Summary
The proposed Cloud and AI Development Act (CADA) and the Data Act (Regulation (EU) 2023/2854) function as complementary pillars of EU digital sovereignty, addressing distinct but interconnected risks. While the Data Act facilitates data switching and governs lawful access to non-personal data by third-country public authorities, CADA establishes a sovereignty framework to mitigate risks arising from third-country control over cloud infrastructure. Crucially, CADA Article 18(1)(b) explicitly cross-references Article 32 of the Data Act, establishing a mandatory "associated third-country" test. This provision prevents cloud providers subject to third-country control from qualifying for Union assurance level 3 unless that third country has no measures enabling it to exercise control in a way that conflicts with the Data Act's strict requirements for lawful access to non-personal data. This linkage ensures that sovereignty assessments under CADA effectively neutralize extraterritorial foreign laws that lack EU-standard safeguards for proportionality and judicial review.
Detail
The relationship between the proposed Cloud and AI Development Act (CADA) and the existing Data Act is foundational to the EU's strategy for technological autonomy. The Data Act focuses on data portability, switching rights, and access to data generated by connected products to reduce vendor lock-in. CADA, conversely, focuses on the underlying infrastructure (cloud computing services) that hosts and processes this data. The two instruments are designed to work in tandem: the Data Act removes technical and contractual barriers to moving data, while CADA ensures that the destination infrastructure is sovereign and resilient against foreign interference.
The Legal Bridge: Article 18 and the Data Act's Article 32
The most direct and legally significant link between the two regulations is found in CADA's criteria for recognizing cloud computing services from "associated third countries." Under CADA Article 18(1), the Commission may adopt implementing acts identifying third countries whose cloud providers can be audited against Union assurance level 3, even if they are subject to third-country control. This is a derogation from the general rule that Level 3 requires no third-country control. However, this derogation is subject to strict cumulative criteria.
Article 18(1)(b) is the critical provision linking the two laws. It mandates that a third country must demonstrate that it:
"has no measures in place that enable it to exercise control over the cloud computing service provider in a way that would conflict with the requirements for lawful access to non-personal data set out in paragraphs 2 and 3 of Article 32 of Regulation (EU) 2023/2854;"
Regulation (EU) 2023/2854 is the Data Act. Article 32 of the Data Act lays down specific, rigorous conditions for the lawful access to non-personal data by public authorities of third countries. It requires that such access must be necessary, proportionate, and subject to effective judicial review and independent oversight. By embedding this reference, CADA ensures that a cloud provider cannot claim "sovereign" status under Union assurance level 3 if its home country has laws that allow unchecked, disproportionate access to non-personal data stored in the EU.
This creates a "sovereignty filter." If a third country's legal framework (such as the US CLOUD Act) permits access to data without meeting the specific safeguards of Data Act Article 32(2) and (3), that country cannot be designated as an "associated third country" under CADA Article 18. Consequently, providers controlled by that country would be ineligible for Union assurance level 3, effectively barring them from serving public sector activities identified as contributing to the preservation of public order under CADA Article 30(3).
Complementary Objectives: Switching vs. Sovereignty
The explanatory memorandum of the CADA proposal explicitly frames the Data Act as an "enabler" for CADA. The Data Act introduces rules on switching between data processing services, aiming to ensure that cloud computing service providers compete on quality, innovation, and price rather than vendor lock-in. It enables users to freely choose providers and combine offers in a multi-cloud approach.
However, the Data Act does not address the strategic risk of dependence on non-EU providers whose operations may be subject to extraterritorial laws. CADA fills this gap by introducing a harmonized sovereignty framework. While the Data Act ensures you can move your data, CADA ensures that the infrastructure you move it to is not vulnerable to foreign government demands that could compromise EU public order or fundamental rights.
The Data Act's Article 32 was designed to create a "safe harbor" for data transfers to third countries only if those countries have adequate safeguards. CADA Article 18(1)(b) operationalizes this by making compliance with those safeguards a prerequisite for the highest levels of cloud sovereignty recognition (Level 3). This prevents a scenario where a provider is technically compliant with the Data Act's switching rules but remains legally vulnerable to foreign data access requests that undermine EU sovereignty.
Sovereignty Assurance Levels and Data Access
CADA introduces four Union assurance levels for cloud computing services. The criteria for these levels, particularly levels 2, 3, and 4, increasingly restrict the involvement of third-country entities.
- Union Assurance Level 1: Requires providers to be established in the Union and for infrastructure and customer data to remain within the Union, unless explicitly required otherwise by the public sector body. It also requires transparency regarding subcontractors.
- Union Assurance Levels 2 to 4: These higher levels impose stricter requirements. For instance, at Level 2, providers must demonstrate that data generated by the service is not used to train AI systems operated by third countries. At Levels 3 and 4, the criteria become even more stringent regarding third-country control.
