Summary

Under the proposed Cloud and AI Development Act (CADA), "control" is not defined from scratch but imported: Article 2(21) of the proposal defines "control" by reference to Article 2, point (6), of Regulation (EU) 2021/697. The concept determines whether a cloud computing service provider is subject to the control of a third country or a legal entity established in a third country. That distinction is pivotal, because it drives the cumulative criteria a provider must meet for the higher Union assurance levels in Annex II - especially regarding data access, service continuity, and software-vulnerability reporting.

Detail

The legal definition of control

CADA relies on an existing EU instrument to define "control." Per Article 2(21) of the proposal, "control" means control as defined in Article 2, point (6), of Regulation (EU) 2021/697 - the regulation establishing the European Defence Fund. (CADA also imports related defence-fund concepts elsewhere, such as "classified or sensitive information" for higher-level subcontractors.)

While CADA does not reproduce the full definition, importing it establishes a broad, functional test for control. In EU law of this kind, control typically captures not only majority ownership but also other means of exercising decisive influence over an entity - for example through voting rights, the power to appoint or remove a majority of the management or supervisory body, or dominant influence via contractual arrangements. The point is that the test is deliberately broad, reaching indirect influence and governance rights, not just direct shareholding.

Relevance to the Union assurance levels

Determining "control" is the linchpin of CADA's sovereignty framework in Title IV. The proposal sets out four Union assurance levels in Annex II, with progressively stricter requirements for providers subject to third-country control.

Union assurance level 1

For the baseline, Annex II, Section 1.1(g) provides that where a provider is subject to third-country control, it must guarantee that there are no existing laws or practices in that third country requiring it to report software-vulnerability information to that country's authorities before the vulnerabilities are known to have been exploited. Level 1 is established by self-assessment (Article 19).

Union assurance levels 2 and 3

For the higher levels, the requirements become more rigorous. Annex II, Sections 2.1(g) and 3.1(g) impose cumulative criteria on providers subject to third-country control, requiring them to demonstrate that:

  1. the third-country control is not exercised in a way that restrains the provider's ability to perform and deliver the service or undermines the capabilities and standards required;
  2. access by the third country or its entities to customer data is prevented;
  3. the possibility of disruption of service continuity or degradation of service quality by the third country is prevented;
  4. the control does not oblige the provider to implement restrictive measures (such as sanctions or embargoes) adopted by the third country, unless those measures are legitimate under EU or Member State law.

Union assurance level 3 - prohibition with a narrow derogation

For Union assurance level 3, Annex II, Section 3.1(g) sets a general rule that the audited provider and its subcontractors must not be subject to third-country control. By derogation, a provider subject to third-country control may nonetheless be audited for Union assurance level 3 where the Commission has adopted an implementing act recognising that third country under the "associated third countries" mechanism (Article 18), and where the provider also demonstrates all four cumulative protective measures listed above. (The annex text cross-refers to the implementing act somewhat inconsistently, but the substantive mechanism is the associated-third-countries decision in Article 18.)

Union assurance level 4

The highest tier prohibits third-country control outright. Annex II, Section 4.1(g) requires that the audited provider and its subcontractors involved in the service "are not subject to the control of a third country or a legal entity established in a third-country," with no derogation.

The role of auditing and evidence

Because control can be complex - especially for multinationals with layered subsidiaries - CADA would rely on rigorous evidence. Article 20 would require independent third-party audits for Union assurance levels 2, 3, and 4. The audit evidence the auditing organisation must assess is set out in Annex III, including documentation of corporate ownership and governance and, for higher levels, software supply-chain measures such as a complete and up-to-date SBOM, source-code audits of security-relevant third-country components, and migration plans. Where a provider is found to be under third-country control, the higher levels would require evidence of effective legal, technical, and organisational measures (and, where applicable, separation of any EU parent from a third-country subsidiary) to prevent unauthorised data access or service disruption.

What this means for you

For in-house counsel and compliance officers, "control" under CADA would create distinct compliance pathways depending on ownership.

1. Map your ownership structure

Review your corporate hierarchy for any third-country influence meeting the imported definition of control, looking beyond direct shareholders to indirect influence via contractual or governance mechanisms, and include subcontractors involved in the service, since Annex II applies the control test to them as well. If your organisation is subject to third-country control, it could not offer Union assurance level 4 services.

2. Prepare for rigorous audits

If you seek Union assurance level 2 or 3 while subject to third-country control, prepare for deep audits of your ability to resist third-country requests for data access or service disruption, with documented technical and organisational measures keeping EU operations autonomous.

3. Assess procurement requirements

Public bodies would conduct risk assessments under Article 29 to determine the required level. For public-order-relevant activities they would procure only at Union assurance levels 2, 3, or 4. A provider subject to third-country control would be ineligible for level 4, and ineligible for level 3 unless the Commission has recognised the controlling third country under Article 18 and the provider demonstrates the cumulative protective measures in Annex II, Section 3.1(g).

4. Monitor Commission implementing acts

The Commission would adopt implementing acts identifying associated third countries whose providers may be audited for Union assurance level 3 (Article 18). Track these decisions, as they would determine which jurisdictions' providers can compete for higher-assurance contracts.

Common misconceptions

Misconception: "Control" only means majority ownership. Reality: The imported definition is broader, reaching decisive influence achieved through voting rights, board appointments, or contractual dominance - so even certain minority positions with strategic veto rights could amount to control.

Misconception: Third-country control automatically disqualifies a provider from all EU public-sector contracts. Reality: Providers subject to third-country control could still qualify for Union assurance levels 1 and 2, provided they meet the applicable Annex II criteria, and potentially for level 3 via the Article 18 derogation. They would be barred outright only from level 4. Many activities would require only level 1 or 2.

Misconception: Only US providers are affected. Reality: The test applies to any third country. While the extraterritorial reach of laws such as the US CLOUD Act is a key driver, the criteria apply equally to providers controlled from any non-EU jurisdiction, assessed country by country under Article 18.

This is general information about a draft EU regulation, not legal advice.