Summary
Under the proposed Cloud and AI Development Act (CADA), "associated third country" status is a specific legal designation that allows cloud computing service providers subject to the control of a third country (such as the United States) to qualify for Union Assurance Level 3. As proposed in Article 18, the European Commission may designate a third country only if it fulfills six strict cumulative criteria, including the existence of an adequacy decision under the GDPR and the absence of laws enabling extraterritorial data access or service disruption. For US cloud providers, this status is the only pathway to serve high-risk public sector contracts requiring Level 3 assurance, but it remains legally uncertain due to inherent tensions between US surveillance laws (like the CLOUD Act and FISA) and the stringent "no conflict" requirements of CADA Article 18(1).
Detail
The proposed Cloud and AI Development Act (CADA) establishes a "Union cloud computing sovereignty framework" comprising four assurance levels (Article 16). While Union Assurance Level 1 can be achieved through a self-assessment, Levels 2, 3, and 4 require independent third-party audits and formal recognition by national competent authorities. Crucially, the criteria for Levels 3 and 4 generally prohibit cloud computing service providers that are "subject to the control of a third country or a legal entity established in a third-country" from qualifying (Annex II, Section 3.1(g) and Section 4.1(g)).
However, CADA provides a specific derogation for Union Assurance Level 3. Article 18, titled "Associated third countries," outlines the mechanism by which the European Commission may allow providers subject to foreign control to be audited against Level 3 criteria. This is the only route for a US-based hyperscaler, or any non-EU controlled provider, to access the most sensitive public sector workloads that require Level 3 assurance. Without this designation, a US-controlled provider is legally barred from Level 3 recognition, regardless of its technical security posture.
The Cumulative Criteria of Article 18(1)
For a third country to be designated as an "associated third country," the Commission may adopt implementing acts identifying that country, provided it fulfills a set of cumulative criteria listed in Article 18(1). All criteria must be met simultaneously; failure to meet even one disqualifies the country:
- Adequacy Decision: The third country must be subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679 (GDPR). This is a foundational gatekeeper; without an adequacy decision, the process cannot begin.
- No Conflict with Lawful Access to Non-Personal Data: The country must have no measures in place that enable it to exercise control over the cloud provider in a way that conflicts with the requirements for lawful access to non-personal data set out in paragraphs 2 and 3 of Article 32 of Regulation (EU) 2023/2854 (the Data Act).
- No Compulsion to Disrupt or Degrade Service: The country must have no measures in place to compel the provider to degrade or disrupt service continuity. Furthermore, it must not oblige the provider to implement restrictive measures (such as sanctions or embargoes) unless those measures are legitimate under EU or Member State law.
- No Impediment to State-of-the-Art Technology: The country must have no measures impeding the provision of state-of-the-art technologies and services by the provider.
- Open Market: The country must maintain an open market to Union cloud computing services.
- Reciprocal Public Procurement Access: The third country must grant equivalent levels of access to public procurement procedures for cloud services controlled by Union entities or Member States.
The US Context: CLOUD Act and FISA Tensions
For US cloud providers, the primary obstacle to meeting Article 18(1) criteria lies in the intersection of US national security laws and the EU's sovereignty requirements. The explanatory memorandum to CADA explicitly identifies the "extraterritorial effect" of third-country laws, such as those mandating data access, as a core risk the legislation aims to mitigate.
The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) requires US-based providers to preserve and disclose data within their "possession, custody, or control," regardless of whether the data is located within or outside the United States (18 U.S.C. § 2713). This statutory obligation directly challenges CADA's requirement that a provider must demonstrate that third-country control does not enable access to customer data (Annex II, Section 3.1(g)(ii)).
While the US and EU have an Executive Agreement under the CLOUD Act (18 U.S.C. § 2523) that includes safeguards such as minimization procedures and targeting restrictions, CADA's Article 18(1)(b) demands a higher threshold. It requires the absence of measures that enable control in a way that conflicts with EU law. Critics and legal scholars argue that the inherent structure of the CLOUD Act, which grants US law enforcement extraterritorial reach, may inherently conflict with the "no conflict" requirement of Article 18(1)(b) and the strict data localization and access prevention criteria of Annex II.
