How will CADA third-country recognition decisions be adopted?

Summary Under the proposed Cloud and AI Development Act (CADA), the European Commission would adopt decisions identifying "associated third countries" through implementing acts, utilising the examination procedure set out in Article 46(2). These decisions are a prerequisite for cloud computing service providers controlled by third-country entities to be audited for Union assurance level 3. Without such a decision, providers subject to third-country control are ineligible for level 3 recognition, regardless of their technical compliance. This mechanism, governed by Article 18, acts as a critical gatekeeper within CADA's sovereignty framework, ensuring that international cooperation does not compromise the Union's public order or operational autonomy.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a harmonised Union cloud computing sovereignty framework to mitigate the risks associated with dependence on non-European providers. A pivotal element of this framework is the mechanism for recognising third-country jurisdictions, allowing providers controlled by entities in those countries to qualify for Union assurance level 3. This recognition is not automatic; it is a political and legal determination made by the Commission through a specific legislative process involving implementing acts.

The Legal Basis: Article 18 and Implementing Acts

While Article 17 of the proposal outlines the general procedure for recognising cloud computing service providers across all assurance levels, the specific power to identify third countries for the purpose of enabling their controlled providers to access Union assurance level 3 is located in Article 18.

Article 18(1) explicitly grants the Commission the authority to adopt decisions "by means of implementing acts, identifying third countries for which cloud computing service providers subject to the control of that third country or a legal entity established in that third country may be audited against the criteria for Union assurance level 3 pursuant to Annex II."

Crucially, Article 18(1) mandates that these implementing acts "shall be adopted in accordance with the examination procedure referred to in Article 46(2)." This procedural link is vital for legal certainty. It ensures that the Commission's executive power in this sensitive area of digital sovereignty is checked by a committee of Member State representatives. The examination procedure, as defined in Regulation (EU) No 182/2011, requires a positive opinion from the committee for the act to be adopted. If the committee delivers a negative opinion, the Commission may refer the matter to an Appeal Committee or decide not to adopt the act. This process ensures that the identification of an "associated third country" reflects a consensus among Member States, balancing commercial interests with strategic security concerns.

Cumulative Criteria for Third-Country Recognition

For the Commission to adopt such an implementing act, the third country must fulfil a rigorous set of cumulative criteria outlined in Article 18(1)(a)–(f). These criteria are designed to neutralise risks arising from extraterritorial laws (such as the US CLOUD Act) and ensure that the provider's operational autonomy is preserved. The criteria include:

1. Adequacy Decision: The third country must be subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679 (GDPR) (Article 18(1)(a)).
2. No Conflicting Data Access Laws: The country must have no measures enabling it to exercise control over the provider in a way that conflicts with lawful access to non-personal data under Article 32(2) and (3) of Regulation (EU) 2023/2854 (Data Act) (Article 18(1)(b)).
3. No Service Disruption or Degradation: The country must have no measures compelling the provider to degrade, disrupt, or implement restrictive measures (such as sanctions or embargoes), unless these are legitimate under the national laws of Member States or Union law (Article 18(1)(c)).
4. No Impediment to Technology: The country must not impede the provision of state-of-the-art technologies and services by the provider (Article 18(1)(d)).
5. Open Market: The country must maintain an open market to Union cloud computing services (Article 18(1)(e)).
6. Reciprocal Access: The third country must grant equivalent levels of access to its public procurement procedures for cloud services controlled by Union Member States or entities (Article 18(1)(f)).

Only if a third country meets all these conditions can the Commission adopt the implementing act. This high bar ensures that the "associated third country" status is reserved for jurisdictions with robust legal frameworks that align with EU sovereignty objectives.

The Role of the Examination Procedure (Article 46)

The adoption of these decisions via the examination procedure under Article 46(2) is a cornerstone of the proposal's governance structure. Article 46 states that the Commission shall be assisted by a committee, and where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 applies.

This procedure provides a robust layer of political accountability:

• Committee Scrutiny: The draft implementing act is submitted to a committee composed of representatives from all Member States.
• Voting Mechanism: The committee votes on the draft. A positive opinion allows the Commission to adopt the act. A negative opinion prevents adoption unless the Commission refers the matter to an Appeal Committee.
• Member State Consensus: This process ensures that the identification of an "associated third country" is not a unilateral Commission decision but one that requires the backing of Member States, reflecting the collective security interests of the Union.

Link to the Sovereignty Framework

This mechanism is intrinsically linked to the broader sovereignty framework established in Title IV of CADA. The framework comprises four Union assurance levels (1–4). Union assurance level 3 is particularly strict, requiring that providers and subcontractors are not subject to the control of a third country or a legal entity established in a third country.