The reference in Article 18(1)(b) to the Data Act's Article 32 is specifically relevant for Level 3. It allows for the possibility that a provider subject to third-country control might still qualify for Level 3, but only if that third country has implemented safeguards equivalent to those required by the Data Act for lawful access to non-personal data. This creates a high bar for third-country providers, effectively neutralizing the extraterritorial reach of laws that do not meet EU standards for proportionality and judicial oversight.
For Union assurance level 4, the criteria are even more restrictive. Under Annex II 4.1(g), providers must not be subject to the control of a third country or of a legal entity established in a third country at all. There is no derogation for Level 4 based on Article 18. This ensures that the most critical public sector activities, which require the highest level of assurance, are hosted on infrastructure completely free from third-country control.
Operational Continuity and Public Order
Beyond data access, CADA addresses operational continuity. The proposal notes that dependence on third-country providers exposes European users to risks of operational discontinuity, particularly where unilateral decisions by third-country actors could disrupt service provision. By mandating risk assessments (CADA Article 29) for public sector activities, CADA ensures that critical services are not hosted on infrastructure vulnerable to foreign coercion. This complements the Data Act's goal of ensuring uninterrupted access to data by ensuring the underlying platform is resilient.
The risk assessment under Article 29 must consider "the risk and consequent impact on public order of unlawful access under Union law to such data by a third country or a legal entity established in a third country." The Article 18(1)(b) test provides the legal mechanism to determine if such a risk exists based on the third country's laws. If the third country's laws conflict with Data Act Article 32, the risk is deemed unacceptable for Level 3 services, and the provider cannot be recognized.
What this means for you
For in-house counsel and compliance officers, the interplay between CADA and the Data Act creates a dual-compliance landscape that requires careful mapping of data flows and provider jurisdictions.
- Audit Your Cloud Providers' Jurisdictions: If you are a public sector body or a critical private entity (under NIS2), you must assess whether your cloud provider is subject to third-country control. If so, you must verify whether that third country meets the criteria in CADA Article 18(1)(b). Specifically, check if that country's laws on accessing non-personal data conflict with Article 32 of the Data Act. If they do, the provider may not qualify for higher assurance levels, and you may be prohibited from using them for public-order-relevant activities.
- Prepare for Risk Assessments: Under CADA Article 29, Member States and Union entities must conduct risk assessments to determine the appropriate Union assurance level for their cloud services. Your legal team should collaborate with IT and data protection officers to document the sensitivity of the data processed and the potential impact of foreign access. This assessment will dictate whether you must migrate to a provider recognized at Level 2, 3, or 4.
- Contractual Due Diligence: When negotiating cloud contracts, ensure that clauses regarding data access by foreign authorities are explicit. The Data Act already requires transparency on data access requests. CADA reinforces this by making such transparency a condition for sovereignty recognition. Ensure your contracts allow for the audit evidence required by CADA Annex III, which includes detailed information on ownership, control, and data access policies.
- Monitor Implementing Acts: The Commission will adopt implementing acts to specify the list of associated third countries under Article 18. Keep abreast of these lists, as they will directly determine which non-EU providers can legally serve critical public sector functions. A country's designation can be repealed, amended, or suspended if it no longer fulfills the requirements, including the Data Act reference.
- Penalties and Compensation: Be aware that CADA Article 24 introduces penalties for infringements by cloud providers. If a provider misrepresents its sovereignty status or fails to meet assurance level criteria, you may have grounds to seek compensation for damages suffered. Ensure your contracts include indemnification clauses for such scenarios.
Common misconceptions
"The Data Act replaces the need for CADA." No. The Data Act focuses on data portability and access rights but does not address the strategic risk of foreign control over infrastructure. CADA addresses the "sovereignty" aspect, ensuring that the infrastructure itself is resilient and not subject to extraterritorial interference. They are complementary, not substitutive.
"All non-EU cloud providers are banned." No. CADA does not ban non-EU providers. It establishes a tiered assurance system. Non-EU providers can qualify for Union assurance level 3 if their home country meets the strict criteria in Article 18, including the Data Act reference in Article 18(1)(b). However, they will face higher scrutiny and may be excluded from the most sensitive public sector use cases (Level 4).
"CADA only applies to personal data." No. CADA covers all customer data, including non-personal data. The reference to the Data Act's Article 32 specifically highlights the importance of non-personal data access rights in determining sovereignty. This is crucial for industrial AI and business-critical applications that rely on non-personal data.
"Sovereignty is only about data location." No. While data localization is a component (e.g., data must remain in the Union unless explicitly required otherwise), sovereignty under CADA also encompasses operational autonomy, control over infrastructure, and protection against foreign legal orders. A provider can have data in the EU but still be subject to foreign laws that allow access to that data, which CADA aims to mitigate via the Article 18 test.
This is general information about a draft EU regulation, not legal advice.