Summary

As proposed, the Cloud and AI Development Act (CADA, COM(2026) 502 final) would let a cloud service controlled by a third country qualify for Union assurance level 3 only where the Commission has recognised that third country as an "associated third country" by implementing act. A GDPR adequacy decision under Article 45 of Regulation (EU) 2016/679 is the first of six cumulative criteria for that recognition (Article 18(1)): necessary but not sufficient. The Commission must also satisfy itself that the country's laws do not enable foreign control over the provider, do not compel service disruption or illegitimate restrictive measures, do not impede state-of-the-art technologies, and that it keeps an open market and grants equivalent procurement access. Recital 61 adds that the Commission should weigh how broadly the adequacy decision applies. The result is a narrow, conditional pathway for third-country-controlled providers to serve sensitive public-sector needs.

Detail

CADA's "Union cloud computing sovereignty framework" (Article 16) comprises four assurance levels with the criteria set out in Annex II; levels 2, 3 and 4 require independent third-party audit. Level 3 matters here because it is the level at which a service subject to the control of a third country can, exceptionally, still be audited — but only through the "associated third country" mechanism.

Article 18: associated third countries

Under Article 18(1), the Commission may, by implementing act, identify third countries whose cloud providers — even though subject to that country's control — "may be audited against the criteria for Union assurance level 3 pursuant to Annex II," provided the third country fulfils six cumulative criteria:

  • (a) it is subject to a relevant adequacy decision adopted under Article 45 of the GDPR;
  • (b) it has no measures enabling it to exercise control over the provider in a way that would conflict with the requirements for lawful access to non-personal data in Article 32(2)–(3) of the Data Act (Regulation (EU) 2023/2854);
  • (c) it has no measures compelling the provider to degrade or disrupt service continuity, nor obliging it to give effect to restrictive measures such as sanctions or embargoes unless those are legitimate under Member State or Union law;
  • (d) it has no measures impeding the provision of state-of-the-art technologies and services by the provider;
  • (e) it maintains an open market to Union cloud services;
  • (f) it grants equivalent access to its public-procurement procedures for Union-controlled cloud services.

These implementing acts follow the examination procedure (Article 46(2)). Adequacy is thus one gateway among six — and the only one drawn directly from data-protection law.

How the adequacy decision is weighed (Recital 61)

Recital 61 explains how the Commission should treat the adequacy criterion. The Commission "should assess whether the third country is covered by an adequacy decision adopted pursuant to Article 45 of Regulation (EU) 2016/679," and in particular should determine:

  • whether the adequacy decision "applies generally to the third country as a whole or is limited to specific sectors or certified organisations"; and
  • whether "the scope of the adequacy decision extends to the specific processing activities that are carried out in the context of the service provision, or whether transfers remain subject to the requirements to implement appropriate safeguards."

So a narrow or sector-limited adequacy decision (for example, one resting on certification of particular organisations) provides weaker support than a general one, and the Commission must check that the adequacy actually covers the processing involved in delivering the cloud service.

Beyond data privacy

The decisive point is that adequacy is about personal-data protection, whereas level 3 is about sovereignty. An adequacy decision does not address whether a third country's laws could compel a provider to disrupt service, degrade quality, or be controlled in ways that reach non-personal data such as telemetry. That is why Article 18(1)(b)–(d) impose tests on control, service continuity and access to non-personal data — anchored in the Data Act's lawful-access provisions — that go well beyond the GDPR. Even a valid adequacy decision leaves those tests to be satisfied.

Why this exists only at level 3

The associated-third-country route is specific to level 3 by design. Recital 61 explains that the policy objectives behind levels 1, 2 and 3 should be understood as "the Union's capacity to act autonomously where necessary, while remaining engaged with its international partners and fostering mutually beneficial cooperation." Against that backdrop, the Commission "may decide, for Union assurance level 3, that a cloud computing service subject to the control of a third country … can still be audited against the audit criteria where the third country has implemented specific safeguards that ensure that there is no risk of unauthorised access to Union data or possible disruption of service quality or continuity."

