Summary

Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers seeking Union assurance levels 2, 3, or 4 are strictly prohibited from using data generated by their services to train or fine-tune any AI system operated by a third country or a legal entity established outside the EU. This ban applies to all data types, including telemetry, metadata, and non-personal data, and mandates that such data never be transferred outside the Union. Compliance is not self-declared for these tiers; it requires independent third-party audits verifying contractual and technical safeguards. While Level 1 ensures basic data residency, only Levels 2–4 explicitly codify the prohibition against foreign AI model training.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a "Union cloud computing sovereignty framework" designed to mitigate strategic dependencies on non-European providers. A critical component of this framework is preventing the "exfiltration" of EU-generated data to fuel the AI models of foreign competitors or governments. This addresses a specific gap in existing regulations: while the GDPR protects personal data, it does not explicitly prevent the use of non-personal or aggregated data for training foreign AI systems if the data leaves the EU under a valid transfer mechanism. CADA closes this gap for public-order-relevant activities.

The Explicit Prohibition on Third-Country AI Training

The core obligation is located in Annex II of the proposal, which defines the cumulative criteria for the four Union assurance levels. While Union assurance level 1 relies on a self-assessment of basic residency and cybersecurity, Levels 2, 3, and 4 require rigorous independent auditing against specific sovereignty criteria.

For Union assurance level 2, Annex II, section 2.1(f) mandates that:

"the data generated by using the audited service are not used to train or fine-tune any AI system operated by a third country or a legal entity established in a third-country, and are not transferred outside the Union in any case;"

This identical prohibition is reiterated for Union assurance level 3 in Annex II, section 3.1(f) and for Union assurance level 4 in Annex II, section 4.1(f). The uniformity of this text across the three highest tiers indicates that preventing the use of EU data for foreign AI training is a non-negotiable baseline for any service deemed sufficiently sovereign for sensitive public sector use.

The Annex does not narrow the phrase "data generated by using the audited service", so on its face it covers:

  • Input data: Any data uploaded or processed by the customer.
  • Output data: Results, predictions, or content generated by the service.
  • Telemetry and metadata: Logs, usage patterns, performance metrics, and configuration data.

The Dual Barrier: Residency and Usage

The prohibition in Annex II creates a dual barrier to foreign AI training:

  1. Physical Residency: The clause explicitly states the data "are not transferred outside the Union in any case." This ensures the data physically remains within EU infrastructure.
  2. Functional Prohibition: Independently of where the data sits, the clause forbids its use to train or fine-tune any AI system operated by a third country or a third-country legal entity. The test is who operates the system, not where it runs: an AI system run by a third-country entity on infrastructure inside the Union would not breach the transfer ban, but it would still breach the training ban.

This distinction is vital. Union assurance level 1 (Annex II, 1.1(c)) requires customer data to "remain exclusively within the Union, unless the public sector body explicitly requires otherwise." However, Level 1 does not contain the specific "no training of third-country AI" clause found in Levels 2–4. Consequently, a Level 1 provider might legally transfer data outside the EU if a customer explicitly permits it, and the regulation does not explicitly bar that transferred data from being used for foreign AI training. Only Levels 2–4 provide the explicit, audited guarantee against this specific risk.

Audit and Verification Mechanisms

Because these claims are critical for preserving public order, providers cannot simply self-declare compliance for Levels 2–4. Article 20 establishes an independent third-party audit framework. Auditing organizations must assess compliance based on the evidence listed in Annex III.

Specifically, Annex III, section 6 (Audit criterion F) requires auditors to examine:

  • Contractual Clauses: Explicit prohibitions stating that data "will not be used to train or fine-tune any AI model or system operated by a third country or a third-country legal entity."
  • Data Flow Diagrams: End-to-end documentation showing where AI pipelines connect with customer data, ensuring no leakage to foreign entities.
  • Model Cards: Documentation covering training sources, including statements that data generated by the audited service does not leave the Union.
  • Data Lineage Policies: Tools and documentation proving the specific usage of data, demonstrating it has not been repurposed for foreign model training.
  • MLOps Records: Evidence that build, test, and release locations for any AI models interacting with this data remain within the EU.

