Summary
Under the proposed Cloud and AI Development Act (CADA), the risk of unlawful third-country access is a mandatory, explicit factor in the sovereignty risk assessments that public authorities must conduct. Specifically, Article 29(2)(b) requires assessors to evaluate the risk to public order arising from potential unlawful access to data by third countries or entities established in those countries. This provision directly addresses extraterritorial legal exposures, such as those created by the US CLOUD Act, which can compel cloud providers to hand over data stored in the EU to foreign law enforcement regardless of physical location. Failure to properly assess this risk can lead to non-compliant procurement decisions, exposing authorities to penalties and undermining the Union's strategic autonomy. The assessment acts as the trigger for Article 30(3), forcing the procurement of higher Union assurance levels (2, 3, or 4) where such risks are identified.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a rigorous framework to mitigate the EU's dependence on non-European cloud providers. A cornerstone of this framework is the obligation for Member States and Union entities to conduct regular risk assessments to determine the appropriate "Union assurance level" for their cloud services. These assessments are not merely technical checklists; they are strategic evaluations of sovereignty, operational continuity, and public order.
The Legal Obligation: Article 29 and Public Order
Article 29 of the CADA proposal mandates that Member States and Union entities carry out risk assessments by [date of entry into force plus 1 year], and thereafter every two years, or whenever necessary. The primary goal of these assessments is to identify public sector activities that contribute to the preservation of public order and to determine the appropriate Union assurance level (Level 2, 3, or 4) for those activities.
Crucially, Article 29(2) lists the specific aspects that must be considered during these assessments. While Article 29(2)(a) covers the sensitivity and criticality of data, Article 29(2)(b) explicitly requires assessors to consider:
"the risk and consequent impact on public order of unlawful access under Union law to such data by a third country or a legal entity established in a third country;"
This provision transforms the abstract concept of "sovereignty" into a concrete compliance requirement. It forces public authorities to look beyond the physical location of data and examine the legal jurisdictions that can reach into their cloud environments. The assessment must determine whether the legal framework governing the provider allows for access that would be considered unlawful under EU law.
Understanding "Unlawful Access" and Extraterritorial Laws
The phrase "unlawful access under Union law" is the linchpin of this requirement. It refers to access that violates EU data protection and privacy standards, particularly when compelled by foreign laws that have extraterritorial effect. The most prominent example cited in the legislative context is the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act of 2018).
The US CLOUD Act, specifically §2713, requires providers of electronic communication service or remote computing service to preserve and disclose the contents of communications and records "within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States."
For an EU public authority using a cloud provider headquartered in the US, this creates a direct conflict. Even if the data is stored physically in Frankfurt, the US provider may be legally compelled by a US warrant to hand that data to US authorities. Under EU law, this transfer may lack an adequate legal basis (such as an adequacy decision that covers the specific law enforcement context), rendering the access "unlawful" from the perspective of EU fundamental rights.
Recital 50 of the CADA proposal contextualizes this risk by listing the vulnerabilities associated with dependence on third-country providers. It explicitly mentions risks such as "misuse (i.e. manipulation, remote access and control...)" and "access to information (i.e. access to sensitive information, unauthorised communication... technology leakage, data manipulation or exfiltration, espionage)." The recital further notes that these risks can lead to "dependency vulnerabilities (i.e. political and/or economic coercion... by using vendor or technology lock-ins, embargos or sanctions)."
Therefore, when Article 29(2)(b) asks for an assessment of the risk of unlawful access, it is asking the authority to evaluate whether their chosen cloud provider is subject to foreign laws like the CLOUD Act that could force them to breach EU confidentiality and data protection norms. The assessment must consider whether the third country has measures in place that enable it to exercise control over the provider in a way that conflicts with EU law.
The Link to Public Order
The assessment of third-country access risk is not an isolated technical exercise; it is directly tied to the concept of "public order." Recital 52 states that the Union assurance levels are designed to ensure that public order is preserved by maintaining control and agency by public-sector bodies.
If a public authority processes sensitive data, such as law enforcement intelligence, national security information, or critical infrastructure data, using a cloud service vulnerable to extraterritorial access, the integrity of that data is compromised. The "impact on public order" in Article 29(2)(b) refers to the potential harm caused if this data is accessed by foreign adversaries, or if the threat of such access chills legitimate government operations.
