Summary
Under the proposed Cloud and AI Development Act (CADA), the definition of "control" is decisive for which Union assurance level a cloud service can reach. Article 2(21) defines control by reference to Regulation (EU) 2021/697. A provider subject to the control of a third country (or of a legal entity established in a third country) would be barred outright from Union assurance level 4, barred from level 3 unless an associated-third-country derogation applies, and admitted to levels 1 and 2 only on demonstrating extensive safeguards. The framework lives in Articles 16–22 and Annex II, and is aimed at limiting third-country reach over EU public-sector data and services.
Detail
CADA would establish a "Union cloud computing sovereignty framework" of four assurance levels (Article 16). How much third-country control a provider is subject to determines how far up that ladder it can climb.
The definition of control
CADA defines "control" in Article 2(21) as "control as defined in Article 2, point (6), of Regulation (EU) 2021/697" (the European Defence Fund Regulation). That Regulation is not reproduced in the CADA corpus, so its precise wording should be read from the source; in EU law, control of this kind generally extends beyond simple majority ownership to capture the ability to exercise a decisive or dominant influence — for example through voting rights, rights to appoint or remove governing-body members, veto rights, or contractual arrangements. The point of using a "control" concept rather than "ownership" is to reach functional influence, not just formal shareholdings.
This matters because the policy concern behind CADA is the extraterritorial reach of third-country laws — the kind of access-and-disclosure regime exemplified by the US CLOUD Act. The proposal's explanatory material repeatedly highlights the risk of third-country laws with extraterritorial effect that mandate data access or that could degrade or disrupt service.
Impact on the Union assurance levels
The criteria for each level are set out in Annex II. Third-country control is addressed in paragraph (g) of each level.
Union assurance level 1. A provider subject to third-country control can qualify. Annex II, Section 1.1(g) would require it to guarantee — demonstrated by independent sources — that no laws or practices in the controlling third country require the provider to report software vulnerabilities to that country's authorities before those vulnerabilities are known to have been exploited. Infrastructure and data must remain in the Union unless the public sector body explicitly requires otherwise (Section 1.1(b), (c)).
Union assurance level 2. A provider subject to third-country control can qualify, but only on demonstrating that the necessary legal, technical and organisational measures are in place (Annex II, Section 2.1(g)) so that:
- control is not exercised in a way that restrains or restricts the provider's ability to perform and deliver the service (i);
- access by the third country to customer data is prevented (ii);
- disruption or degradation of the service by the third country is prevented (iii);
- the provider is not obliged to give effect to third-country restrictive measures such as sanctions or embargoes, unless those measures are legitimate under Member State or Union law (iv).
Union assurance level 3. As a rule, providers subject to third-country control are not eligible: Annex II, Section 3.1(g) requires that the provider and its relevant subcontractors "are not subject to the control of a third country or a legal entity established in a third-country." By way of derogation, such a provider may be audited for level 3 where the Commission has identified the relevant third country as an associated third country. Article 18 empowers the Commission to adopt implementing acts identifying third countries whose controlled providers may be audited against the level 3 criteria, provided the country meets cumulative conditions including an adequacy decision under Article 45 of the GDPR (Regulation (EU) 2016/679), no measures conflicting with lawful-access rules under Article 32 of the Data Act (Regulation (EU) 2023/2854), no measures to compel service degradation or disruption, an open market to Union cloud services, and equivalent access to public procurement. Even then, the provider must additionally demonstrate the level-2-style safeguards in Section 3.1(g)(i)-(iv) and allow reasonable access to the code.
Union assurance level 4. Providers subject to third-country control are not eligible, with no derogation. Annex II, Section 4.1(g) requires that the provider and its relevant subcontractors "are not subject to the control of a third country or a legal entity established in a third-country." This top tier is reserved for the most sensitive public-sector activities and adds, among other things, a cybersecurity certificate at assurance level "high" (Section 4.1(e)) and Union-citizen personnel (Section 4.1(d)).
The role of Articles 16–22
- Article 16 establishes the four assurance levels and points to the criteria in Annex II.
- Article 17 sets out recognition: the provider applies to the national competent authority of establishment with the required evidence.
- Article 18 ("Associated third countries") lets the Commission identify third countries whose controlled providers may be audited for level 3.
- Article 19 governs the conformity self-assessment route for level 1; Article 20 governs the independent third-party audit required for levels 2–4.
- Article 21 specifies that compliance is assessed on the basis of the audit evidence in Annex III — including the ownership-and-control evidence in Annex III, Section 7.
- Article 22 establishes the central repository of recognised services.
What this means for you
For cloud providers and data-centre operators, control is a market-access question, not just a governance one.
- Corporate structure determines your ceiling. A provider controlled by a non-EU parent is effectively barred from level 4 and, absent an Article 18 derogation, from level 3. Level 2 remains reachable, but only with substantial legal and technical safeguards under Annex II, Section 2.1(g).
- Prepare for ownership scrutiny. Auditors will examine your ownership and control under Annex III, Section 7: direct and indirect shareholders up to ultimate owners, the cap table, governing-body composition, quorums and majorities, veto and other specific rights, and influence via commercial or financial links.
- Manage subcontractors. The control criteria extend to subcontractors involved in providing the service; at levels 3 and 4 they too must be free of third-country control.
- Consider structural options for the top tiers. Reaching level 3 or 4 may require establishing genuinely independent EU entities free of third-country control.
Common misconceptions
- "Control means only majority ownership." Incorrect. The control concept captures decisive influence, which can arise from veto rights, contractual arrangements or de facto dominance, not just majority shareholdings.
- "If we store data in the EU, we are sovereign." Incorrect. Data localisation is one criterion among many. A provider can store data in the Union yet remain subject to third-country control, capping its assurance level.
- "Non-EU controlled providers can never qualify for any level." Incorrect. They can reach levels 1 and 2 with safeguards, and potentially level 3 if the Commission designates their country as an associated third country under Article 18. Only level 4 is closed entirely.
- "The CLOUD Act is the only concern." Incorrect. The framework applies to any third country whose laws could enable access to data or disruption of services, not only the United States.
This is general information about a draft EU regulation, not legal advice.