Summary
Under the proposed Cloud and AI Development Act (CADA), non-EU cloud providers face a binary strategic choice: adapt to the EU's sovereignty framework or exit the public sector market. Article 30 mandates that public sector bodies procure only from recognised providers, effectively barring unrecognised non-EU providers from selling to EU governments. While Union Assurance Level 4 is strictly reserved for providers with no third-country control, Level 3 remains accessible to non-EU providers only if their home country is designated as an "associated third country" under Article 18. Without this designation, a non-EU provider is capped at Level 2, limiting access to lower-risk public contracts. The decision to pursue recognition hinges on whether the provider's jurisdiction can meet Article 18's cumulative criteria and whether the resulting market access justifies the cost of independent audits and structural separation.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, fundamentally alters the market access rules for cloud computing services in the European Union. For providers headquartered outside the EU, the decision to pursue formal recognition is no longer a voluntary compliance exercise but a prerequisite for accessing the public sector. The regulation establishes a tiered sovereignty framework with four Union Assurance Levels (UALs), each with escalating requirements regarding establishment, data localisation, personnel, and third-country control.
The Procurement Barrier: Article 30
The primary driver for pursuing CADA recognition is the mandatory procurement regime established in Article 30. This article creates a legal barrier to entry for any provider not recognised under the CADA framework.
Article 30(2) stipulates that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognised at Union Assurance Level 1. This sets a baseline requirement for general public sector procurement.
More critically, Article 30(3) imposes a strict limitation on high-risk sectors. It mandates that contracting authorities whose activities are identified as contributing to the preservation of public order (specifically in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2) and in areas such as national security, internal security, external border management, defence, justice, or law enforcement) must only procure services recognised at Union Assurance Level 2, 3, or 4.
For a non-EU provider, this creates a hard market barrier. Without CADA recognition, a provider cannot legally supply cloud services to the vast majority of EU public authorities, including those in critical infrastructure and security sectors. While private sector entities are not subject to these mandatory procurement rules, the public sector represents a significant, stable revenue stream. Furthermore, the sovereignty requirements often spill over into the private sector, as regulated industries (such as finance and energy) may voluntarily adopt similar risk mitigation standards or conduct their own impact assessments under Article 31. Therefore, the first strategic question for any non-EU provider is whether the target market includes public sector entities or highly regulated private sectors that mirror public sector risk assessments.
The Level 3 Ceiling for Non-EU Providers
If a provider determines that public sector access is essential, the next step is assessing which Assurance Level is attainable. The CADA framework imposes strict ownership and control requirements that escalate with each level, creating a "ceiling" for providers subject to third-country control.
Union Assurance Level 1 can be achieved through a self-assessment and an EU statement of conformity. However, Annex II, Section 1.1(g) requires that if a provider is subject to the control of a third country, it must guarantee that no laws in that third country require the reporting of software vulnerabilities to third-country authorities prior to their exploitation. This is a significant hurdle for providers subject to broad national security laws.
Union Assurance Level 2 requires an independent third-party audit. Annex II, Section 2.1(g) imposes stricter controls, requiring providers to demonstrate that third-country control cannot be used to restrict service delivery, gain access to customer data, or disrupt service continuity.
The critical ceiling for non-EU providers is Union Assurance Level 3. Under Annex II, Section 3.1(g), providers and subcontractors involved in Level 3 services must not be subject to the control of a third country or a legal entity established in a third country. This is an absolute prohibition, with one narrow, conditional exception.
Union Assurance Level 4 is entirely inaccessible to non-EU providers. Annex II, Section 4.1(g) strictly prohibits any third-country control, with no derogation mechanism. Level 4 is reserved exclusively for providers with no third-country control whatsoever.
The Exception: Associated Third Countries under Article 18
The only pathway for a non-EU provider to achieve Level 3 recognition is through the mechanism established in Article 18, titled "Associated third countries."
Article 18(1) empowers the European Commission to adopt implementing acts identifying specific third countries whose providers may be audited against the Level 3 criteria. For a third country to be designated as "associated," it must fulfil a set of cumulative criteria:
- It is subject to a relevant adequacy decision under Article 45 of the GDPR (Article 18(1)(a)).
