Summary
As proposed, the Cloud and AI Development Act (CADA) draws a sharp line between data protection and technological sovereignty. The EU-US Data Privacy Framework (DPF) does not automatically grant compliance with CADA's higher sovereignty tiers. While the DPF establishes the necessary GDPR adequacy decision required to even consider a third-country provider for Union Assurance Level 3 under Article 18, it is merely a prerequisite, not a guarantee. Crucially, the DPF is legally insufficient for Union Assurance Level 4, which strictly prohibits any third-country control over the provider. For public sector bodies, this means a US provider operating under the DPF may be eligible for a Level 3 audit (subject to further Commission criteria) but can never achieve Level 4 status.
Detail
The relationship between the proposed Cloud and AI Development Act (CADA) and the EU-US Data Privacy Framework (DPF) is defined by a fundamental distinction: the DPF addresses the legality of data transfers under the GDPR, whereas CADA addresses operational sovereignty and resilience against third-country interference. For legal counsel and compliance officers, conflating these two regimes creates significant procurement risks.
The Fundamental Distinction: Transfers vs. Sovereignty
The Explanatory Memorandum accompanying the CADA proposal (COM(2026) 502 final) explicitly clarifies this separation. It states that while the proposal is consistent with the GDPR and the EU-US Data Privacy Framework, the DPF "does not remove sovereignty concerns about dependence on third-country providers."
Sovereignty under CADA encompasses more than the right to move data across borders. It includes:
- Operational Autonomy: The ability of the provider to function without external political or legal coercion.
- Resilience: Protection against service disruption or degradation caused by third-country laws (such as the US CLOUD Act).
- Control: Ensuring that no foreign government or entity can compel access to data or influence the provider's strategic decisions.
The DPF, based on an adequacy decision under Article 45 of Regulation (EU) 2016/679 (GDPR), ensures that the United States provides a level of data protection "essentially equivalent" to that of the EU. However, it does not alter the jurisdiction of US authorities or prevent US laws from compelling US-based providers to disclose data. Consequently, compliance with the DPF is a necessary condition for certain CADA tiers but is insufficient on its own to satisfy the sovereignty requirements of the Act.
Article 18: Adequacy as a Gatekeeper for Level 3
CADA establishes a "Union cloud computing sovereignty framework" comprising four assurance levels in Article 16. Article 18 specifically governs the conditions under which cloud computing service providers subject to the control of a third country may be audited for Union Assurance Level 3.
Under Article 18(1), the Commission may adopt implementing acts to identify third countries eligible for Level 3 audits. This identification is contingent on the third country meeting a set of cumulative criteria. The first and most critical criterion, listed in Article 18(1)(a), is that the third country "is subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679."
This creates a direct dependency: without an adequacy decision like the DPF, a third country is automatically excluded from Level 3 consideration. However, adequacy is only the entry ticket. Article 18(1) mandates that the third country must also satisfy five additional criteria:
- No Conflicting Control: The country must have no measures enabling control over the provider that conflicts with lawful access rules (Article 18(1)(b)).
- No Service Disruption: The country must have no measures compelling the provider to degrade or disrupt service continuity (Article 18(1)(c)).
- No Tech Impediment: The country must not impede the provision of state-of-the-art technologies (Article 18(1)(d)).
- Open Market: The country must maintain an open market to Union cloud services (Article 18(1)(e)).
- Reciprocal Access: The country must grant equivalent access to public procurement procedures (Article 18(1)(f)).
Recital 61 further refines this process. It instructs the Commission to assess whether the adequacy decision applies generally to the third country or is limited to specific sectors or certified organizations. It also requires an assessment of whether the scope of the adequacy decision extends to the specific processing activities carried out in the context of the service provision. If transfers remain subject to additional safeguards under GDPR Chapter V, the Commission may determine that the sovereignty assurance is weakened, even if the DPF exists.
Therefore, the DPF is a prerequisite for the Level 3 audit mechanism, but the Commission must still issue a specific implementing act confirming that the US (or any other third country) meets all cumulative criteria before a provider can be audited for Level 3.
The Absolute Barrier: Why DPF Cannot Satisfy Level 4
While the DPF opens a potential pathway to Level 3 (subject to the Commission's implementing act), it is legally impossible for it to satisfy Union Assurance Level 4.
Article 16 delegates the specific criteria for each level to Annex II. For Union Assurance Level 4, Annex II, Section 4.1(g) sets a strict, non-derogable condition: "the audited provider and the subcontractors which are involved in the provision of the audited service are not subject to the control of a third country or a legal entity established in a third-country."
