Summary

Under the proposed Cloud and AI Development Act (CADA), a provider subject to third-country control could qualify for Union assurance level 3 only if the European Commission adopts an implementing act recognising its home country as an "associated third country" providing sufficient assurances (Article 18). This derogation from the default "no third-country control" rule would apply exclusively to level 3; level 4 would allow no such exception. To be recognised, the third country must meet six cumulative criteria, including an adequacy decision under the GDPR and guarantees that its laws do not compel unauthorised data access, service disruption, or the enforcement of its own sanction regimes where those are not legitimate under EU or Member State law.

Detail

The proposal would establish a tiered sovereignty framework to mitigate dependence on non-European cloud providers. A central tension is balancing technological sovereignty with a globalised market. While the default for high-assurance levels is strict territorial and legal containment within the EU, Article 18 would introduce a circumscribed mechanism for "associated third countries" to qualify for Union assurance level 3.

The general rule vs. the Article 18 derogation

For Union assurance level 3, the default criterion (Annex II, point 3.1(g)) is that the audited provider and its subcontractors "are not subject to the control of a third country or a legal entity established in a third-country." This is a default prohibition on foreign control.

By way of derogation, Annex II, point 3.1(g) provides that a provider subject to such control may be audited for level 3 where the Commission has adopted the relevant implementing act. The operative mechanism is set out in Article 18(1), which empowers the Commission to identify third countries whose controlled providers "may be audited against the criteria for Union assurance level 3." This is not an automatic right for providers; it is a determination made by the Commission about the third country itself. As Recital 48 notes, tailored service versions from third-country providers do not inherently address core sovereignty issues such as extraterritorial legal reach — hence the need for formal recognition of the country.

In contrast, Union assurance level 4 (Annex II, point 4.1(g)) contains no such derogation. It requires that the provider and subcontractors "are not subject to the control of a third country or a legal entity established in a third-country," full stop. Level 4 would be reserved for the most sensitive operations, where absolute insulation from foreign jurisdictional reach is treated as non-negotiable.

Cumulative criteria for recognition

Article 18(1) sets out six cumulative criteria the third country must fulfil. If a country fails even one, it cannot be recognised:

  1. Adequacy decision. It is subject to a relevant adequacy decision adopted under Article 45 of the GDPR (Regulation (EU) 2016/679) (Article 18(1)(a)).
  2. Lawful access to non-personal data. It has no measures enabling control over the provider that would conflict with the lawful-access requirements for non-personal data in Article 32(2)–(3) of the Data Act (Regulation (EU) 2023/2854) (Article 18(1)(b)).
  3. No compulsion to disrupt or sanction. It has no measures compelling the provider to degrade or disrupt service continuity, and no measures obliging it to "implement, enforce, give effect to, or comply with restrictive measures such as sanction regimes, embargoes, or any equivalent legal or administrative measures," unless those measures are legitimate under EU or Member State law (Article 18(1)(c)).
  4. Technology access. It has no measures impeding the provision of state-of-the-art technologies and services by the provider (Article 18(1)(d)).
  5. Open market. It maintains an open market to Union cloud computing services (Article 18(1)(e)).
  6. Reciprocal procurement access. It grants equivalent levels of access to its public procurement procedures for cloud services controlled by a Union Member State, entity, or legal entity established in the Union (Article 18(1)(f)).

The role of the Commission and dynamic review

The Commission would adopt recognition by implementing acts under the examination procedure in Article 46(2). Recognition would not be permanent: where available information reveals a country no longer fulfils the requirements, the Commission "shall repeal, amend or suspend" the decision (Article 18(2)). The Commission would publish on its website a list of third countries that fulfil the requirements and those that no longer do (Article 18(3)).

Operational implications for providers

Recognition of the country would not grant level 3 automatically. The provider must still undergo the independent third-party audit under Article 20, and must demonstrate the specific mitigations in Annex II, point 3.1(g)(i)–(iv) — proving that:

  • third-country control does not restrain service delivery, infrastructure, assets, or personnel (and the provider should allow reasonable access to the code);
  • third-country access to customer data is prevented;
  • disruption or degradation of the service by a third country is prevented; and
  • the provider is not obliged to enforce the third country's restrictive measures unless legitimate under EU or Member State law.

This places a heavy evidentiary burden on the provider to show effective legal, technical, and organisational separation between the EU entity and the controlling third-country entity.

What this means for you

For in-house counsel and compliance officers, Article 18 would create a two-layer compliance challenge for non-EU providers targeting sensitive public sector workloads.

1. Monitor the Commission's recognition list. You cannot assume your home country qualifies. Track the Article 18(3) list. If your country is not on it, you would be barred from level 3 — effectively capped at level 2 (EU establishment with safeguards) or level 1 (self-assessment).

2. Prepare for enhanced audit scrutiny. If your country is recognised, your Article 20 audit will test the separation between your EU operations and your parent's jurisdiction. Document that your EU entity can refuse data requests from your home government, that you have no obligation to apply conflicting export controls or sanctions, and that infrastructure and personnel in the EU are isolated from third-country access.

3. Level 4 is off-limits. If your organisation is subject to third-country control, you cannot bid for level 4 contracts. Do not invest in level 4 unless you can remove third-country control entirely.

4. Reciprocity and market access. Ensure your home country's procurement rules give EU providers equivalent access — Article 18(1)(f) makes this a recognition condition.

5. Transition and revocation risks. Plan for revocation. If the Commission suspends your country's recognition under Article 18(2), level 3 status would be lost; have a migration strategy to level 2 or another provider to protect public sector clients.

Common misconceptions

"Level 3 is just a stricter version of level 2." Level 3 marks a qualitative shift on third-country control. Level 2 allows some third-country control if strict safeguards are met (Annex II, point 2.1(g)); level 3 prohibits it by default (3.1(g)), with Article 18 as a narrow exception. Many third-country providers will find level 2 more attainable.

"GDPR adequacy is enough." An adequacy decision is only one of six cumulative criteria. A GDPR-adequate country could still fail Article 18 if, for example, it imposes conflicting sanction regimes or restricts EU providers' market access.

"I can get level 3 if I build a fully independent EU subsidiary." Independence is not sufficient if the ultimate controlling entity sits in a non-recognised third country. Article 18 requires the country to be recognised. Such a subsidiary might still reach level 2 by demonstrating effective separation, but level 3 would remain out of reach without national recognition.

"Level 4 allows exceptions for trusted allies." No. Annex II, point 4.1(g) is absolute; there is no Article 18 mechanism for level 4. Level 4 would require freedom from any third-country control.

This is general information about a draft EU regulation, not legal advice.