Summary
As proposed, the Cloud and AI Development Act (CADA) establishes a four-tier sovereignty framework designed to mitigate the risks of extraterritorial data access, such as those posed by the US CLOUD Act. While Union Assurance Level 1 requires only that a provider be established in the EU, Levels 2, 3, and 4 impose increasingly strict criteria to prevent third-country control over infrastructure, personnel, and data. Specifically, Levels 3 and 4 prohibit providers and their subcontractors from being subject to third-country control entirely, ensuring that foreign laws cannot compel access to EU customer data or disrupt service continuity.
Detail
The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) mandates that US-based service providers must disclose electronic communications and records within their "possession, custody, or control," regardless of whether the data is located within or outside the United States. This creates a significant sovereignty risk for EU entities using cloud services provided by companies subject to US jurisdiction, as those providers may be legally compelled to hand over data to US authorities, potentially conflicting with EU data protection and security standards.
CADA addresses this dependency by introducing a "Union cloud computing sovereignty framework" comprising four Union Assurance Levels (UALs). These levels are not merely technical certifications; they are legal and operational safeguards designed to ensure that cloud services used by the public sector remain under EU control. The framework is detailed in Article 16 of the CADA proposal, which sets out the scope of the framework and refers to Annex II for the specific cumulative criteria each level must meet.
How the Tiers Mitigate Foreign Legal Compulsion
The protection against acts like the CLOUD Act escalates with each tier. The criteria in Annex II are cumulative, meaning a provider seeking Level 3 must meet all requirements of Levels 1 and 2, plus the additional Level 3 constraints.
Union Assurance Level 1: The Baseline
Level 1 is the entry point for public sector procurement. It requires that the cloud computing service provider be established in the Union. Crucially, it mandates that infrastructure, assets, and customer data (including metadata and telemetry) remain exclusively within the Union, unless the public sector body explicitly requires otherwise.
However, Level 1 does not prohibit third-country ownership. A provider recognized at Level 1 can still be controlled by a third-country entity. To mitigate this, Annex II, Section 1.1(g) requires that if a provider is subject to third-country control, it must guarantee that there are no existing laws or practices in that third country requiring the provider to report software vulnerabilities to foreign authorities before those vulnerabilities are known to have been exploited. While this offers some transparency, it does not fully insulate the provider from broader data access demands like those under the CLOUD Act.
Union Assurance Level 2: Enhanced Control and Data Isolation
Level 2 introduces stricter requirements on personnel and data usage. Under Annex II, Section 2.1, the provider and its subcontractors must be established in the Union, and all infrastructure, assets, and personnel involved in the service must be located in the Union.
More importantly for CLOUD Act risks, Annex II, Section 2.1(f) explicitly states that data generated by using the audited service "are not used to train or fine-tune any AI system operated by a third country or a legal entity established in a third-country, and are not transferred outside the Union in any case."
If a Level 2 provider is subject to third-country control, Annex II, Section 2.1(g) requires them to demonstrate that necessary legal, technical, and organizational measures are implemented to ensure:
- The third-country control does not restrict the provider's ability to perform the service.
- Access by a third country to customer data is prevented.
- The possibility of disruption of service continuity or degradation of service quality by a third country is prevented.
- The provider is not obliged to implement restrictive measures (such as sanctions or embargoes) adopted by a third country, unless those measures are legitimate under EU or Member State law.
Union Assurance Levels 3 and 4: Exclusion of Third-Country Control
Levels 3 and 4 provide the highest level of protection against extraterritorial legal compulsion. The defining characteristic of these tiers, as set out in Annex II, Sections 3.1(g) and 4.1(g), is that the audited provider and its subcontractors "are not subject to the control of a third country or a legal entity established in a third-country."
This is a decisive break from the model that exposes users to the CLOUD Act. By prohibiting third-country control entirely, CADA ensures that no foreign government can exert legal pressure on the provider to access data or disrupt services.
- Level 3 allows for a narrow derogation. Under Article 18 and Annex II, Section 3.1(g), a provider subject to third-country control may still be audited for Level 3 if the Commission has adopted an implementing act recognizing that specific third country as providing sufficient assurances. This requires the third country to have an adequacy decision under the GDPR and no measures enabling it to exercise control that conflicts with EU data protection rules. However, this is an exception, not the rule.
