Summary

As proposed, the Cloud and AI Development Act (CADA) prevents service disruption by foreign governments through a tiered sovereignty framework that imposes strict legal and technical barriers on cloud providers. To achieve Union assurance levels 2, 3, and 4, providers must demonstrate that third-country control cannot be exercised to disrupt or degrade services. Crucially, Article 18 acts as a gatekeeper: a third country is barred from "associated" status if its laws empower it to compel service degradation or disruption. This ensures that even if a provider is foreign-controlled, the legal environment of the controlling country must explicitly lack the power to interrupt EU operations.

Detail

The CADA proposal addresses the strategic risk of service disruption (a critical vulnerability in the EU's dependence on non-European cloud infrastructure) by embedding specific anti-disruption criteria into its Union cloud computing sovereignty framework. This framework, established under Article 16, defines four "Union assurance levels" that cloud computing service providers must meet to serve Union entities and public sector bodies. The prevention of service disruption is not a uniform baseline but a cumulative requirement that tightens significantly as providers seek higher levels of assurance, moving from conditional safeguards to absolute prohibitions on foreign control.

The Anti-Disruption Mandate in Assurance Levels 2 and 3

For services aiming for Union assurance level 2, the criteria in Annex II, Section 2.1(g) address the scenario where a provider or its subcontractors are subject to the control of a third country. Under Annex II, Section 2.1(g)(iii), providers must demonstrate that necessary legal, technical, and organizational measures have been implemented to ensure that the "possibility of disruption of the service continuity and/or the degradation of the service quality by a third country or a legal entity established in a third country is prevented."

This requirement is cumulative with other criteria in Section 2.1(g), which also mandate that third-country control must not restrain the provider's ability to deliver the service, must not limit required infrastructure or personnel, and must not undermine the capabilities necessary to perform the audited service. The burden of proof lies with the provider to show that no extraterritorial legal mechanisms or technical backdoors allow a foreign authority to interrupt operations or reduce performance. This applies even if the provider is established in the Union, provided the ultimate control rests with a third-country entity.

The requirements become more restrictive at Union assurance level 3. Under Annex II, Section 3.1, the general rule is that the audited provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country. However, a specific derogation exists: a provider subject to such control may still qualify for level 3 if the Commission has adopted an implementing act under Article 18 recognizing the third country as "associated."

Even under this derogation, the anti-disruption obligation remains absolute. Annex II, Section 3.1(g)(iii) explicitly requires that the provider demonstrate that the "possibility of disruption of the service continuity and/or the degradation of the service quality by a third country or a legal entity established in a third country is prevented." This mirrors the language in level 2 but operates within a stricter context where the provider is legally permitted to be foreign-controlled only because the controlling country has passed a rigorous EU assessment.

Article 18: The Associated Third-Country Gatekeeper

Article 18 establishes the mechanism for recognizing "associated third countries" whose providers may be audited against the level 3 criteria. This article functions as a critical filter to ensure that no third country with disruptive legal powers can qualify.

Article 18(1)(c) acts as a hard barrier: the Commission may only identify a third country if it has "no measures in place to compel the cloud computing service provider to degrade or disrupt service continuity or provision." This provision is distinct from data protection adequacy. While Article 18(1)(a) requires the third country to be subject to a relevant adequacy decision under the GDPR, Article 18(1)(c) adds a specific sovereignty layer. If a third country's legal framework allows it to force a provider to cut off service, degrade quality, or implement restrictive measures (such as sanctions or embargoes) that conflict with EU law, that country is automatically disqualified from the associated-country list.

This test directly targets extraterritorial laws, such as those seen in the US CLOUD Act, which can compel data access or service interruption. By requiring the absence of such measures as a precondition for recognition, CADA ensures that the "associated" status is not granted to jurisdictions where the government retains the legal right to disrupt EU cloud services. If a third country no longer fulfills these requirements, Article 18(2) mandates that the Commission shall repeal, amend, or suspend the decision.

Level 4: The Absolute Prohibition

At Union assurance level 4, the highest tier, the criteria in Annex II, Section 4.1(g) strictly prohibit any third-country control over the provider and its subcontractors. There is no derogation for associated countries at this level. Consequently, absolute prevention of foreign-induced disruption is achieved through the complete exclusion of foreign-controlled entities from this tier. The provider must demonstrate that it is not subject to the control of a third country, ensuring that no foreign legal mechanism can ever be invoked to disrupt the service.

