Summary
Under the proposed Cloud and AI Development Act (CADA), the boundary between Union assurance levels 2 and 3 regarding foreign control is defined by a fundamental shift from managed mitigation to strict prohibition. As proposed in Annex II, Union assurance level 2 permits cloud providers subject to third-country control to qualify, provided they implement specific legal, technical, and organizational safeguards to prevent data access or service disruption. In contrast, Union assurance level 3 generally bars any provider subject to third-country control, permitting it only if the Commission has adopted a specific implementing act for that third country under Article 18 (designating it as an "associated third country"). This distinction creates a binary compliance threshold: level 2 is for providers who can isolate EU operations from foreign controllers, while level 3 is reserved for providers with no foreign control or those controlled from a Commission-approved whitelist of jurisdictions.
Detail
The CADA proposal establishes a four-tiered "Union cloud computing sovereignty framework" to mitigate risks associated with dependence on non-European cloud providers. The distinction between Union assurance level 2 and Union assurance level 3 is critical for providers subject to the control of a third country or a legal entity established in a third country. The boundary is not merely a matter of enhanced security controls or higher audit rigor; it is a structural limitation on ownership, governance, and the very nature of the provider's legal subordination.
Level 2: Managing Foreign Control via Safeguards
As proposed in Annex II, Section 2.1(g), Union assurance level 2 explicitly permits a cloud computing service provider to qualify even if it is subject to the control of a third country or a legal entity established in a third country. This is a conditional allowance, not a blanket permission. The provider and its subcontractors involved in the service provision must demonstrate that necessary legal, technical, and organizational measures have been implemented to neutralize the risks posed by that control.
These measures must ensure four specific, cumulative outcomes:
- Operational Autonomy: The third-country control is not exercised in a manner that restrains or restricts the provider's ability to perform and deliver the service, imposes limitations on infrastructure, assets, and personnel, or undermines the capabilities and standards necessary for service provision.
- Data Protection: Access by the third country or the third-country legal entity to customer data is prevented.
- Service Continuity: The possibility of disruption of service continuity and/or degradation of service quality by the third country or legal entity is prevented.
- Compliance with EU Law: The third-country control is not exercised in a manner that obliges the provider to implement, enforce, or comply with restrictive measures (such as sanction regimes or embargoes) adopted by the third country, unless those measures are legitimate under Member State or Union law.
In essence, level 2 operates on a "manage the risk" model. It acknowledges that foreign investment or corporate structures may exist but requires robust, auditable firewalls between the third-country controller and the EU-based service operations, data, and personnel. The provider must prove that the foreign controller cannot legally, technically, or operationally compel actions that would harm EU public order or data sovereignty. The burden of proof lies with the provider to demonstrate that these safeguards are effective and enforceable.
Level 3: The Prohibition and the Associated Third-Country Exception
The boundary shifts dramatically at Union assurance level 3. As proposed in Annex II, Section 3.1(g), the general rule is a strict prohibition: the audited provider and its relevant subcontractors must not be subject to the control of a third country or a legal entity established in a third country.
This is a binary criterion. Unlike level 2, level 3 does not allow for a case-by-case assessment of safeguards to mitigate the risk of foreign control. The presence of third-country control is inherently disqualifying for level 3, unless a specific derogation applies. The logic is that for the highest tiers of public-order relevance, the risk of foreign influence is too great to be managed solely by internal safeguards; the control itself must be absent.
The sole exception to this prohibition is found in the second sentence of Annex II, Section 3.1(g): a provider subject to third-country control may be audited for level 3 only where the Commission has adopted an implementing act under Article 18 identifying that specific third country as providing sufficient assurances. These are referred to as "associated third countries."
Article 18 sets out a rigorous mechanism for this recognition. The Commission may identify a third country only if it fulfills cumulative criteria, including:
- The existence of a relevant adequacy decision under Article 45 of the GDPR.
- No measures in place that enable the third country to exercise control over the provider in a way that conflicts with lawful access to non-personal data rules (specifically Article 32 of the Data Act).
- No measures in place to compel the provider to degrade or disrupt service continuity.
- No measures in place to compel the provider to implement restrictive measures (sanctions, embargoes) unless legitimate under EU law.
- An open market to Union cloud computing services.
- Equivalent levels of access to public procurement procedures for Union entities.
If a third country is not on this Commission-approved list, a provider subject to its control cannot achieve level 3, regardless of the internal safeguards it implements. This creates a "whitelist" approach for level 3, contrasting with the "risk-mitigation" approach of level 2.
The Practical Boundary: Audit Evidence and Verification
The boundary between these levels is enforced through the audit process described in Article 20 and detailed in Annex III. For level 2, the auditing organization must assess "Audit criterion G" (Absence of third-country control) by examining ownership structures, corporate governance, and commercial/financial links. If control is found, the auditor then verifies the implementation of the safeguards listed in Annex II 2.1(g). The audit opinion will be positive only if the safeguards are deemed sufficient to prevent the specific harms listed.