Furthermore, the US Intelligence Community's access to data under Section 702 of FISA (the Foreign Intelligence Surveillance Act) raises questions about whether the US meets the criterion of having no measures that enable access to data in a manner inconsistent with EU fundamental rights. While the EU-US Data Privacy Framework rests on an adequacy decision (satisfying Article 18(1)(a)), the specific operational mechanisms of US surveillance laws remain a point of contention as to whether they satisfy the "no conflict" and "no compulsion to disrupt" tests of Article 18(1)(b) and (c). The Commission must determine whether the statutory obligations of the CLOUD Act constitute a "measure" that enables control in conflict with the Data Act, a determination that goes beyond the scope of the Data Privacy Framework.
Designation, Revocation, and the Path to Level 3
The designation process is discretionary and dynamic. Under Article 18(1), the Commission adopts implementing acts to identify qualifying countries. This process involves the examination procedure referred to in Article 46(2), meaning Member States have a say in the designation.
Crucially, the status is not permanent. Article 18(2) states that where available information reveals that a third country no longer fulfills the requirements, the Commission shall repeal, amend, or suspend the decision. This creates a continuous compliance burden for US providers, who must monitor changes in US legislation and enforcement practices to ensure the US continues to meet the cumulative criteria. The Commission is also required to publish a list of countries that fulfill the requirements and those that do not (Article 18(3)).
If the US is designated, US-controlled providers can then undergo the independent audit required for Level 3. Under Annex II, Section 3.1(g), even with the designation, the provider must demonstrate that "necessary legal, technical and organisational measures have been implemented to ensure that... access by a third country... to customer data is prevented." This creates a dual burden: the country must be designated, and the specific provider must prove it can legally and technically resist access requests.
What this means for you
For in-house counsel and compliance officers at US cloud providers, the implications of CADA's associated third country status are strategic and operational:
- Market Access Dependency: If the US is not designated as an associated third country, your company cannot achieve Union Assurance Level 3. This effectively bars you from bidding on public sector contracts in the EU that require Level 3 assurance, which typically cover activities related to national security, defense, justice, and critical infrastructure (Article 29(1)). You would be restricted to Level 1 and Level 2 markets, which may represent a significant revenue contraction in the public sector.
- Proactive Engagement with Brussels: Compliance teams must actively engage with the European Commission and the US Department of Commerce to advocate for the US meeting the Article 18(1) criteria. This involves demonstrating that internal compliance programs, contractual safeguards, and technical controls (such as "break-glass" mechanisms or encryption key management) sufficiently mitigate the extraterritorial reach of the CLOUD Act.
- Audit Readiness for Level 3: Even if the US is designated, providers must still undergo rigorous independent audits against Annex II criteria. Annex II, Section 3.1(g) requires that the provider demonstrate that necessary legal, technical, and organizational measures are implemented to prevent third-country access. Compliance officers must document these measures meticulously, including evidence of resistance to unlawful foreign data requests, as detailed in Annex III (Audit Evidence).
- Monitoring for Revocation: Establish a legal watch function to monitor changes in US surveillance law and EU-US adequacy decisions. If the adequacy decision is invalidated or US laws are amended to expand extraterritorial access, the US could lose its associated status, triggering a loss of Level 3 recognition and requiring immediate notification to EU clients and competent authorities (Article 23).
Common misconceptions
- "An adequacy decision is enough to qualify for Level 3." Incorrect. While an adequacy decision (Article 18(1)(a)) is a prerequisite, it is only one of six cumulative criteria. The US must also prove the absence of laws enabling data access conflicts, service disruption, and market barriers. An adequacy decision focuses on personal data transfers, whereas CADA Level 3 also covers non-personal data, operational continuity, and sovereignty risks.
- "US providers can self-certify for Level 3 if they implement strong technical controls." Incorrect. Level 3 requires independent third-party audits (Article 20). More importantly, if the provider is subject to US control, it cannot qualify for Level 3 unless the US is formally designated as an associated third country under Article 18. Technical controls alone do not bypass the jurisdictional requirement.
- "The CLOUD Act Executive Agreement automatically satisfies Article 18." Uncertain. The Executive Agreement under 18 U.S.C. § 2523 provides safeguards for cross-border data requests, but CADA's Article 18(1)(b) and (c) require the absence of conflicting measures. The Commission will assess whether the CLOUD Act's statutory obligations fundamentally conflict with EU data protection and sovereignty norms, regardless of the Executive Agreement's procedural safeguards. This is a legal determination, not a technical one.
Related
- Can a CADA associated third country status be suspended?
- CADA Associated Third Country: What if GDPR Adequacy is Lost?
- CADA Article 18: How the 'Associated Third Country' Mechanism Works for Providers
- What criteria must a third country meet to be associated under CADA?
- How does a third country become associated under CADA?
This is general information about a draft EU regulation, not legal advice.