Summary

Under the proposed Cloud and AI Development Act (CADA), a third country can only be "associated" — opening the door for providers under its control to be audited for Union assurance level 3 — if the European Commission adopts an implementing act confirming the country meets six cumulative criteria as proposed in Article 18. These include holding a GDPR adequacy decision, having no laws that enable conflicting data access or compel service disruption, maintaining an open market for EU cloud services, and granting EU providers equivalent public-procurement access. Association does not by itself grant level 3; the provider would still need a positive independent audit and recognition.

Detail

CADA, as proposed, introduces a sovereignty framework intended to reduce EU reliance on non-European cloud providers. A central component is the four "Union assurance levels" in Annex II, which categorise cloud services by their autonomy from third-country interference. Union assurance levels 3 and 4 require that the provider and its subcontractors are not subject to the control of a third country — but level 3 contains a narrow derogation: a provider under third-country control may be audited for level 3 where the Commission has adopted an implementing act associating that third country.

This association is not automatic. As proposed in Article 18(1), the Commission "may adopt decisions, by means of implementing acts" identifying third countries whose controlled providers may be audited against the level 3 criteria, "provided that that third country fulfils the following cumulative criteria." Cumulative means every condition must be met; failing even one disqualifies the country.

The six cumulative criteria (Article 18(1)(a)–(f))

1. GDPR adequacy decision — Article 18(1)(a). The third country must be "subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679" (the GDPR). This is the foundational requirement, ensuring the country's data-protection regime is treated as essentially equivalent to the EU's.

2. No conflicting access measures — Article 18(1)(b). The country must have "no measures in place that enable it to exercise control over the cloud computing service provider in a way that would conflict with the requirements for lawful access to non-personal data" set out in paragraphs 2 and 3 of Article 32 of Regulation (EU) 2023/2854 (the Data Act). This targets extraterritorial access laws (the US CLOUD Act is the frequently cited example) that could compel disclosure of EU-stored data outside proper legal channels.

3. No power to disrupt service or impose restrictive measures — Article 18(1)(c). The country must have no measures to compel the provider to "degrade or disrupt service continuity or provision," and no measures to oblige it to "implement, enforce, give effect to, or comply with restrictive measures such as sanction regimes, embargoes, or any equivalent legal or administrative measures" — unless those specific measures are legitimate under Member State or Union law. This addresses "weaponised" interdependence, where a third country could cut off critical EU infrastructure.

4. No impediment to state-of-the-art technology — Article 18(1)(d). The country must have no measures "to impede the provision of state-of-the-art technologies and services" by the provider, ensuring the associated country does not block advanced offerings to EU customers.

5. Open market for EU cloud services — Article 18(1)(e). The country must "maintain an open market to Union cloud computing services" — a reciprocity requirement on market access.

6. Reciprocal public-procurement access — Article 18(1)(f). The country must "grant equivalent levels of access to public procurement procedures of cloud computing services" to providers controlled by a Union Member State or entity, or established in the Union.

These implementing acts would be adopted under the examination procedure referred to in Article 46(2).

Assessment, suspension and transparency

Association would be dynamic, not permanent. As proposed in Article 18(2), where available information reveals that a third country no longer fulfils the requirements of paragraph 1, the Commission "shall repeal, amend or suspend" the decision. Under Article 18(3), the Commission would publish on its website a list of third countries that fulfil the requirements and those that no longer do. Legal changes in a third country (e.g. new surveillance legislation) could therefore remove associated status quickly.

Interaction with Union assurance level 3

Association does not automatically grant level 3. Under Annex II, point 3.1(g), where the Commission has adopted the relevant implementing act, a provider under third-country control "may be audited for Union assurance level 3" — but it would also have to demonstrate that the necessary legal, technical and organisational measures are in place so that the third country's control does not restrict its ability to perform the service, that access to customer data is prevented, that disruption or degradation of the service is prevented, and that the provider is not obliged to give effect to restrictive measures. (Note: the cross-reference in Annex II point 3.1(g) names "Article 19"; the substantive associated-third-country regime sits in Article 18 of the proposal.) Association merely opens the door; the provider would still have to pass the independent audit required for levels 2, 3 and 4 under Article 20.

What this means for you

For in-house counsel and compliance officers, the associated-third-country regime reshapes cloud procurement and vendor risk management.

1. Jurisdictional analysis, not just data location. You cannot look solely at where the data centre sits. You must assess the provider's ultimate controlling jurisdiction. If a provider is controlled by a country that is not associated, its service could not reach Union assurance level 3 — regardless of where the servers are hosted.

2. Monitor the Commission's list. Because the Commission could suspend or repeal association (Article 18(2)), the list published under Article 18(3) would need ongoing monitoring. A sudden change in a third country's laws could remove associated status and trigger re-assessment or migration.

3. Contractual safeguards. Providers seeking level 3 under the derogation should ensure arrangements with third-country parents or affiliates prevent compliance with foreign laws that would cut against Article 18(1)(b) or (c), and be ready to demonstrate to auditors that they can refuse conflicting access requests.

4. Public-procurement compliance. Where a risk assessment under Article 29 dictates level 3, you would be permitted to procure from providers in associated third countries — but only after verifying the provider has passed the independent audit and been recognised under Article 17. Associated status alone does not establish eligibility.

5. Reciprocity and market access. If your organisation operates in a third country seeking association, expect EU scrutiny of your home market's openness to EU providers (Article 18(1)(e)) and procurement access (Article 18(1)(f)). Barriers to EU providers could jeopardise the country's status.

Common misconceptions

Misconception 1: Association guarantees Union assurance level 3. Reality: As proposed, association only makes a third-country-controlled provider eligible to be audited for level 3 (Annex II point 3.1(g)). The provider would still need a positive independent audit opinion (Article 20), recognition under Article 17, and proof of measures preventing third-country interference.

Misconception 2: Any country with GDPR adequacy is automatically associated. Reality: Adequacy is only the first of six cumulative criteria (Article 18(1)(a)). A country with adequacy could still fail if, for example, it has measures compelling service disruption (Article 18(1)(c)) or does not grant reciprocal procurement access (Article 18(1)(f)).

Misconception 3: The association mechanism applies across assurance levels. Reality: As proposed, the associated-third-country derogation is specific to Union assurance level 3 (Annex II point 3.1(g)). Level 4 requires that the provider and subcontractors are not subject to third-country control, with no equivalent association derogation (Annex II point 4.1(g)). Level 1 is based on EU establishment and self-assessment.

Misconception 4: Physical data location overrides controlling jurisdiction. Reality: CADA, as proposed, turns heavily on "control." Even with EU-hosted data, a provider controlled by a non-associated third country could not reach level 3. Legal and operational control matters as much as physical infrastructure location.

This is general information about a draft EU regulation, not legal advice.