However, Article 18 provides a specific derogation to this rule. As stated in Annex II, Section 3.1(g): "By way of derogation to this criterion, a cloud computing service provider... that are subject to the control of a third country... may be audited for Union assurance level 3 where the Commission has adopted an implementing act under Article 18." (Note: The draft text in Annex II references Article 19, but the explanatory memorandum and Article 18 itself clarify that the power to adopt the decision lies with Article 18; this is a known drafting slip in the proposal).

Without such an implementing act, a provider controlled by a third country is legally barred from being recognised at level 3, regardless of its technical compliance with other criteria. This creates a "gatekeeper" function for the Commission, effectively determining which international jurisdictions are deemed trustworthy enough for high-stakes public sector cloud usage involving public order, national security, or critical infrastructure.

Consequences of Non-Compliance or Withdrawal

The status of an "associated third country" is not permanent. Article 18(2) mandates that "Where available information reveals that the third country no longer fulfils the requirements under paragraph 1, the Commission shall repeal, amend or suspend the decision."

This dynamic nature means that recognition is contingent on continuous compliance. If a third country enacts new surveillance laws, restricts market access for EU providers, or fails to uphold data protection standards, the Commission must act to revoke the status. Article 18(3) further requires the Commission to publish a list of third countries that fulfil the requirements and those that no longer do so, ensuring transparency.

What this means for you

For in-house counsel, compliance officers, and strategic planners at cloud computing service providers, particularly those with multinational structures or third-country ownership, the adoption of these implementing acts has direct operational and contractual implications.

1. Eligibility for Public Sector Contracts If your provider is controlled by a third-country entity (e.g., a US or Asian hyperscaler), you cannot be recognised as offering Union assurance level 3 unless the Commission has adopted an implementing act identifying your country of control as "associated." Without this act, you are effectively excluded from bidding for public sector contracts requiring level 3 or higher, which cover activities contributing to public order, national security, and critical infrastructure. You must monitor the Commission's website for the list of associated third countries published under Article 18(3).

2. Contractual Risk Management You should review existing and future contracts with public sector clients to include clauses addressing the potential revocation of third-country recognition. If the Commission suspends or repeals an implementing act for your controlling jurisdiction, your service may immediately cease to meet the contractual requirements for Union assurance level 3. You need clear exit strategies, migration plans, and liability allocations for such events to protect your organisation from breach of contract claims.

3. Compliance with Cumulative Criteria Ensure your organisation's internal governance structures align with the cumulative criteria in Article 18(1). For instance, demonstrate that your policies prevent third-country authorities from accessing customer data or disrupting service in violation of EU law. Document these measures thoroughly, as they will be scrutinised during the audit process for Union assurance level 3 (governed by Article 20 and Annex III). Note that even with an associated country status, the provider must still demonstrate that the third country's control does not restrain service delivery or compel compliance with restrictive measures.

4. Monitoring the Comitology Process Stay abreast of the comitology process. The adoption of implementing acts under Article 46(2) is a formal legislative step involving Member State scrutiny. Subscribe to EU comitology notifications or legal alerts to track drafts and final decisions regarding associated third countries. This proactive monitoring allows you to adjust your market strategy and compliance posture in anticipation of regulatory changes, rather than reacting to them after the fact.

Common misconceptions

Misconception 1: All third-country providers can automatically qualify for Union assurance level 3 if they meet technical standards. Reality: No. Under Article 18(1), third-country controlled providers can only be audited for level 3 if the Commission has explicitly adopted an implementing act identifying their country as "associated." Technical compliance with Annex II criteria is necessary but insufficient without this political and legal designation.

Misconception 2: The Commission's decision is a unilateral executive act with no oversight. Reality: The decision is an implementing act adopted via the examination procedure under Article 46(2). This involves a committee of Member State representatives, ensuring that the identification of associated third countries is subject to political scrutiny and consensus-building.

Misconception 3: Once a third country is recognised, the status is permanent. Reality: Article 18(2) mandates that the Commission must repeal, amend, or suspend the decision if the third country no longer fulfils the requirements. This could happen due to new national laws, changes in data protection practices, or shifts in market access policies. Recognition is dynamic and contingent on continuous compliance.

Misconception 4: Article 17 governs the identification of third countries. Reality: Article 17 governs the general recognition procedure for cloud computing service providers (the application process). Article 18 specifically governs the identification of "associated third countries" for the purpose of allowing third-country controlled providers to access Union assurance level 3. Confusing these articles can lead to misinterpreting the legal basis for third-country eligibility.

Official sources

• GDPR (Regulation (EU) 2016/679)
• Data Act (Regulation (EU) 2023/2854)

Related

• Will existing cloud contracts be affected when CADA starts to apply?
• CADA Implementing Acts: Which Rules Will Be Set by Secondary Legislation?
• When will the Cloud and AI Development Act (CADA) be reviewed?
• What will the Commission look at when it reviews CADA?
• CADA Exam Procedure: How Implementing Acts Are Adopted

This is general information about a draft EU regulation, not legal advice.