For level 3, the auditor first checks for the existence of third-country control. If found, the audit cannot proceed to a positive opinion unless the provider demonstrates that the Commission has adopted an implementing act under Article 18 for that specific country. If no such act exists, the provider fails the criterion automatically. The auditor does not evaluate the quality of safeguards for level 3 if third-country control is present; the control itself is the disqualifier.
This creates a clear compliance boundary: level 2 is for providers who can technically and legally isolate EU operations from foreign controllers; level 3 is for providers with no foreign control, or those from a whitelist of trusted jurisdictions where the Commission has determined that the third-country legal environment itself provides sufficient assurance.
What this means for you
For in-house counsel, compliance officers, and public procurement teams, this distinction dictates your market access strategy, your audit preparation, and your eligibility for critical public contracts.
- Assess Your Control Structure: Determine whether your entity is "subject to the control" of a third country or a legal entity established in a third country. CADA defines "control" broadly, referencing Regulation (EU) 2021/697. This includes not just majority ownership, but also veto rights, board appointment rights, or strategic influence. If you are controlled by a non-EU parent, you are likely barred from level 3 unless the country from which that control is exercised has been recognized as an "associated third country."
- Target the Right Level: If you are a non-EU controlled provider and the controlling third country is not yet recognized under Article 18, you must target level 2. Ensure your legal, technical, and organizational safeguards are documented and ready for independent audit. This includes demonstrating that foreign controllers cannot access customer data or disrupt services. Do not attempt to claim level 3 without the Article 18 act, as the audit will fail immediately on the control criterion.
- Monitor Article 18 Developments: If you aim for level 3, monitor the Commission's adoption of implementing acts under Article 18. This list will be published on the Commission's website. If the controlling third country is not on the list, level 3 is unattainable for your entity, regardless of your internal security posture.
- Prepare for Audit Criterion G: Regardless of the level, the audit will scrutinize your ownership chain up to ultimate owners. Prepare detailed documentation on voting rights, board composition, and commercial/financial links. For level 2, prepare evidence of the specific safeguards (e.g., access logs, contractual clauses, technical isolation measures) that prove foreign control does not compromise EU service integrity. For level 3, prepare proof of the Article 18 implementing act if third-country control exists.
- Public Procurement Implications: Under Article 30, public sector bodies must procure at least level 1. However, for activities contributing to public order (identified via risk assessments under Article 29), authorities must procure level 2, 3, or 4. If a public tender requires level 3 for a critical use case (e.g., defense, justice, law enforcement), and you are a non-EU controlled provider whose controlling country is not an associated third country, you will be ineligible. You may bid only for contracts requiring level 2 or below, which may not cover the most sensitive public-order activities.
Common misconceptions
- "Strong cybersecurity equals level 3 eligibility." Incorrect. Level 3 requires the absence of third-country control (or an Article 18 derogation). Strong cybersecurity (e.g., EUCS certification) is a requirement for both level 2 and 3, but it does not override the ownership/control prohibition in level 3. You can have the best security in the world, but if you are controlled by a non-associated third country, you cannot achieve level 3.
- "Level 2 is just 'lighter' level 3." Incorrect. Level 2 and 3 are structurally different. Level 2 allows foreign control with safeguards; level 3 bans it (with a narrow exception). You cannot "upgrade" from level 2 to 3 simply by adding more security controls if the underlying control structure remains unchanged and the country is not associated. The criteria are mutually exclusive regarding the presence of control.
- "Associated third-country status is automatic." Incorrect. Article 18 sets a high bar. It requires an adequacy decision, open market access, reciprocal procurement rights, and specific legal safeguards against data access and service disruption. The Commission must adopt a specific implementing act for each country. This is not a self-declaration or a bilateral agreement that automatically triggers level 3 eligibility.
- "Subcontractors don't matter for control." Incorrect. Annex II 2.1(g) and 3.1(g) explicitly include subcontractors involved in the provision of the service. If your provider is EU-controlled but relies on a critical subcontractor that is third-country controlled, this may impact your ability to meet the criteria, particularly at level 3 where the prohibition extends to subcontractors.
- "Level 3 is just Level 2 with more data protection." Incorrect. The distinction is not the amount of data protection but the source of control. Level 2 accepts foreign control if its risks are mitigated; level 3 rejects it unless the controlling country itself has been recognized by the Commission under Article 18.
Official sources
- GDPR (Regulation (EU) 2016/679)
- Cybersecurity Act (Regulation (EU) 2019/881)
- Data Act (Regulation (EU) 2023/2854)
Related
- Why does CADA exclude foreign control entirely at Level 4?
- CADA foreign-control safeguards: What providers must prove for UAL 2 & 3
- What evidence proves no foreign control under CADA?
- How does the CADA framework define the boundary of an audited service?
- Who must meet CADA Union assurance levels?
This is general information about a draft EU regulation, not legal advice.