Summary
Non-EU cloud providers can pursue recognition under the proposed Cloud and AI Development Act (CADA), but the path is strictly segmented by sovereignty level. Providers subject to third-country control can only achieve Union assurance level 1 or 2, provided they implement rigorous technical and legal isolation measures to ensure operational autonomy. Access to level 3 is possible only if the provider's home country is formally designated as an "associated third country" by the Commission under Article 18. Union assurance level 4 is effectively closed to providers under third-country control, as it mandates absolute independence from foreign jurisdiction with no derogation mechanism.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a four-tier "Union cloud computing sovereignty framework" under Article 16. This framework is designed to mitigate risks associated with dependence on non-European providers by defining cumulative criteria for "Union assurance levels." For non-EU providers, defined in the context of the sovereignty framework as those subject to the control of a third country or a legal entity established in a third country, the route to recognition is not uniform. It depends entirely on the assurance level sought and the specific safeguards the provider can demonstrate against extraterritorial access, service disruption, and foreign jurisdictional control.
Level 1 and Level 2: Managed Foreign Control with Strict Safeguards
Providers subject to third-country control may apply for recognition at Union assurance level 1 or level 2. However, they must meet cumulative criteria in Annex II that specifically address the risks of foreign oversight. The proposal does not ban foreign control outright at these levels but demands proof that such control cannot compromise the service's integrity or the EU's public order.
For Union assurance level 1, the baseline requirement for providers subject to third-country control is found in Annex II, Section 1.1(g). The provider must demonstrate that there are no existing laws or practices in the controlling third country, "demonstrated by independent sources," that require the provider to report information on software vulnerabilities to authorities of that third country prior to those vulnerabilities being known to have been exploited. Additionally, if the provider outsources technical and operational support outside the Union, it must implement necessary legal, technical, and organisational measures to ensure traceability, security, and governance, ensuring these operations do not, in any way, compromise the operational autonomy of the cloud computing service provider (Annex II, Section 1.1(d)).
For Union assurance level 2, the requirements tighten significantly to address deeper sovereignty concerns. The provider must demonstrate that the control exercised by the third country or entity does not:
- Restrain or restrict the provider's ability to perform and deliver the service.
- Impose limitations on the infrastructure, assets, and personnel required for service provision.
- Undermine the capabilities and standards necessary to perform the audited service.
- Oblige the provider to implement, enforce, or comply with restrictive measures such as sanction regimes or embargoes, unless such measures are legitimate under the national laws of Member States or Union law (Annex II, Section 2.1(g)(i) and (iv)).
Crucially, for level 2, the provider must also prevent any access by the third country to customer data and prevent any possibility of disruption of service continuity and/or degradation of service quality by the third country (Annex II, Section 2.1(g)(ii) and (iii)). Furthermore, the provider must implement robust software supply chain measures, including a complete and up-to-date software bill of materials (SBOM) and controls to block any remote features that could materially tamper with or disrupt a device, system, or software (Annex II, Section 2.1(i)).
Level 3: The "Associated Third Country" Gatekeeper
Union assurance level 3 introduces a strict barrier: providers subject to third-country control are generally excluded unless a specific derogation applies. Under Annex II, Section 3.1(g), the default criterion is that the audited provider and its subcontractors "are not subject to the control of a third country or a legal entity established in a third-country."
However, a derogation exists. The text states: "By way of derogation to this criterion, a cloud computing service provider and its subcontractors which are involved in the provision of the audited service that are subject to the control of a third country or a legal entity established in a third-country may be audited for Union assurance level 3 where the Commission has adopted an implementing act under Article 18."
Article 18 sets high thresholds for this designation. The Commission may only designate a third country as "associated" if it cumulatively meets strict criteria, including:
- Being subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679 (GDPR).
- Having no measures in place that enable it to exercise control over the provider in a way that conflicts with lawful access to non-personal data.
- Having no measures to compel the provider to degrade or disrupt service continuity or provision.
- Having no measures to oblige the provider to implement restrictive measures such as sanction regimes or embargoes, unless legitimate under EU law.
- Maintaining an open market to Union cloud computing services.
- Granting equivalent levels of access to public procurement procedures for EU-controlled providers (Article 18(1)).
If a country is not designated under Article 18, a provider subject to its control cannot achieve level 3 recognition, regardless of the technical safeguards it implements. The "associated third country" status is a prerequisite, not just a facilitator.
Level 4: Closed to Foreign-Controlled Providers
Union assurance level 4 is the highest tier, reserved for the most sensitive public sector activities, including the secure hosting of EU classified information. It is effectively closed to non-EU providers. Annex II, Section 4.1(g) explicitly states that the audited provider and its subcontractors "are not subject to the control of a third country or a legal entity established in a third-country."