What this means for you

For in-house counsel, compliance officers, and public procurement teams, these provisions create distinct obligations and risk profiles depending on the sovereignty level your organization targets or procures.

1. Procurement and Risk Assessment Obligations

Under Article 29, Member States and Union entities must conduct risk assessments to determine the appropriate assurance level for their activities. If your public sector activity is deemed to have "public order relevance" (e.g., law enforcement, national security, critical infrastructure), you must procure only services recognized at levels 2, 3, or 4.

  • Verification Duty: You must verify that the provider's audit report explicitly confirms compliance with the anti-disruption criteria in Annex II. For level 3 providers that are foreign-controlled, you must confirm that the third country of control has been designated as "associated" under Article 18.
  • Public Order Relevance: If your activity falls under the sectors listed in Article 29(1) (including national security, internal security, defence, justice, or law enforcement), the risk assessment must determine that the chosen assurance level is appropriate to prevent harm that could undermine public order.

2. Provider Compliance and Evidence

If you are a cloud provider seeking recognition:

  • Level 2 & 3 (Foreign-Controlled): You must implement and document technical and legal measures that prevent foreign disruption. For level 2, this involves demonstrating that third-country control does not enable disruption. For level 3, if you are foreign-controlled, you must rely on an associated-country decision under Article 18. This requires proving that the third country lacks disruption-compelling laws. You must provide evidence that no measures exist to compel you to degrade or disrupt service continuity.
  • Audit Readiness: Independent audits for levels 2–4 (Article 20) will scrutinize your governance structures, including shareholder agreements, jurisdictional exposures, and the legal framework of your controlling entity. Auditors will assess whether any third-country legal regime could compel service degradation. Ensure your legal team can provide evidence that no such compulsion exists or that technical isolation prevents it.
  • Transparency: Under Article 23, you must promptly notify the auditing organisation and the national competent authority of any material change in circumstances that may affect the audit report or recognition, including changes in the legal framework of a controlling third country.

3. Timeline and Deadlines

  • Competent Authorities: Member States must designate national competent authorities by the date of entry into force plus one year (Article 25).
  • Risk Assessments: Member States and Union entities must carry out risk assessments within one year of entry into force and every two years thereafter (Article 29(1)).
  • Recognition Applications: Providers must submit applications for recognition to the national competent authority of establishment (Article 17). For level 3, the process involves a review period where other Member States may raise objections if the associated-country status is questionable.

Common misconceptions

"Data localization alone prevents service disruption."

  • Reality: CADA distinguishes between data sovereignty and operational autonomy. While data must remain in the Union (Annex II), service disruption is a separate operational risk. A provider can keep data in the EU but still have servers, control mechanisms, or legal obligations subject to foreign laws that allow service cuts. CADA's anti-disruption criteria specifically target this operational vulnerability, requiring proof that the third country cannot force a disruption.

"Any third country can qualify for level 3 if it signs a data adequacy decision."

  • Reality: Article 18(1)(c) explicitly bars recognition if the third country has measures to compel disruption or degradation. An adequacy decision under the GDPR is a prerequisite but not sufficient; the absence of disruptive legal powers is a separate, mandatory condition. A country could have an adequacy decision for data transfers but still possess laws that allow it to shut down cloud services, which would disqualify it under CADA.

"Level 1 provides protection against foreign service disruption."

  • Reality: Level 1 (Annex II, Section 1.1) requires the provider to be established in the Union and infrastructure to be located in the Union, but it does not include the explicit anti-disruption measures found in levels 2–4. Level 1 is a baseline for non-critical activities; higher assurance levels are required for activities where disruption would impact public order.

"The US CLOUD Act automatically disqualifies a provider from Level 3."

  • Reality: While the CLOUD Act allows for data access, CADA's Article 18(1)(c) specifically targets measures that compel disruption or degradation of service. If a third country's laws allow for data access but do not compel the provider to degrade service quality or cut off continuity, the country might still qualify, provided other criteria (like no compulsion to implement sanctions) are met. However, if the law allows for service interruption, the country is barred.

This is general information about a draft EU regulation, not legal advice.