Level 4 carries no equivalent opening. As the highest tier — the one Recital 62 ties to the secure hosting of EU classified information for the most critical activities, including defence — it does not offer a third-country-control pathway via Article 18. In practice, then, recognising an associated third country widens eligibility up to level 3 only; the most sensitive workloads remain reserved for services that do not depend on this derogation.

The audit still has to be passed

Article 18 does not itself confer level 3 on any provider; it merely makes a third-country-controlled provider eligible to be audited against the level-3 criteria in Annex II. The provider must still undergo an independent third-party audit under Article 20, satisfy all the cumulative criteria for levels 1, 2 and 3 (failure at a lower level precludes the higher), obtain a "positive" audit opinion, and be recognised through the Article 17 procedure by the national competent authority of establishment, subject to the cross-border review by other Member States' authorities. Article 18 opens the door; the audit decides whether the provider walks through it.

The EU-US Data Privacy Framework, specifically

The most-watched case is the United States under the EU-US Data Privacy Framework, the basis for the relevant US adequacy decision. Recital 61's instruction to check whether an adequacy decision "applies generally to the third country as a whole or is limited to specific sectors or certified organisations" is pointed here, because the Framework operates through organisations that self-certify. Even if the Commission were to recognise the United States as an associated third country under Article 18, that recognition would turn on satisfying all six cumulative criteria — including the absence of measures enabling control over the provider or compelling service disruption — not on Data Privacy Framework participation alone.

Maintenance of the list

The mechanism is dynamic. Under Article 18(2), where available information reveals that a third country no longer fulfils the paragraph-1 requirements, the Commission must repeal, amend or suspend the decision. Under Article 18(3), the Commission must publish on its website a list of third countries that fulfil the requirements and those that no longer do. Recognition is therefore continually contingent on the third country's law and practice remaining compatible with the criteria.

What this means for you

For cloud service providers

  • Adequacy is necessary, not sufficient. Operating in a country with an adequacy decision — for instance the United States under the EU-US Data Privacy Framework — would not, by itself, qualify your services for level 3. You would still depend on the Commission recognising your country under Article 18, satisfying all six criteria.
  • Recognition is country-level and Commission-driven. Until your controlling country is listed by implementing act, a third-country-controlled provider cannot be audited for level 3, however strong its other controls.
  • Expect deeper audits. A level-3 audit would scrutinise corporate governance, supply-chain transparency, and the ability to resist third-country orders to disrupt service or access data — not just data-protection measures.

For public-sector procurement officers

  • Run the risk assessment. Under Article 29 you must determine the level your activities need; public-order activities may call for level 3 or 4.
  • Verify the list, not just adequacy. Before procuring from a third-country-controlled provider for a high-assurance use, check that its controlling country appears on the Commission's Article 18 list. An adequacy decision alone does not confer level-3 eligibility.
  • Mind the migration window. If a reassessment requires migration, Article 29(6) sets a reasonable transition period not exceeding 12 months, accounting for technical feasibility, continuity and data portability.

Common misconceptions

"An adequacy decision guarantees level-3 eligibility." No. It is criterion (a) of six in Article 18(1). The Commission must also confirm the absence of control, disruption and access measures, an open market and equivalent procurement access — and must weigh how broadly the adequacy decision applies (Recital 61).

"CADA replaces GDPR adequacy decisions." No. Adequacy remains the GDPR mechanism for lawful personal-data transfers. CADA would add sovereignty and operational-resilience conditions on top, for the specific purpose of level-3 eligibility.

"Every EU-US Data Privacy Framework participant gets level 3 automatically." No. Article 18 recognition attaches to the country, by implementing act, not to individual certified organisations — and Recital 61 directs the Commission to consider whether an adequacy decision is general or limited to certified organisations when assessing it.

This is general information about a draft EU regulation, not legal advice.