Summary

As proposed, the Cloud and AI Development Act (CADA) is framed as non-discriminatory rather than protectionist: the explanatory memorandum describes a "transparent, non-discriminatory blueprint for digital autonomy," and third-country providers can qualify for high assurance. Where the US relies on bilateral executive agreements (under the CLOUD Act) to manage cross-border data access, CADA uses a tiered framework in which a non-EU provider can reach Union assurance level 3 if its home country meets strict adequacy and non-interference criteria (Article 18). The difference is structural: CADA mandates risk-based procurement for public order, while the US model prioritises cross-border data flow with reciprocal access agreements.

Detail

To assess whether CADA is protectionist, compare its mechanisms for third-country access with the US CLOUD Act's framework. The proposal rejects a closed-market model. Recital 64 states that the "Union maintains an open and non-discriminatory framework for market access, in accordance with the TFEU and subject to international commitments," including the WTO Agreement on Government Procurement (GPA). The explanatory memorandum frames the proposal as "a transparent, non-discriminatory blueprint for digital autonomy."

The CADA sovereignty framework and third-country access

CADA's core mechanism is the Union cloud computing sovereignty framework of four assurance levels (Article 16). Rather than a blanket ban on non-EU providers, it allows nuanced access based on risk:

  1. Union assurance level 1: the baseline requires the provider to be established in the Union, but Annex II (Section 1) does not categorically bar a third-country-controlled entity, provided it meets the level 1 criteria — including the guarantee that no third-country law requires it to report software vulnerabilities to foreign authorities before exploitation.
  2. Union assurance levels 2-4: required for public-order activities (Article 30(3)). Annex II generally requires the provider and subcontractors to be established in the Union and (at levels 3 and 4) not subject to third-country control. Article 18 provides a critical exception: the Commission may, by implementing act, identify third countries whose controlled providers may be audited against the criteria for Union assurance level 3.

To qualify under Article 18, a third country must meet cumulative criteria, including:

  • a relevant adequacy decision under Article 45 of the GDPR;
  • no measures enabling control over the provider that conflict with the lawful-access rules for non-personal data in the Data Act (Article 32(2)-(3) of Regulation (EU) 2023/2854);
  • no measures to compel degradation or disruption of service, or to compel restrictive measures such as sanctions or embargoes (unless legitimate under Member State or Union law);
  • no measures impeding the provision of state-of-the-art technologies and services;
  • an open market to Union cloud computing services;
  • equivalent access to its public-procurement procedures for cloud services controlled by a Union Member State, entity, or entity established in the Union (Article 18(1)(f)).

This structure is risk-based rather than origin-based: a third-country provider can compete for high-assurance public contracts if its home country demonstrates equivalent legal safeguards and market reciprocity.

Comparison with the US CLOUD Act

The US approach, under the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), starts from a different premise. The CLOUD Act added 18 U.S.C. § 2713, providing that a covered provider must preserve, back up or disclose data within its "possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States." To manage conflicts with foreign law, § 2523 lets the US enter executive agreements with "qualifying foreign governments."

Under § 2523, those agreements involve reciprocal arrangements between the US and the partner government for cross-border access to data held by providers, subject to defined conditions. This is fundamentally a law-enforcement access model.

By contrast, CADA focuses on operational sovereignty and public-order protection rather than law-enforcement data sharing. Article 18 is aimed at preventing third-country governments from disrupting service continuity or accessing customer data, and its "equivalent levels of access to public procurement" condition (Article 18(1)(f)) ties reciprocity to the legal and technical safeguards of the cloud service itself.

Transparency and non-discrimination

CADA addresses protectionism concerns directly. Recital 64 notes that the Union retains the right, "in accordance with Article III:2(a) of the WTO GPA, to adopt or maintain measures necessary to protect public morals, order or safety," with restrictions that are necessary and proportionate. The proposal argues that divergent national sovereignty rules fragment the internal market, whereas a harmonised EU framework (Article 16) actually reduces barriers for compliant third-country providers by offering one clear set of criteria rather than 27 national standards.

What this means for you

For in-house counsel and compliance officers at cloud providers (EU and non-EU), the distinction has operational implications:

  1. Audit readiness for Article 18: if your provider is non-EU and targets level 3 EU public-sector contracts, monitor whether your home country is designated under Article 18. Qualification is not automatic; it requires your home country to meet the cumulative criteria, and you must show your operational autonomy is legally insulated from third-country mandates.
  2. Reciprocity in procurement: Article 18(1)(f) requires the third country to grant equivalent access to its public-procurement procedures for EU-controlled services. If your home country restricts EU providers, your provider may be blocked from level 3 recognition in the EU.
  3. Risk-assessment alignment: under Article 29, Member States and Union entities determine which assurance levels apply to specific public-order activities. Access to certain public-sector workloads would therefore depend on those assessments, not only on technical capability.
  4. Penalties and transparency: non-compliance can lead to penalties under Article 24, which must be "effective, proportionate and dissuasive." Article 23 imposes transparency obligations, requiring providers to notify the auditing organisation and the competent authority of material changes affecting their assurance status; failure to do so can lead to revocation.

Common misconceptions

CADA bans all non-EU cloud providers.

No. It creates a tiered system. Non-EU providers can qualify for level 1 and, via Article 18, level 3 where their home country meets the criteria. The constraint is on unmitigated third-country control over data and service continuity, not on origin alone.

CADA is a data-localisation law.

While it requires data to remain in the Union for higher levels (Annex II), it is primarily a sovereignty and operational-autonomy framework focused on preventing third-country governments from disrupting services or accessing data — not merely where the bits sit.

The US CLOUD Act is purely "open market" with no restrictions.

The CLOUD Act facilitates cross-border data access but relies on reciprocal executive agreements (§ 2523) and lets US legal process reach data held abroad, which can conflict with EU data-protection law. CADA is more restrictive on who can supply critical public infrastructure, but more permissive on data flow within the EU for compliant providers.

This is general information about a draft EU regulation, not legal advice.