- It has no measures enabling it to exercise control over the provider in ways that conflict with lawful access to non-personal data (Article 18(1)(b)).
- It has no measures to compel the provider to degrade or disrupt service continuity (Article 18(1)(c)).
- It maintains an open market to Union cloud services and grants equivalent access to public procurement (Article 18(1)(e) and (f)).
If a provider's home country is not on this list of associated third countries, the provider cannot achieve Level 3 recognition. Consequently, it cannot serve public sector bodies whose activities are deemed to contribute to the preservation of public order (which require Level 2, 3, or 4). This effectively caps the non-EU provider's public sector market to only those entities using Level 1 or Level 2 services.
Strategic Weighing Factors
A non-EU provider should weigh the following factors when deciding whether to pursue recognition:
- Jurisdictional Eligibility: Is the provider's home country likely to be designated as an "associated third country" under Article 18? This is a political determination made by the Commission, not a technical certification. If the country is not associated, the provider is capped at Level 2. The provider must assess whether the Level 1 and Level 2 public sector markets are large enough to justify the compliance costs.
- Compliance Costs vs. Market Size: Achieving Level 2 or Level 3 recognition requires independent third-party audits under Article 20 and significant organisational changes to ensure legal, technical, and organisational separation from third-country control. These costs are substantial. The provider must calculate whether the revenue from EU public sector contracts outweighs these ongoing audit and compliance expenses.
- Structural Feasibility: Can the provider structurally separate its EU operations from its global entity? Annex II requires effective legal, technical, and organisational separation between the Union parent company and any third-country subsidiary. If the provider's global architecture does not allow for this ring-fencing, recognition may be technically impossible regardless of political designation.
- Private Sector Spillover: Even if the provider cannot serve high-risk public sector bodies (Level 3/4), achieving Level 2 recognition may be valuable for private sector clients in regulated industries who conduct their own impact assessments under Article 31. These entities may voluntarily require Level 2 assurance to mitigate their own sovereignty risks.
What this means for you
For cloud service providers and data centre operators headquartered outside the EU, the CADA proposal introduces a binary choice: adapt to the EU's sovereignty framework or cede the public sector market.
If you are a non-EU provider, you must first determine if your home government has the legal and political attributes required to be listed as an "associated third country" under Article 18. This is a political determination made by the European Commission, not a technical certification you can apply for directly. You should monitor the Commission's publications for the list of associated third countries.
If your country is not associated, your maximum attainable status is Level 2. You must evaluate whether the Level 1 and Level 2 public sector segments are sufficient to sustain your EU business. If your business model relies heavily on serving high-risk public sector entities (e.g., defence, justice, critical infrastructure), you will be excluded from these contracts unless your country achieves associated status.
To pursue recognition, you must prepare for rigorous independent audits. Article 20 requires that these audits be conducted by independent organisations that are free from conflicts of interest. You will need to demonstrate strict data localisation, personnel screening, and supply chain transparency. For Level 2 and above, you must prove that no third-country actor can access your customer data or disrupt your service. This often requires architectural changes, such as establishing a legally distinct EU subsidiary with no remote access from headquarters.
Common misconceptions
Misconception 1: Non-EU providers can achieve Level 4 recognition. This is incorrect. Annex II, Section 4.1(g) explicitly states that for Level 4, the audited provider and subcontractors must not be subject to the control of a third country. There is no exception for associated third countries at Level 4. Level 4 is reserved for providers with no third-country control whatsoever.
Misconception 2: Recognition is optional if you already comply with GDPR. While GDPR compliance is necessary, it is not sufficient for CADA recognition. CADA addresses sovereignty, operational autonomy, and supply chain risks that GDPR does not cover. As the explanatory memorandum notes, the EU-US Data Privacy Framework does not remove sovereignty concerns about dependence on third-country providers. Without CADA recognition, you cannot sell to public sector buyers, regardless of your GDPR status.
Misconception 3: All non-EU providers are treated equally. No. The framework distinguishes between providers from "associated third countries" and others. Only providers from associated third countries (designated under Article 18) can pursue Level 3 recognition. Providers from non-associated countries are capped at Level 2. This creates a two-tier system for non-EU providers in the EU public sector market.
This is general information about a draft EU regulation, not legal advice.