If a provider fails to demonstrate that data is not being used to train foreign AI models, the auditing organization must issue a "negative opinion" (Article 20(5)(g)). Under Article 17(4), a negative opinion precludes recognition at Union assurance levels 2, 3, or 4.

Penalties and Liability

CADA establishes a robust enforcement regime. Article 24(1) requires Member States to lay down rules on penalties for infringements of the sovereignty chapter that are "effective, proportionate and dissuasive." Article 24(2) lists criteria for imposing penalties, including the nature, gravity, and duration of the infringement, and the financial benefits gained by the infringing party.

Crucially, Article 24(3) grants recipients of the cloud computing services the right to seek compensation from providers for any damage or loss suffered due to an infringement of their obligations. This creates a direct financial liability for providers who breach these data training prohibitions, allowing public bodies to claim damages if their data is misused for foreign AI training.

What this means for you

For in-house counsel, compliance officers, and public procurement teams, the CADA proposal introduces a new, critical layer of due diligence for cloud and AI procurement.

1. Scrutinize Current Contracts for "Training" Clauses

Examine existing contracts with cloud providers, particularly those offering AI services. Do they contain explicit clauses prohibiting the use of your data (including telemetry, metadata, and logs) to train or fine-tune their AI models? If the contract is silent or allows data usage for "service improvement," the provider likely cannot qualify for Union assurance levels 2–4. You must renegotiate to include the specific prohibition found in Annex II.

2. Align Risk Assessments with Assurance Levels

Under Article 29, Member States and Union entities must conduct risk assessments to determine which assurance level is appropriate for their activities. If your organization handles data relevant to public order, national security, or critical infrastructure (e.g., law enforcement, defense, justice), you will likely be required to procure services at Union assurance level 2, 3, or 4. This means you must use a provider that has passed the strict audit regarding foreign AI training. Relying on a Level 1 provider for these activities would be non-compliant with Article 30(3).

3. Demand "Positive" Audit Opinions

When selecting a provider for high-assurance levels, request their "positive" audit opinion and the full audit report as required by Article 17(4). Ensure the audit explicitly covers Annex II, section 2.1(f), 3.1(f), or 4.1(f). Do not rely on general security certifications (like ISO 27001) or standard cybersecurity certificates alone; these attest to security controls, not to the sovereignty-specific requirement of preventing foreign AI training.

4. Monitor for Material Changes

Providers are obligated under Article 23 to notify authorities and auditors of any material changes that could affect their assurance level. If a provider changes its AI training policies, enters a partnership with a third-country entity, or alters its data usage terms, they must disclose this. Monitor these disclosures closely, as a material change could trigger a revocation of their recognition.

5. Prepare for Migration

If your current provider cannot meet these standards, Article 29(6) allows for a transition period of up to 12 months to migrate to a compliant service. Begin identifying compliant European providers now to avoid service disruptions when the regulation enters into force.

Common misconceptions

Misconception 1: "GDPR compliance is enough." The GDPR focuses on personal data and individual rights. CADA's sovereignty framework covers all data generated by the service, including non-personal data, metadata, and telemetry. Furthermore, GDPR adequacy decisions or standard contractual clauses do not prevent a third country from accessing data for AI training if its domestic laws allow it. CADA explicitly blocks this use case regardless of data type or transfer mechanism.

Misconception 2: "Level 1 is sufficient for all public sector use." While Article 30(2) mandates a minimum of Union assurance level 1 for general public sector bodies, Article 30(3) requires levels 2, 3, or 4 for activities identified as contributing to the preservation of public order. Since Level 1 does not have the explicit "no third-country AI training" clause in Annex II, relying solely on Level 1 for sensitive functions may leave your organization exposed to foreign AI model training risks.

Misconception 3: "If the data is anonymized, it can be used for training." The prohibition in Annex II applies to "data generated by using the audited service." It does not distinguish between anonymized and non-anonymized data for the purpose of the training ban. If the data originates from your use of the service, it cannot be used to train a third-country AI model, even if it has been stripped of direct identifiers.

Misconception 4: "This only applies to US providers." The rule applies to any cloud computing service provider subject to the control of a third country or a legal entity established in a third country. This includes providers from all non-EU jurisdictions, not just the United States. The definition of "third country" is broad and encompasses any jurisdiction outside the EU.

This is general information about a draft EU regulation, not legal advice.