Summary
Under the proposed Cloud and AI Development Act (CADA), "associated third countries" are non-EU nations designated by the European Commission via implementing acts, creating a specific derogation that allows cloud providers controlled by those countries to qualify for Union Assurance Level 3. This is not automatic; the third country must satisfy six cumulative criteria, including holding an EU adequacy decision, prohibiting service disruption, and ensuring reciprocal public procurement access. Crucially, this mechanism does not apply to Level 4, which strictly prohibits third-country control. For legal teams, this represents a narrow, conditional pathway for non-EU providers to serve sensitive public-sector contracts, subject to ongoing Commission monitoring and potential revocation.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a "Union cloud computing sovereignty framework" comprising four assurance levels. The default rule for the higher assurance levels (2, 3, and 4) is that providers and their subcontractors must not be subject to the control of a third country or a legal entity established in a third country. However, the proposal introduces a carefully calibrated exception to maintain an open market while safeguarding sovereignty.
The Legal Mechanism: Article 18
The specific provision governing this exception is Article 18, titled "Associated third countries." This article empowers the Commission to adopt implementing acts identifying third countries where cloud computing service providers subject to their control may be audited against the criteria for Union Assurance Level 3.
As stated in Article 18(1), the Commission may only make such a designation if the third country fulfills a set of cumulative criteria. This is a high bar; failure to meet even one criterion prevents the designation. The mechanism is distinct from the general GDPR adequacy process, as it addresses broader sovereignty concerns including service continuity, market access, and the absence of coercive legal measures.
The Six Cumulative Criteria for Designation
For a third country to be designated as "associated" under Article 18(1), it must simultaneously satisfy the following conditions:
- GDPR Adequacy Decision (Article 18(1)(a)): The third country must be subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679 (the GDPR). This ensures a baseline of data protection equivalence.
- No Conflict with Lawful Access (Article 18(1)(b)): The country must have no measures enabling it to exercise control over the cloud provider in a manner that conflicts with the requirements for lawful access to non-personal data set out in Article 32(2) and (3) of Regulation (EU) 2023/2854 (the Data Act). This prevents foreign laws from overriding EU data sovereignty rules.
- No Compulsion to Degrade or Disrupt (Article 18(1)(c)): The country must have no measures compelling the provider to degrade or disrupt service continuity. Furthermore, it must not oblige the provider to implement, enforce, or comply with restrictive measures such as sanction regimes, embargoes, or equivalent legal measures, unless such measures are legitimate under the national laws of Member States or Union law.
- No Impediment to Technology (Article 18(1)(d)): The country must have no measures in place to impede the provision of state-of-the-art technologies and services by the cloud provider.
- Open Market Access (Article 18(1)(e)): The third country must maintain an open market to Union cloud computing services, ensuring non-discriminatory access for EU providers.
- Reciprocal Public Procurement (Article 18(1)(f)): The third country must grant equivalent levels of access to public procurement procedures for cloud services subject to the control of a Union Member State, a Union entity, or a legal entity established in the Union.
The Scope Limitation: Level 3 Only
It is critical to distinguish the scope of this derogation. Article 18 explicitly applies only to Union Assurance Level 3.
- Level 3 Eligibility: Under Annex II, Section 3.1(g), providers subject to third-country control are generally barred from Level 3. However, Article 18 provides the derogation: "By way of derogation to this criterion, a cloud computing service provider... subject to the control of a third country... may be audited for Union assurance level 3 where the Commission has adopted an implementing act under Article 19 [sic: Article 18]." Note: The draft text in Annex II references Article 19, but the explanatory memorandum and the main text of Article 18 clarify that the implementing act is adopted under Article 18. This is a known drafting slip in the proposal text.
- Level 4 Exclusion: Union Assurance Level 4 (Annex II, Section 4.1(g)) contains a strict prohibition: "the audited provider and the subcontractors... are not subject to the control of a third country or a legal entity established in a third-country." There is no derogation for associated third countries at Level 4. Consequently, even if a country is designated as "associated," its providers cannot reach the highest assurance level required for the most sensitive classified information.
Revocation and Transparency
The designation is dynamic, not permanent. Article 18(2) mandates that if available information reveals a third country no longer fulfills the requirements, the Commission "shall repeal, amend or suspend the decision." This creates a continuous compliance obligation for providers relying on this status.