Consequently, if the risk assessment identifies a high risk of unlawful third-country access, Article 30(3) dictates that the contracting authority must procure cloud services that have been recognized as offering Union assurance level 2, 3, or 4. These higher assurance levels have stricter criteria regarding third-country control. For instance, under Annex II of the proposal, Union assurance levels 3 and 4 generally require that the provider and its subcontractors are not subject to the control of a third country.
Article 18 provides a specific mechanism for "Associated third countries," allowing the Commission to adopt implementing acts identifying third countries where cloud providers subject to their control may still be audited for Level 3. However, this is a derogation that requires the third country to have no measures enabling control that conflicts with EU law. If such a derogation does not exist for a specific country (e.g., the US, absent a specific implementing act), the risk of unlawful access remains a critical factor that likely precludes Level 1 or Level 2 services for public-order-relevant activities.
Implications for Compliance Officers
For in-house counsel and compliance officers in the public sector, this creates a clear chain of liability:
- Conduct the Assessment: You must formally assess the risk of unlawful third-country access for every cloud use case identified as relevant to public order under Article 29(1).
- Document the Risk: If you use a provider subject to extraterritorial laws (like the US CLOUD Act) without adequate legal shields (such as a Commission implementing act under Article 18), you must document this as a significant risk to public order under Article 29(2)(b).
- Procure Accordingly: If the risk is significant, you cannot procure standard services. You must seek providers recognized under the CADA framework as offering higher Union assurance levels, which effectively filters out many non-EU hyperscalers unless they have achieved specific derogations or safeguards.
Failure to perform this assessment or ignoring its results could be construed as failing to protect public order. While Article 24 sets out penalties for cloud computing service providers, Member States are required to lay down rules on penalties for infringements by other actors, ensuring that the framework is "effective, proportionate and dissuasive."
What this means for you
As an in-house counsel or compliance officer responsible for public sector IT procurement, the CADA proposal shifts your focus from purely technical security to legal sovereignty. Here is how you should adapt your processes:
- Review Vendor Jurisdictions: Map your current cloud providers against their country of incorporation and control. Identify which are subject to extraterritorial data access laws. The US CLOUD Act is the primary benchmark, but similar laws in other jurisdictions must also be scrutinized.
- Integrate Article 29(2)(b) into Risk Registers: Update your internal risk assessment templates to include a specific line item for "Risk of unlawful third-country access." Do not treat this as a generic data protection issue; treat it as a sovereignty and public order issue.
- Prepare for Higher Assurance Levels: If your organization handles data related to national security, law enforcement, or critical infrastructure, expect to move away from standard commercial cloud offerings. You will need to procure services that have been audited and recognized under the CADA framework (Union assurance levels 2 to 4). This may require longer procurement cycles and engagement with specialized sovereign cloud providers.
- Monitor Legislative Developments: The CADA is still a proposal. Pay close attention to the final text of Article 29 and the delegated acts that will define the detailed methodology for these risk assessments. The Commission will issue guidance on how to map data sensitivity to assurance levels, which will clarify exactly how much third-country access risk triggers a move to Level 3 or 4.
- Audit Subcontractors: Remember that the risk extends to subcontractors. If your primary provider is EU-based but uses a non-EU subcontractor for support or storage, the third-country access risk remains. Ensure your contracts and assessments cover the entire supply chain.
Common misconceptions
- "Data localization solves third-country access risk." Many assume that storing data in an EU data center eliminates the risk of foreign access. This is incorrect. Under laws like the US CLOUD Act, the physical location of the data is irrelevant; the legal control over the provider is what matters. If the provider is subject to third-country law, it can be compelled to disclose data regardless of where the data sits. Article 29(2)(b) specifically targets this legal, not merely physical, vulnerability.
- "GDPR adequacy decisions are sufficient." An adequacy decision under the GDPR allows for commercial data transfers. However, CADA's focus on "public order" and "unlawful access" often involves law enforcement and national security contexts where adequacy decisions may not apply or may be insufficient. Recital 61 notes that the Commission will assess whether an adequacy decision applies generally or is limited, and whether it covers the specific processing activities in question. Do not assume GDPR compliance equates to CADA sovereignty compliance.
- "Only national security data is at risk." While national security is a key area, Article 29(1) defines public order broadly to include sectors falling under NIS2, internal security, external border management, justice, and law enforcement. This means healthcare, energy, and transport sectors using public cloud services may also need to undergo these rigorous assessments if their activities are deemed to contribute to public order.
This is general information about a draft EU regulation, not legal advice.