country control may be audited for Level 3 "where the Commission has adopted an implementing act under Article 18."
Note on Article Reference: The draft text of Annex II, Section 3.1(g) contains a drafting slip, referencing "Article 19" for this derogation. However, the correct cross-reference is Article 18 ("Associated third countries"), which empowers the Commission to identify third countries that provide sufficient assurances. This derogation does not override the establishment requirement; the provider must still be established in the Union. It merely allows a provider established in the Union but controlled by a third country to potentially qualify for Level 3 if that third country is deemed "associated" by the Commission. This mechanism does not apply to Level 1 or 2, nor does it apply automatically.
Recognition and Enforcement
The establishment requirement is the first hurdle in the recognition process outlined in Article 17. A provider must submit an application to the "national competent authority of establishment." Under Article 25(4), the Member State where the provider has its main establishment has exclusive competence for enforcing the framework. If a provider lacks a genuine establishment in the Union, no Member State can claim competence, and the recognition process cannot legally commence.
What this means for you
For in-house counsel, compliance officers, and public procurement teams, the establishment requirement has immediate and profound strategic implications.
- Vendor Qualification and Due Diligence: When evaluating cloud providers for public sector contracts, you must verify the provider's legal domicile, not just its physical presence. A provider headquartered in a third country, even with significant EU data centers, will not qualify for Union assurance level 1 unless it operates through a distinct, legally independent EU-established subsidiary that meets the "main establishment" criteria (head office, registered office, principal financial functions).
- Supply Chain Auditing for Higher Tiers: For contracts requiring Union assurance levels 2, 3, or 4, your due diligence must extend to the entire supply chain. You must verify that all subcontractors involved in the provision of the service are also established in the Union. Failure to do so will result in non-compliance with Annex II, Sections 2.1(a), 3.1(a), and 4.1(a). This may require restructuring existing multi-vendor or managed service arrangements.
- Recognition Process for Providers: If your organization is a cloud provider seeking recognition, you must initiate the process with the national competent authority in your Member State of establishment (Article 17). Be prepared to demonstrate "genuine establishment" with evidence of local management, financial control, and operational decision-making. Mere registration without substantive operations may be challenged.
- Penalties and Liability: Non-compliance with the sovereignty framework, including misrepresentation of establishment status, can lead to significant penalties. Article 24 requires Member States to impose "effective, proportionate and dissuasive" penalties. Furthermore, Article 24(3) grants recipients of cloud services the right to seek compensation for any damage or loss suffered due to a provider's infringement of these obligations.
Common misconceptions
- "Having data centers in the EU is enough." Incorrect. Physical infrastructure location is a separate criterion (Annex II, Section 1.1(b)). Legal establishment refers to corporate domicile and jurisdiction. A US-headquartered company with EU data centers is not "established in the Union" for the purpose of CADA unless it has a distinct EU legal entity that meets the establishment criteria (incorporation, head office, operational control).
- "Union assurance level 1 allows third-country providers." Incorrect. While Annex II, Section 1.1(g) allows providers subject to third-country control to qualify for Level 1 (if safeguards are met), the provider must still be established in the Union per Section 1.1(a). The control issue is addressed separately from the establishment requirement. A provider not established in the Union cannot qualify for any level.
- "Subcontractors can be outside the EU for Level 1." Correct for Level 1, but incorrect for Levels 2–4. For Union assurance level 1, only the primary provider must be established in the Union. However, for levels 2, 3, and 4, Annex II explicitly mandates that subcontractors involved in service provision must also be established in the Union (Annex II, Sections 2.1(a), 3.1(a), 4.1(a)).
- "Article 18 allows third-country providers to bypass the establishment rule." Incorrect. Article 18 (referenced in Annex II, Section 3.1(g)) allows the Commission to recognize third countries for the purpose of allowing providers established in the Union but controlled by a third country to qualify for Level 3. It does not allow providers that are not established in the Union to qualify. The establishment requirement remains absolute.
This is general information about a draft EU regulation, not legal advice.