Unlike level 3, there is no derogation, no "associated third country" mechanism, and no flexibility for level 4. The criteria require absolute independence from foreign jurisdictional control. Providers seeking this level must be entirely free from third-country control, meaning the provider and all relevant subcontractors must be established in the Union and not subject to any foreign control that could compromise the service.
The Recognition Process and Audit Requirements
Regardless of the level, non-EU providers must submit an application for recognition to the national competent authority of their establishment in the EU (Article 17(1)). The process differs by level:
- Level 1: The provider carries out a conformity self-assessment and issues an EU statement of conformity (Article 19).
- Levels 2, 3, and 4: The provider must undergo independent third-party audits to obtain an audit report and a "positive" audit opinion (Article 20).
The audit must verify compliance with the specific Annex II criteria, including the absence of third-country control risks. For levels 2-4, the audit evidence must demonstrate that the provider has implemented the necessary legal, technical, and organisational measures to prevent third-country interference (Annex II, Sections 2.1(g) and 3.1(g)). If the audit yields a "positive opinion," the national competent authority prepares a draft recognition decision, which is subject to a 60-day review period by other Member States (Article 17(5)-(6)).
What this means for you
If you are a non-EU cloud provider, your strategy must be dictated by your corporate structure, home-country laws, and the specific assurance level you target.
- Audit Your Jurisdictional Exposure: Before applying, conduct a rigorous legal audit of your home country's data access and surveillance laws. If your government can compel you to hand over data, disrupt services, or report vulnerabilities, you are likely ineligible for levels 3 and 4. For levels 1 and 2, you must prove you can legally and technically firewall your EU operations against these compulsion risks.
- Leverage Article 18 for Level 3: If your home country has strong data protection laws and an adequacy decision with the EU, your primary strategic goal should be lobbying for designation under Article 18. This is the only path for foreign-controlled providers to access level 3 contracts. Monitor the Commission's list of associated third countries, as recognition is impossible without it.
- Invest in Technical Isolation for Levels 1-2: To succeed at levels 1 and 2, you must prove "operational autonomy." This means implementing technical measures that physically and logically isolate EU data and operations from your global infrastructure. You must demonstrate that remote access from outside the EU is impossible for operational support (Annex II, Section 2.1(h)) and that your software supply chain is transparent and free of remote tampering mechanisms.
- Accept the Level 4 Limitation: If your parent company is subject to foreign jurisdiction, you cannot achieve level 4. This level is reserved for providers with no third-country control. Do not invest resources in pursuing level 4 recognition unless you can restructure your corporate entity to be entirely independent of foreign control.
- Prepare for Annual Reviews and Transparency: Recognition is not permanent. You must annually submit your audit report for review (Article 20(8)). Any material change in your home country's laws or your corporate control structure must be reported immediately (Article 23). Failure to do so can lead to revocation of recognition by the competent authority.
Common misconceptions
"Adequacy is enough for Level 3." No. An adequacy decision under the GDPR is a prerequisite for Article 18 designation, but it is not sufficient. The Commission must also verify that the third country has no laws enabling service disruption, data access conflicts, or forced implementation of sanctions. A country can have adequacy but still fail the Article 18 test if it retains the power to compel service degradation.
"I can reach Level 4 if I isolate my EU data center." No. Level 4 requires the provider to be free from third-country control, not just the data center. Annex II, Section 4.1(g) mandates that the provider and its subcontractors are not subject to third-country control. If your parent company is subject to foreign jurisdiction, you cannot achieve level 4, regardless of how well you isolate your EU infrastructure.
"Level 1 is just a self-assessment." While level 1 relies on a self-assessment and EU statement of conformity (Article 19), it is still subject to the same Annex II criteria regarding third-country control and vulnerability reporting. Competent authorities can investigate and revoke recognition if evidence shows non-compliance (Article 17(11)). The self-assessment is a declaration of compliance, not an exemption from the rules.
"Subcontractors don't matter." They do. For levels 2-4, subcontractors must also meet the establishment and location criteria. If you use a non-EU subcontractor for critical support, you may fail the criteria for Union assurance levels 2, 3, or 4, as subcontractors must be established in the Union and their personnel/infrastructure located there (Annex II, Sections 2.1(a), 3.1(a), 4.1(a)).
Official sources
Related
- What happens to a cloud provider without CADA recognition?
- CADA Recognition Revocation: What Happens if a Provider Supplies False Information?
- CADA: What happens to an assurance level if a provider is acquired by a non-EU company?
- CADA Recognition: What it means for a provider's go-to-market
- How should a provider prepare for a CADA audit?
This is general information about a draft EU regulation, not legal advice.