Summary

Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers operating globally must demonstrate effective legal, technical, and organisational separation between their Union parent company and any subsidiaries established in third countries. This requirement is mandatory for providers seeking recognition at Union assurance levels 2, 3, or 4, as set out in Annex II (Sections 2.1(k), 3.1(k), and 4.1(k)). The rule is intended to ensure that third-country entities cannot access Union customer data, influence service continuity, or bypass security procedures. Failure to maintain this separation can result in the revocation of a provider's recognition status and exposure to penalties under Article 24.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a rigorous sovereignty framework designed to mitigate risks associated with dependence on third-country cloud providers. A critical component of this framework is the requirement for global cloud providers to insulate their European operations from the influence, access, or control of their non-EU subsidiaries. This requirement is embedded in the criteria for Union assurance levels 2, 3, and 4 set out in Annex II of the proposal.

The Core Requirement: Effective Separation

For a cloud computing service provider to be recognised as offering a higher level of sovereignty assurance, it must prove that its Union-based operations are effectively separated from any subsidiaries it maintains in third countries. This rule applies to providers that offer services globally and maintain a legal presence outside the Union.

The wording of the criterion is identical across the three higher assurance levels, and because each level incorporates the criteria of the levels below it, the obligation applies at every level from 2 upwards:

  • Union Assurance Level 2: Annex II, Section 2.1(k) requires the provider to demonstrate that it has implemented necessary measures to ensure and enforce effective legal, technical, and organisational separation between the Union parent company and any such third-country subsidiary.
  • Union Assurance Level 3: Annex II, Section 3.1(k) repeats this requirement for the higher assurance tier.
  • Union Assurance Level 4: Annex II, Section 4.1(k) mandates the same separation for the highest level of assurance.

This requirement acknowledges that many global hyperscalers and large cloud providers operate through complex corporate structures. CADA does not prohibit having a third-country subsidiary; rather, it demands that the Union entity operates with autonomy that is legally, technically, and organisationally distinct from its foreign counterparts. The separation must be "effective," meaning it must be demonstrable in practice, not just on paper.

Audit Evidence and Verification

Separation cannot simply be self-declared. Under Article 20, providers seeking Union assurance levels 2, 3, or 4 must undergo independent third-party audits. The auditing organisation assesses compliance with the criteria in Annex II, including the separation requirement, on the basis of the audit evidence listed in Annex III.

According to Annex III, Section 11 (Audit criterion K), the auditing organisation must verify the following specific points to confirm that separation is effective:

  1. Legal and Operational Independence: The auditor must verify that the third-country subsidiary is legally and operationally independent from the audited Union provider.
  2. No Access to Customer Data Systems: The provider must demonstrate that the subsidiary has no access to systems processing or storing Union customer data.
  3. No Privileged Accounts: The subsidiary must hold no privileged accounts within the Union production environments. This covers cloud administration, Identity and Access Management (IAM), Privileged Access Management (PAM), monitoring, and database administration privileges.
  4. Personnel Restrictions: The auditor must verify that personnel of the third-country subsidiary cannot obtain access to Union customer data, whether directly or through the provider's staff.
  5. No Authority to Bypass Security: The subsidiary must have no authority to instruct Union operational staff to disclose customer data or to bypass security procedures.
  6. Handling Government Requests: The auditor must verify that all foreign government requests received by the third-country subsidiary are formally redirected to the competent Union entity for legal assessment under Union and Member State law.

These criteria are designed to prevent scenarios where a third-country government could compel a local subsidiary to access data hosted in the EU, or where a parent company in a third country could exert control over EU operations in a way that compromises sovereignty.

Recognition and Enforcement

The process for obtaining recognition is governed by Article 17. A provider must submit an application for recognition to the national competent authority of its establishment, including the audit report and a 'positive' audit opinion from an auditing organisation. If the audit confirms that the Annex II criteria, including separation, are met, the provider may be recognised across the Union at the appropriate assurance level.

However, recognition is not permanent. Article 23 imposes transparency obligations on providers. If a provider becomes aware of any material change in circumstances that may affect the audit report or recognition (including changes in corporate structure or subsidiary relationships), it must notify the auditing organisation and the national competent authority as soon as possible. The auditing organisation may then amend or revoke the audit report, leading to a review of the provider's recognition status.

Penalties and Consequences

Non-compliance with the sovereignty framework carries significant risks. Article 24 empowers Member States to lay down rules on penalties applicable to infringements by cloud computing service providers. These penalties must be effective, proportionate and dissuasive. Factors taken into account include the nature, gravity, and duration of the infringement, as well as any financial benefit gained from it.

Furthermore, Article 24(3) grants recipients of cloud computing services the right to seek compensation from providers for any damage or loss suffered due to an infringement of their obligations under the sovereignty framework. For public sector bodies that Article 30 requires to procure certain activities only from providers holding a specified Union assurance level, a supplier losing recognition after a failed separation check could disrupt critical services.

What this means for you

For in-house counsel and compliance officers at global cloud providers, the CADA's third-country subsidiary separation rules represent a significant operational and legal hurdle. You must move beyond high-level corporate governance assurances and implement concrete technical and organisational controls.

Actionable Steps:

  1. Map Corporate Structures: Identify all subsidiaries and legal entities outside the Union. Determine which of them could be perceived as having control over, or access to, Union operations.
  2. Technical Isolation: Review IAM and PAM policies. Ensure that employees and service accounts of third-country subsidiaries hold no privileged roles in Union production environments and that subsidiary-managed identity providers and networks have no path into those environments; implement strict network segmentation where needed.
  3. Legal Firewalls: Draft internal policies that explicitly prohibit third-country subsidiaries from accessing Union customer data or bypassing Union security protocols. Establish clear procedures for redirecting any foreign government data request received by a subsidiary to the Union legal team.
  4. Audit Readiness: Prepare for independent audits under Article 20. Ensure your documentation and evidence align with Annex III, Section 11, particularly the verification that no privileged accounts exist and that government requests are redirected.
  5. Monitor Changes: Establish a process to report any structural change or breach of separation to your auditing organisation and national competent authority as soon as possible, as required by Article 23.
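The checks an auditor applies under Annex III, Section 11 (no privileged accounts for third-country principals, no access by them to systems holding Union customer data) can be run as a repeatable pre-audit check over your own IAM inventory and access logs. The following Python script is an added example, not text or tooling from the proposal or from any provider; the entity names, role labels, system names and log lines are all constructed for the illustration, and the privileged-role labels are assumed names rather than those of any real platform.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Privilege classes named in audit criterion K (cloud administration, IAM,
# PAM, monitoring, database administration). The role strings are assumed
# labels for this example, not names from any real platform.
PRIVILEGED_ROLES = {
    "cloud-admin", "iam-admin", "pam-admin", "monitoring-admin", "db-admin",
}


@dataclass(frozen=True)
class Principal:
    name: str
    entity: str             # legal entity the account belongs to
    roles: frozenset        # roles held in the Union production environment


@dataclass(frozen=True)
class Finding:
    principal: str
    rule: str
    detail: str


def find_separation_violations(
    principals: Iterable[Principal],
    customer_data_systems: Set[str],
    access_log: Iterable[Tuple[str, str, str]],
    third_country_entities: Set[str],
) -> List[Finding]:
    """Check the inventory and access log against the separation criterion.

    Two checks are applied to every principal owned by a third-country entity:
    (1) it holds no privileged role in Union production, and (2) it has not
    touched any system tagged as processing Union customer data. A log entry
    for a principal missing from the inventory is reported too, because an
    incomplete inventory means the first check cannot be trusted.
    """
    by_name = {p.name: p for p in principals}
    findings: List[Finding] = []

    for p in by_name.values():
        if p.entity not in third_country_entities:
            continue
        held = sorted(p.roles & PRIVILEGED_ROLES)
        if held:
            findings.append(Finding(
                p.name, "K3 privileged account",
                "holds " + ", ".join(held) + " in Union production"))

    for name, system, action in access_log:
        p = by_name.get(name)
        if p is None:
            findings.append(Finding(
                name, "inventory gap",
                f"unmapped principal performed {action} on {system}"))
        elif p.entity in third_country_entities and system in customer_data_systems:
            findings.append(Finding(
                name, "K2 customer-data access", f"{action} on {system}"))
    return findings


def separation_audit_passes(findings: List[Finding]) -> bool:
    """Criterion K is only met when no finding of any class remains."""
    return not findings


# Constructed sample data for a fictitious provider "EU-Cloud SE" with a
# fictitious third-country subsidiary "EU-Cloud Inc". None of it describes
# a real company, account or system.
SAMPLE_PRINCIPALS = [
    Principal("alice@eu-cloud.example", "EU-Cloud SE", frozenset({"cloud-admin"})),
    Principal("svc-backup", "EU-Cloud SE", frozenset({"db-admin"})),
    Principal("bob@us.eu-cloud.example", "EU-Cloud Inc", frozenset({"monitoring-admin"})),
    Principal("carol@us.eu-cloud.example", "EU-Cloud Inc", frozenset({"support-readonly"})),
]
SAMPLE_CUSTOMER_DATA_SYSTEMS = {"db-prod-eu-customers", "objstore-eu-tenant"}
SAMPLE_ACCESS_LOG = [
    ("alice@eu-cloud.example", "db-prod-eu-customers", "query"),
    ("bob@us.eu-cloud.example", "metrics-eu", "read"),
    ("carol@us.eu-cloud.example", "db-prod-eu-customers", "query"),
    ("ghost", "objstore-eu-tenant", "get"),
]
THIRD_COUNTRY_ENTITIES = {"EU-Cloud Inc"}


def run_sample() -> List[Finding]:
    return find_separation_violations(
        SAMPLE_PRINCIPALS, SAMPLE_CUSTOMER_DATA_SYSTEMS,
        SAMPLE_ACCESS_LOG, THIRD_COUNTRY_ENTITIES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule:24} {f.principal:28} {f.detail}")
    print("criterion K met:", separation_audit_passes(run_sample()))
```

On the constructed data the script reports three findings: a monitoring-admin role held by a subsidiary account (the privileged-account check), a subsidiary support account that queried a customer-data system despite holding no privileged role (the access check, which contracts alone would not catch), and a log entry from a principal absent from the inventory. The third class matters in practice: the privileged-account check is only as good as the inventory it runs against, so an unmapped principal in production logs is itself evidence an auditor would query.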

Common misconceptions

Misconception 1: Having a third-country subsidiary automatically disqualifies a provider. CADA does not ban global providers from having subsidiaries outside the Union. The prohibition is on lack of separation. As long as a provider can demonstrate effective legal, technical, and organisational separation as detailed in Annex II and verified in Annex III, it can still achieve Union assurance levels 2, 3, or 4.

Misconception 2: This only applies to the highest assurance level. The separation requirement is cumulative. Annex II requires that a provider satisfying criteria for a higher level must also meet all criteria for lower levels. Therefore, the separation rule in Section 2.1(k) applies to Level 2, and by extension, Levels 3 and 4. It is not a niche requirement for only the most sensitive government data.

Misconception 3: Contractual clauses are sufficient. While contractual obligations form part of the legal separation, the audit criteria in Annex III focus heavily on technical and organisational reality. Auditors will check for the absence of privileged accounts and will review actual access logs. Relying solely on contracts without technical enforcement mechanisms will likely result in a negative audit opinion.

This is general information about a draft EU regulation, not legal advice.