Summary
Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers that maintain a subsidiary in a third country must demonstrate "effective legal, technical and organisational separation" between that subsidiary and their Union parent company to qualify for Union assurance levels 2, 3, and 4. This requirement, detailed in Annex II of the proposal, aims to prevent third-country authorities from accessing EU customer data or disrupting services through their influence over the subsidiary. Providers failing to prove this separation will be ineligible for the higher assurance levels required for many public sector contracts.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a rigorous sovereignty framework designed to mitigate the risks associated with the EU's dependence on non-European cloud providers. A central pillar of this framework is the requirement for cloud computing service providers to be recognized at one of four "Union assurance levels" (UALs) to offer services to Union entities and public sector bodies.
For providers operating globally, a critical hurdle involves the management of third-country subsidiaries. While CADA does not prohibit providers from maintaining operations outside the Union, it imposes strict containment requirements to ensure that data and operational control remain insulated from extraterritorial interference.
The Requirement for Effective Separation
The specific obligations for providers with third-country subsidiaries are codified in Annex II of the CADA proposal. The requirement applies cumulatively to providers seeking recognition for Union assurance level 2, Union assurance level 3, and Union assurance level 4.
- Union Assurance Level 2: Under Annex II, Section 2.1(k), an audited provider that provides services globally and maintains a subsidiary in a third country must demonstrate that it has implemented necessary measures to ensure and enforce the "effective legal, technical and organisational separation between the Union parent company and any such third-country subsidiary."
- Union Assurance Level 3: Similarly, Annex II, Section 3.1(k) mandates that for Level 3 recognition, the audited provider must demonstrate the same effective separation between the Union parent company and any third-country subsidiary.
- Union Assurance Level 4: Annex II, Section 4.1(k) repeats this exact requirement for the highest assurance level.
This tripartite requirement (legal, technical, and organisational) means that separation is not merely a contractual formality but a structural and operational imperative. The text explicitly states that the provider must "ensure and enforce" this separation, implying active governance and technical controls rather than passive declarations.
What Constitutes "Effective Separation"?
While the specific technical protocols may be further defined in delegated acts or auditing standards, the proposal's annexes and the associated audit evidence criteria clarify the scope of this separation. The separation is designed to ensure that the third-country subsidiary cannot act as a conduit for third-country authorities to access data or disrupt services.
- Legal Separation: The provider must ensure that the third-country subsidiary is legally distinct and that no third-country law can compel the subsidiary to act in a way that compromises the Union parent's operations or data. This includes ensuring that the subsidiary cannot be used as a conduit for third-country authorities to access data stored in the Union.
- Technical Separation: There must be robust technical barriers preventing the third-country subsidiary from accessing Union customer data, systems, or infrastructure. This includes network segmentation, access controls, and encryption keys held exclusively within the Union.
- Organisational Separation: The governance and operational structures must be segregated. Personnel in the third-country subsidiary must not have administrative access to Union systems, and decision-making processes regarding Union operations must remain insulated from external influence.
Connection to Third-Country Control
This subsidiary separation requirement is closely linked to the broader criteria regarding "control" by third countries. For Union assurance levels 3 and 4, providers and their subcontractors must generally not be subject to the control of a third country or a legal entity established in a third country (Annex II, Sections 3.1(g) and 4.1(g)).
However, Annex II, Section 3.1(g) provides a derogation: a provider subject to third-country control may still be audited for Level 3 if the Commission has adopted an implementing act under Article 18 recognizing that third country as providing sufficient assurances. Even in such cases, the provider must demonstrate that the necessary legal, technical, and organisational measures are in place to prevent unauthorized access or service disruption. The subsidiary separation clause in Annex II, Section 3.1(k) operates alongside these controls, ensuring that even if the parent company is subject to third-country influence, the structural link via the subsidiary does not create a vulnerability.
Audit and Verification
Compliance with these separation requirements is verified through independent third-party audits for Union assurance levels 2, 3, and 4 (Article 20). Auditing organizations will assess the provider's compliance based on the criteria in Annex II and the audit evidence listed in Annex III.
Specifically, Annex III, Section 11 (Audit criterion K) outlines the evidence required to assess this separation. Auditors will verify that:
- The subsidiary is legally and operationally independent.
- The subsidiary has no access to systems processing or storing customer data.
- The subsidiary has no privileged accounts within Union production environments (e.g., cloud administration, IAM, PAM).
- Personnel of the subsidiary cannot obtain access to Union customer data.
- The subsidiary has no authority to instruct Union operational staff to disclose data or bypass security procedures.
- All foreign government requests received by the subsidiary are formally redirected to the competent Union entity for legal assessment.
What this means for you
For in-house counsel and compliance officers at multinational cloud providers, the CADA proposal introduces significant operational and legal restructuring requirements if you intend to compete for EU public sector contracts.
- Structural Audit: You must immediately audit your global corporate structure. Identify all subsidiaries in third countries and map their current access rights, legal ties, and operational dependencies on your Union entities.
- Technical Hardening: Ensure that your Union and non-Union environments are technically air-gapped or sufficiently segmented. Access logs, identity management systems, and network architecture must prove that no data flow or administrative command can traverse from the third-country subsidiary to the Union environment without explicit, audited authorization.
- Legal Review: Review your corporate governance documents. Ensure that the legal autonomy of your Union parent company is protected from the legal jurisdiction of the third country where the subsidiary is located. This may involve restructuring ownership or management rights.
- Documentation: Prepare comprehensive documentation to demonstrate "effective separation." This will be scrutinized during the independent audit process required for Union assurance levels 2, 3, and 4. Failure to provide this evidence will result in a negative audit opinion, disqualifying your service from the central repository and, consequently, from public procurement opportunities.
- Public Procurement Impact: Under Article 30, contracting authorities whose activities concern public order must procure services recognized at Union assurance levels 2, 3, or 4. If you cannot demonstrate effective separation, you will be unable to meet these thresholds, effectively barring you from these critical markets.
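The Annex III Criterion K evidence items above (no privileged subsidiary accounts in Union production, no unauthorised access to customer data) and the "Technical Hardening" step (access logs and IAM data must prove that no administrative command crosses from the subsidiary into the Union environment without explicit, audited authorisation) both come down to checks an auditor or internal compliance team can run over exported IAM and log data. The following is an added example, not code from the CADA proposal or from any provider; the identity domains, role names, environment names, log field names and the change-ticket convention are all constructed assumptions, chosen to show the shape of such a check rather than any real system's schema.

```python
"""Separation audit check (hypothetical example, not from the CADA text).

Two checks modelled on the Annex III Criterion K evidence items:
  1. No principal from the third-country subsidiary holds a privileged role
     in a Union production environment (IAM export).
  2. Every sensitive action by a subsidiary principal in Union production must
     carry a change ticket approved by the Union entity (access-log review).
"""
import json

# Constructed reference data: subsidiary identity domains, roles treated as
# privileged (cloud admin, IAM, PAM, key management) and Union production envs.
SUBSIDIARY_DOMAINS = {"corp.thirdcountry.example"}
PRIVILEGED_ROLES = {"CloudAdmin", "IAMAdmin", "PAMOperator", "KeyAdmin"}
UNION_PROD_ENVS = {"eu-prod-west", "eu-prod-central"}

# Constructed sample of role assignments exported from the IAM system.
ROLE_ASSIGNMENTS = [
    {"principal": "alice@eu.example", "role": "CloudAdmin", "env": "eu-prod-west"},
    {"principal": "bob@corp.thirdcountry.example", "role": "Viewer", "env": "eu-prod-west"},
    {"principal": "carol@corp.thirdcountry.example", "role": "IAMAdmin", "env": "eu-prod-central"},
    {"principal": "dave@corp.thirdcountry.example", "role": "CloudAdmin", "env": "us-prod-east"},
]

# Constructed sample of JSON access-log lines from the Union environments.
ACCESS_LOG = """
{"ts":"2026-03-01T08:00:00Z","principal":"alice@eu.example","env":"eu-prod-west","action":"iam.role.grant","ticket":null}
{"ts":"2026-03-01T08:05:00Z","principal":"carol@corp.thirdcountry.example","env":"eu-prod-central","action":"kms.key.export","ticket":null}
{"ts":"2026-03-01T08:07:00Z","principal":"erin@corp.thirdcountry.example","env":"eu-prod-west","action":"vm.console.open","ticket":"CHG-1042"}
{"ts":"2026-03-01T08:09:00Z","principal":"frank@corp.thirdcountry.example","env":"eu-prod-west","action":"storage.object.read","ticket":"CHG-9999"}
{"ts":"2026-03-01T08:10:00Z","principal":"bob@corp.thirdcountry.example","env":"eu-prod-west","action":"monitor.metrics.read","ticket":null}
""".strip().splitlines()

# Constructed: change tickets the Union entity has explicitly approved.
APPROVED_TICKETS = {"CHG-1042"}

# Action families that touch customer data or administrative control.
# Reading monitoring metrics is deliberately not on this list.
SENSITIVE_ACTION_PREFIXES = ("iam.", "kms.", "pam.", "vm.console", "storage.object")


def is_subsidiary_principal(principal: str) -> bool:
    """Attribute a principal to the subsidiary by its identity domain."""
    return principal.rsplit("@", 1)[-1].lower() in SUBSIDIARY_DOMAINS


def privileged_subsidiary_assignments(assignments):
    """Check 1: privileged roles held by subsidiary principals in Union production."""
    return [
        a for a in assignments
        if is_subsidiary_principal(a["principal"])
        and a["role"] in PRIVILEGED_ROLES
        and a["env"] in UNION_PROD_ENVS
    ]


def unauthorized_cross_boundary_actions(log_lines, approved_tickets):
    """Check 2: sensitive subsidiary actions in Union production without an approved ticket."""
    findings = []
    for line in log_lines:
        event = json.loads(line)
        if event["env"] not in UNION_PROD_ENVS:
            continue                       # outside the Union boundary
        if not is_subsidiary_principal(event["principal"]):
            continue                       # Union staff: covered by normal change control
        if not event["action"].startswith(SENSITIVE_ACTION_PREFIXES):
            continue                       # not a data or admin action
        if event.get("ticket") in approved_tickets:
            continue                       # explicitly authorised and auditable
        findings.append(event)
    return findings


def run_audit(assignments=ROLE_ASSIGNMENTS, log_lines=ACCESS_LOG, approved=APPROVED_TICKETS):
    """Return both finding lists plus an overall pass/fail for the audit file."""
    roles = privileged_subsidiary_assignments(assignments)
    actions = unauthorized_cross_boundary_actions(log_lines, approved)
    return {"privileged_roles": roles, "unauthorized_actions": actions,
            "pass": not roles and not actions}


if __name__ == "__main__":
    print(json.dumps(run_audit(), indent=2))
```

Run on the constructed data, the check reports one privileged role (carol's IAMAdmin in eu-prod-central; dave's CloudAdmin is ignored because us-prod-east is not a Union environment) and two unauthorised actions (carol's key export with no ticket, frank's object read with a ticket the Union entity never approved). The unticketed metrics read and erin's ticketed console session are accepted, which is the point: the control is "no cross-boundary data or admin access without explicit, audited authorisation", not "no contact at all", and the evidence an auditor needs is exactly the join between the IAM export, the access log and the approval record.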
Common misconceptions
- "Separation is just a contractual clause." Incorrect. CADA requires effective legal, technical, and organisational separation. A contract stating that the subsidiary will not access data is insufficient. You must demonstrate technical controls (e.g., network isolation, access rights) and organisational structures (e.g., separate reporting lines, distinct personnel) that enforce this separation in practice.
- "We are only affected if we are 'controlled' by a third country." Incorrect. The subsidiary separation requirement in Annex II, Sections 2.1(k), 3.1(k), and 4.1(k) applies to any audited provider that maintains a subsidiary in a third country, regardless of whether the provider is otherwise subject to third-country control. Even EU-headquartered providers with US or Asian subsidiaries must comply.
- "Level 1 does not require separation." Correct, but with a caveat. Union assurance level 1 relies on a self-assessment and does not explicitly list the subsidiary separation clause in Annex II, Section 1.1. However, Level 1 only requires that the provider be established in the Union and that infrastructure/assets be located in the Union. While the explicit subsidiary clause is absent, providers must still ensure that their operations comply with the general criteria for Level 1, which include ensuring that outsourcing to third parties does not compromise operational autonomy (Annex II, Section 1.1(d)). Furthermore, most high-value public sector contracts will require Levels 2 to 4, making the separation requirement de facto mandatory for market access.
Related
- CADA Article 18: How the 'Associated Third Country' Mechanism Works for Providers
- CADA: What 'subject to the control of a third country' means for cloud providers
- What criteria must a third country meet to be associated under CADA?
- CADA third-country subsidiary separation: rules for global providers
- CADA Level 2: Third-Country Control Safeguards Explained
This is general information about a draft EU regulation, not legal advice.