Summary
Under the proposed Cloud and AI Development Act (CADA), cloud computing services controlled by a third country, or by a legal entity established in a third country, would be capped at Union assurance level 3. They could not achieve Union assurance level 4, which requires absolute freedom from third-country control with no derogation. This ceiling exists because level 4 is reserved for the most sensitive public-order activities, where neither the provider nor its subcontractors may be subject to the control of any third country.
Detail
CADA would establish a four-tier sovereignty framework — the Union assurance levels — to protect the EU's public order and operational autonomy. A critical feature is how it treats cloud services subject to third-country control. As proposed, the legislation creates a hard ceiling: services controlled by third countries can never qualify for Union assurance level 4.
The absolute ceiling of level 4
Level 4 is the highest tier of sovereignty and trust. Under Annex II, §4.1(g) of the proposal, a provider seeking recognition at this level must demonstrate that it and its subcontractors involved in the service are "not subject to the control of a third country or a legal entity established in a third-country."
This is an absolute prohibition. There is no derogation, no audit-based exception and no mitigation measure that lets a provider under third-country control meet the level 4 criteria. Level 4 is designed for the most critical public-sector activities, where any external leverage, coercion or access risk is treated as unacceptable.
Third-country recognition is limited to level 3
By contrast, Article 18 introduces a mechanism for "associated third countries." It would allow the Commission, by implementing act, to identify specific third countries whose cloud providers, even if subject to that country's control, may be audited against the criteria for Union assurance level 3 (Annex II).
For a third country to be eligible under Article 18(1), it must meet cumulative criteria, including:
- An adequacy decision under Article 45 of the GDPR (Regulation (EU) 2016/679).
- No measures enabling it to control the provider in a way that conflicts with the lawful-access rules for non-personal data in Article 32(2)–(3) of the Data Act (Regulation (EU) 2023/2854).
- No measures compelling the provider to degrade or disrupt service continuity, and no measures forcing it to apply restrictive measures such as sanctions or embargoes (unless legitimate under Member State or Union law).
- No measures impeding state-of-the-art technologies; an open market to Union cloud services; and equivalent access for Union-controlled providers to its public-procurement procedures.
If those conditions are met, the Commission can allow providers from that country to undergo independent audits for level 3. But even a provider from an "associated third country" that passes a rigorous audit and receives a "positive" opinion remains capped at level 3. It cannot ascend to level 4, because the level 4 criterion of being free from third-country control (Annex II, §4.1(g)) cannot be satisfied by a provider that is, by definition, subject to that control.
(One drafting note: Annex II §3.1(g) cross-refers to "Article 19" for the associated-third-countries derogation, but the operative mechanism is set out in Article 18 — an apparent cross-reference error in the proposal.)
Why the cap exists: the nature of control
The distinction hinges on "control" and the risk of extraterritorial application of foreign laws. The CADA explanatory memorandum highlights that dependence on third-country providers exposes the EU to risks such as unauthorised data access, service disruption and political or economic coercion.
For level 3, the framework allows a "managed risk" approach. If a third country is deemed sufficiently aligned with EU values (via adequacy and reciprocal guarantees), the risk of interference can be mitigated through strict legal, technical and organisational measures verified by independent audit (Article 20). The audit must verify, among other things, that the third country's control is not exercised so as to restrict service delivery, that third-country access to customer data is prevented, and that disruption or degradation of service is prevented (Annex II, §3.1(g)).
For level 4, the risk tolerance is zero. Level 4 requires that technical and operational support be performed exclusively within the Union by personnel who are Union residents and by third parties not subject to third-country control (Annex II, §4.1(h)). The software supply chain must be free from effective third-country control over design, development, maintenance and evolution (Annex II, §4.1(i)). These requirements are incompatible with being subject to third-country control, so a provider under such control cannot structurally meet level 4, however many safeguards it adds.
Implications for public procurement
This ceiling would shape procurement under Article 30. Contracting authorities whose activities are identified as contributing to the preservation of public order (for example national security, defence, justice) must procure cloud services based on the risk assessment (Article 29). If the assessment determines that an activity requires level 4, the authority must exclude any provider subject to third-country control, including one from an "associated third country" recognised under Article 18 for level 3.
What this means for you
For in-house counsel and compliance officers at cloud providers, this distinction shapes market positioning and audit planning.
1. Assess your control structure. If your provider is controlled by a third-country entity (for example a non-EU parent), you would be permanently excluded from level 4. Do not invest in trying to meet level 4, because the "control" criterion (Annex II, §4.1(g)) is a binary disqualifier. Your ceiling is level 3, and you reach even that only if your controlling country has been designated as "associated" under Article 18.
2. Monitor Article 18 designations. Your ability to serve high-assurance public-sector clients would depend on the Commission's decision regarding your home country. Track whether it meets the Article 18 criteria (adequacy, no disruptive measures, reciprocal market access). If it is not designated, you could not offer recognised level 3 services either, since you could not undergo the required audit for that tier; level 4 is excluded in any case.
3. Prepare for the level 3 audit. If you are from an associated third country, prepare for rigorous independent audits under Article 20. You must show that, despite third-country control, you have legal, technical and organisational measures preventing: third-country access to customer data; disruption of service continuity; coercion to apply foreign sanctions or embargoes (unless legitimate under EU or Member State law); and restrictions on your ability to deliver the service (Annex II, §3.1(g)).
4. Brief clients on the ceiling. If a client's risk assessment (Article 29) mandates level 4, you are not a compliant vendor. Communicate clearly that you can meet level 3 (if audited) but cannot satisfy the absolute sovereignty requirements of level 4 because of your corporate control structure.
Common misconceptions
"If I pass the level 3 audit, I can upgrade to level 4." Incorrect. Level 4 has a distinct, non-waivable criterion: the provider must not be subject to third-country control. A level 3 audit verifies that such control is managed and restricted in its effect. Level 4 requires that it does not exist. These are mutually exclusive states.
"Adequacy decisions automatically grant level 3 recognition." Incorrect. A GDPR adequacy decision is a prerequisite for a country to be considered under Article 18, but not sufficient. The Commission must still adopt an implementing act identifying the country as "associated," based on the additional cumulative criteria, and individual providers must still pass an independent audit.
"Level 4 is just a higher security standard." Incorrect. Level 4 does require the highest cybersecurity certificate (assurance level "high"), but it is primarily a sovereignty and control standard. The key differentiator from level 3 is legal and operational isolation from third-country influence, including Union-resident personnel for technical and operational support and strict control over the software supply chain, not merely stronger technical security.
This is general information about a draft EU regulation, not legal advice.