- Level 4 has no such derogation. It strictly prohibits any third-country control. Additionally, Level 4 requires that sensitive data identified through a risk assessment remains exclusively within the Union, and that personnel handling the service are Union citizens with appropriate national security clearances.
The Role of Risk Assessments
The application of these tiers is driven by risk assessments conducted by Member States and Union entities under Article 29. These assessments determine which public sector activities contribute to the preservation of public order and require higher assurance levels. For activities deemed critical to national security, internal security, or defense, Article 30 mandates the procurement of services recognized as offering Union Assurance Levels 2, 3, or 4. This ensures that the most sensitive data is hosted on infrastructure that is legally and operationally insulated from foreign jurisdiction.
What this means for you
For in-house counsel and compliance officers, CADA shifts the burden of proof regarding data sovereignty from contractual assurances to verifiable, audited structural criteria.
1. Vendor Due Diligence Must Go Beyond Contracts
Historically, organizations relied on data processing agreements and standard contractual clauses to mitigate third-country access risks. Under CADA, these are insufficient for high-assurance levels. You must verify that your cloud provider meets the cumulative criteria of the required Union Assurance Level. For Levels 3 and 4, you must confirm that the provider is not subject to third-country control. This requires deep corporate structure analysis, including ownership, board composition, and voting rights, as detailed in the audit evidence requirements of Annex III.
2. Procurement Strategies Must Align with Assurance Levels
Public sector bodies must conduct risk assessments under Article 29 to determine the appropriate assurance level for their cloud services. If your organization handles data related to public order, national security, or critical infrastructure, you will likely be required to procure from Level 3 or 4 providers. This may limit your vendor pool, as many major global hyperscalers are subject to third-country control and thus ineligible for Levels 3 and 4 (unless a specific derogation under Article 18 applies for Level 3).
3. Audit and Transparency Obligations
Providers seeking recognition at Levels 2, 3, or 4 must undergo independent third-party audits (Article 20). As a customer, you will have access to a central repository of recognized services (Article 22). You should regularly check this repository to ensure your provider maintains its status. Providers must also notify competent authorities of any material changes that could affect their assurance level (Article 23).
4. Penalties and Liability
Member States must lay down rules on penalties for infringements by cloud computing service providers (Article 24). These penalties must be effective, proportionate and dissuasive. Additionally, recipients of cloud services have the right to seek compensation for damage suffered due to a provider's infringement of their obligations under the sovereignty framework. Ensure your contracts include clear indemnification clauses related to sovereignty compliance.
Common misconceptions
Misconception 1: Level 1 is sufficient for all public sector data. While Level 1 is the minimum requirement for public sector procurement (Article 30(2)), it does not fully protect against extraterritorial access. A Level 1 provider can still be owned by a foreign entity. For data where public order is at stake, higher levels are mandatory.
Misconception 2: The CLOUD Act only affects US providers. The CLOUD Act applies to any provider subject to US jurisdiction, which can include subsidiaries of non-US companies if they are controlled by US entities or have significant US operations. CADA's prohibition of third-country control in Levels 3 and 4 is designed to close this loophole by excluding any provider subject to foreign legal compulsion, regardless of their primary market.
Misconception 3: Data localization alone solves the sovereignty problem. While CADA requires data to remain in the Union for all levels, data localization does not prevent foreign authorities from compelling a provider to decrypt data or access it remotely if the provider is subject to foreign law. The "control" criteria in Levels 2, 3, and 4 are essential to prevent this legal compulsion.
Misconception 4: Open-source software automatically qualifies for higher assurance levels. While CADA promotes open source (Article 41), the use of open-source software does not automatically grant a higher Union Assurance Level. Providers must still meet the strict criteria regarding establishment, location of assets/personnel, and absence of third-country control. In fact, Annex II requires specific controls to prevent remote features in open-source software that could tamper with or disrupt the service.
This is general information about a draft EU regulation, not legal advice.