Summary

No. The proposed Cloud and AI Development Act (CADA) would not ban US cloud providers, or any other third-country vendors, from operating in the EU. As proposed, CADA would instead establish a tiered sovereignty framework with four "Union assurance levels" that public-sector bodies must use when procuring cloud services. US providers would face stricter scrutiny at higher levels to mitigate risks from extraterritorial laws, but they could still compete for EU contracts by meeting specific technical and legal criteria, including, for the higher tiers, via the third-country recognition mechanism in Article 18.

Detail

CADA, proposed by the European Commission in 2026, is designed to strengthen the EU's cloud and AI ecosystem by reducing strategic dependencies and reinforcing technological sovereignty. A common concern among international providers is whether the legislation amounts to a de facto ban on non-European, particularly US-based, cloud computing service providers. As proposed, it does not. CADA would not prohibit any provider from offering services in the EU based on country of origin. Instead, it would create a harmonised, risk-based framework requiring public-sector bodies to match the sensitivity of their activities to an appropriate level of cloud assurance.

A graduated sovereignty framework, not a ban

At the heart of CADA's approach is a four-tier system of "Union assurance levels" (Article 16, with the detailed criteria in Annex II). Levels 1 to 4 impose progressively stricter requirements on data location, personnel, cybersecurity certification, and freedom from third-country control.

  • Union assurance level 1 is the baseline for most public-sector procurement. As proposed, it requires the provider to be established in the Union, with infrastructure, assets and customer data remaining within the Union unless the public-sector body explicitly requires otherwise (Annex II, points 1.1(a)–(c)). Crucially, level 1 does not bar providers controlled by third-country entities, provided they can demonstrate that no laws or practices in that third country require them to report software vulnerabilities to foreign authorities before those vulnerabilities are known to have been exploited (Annex II, point 1.1(g)).
  • Union assurance levels 2, 3 and 4 apply to activities identified as contributing to the preservation of public order, such as those in national security, defence, justice or critical infrastructure. These levels add stricter rules, such as requiring Union citizenship for personnel (levels 3 and 4) and prohibiting third-country control over the provider and its subcontractors (Annex II, points 3.1 and 4.1).

The framework is designed to be proportionate. Recital 52 states that "Most public services would not require the highest levels of assurance." Most public-sector cloud procurement would therefore fall under level 1, where third-country-controlled providers can compete if they meet the criteria.

The third-country recognition route (Article 18)

For higher assurance levels, the default criteria generally exclude providers subject to third-country control. CADA provides a specific pathway for non-EU providers to qualify for Union assurance level 3 through Article 18 ("Associated third countries").

As proposed, Article 18 would allow the Commission to adopt implementing acts identifying third countries whose providers may be audited against the level 3 criteria. This is not automatic; the third country must satisfy cumulative criteria, including:

  1. Being subject to a relevant adequacy decision under Article 45 of the GDPR (Regulation (EU) 2016/679).
  2. Having no measures enabling it to control the provider in a way that conflicts with the lawful-access rules for non-personal data in Article 32(2)–(3) of the Data Act (Regulation (EU) 2023/2854).
  3. Having no measures to compel the provider to degrade or disrupt service continuity, nor to impose restrictive measures such as sanctions not legitimate under EU or Member State law.
  4. Having no measures impeding the provision of state-of-the-art technologies.
  5. Maintaining an open market to Union cloud computing services.
  6. Granting equivalent access to public procurement for EU-controlled providers.

If a third country qualifies, its providers can undergo independent third-party audits (Article 20) against the level 3 criteria, demonstrating that third-country control does not restrict service delivery, enable access to customer data, or disrupt service quality.

Reinforcing sovereignty in an open manner

The proposal's recitals stress that the objective is to strengthen autonomy while remaining open to cooperation. Recital 61 states that "The Union's objective of strengthening its autonomy should be pursued in a manner that remains open, cooperative and consistent with the Union's international commitments and partnerships."

This frames the sovereignty framework as risk mitigation, not protectionism. It targets specific risks, such as unauthorised data access or service disruption stemming from extraterritorial laws like the US CLOUD Act, rather than excluding foreign providers outright. Recital 64 reaffirms that the Union maintains an open, non-discriminatory framework for market access, in accordance with the TFEU and commitments under the WTO Agreement on Government Procurement.

Addressing the US CLOUD Act context

The proposal acknowledges risks from laws with extraterritorial effect, such as the US CLOUD Act, which can compel US-controlled companies to disclose data regardless of where it is stored. As proposed, CADA would not ban US providers; it would require them to demonstrate legal, technical and organisational measures against such access or disruption. For level 1, that means showing no third-country law requires pre-disclosure of vulnerabilities. For level 3 (only if the US were recognised under Article 18), it would mean demonstrating that US control cannot enable access to EU customer data or disrupt services.

What this means for you

For public-sector procurement officers, CADA would change how you evaluate and select cloud providers. You could no longer choose any provider on price or features alone; you would align procurement with the assurance level set by your risk assessment.

  1. Conduct risk assessments: Under Article 29, Member States and Union entities must identify which activities contribute to the preservation of public order, which determines whether level 1 (baseline) or levels 2–4 apply.
  2. Check the central repository: Before procuring, consult the central repository of recognised services (Article 22) to verify a provider's assurance level.
  3. Evaluate third-country providers: For a US or other non-EU provider, verify their level. For level 1, check for a valid EU statement of conformity; for level 3, check whether their home country is recognised under Article 18 and whether they have passed the required independent audit.
  4. Plan for migration: If a current provider would not meet the required level, Article 29(6) provides a transition period not exceeding 12 months.

Common misconceptions

Misconception: CADA bans all non-EU cloud providers. CADA would not ban any provider. It sets criteria providers must meet for specific public-sector use cases. US and other third-country providers could compete for level 1 contracts, and potentially level 3 if their country is recognised under Article 18.

Misconception: The EU is building a closed digital fortress. The proposal states autonomy should be pursued in an "open, cooperative" manner (Recital 61) and reaffirms open, non-discriminatory market access consistent with the WTO GPA (Recital 64).

Misconception: Only EU-based companies can provide sovereign cloud services. EU establishment is required at every level, but third-country "control" is not automatically disqualifying. Level 1 allows third-country-controlled providers meeting the vulnerability-reporting criterion; level 3 allows them if their country is recognised under Article 18 and they pass the audit.

Misconception: All public-sector cloud use requires the highest level. Most public-sector activities would require only level 1. Levels 2–4 are reserved for activities with public-order relevance, such as defence, justice or critical infrastructure.

This is general information about a draft EU regulation, not legal advice.