To ensure market transparency, Article 18(3) requires the Commission to publish on its website a list of third countries that fulfill the requirements and those that no longer do. This list serves as the definitive reference for contracting authorities and providers.
What this means for you
For legal counsel, compliance officers, and public procurement teams, the "associated third country" mechanism introduces a complex, conditional variable into cloud strategy.
For Cloud Service Providers (Non-EU Controlled)
If your organization is controlled by a third country, your path to serving EU public-sector clients at high assurance levels is bifurcated:
- The Level 3 Opportunity: If your controlling country is designated under Article 18, you may apply for Level 3 recognition. This allows you to serve activities contributing to public order (e.g., law enforcement, critical infrastructure) that require Level 2, 3, or 4 under Article 30(3).
- The Level 4 Barrier: You cannot reach Level 4. If your client requires Level 4 (e.g., for handling EU classified information), you are ineligible regardless of your country's status. You must either divest third-country control or partner with an EU-controlled entity.
- Audit Preparation: Even with a designated country, you must undergo an independent third-party audit under Article 20 to prove compliance with all Level 3 criteria, including data localization, personnel screening (Union citizens), and cybersecurity certification (at least "substantial" assurance).
- Risk of Revocation: Your eligibility is tied to your country's status. If the Commission suspends the designation under Article 18(2) due to a change in foreign law or policy, your recognition could be revoked, potentially triggering contract termination or migration obligations.
For Public Sector Procurement Officers
When procuring cloud services for public-order-relevant activities, the verification process becomes more granular:
- Verify the Country, Not Just the Provider: Before accepting a Level 3 recognition from a third-country-controlled provider, you must verify that the controlling country is currently listed as "associated" on the Commission's website. A provider's recognition is invalid if the underlying country designation is suspended.
- Check the Repository: Confirm the provider's status in the central repository established under Article 22. The repository should reflect the current recognition status, but cross-referencing with the Commission's list is prudent.
- Reciprocity Check: Be aware that the designation relies on reciprocal market access (Article 18(1)(f)). If your Member State's procurement practices are perceived as non-compliant with reciprocity, it could jeopardize the designation of the provider's home country.
- Migration Planning: Include clauses in contracts that address the scenario where a third-country designation is revoked. Under Article 29(6), if migration to another service is required, the transition period must not exceed 12 months.
Strategic Timeline Considerations
- Proposal Status: CADA is currently a proposal. The "associated third country" mechanism is not yet in force.
- Entry into Force: If adopted, the Regulation enters into force 20 days after publication in the Official Journal (Article 48).
- Application: It applies one year after entry into force.
- Designation Timing: The Commission will adopt implementing acts to designate countries. The timeline for these acts is not fixed in the primary text but will follow the examination procedure in Article 46(2). Providers should monitor the Commission's work program for the first wave of designations.
Common misconceptions
Misconception 1: "If a country has a GDPR adequacy decision, it is automatically an 'associated third country' under CADA."
- Reality: An adequacy decision is merely the first of six cumulative criteria (Article 18(1)(a)). A country can have an adequacy decision but still fail the criteria regarding service disruption, market openness, or reciprocal procurement access. All six must be met.
Misconception 2: "Associated third countries allow providers to reach Union Assurance Level 4."
- Reality: Article 18 is strictly limited to Union Assurance Level 3. Annex II, Section 4.1(g) explicitly prohibits third-country control for Level 4 with no derogation. This is a hard ceiling for third-country-controlled providers.
Misconception 3: "Once a country is designated, the status is permanent."
- Reality: Article 18(2) provides for the repeal, amendment, or suspension of the decision if requirements are no longer met. This creates a "dynamic" risk where a provider's eligibility can vanish overnight due to geopolitical shifts or legislative changes in the third country.
Misconception 4: "This rule applies to all cloud services, including private B2B."
- Reality: The sovereignty framework and the associated third-country mechanism are designed for services provided to Union entities and public sector bodies (Title IV). While private entities in critical sectors may voluntarily conduct impact assessments under Article 31, the mandatory procurement obligations and the associated third-country derogation primarily target the public sector.
Misconception 5: "The cross-reference in Annex II to 'Article 19' is the correct article number."
- Reality: Annex II, Section 3.1(g) contains a drafting slip, referencing "Article 19" for the implementing act. The correct legal basis is Article 18, as established in the main text of the proposal and the explanatory memorandum. Legal teams should cite Article 18.
This is general information about a draft EU regulation, not legal advice.