Summary

The proposed Cloud and AI Development Act (CADA) targets the risks of extraterritorial laws — foreign legal frameworks that can compel cloud providers to hand over EU data or disrupt services regardless of where the data sits. Laws such as the US CLOUD Act can conflict with EU fundamental rights and create strategic dependencies, especially for the public sector. As proposed, CADA would address this through a sovereignty framework requiring risk assessments and restricting procurement of cloud services exposed to such laws for public-order-critical functions. CADA is a proposal and not yet in force.

Detail

The CADA explanatory memorandum describes a European cloud market with a "pronounced dependence on a limited pool of third-country providers," noting that three non-EU hyperscalers control over 70% of the European cloud market. These incumbents are subject to third-country jurisdictions where laws with extraterritorial effect apply — laws that, as the memorandum puts it, may mandate "data access and transfer that may conflict with EU fundamental rights and data protection frameworks."

The problem: extraterritorial reach and fundamental rights

Extraterritorial laws apply beyond the borders of the enacting country. In cloud computing, a provider headquartered in Country A can be legally compelled by Country A's government to access, monitor, or seize data held on servers in the EU, even where that data belongs to EU citizens or public authorities.

The proposal highlights the resulting risks, including:

  1. Operational discontinuity: unilateral decisions by third-country actors could disrupt service provision and threaten essential public services.
  2. Conflict with fundamental rights: the memorandum links extraterritorial laws to possible conflict with EU fundamental rights and data-protection frameworks.
  3. Loss of control: reduced Union ability to retain control over infrastructure, data, and technology under Union jurisdiction.

Recital 5 records that the Council called for CADA to include "common criteria for sovereign cloud computing services, allowing market transparency risks and risks associated with dependencies, including extraterritorial effects of legislation adopted by third countries, to be addressed." The intent is legal and political autonomy, not just technical security.

The CLOUD Act as a primary example

CADA does not name specific foreign laws in its operative articles, but the most prominent example of "extraterritorial effect" is the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act). Under 18 U.S.C. § 2713, a provider of electronic communication or remote computing service must comply with obligations to "preserve, backup, or disclose the contents" of communications and customer records "regardless of whether such communication, record, or other information is located within or outside of the United States."

For an EU ministry using a provider subject to US jurisdiction, that provider may be legally obligated to hand over sensitive data to US authorities on request, bypassing EU safeguards. This is the core sovereignty risk CADA aims to mitigate.

How CADA would address extraterritorial risks

1. The Union cloud computing sovereignty framework (Article 16)

CADA would establish four Union assurance levels, with criteria set out in Annex II. Higher levels impose stricter limits on third-country control:

  • Union assurance level 1: where a provider is subject to third-country control, it must guarantee (demonstrated by independent sources) that no laws in that country require it to report software vulnerabilities to that country's authorities before those vulnerabilities are known to have been exploited (Annex II, 1.1(g)).
  • Union assurance levels 2, 3, and 4: these require independent third-party audits (Article 20). The Annex II criteria assess whether the provider is subject to third-country control and whether measures prevent that country from accessing customer data, disrupting service continuity, or compelling the provider to apply restrictive measures (such as embargoes) that conflict with EU or Member State law.

2. Risk assessments for public-sector procurement (Article 29)

Member States and Union entities would carry out risk assessments to identify which public-sector activities contribute to the preservation of public order, considering at least: the sensitivity and criticality of the data; the risk and impact of unlawful access by a third country or an entity established there; and the risk of service disruption. The assessment then determines the appropriate Union assurance level (2, 3, or 4) for those activities.

3. Procurement obligations (Article 30)

As proposed:

  • Public-sector bodies whose activities are not identified as contributing to public order must use cloud services recognised as having at least Union assurance level 1 (Article 30(2)).
  • Contracting authorities whose activities are identified as contributing to public order (e.g. national security, defence, justice, law enforcement, or NIS2 sectors) must only procure services recognised as having Union assurance level 2, 3, or 4 (Article 30(3)).

This would effectively bar exposed cloud services from the most critical government functions unless a provider can demonstrate through audit that it can resist such foreign demands.

4. Associated third countries (Article 18)

The Commission may, by implementing act, identify third countries whose providers — despite being subject to that country's control — may be audited against the criteria for Union assurance level 3. The country must meet cumulative criteria, including: a relevant adequacy decision under Article 45 GDPR; no measures enabling control conflicting with lawful access to non-personal data; no measures to degrade or disrupt service continuity; an open market to Union cloud services; and equivalent public-procurement access for Union-controlled services.

What this means for you

For public-sector procurement officers and legal advisers, CADA would shift cloud evaluation beyond price, performance, and standard security certifications to include legal jurisdiction and exposure to extraterritorial laws.

Key actions:

  1. Conduct risk assessments: Perform the Article 29 assessments to determine whether your activities contribute to public order — this dictates whether level 1, or level 2/3/4, applies.
  2. Verify assurance levels: Before tendering, check the central repository (Article 22) for services recognised at the required level.
  3. Scrutinise third-country links: Where an EU-established provider has significant third-country control, ensure it has undergone the necessary audits (Article 20) for higher levels.
  4. Plan for migration: If your provider does not meet the required level, Article 29(6) allows a reasonable transition period not exceeding 12 months, accounting for technical feasibility, continuity, and data portability.

Common misconceptions

"CADA bans all non-EU cloud providers." Incorrect. CADA would not ban non-EU providers outright; it restricts using providers exposed to high-risk extraterritorial laws for critical public-sector functions. A third-country provider can still be audited for level 3 if the Commission designates that country under Article 18. For non-critical activities, level 1 suffices.

"GDPR compliance is enough to protect against extraterritorial laws." Incorrect. The memorandum states that while the EU-US Data Privacy Framework addresses transatlantic transfers, it "does not remove sovereignty concerns about dependence on third-country providers." GDPR governs data protection but does not stop a foreign government compelling access via its own laws where the provider is subject to that jurisdiction.

"Only US laws are a problem." Incorrect. The US CLOUD Act is the most prominent example, but CADA's framework is jurisdiction-neutral and applies to any third-country law that could compel data access, transfer, or service disruption, regardless of political alignment.

This is general information about a draft EU regulation, not legal advice.