There is no exception in Article 18 or Annex II for Level 4 based on adequacy decisions. The DPF does not remove the legal jurisdiction of the United States over US-based entities, nor does it prevent US authorities from exercising control over data or service continuity. Because a US provider is inherently subject to US control, it cannot meet the "no third-country control" requirement of Level 4. This tier is reserved exclusively for providers fully established and controlled within the Union, ensuring the highest level of operational autonomy.
Implications for Risk Assessments (Article 29)
Public sector bodies and Union entities are required to conduct risk assessments under Article 29 to determine the appropriate assurance level for their activities. Article 29(2)(b) explicitly requires these bodies to consider "the risk and consequent impact on public order of unlawful access under Union law to such data by a third country or a legal entity established in a third country."
Even with the DPF in place, the risk of access under US laws (such as the CLOUD Act, which compels disclosure regardless of data location) remains a material sovereignty risk. Therefore, for activities identified as having "public order relevance" under Article 30(3), such as law enforcement, defense, or critical infrastructure, contracting authorities must recognize that Level 3 is likely the maximum achievable tier for US-based providers. If the risk assessment determines that Level 4 is necessary to preserve public order, US providers (even those under the DPF) are ineligible, and procurement must be restricted to EU-controlled providers.
What this means for you
For in-house counsel, procurement officers, and compliance teams, the interplay between CADA and the DPF requires a nuanced, two-step evaluation strategy.
- Verify the Article 18 Implementing Act: Do not assume that the existence of the DPF automatically qualifies a US provider for Level 3. You must verify that the Commission has adopted the specific implementing act under Article 18 confirming that the US meets all cumulative criteria (not just adequacy). Until that act is published, the Level 3 audit pathway remains theoretical.
- Accept the Level 4 Ceiling: If your organization requires Union Assurance Level 4 (e.g., for handling classified information or critical national security functions), you must exclude US-based providers entirely. The DPF does not overcome the "no third-country control" prohibition in Annex II, Section 4.1(g). Procurement strategies for Level 4 must focus exclusively on providers established and controlled within the EU.
- Document Residual Sovereignty Risks: Under Article 29, your risk assessment must explicitly distinguish between data protection risks (mitigated by the DPF) and sovereignty risks (not mitigated by the DPF). If you procure a Level 3 service from a US provider, document why the residual risks of extraterritorial access and service disruption are acceptable for your specific use case.
- Monitor Dynamic Adequacy: Recital 61 indicates that the Commission will assess the scope of the adequacy decision. If the DPF is challenged, narrowed, or revoked, the Level 3 eligibility of US providers would immediately cease. Compliance plans must include a contingency for the potential loss of adequacy status.
Common misconceptions
- "The DPF makes US providers automatically compliant with CADA Level 3." Incorrect. The DPF (adequacy) is only one of six cumulative criteria in Article 18(1). The Commission must still issue an implementing act confirming the US meets the other criteria, such as not compelling service disruption. Adequacy is a necessary condition, not a sufficient one.
- "If the DPF is in place, US providers can qualify for Level 4." Incorrect. Level 4 explicitly prohibits any third-country control over the provider (Annex II, Section 4.1(g)). The DPF does not remove US jurisdiction or control over US-based entities. Therefore, US providers cannot achieve Level 4.
- "CADA replaces the DPF for data transfers." Incorrect. CADA and the DPF serve different purposes. The DPF facilitates lawful data transfers under GDPR. CADA establishes a sovereignty framework for public sector procurement. They are complementary; the DPF underpins the adequacy requirement for Level 3, but CADA adds layers of operational and geopolitical risk mitigation.
- "Adequacy decisions are static." Incorrect. Recital 61 notes that the Commission will assess the scope of the adequacy decision. If the DPF's implementation changes or is challenged, the Commission's assessment under Article 18 may be affected. Compliance officers must monitor the status of the adequacy decision as a dynamic factor in CADA compliance.
Official sources
Related
- Why is the GDPR not enough to achieve cloud sovereignty under CADA?
- Does health data under EHDS need a CADA sovereignty tier?
- Do financial entities need a CADA sovereignty tier in addition to DORA due diligence?
- Do EU common data spaces need a CADA sovereignty tier?
- Do AI Act high-risk systems need a specific CADA sovereignty tier?
This is general information about a draft EU regulation, not legal advice.