Summary

Under the proposed Cloud and AI Development Act (CADA), "control" is not defined from scratch. Article 2(21) defines it by cross-reference: "'control' means control as defined in Article 2, point (6), of Regulation (EU) 2021/697," the regulation establishing the European Defence Fund. That imported concept of control — the ability to exercise decisive influence, directly or indirectly — would be the linchpin of CADA's sovereignty framework, determining whether a cloud provider is subject to third-country influence and therefore which Union assurance levels it can reach in public procurement.

Detail

The legal definition of control

The CADA proposal (COM(2026) 502 final) would establish a sovereignty framework for cloud computing services. To judge whether a provider is sufficiently autonomous from third-country influence, the proposal relies on a precise, borrowed definition of "control."

CADA would not create a new standalone definition. Instead, Article 2(21) provides:

"'control' means control as defined in Article 2, point (6), of Regulation (EU) 2021/697"

Regulation (EU) 2021/697 is the instrument establishing the European Defence Fund. The CADA text does not reproduce that definition, so where the exact terms are needed, the precise wording should be read and cited from Regulation (EU) 2021/697 itself rather than paraphrased. In EU strategic-autonomy instruments of this kind, control is generally understood as the ability to exercise decisive influence over an undertaking, directly or indirectly — through ownership, rights, agreements, or other means.

Why this definition matters for CADA

Control is central to CADA's Union cloud computing sovereignty framework. That framework would categorise services into four Union assurance levels, with higher levels offering stronger guarantees against third-country interference, data access, or service disruption. The criteria for the levels are set out in Annex II, and several of them turn on whether a provider, its subcontractors, or other parties involved in the service are subject to the control of a third country or a third-country entity:

  • Union assurance level 1: Where a provider is subject to third-country control, it must guarantee that no law of that third country requires it to report information on software vulnerabilities to that country's authorities before those vulnerabilities are known to have been exploited.
  • Union assurance levels 2 and 3: As proposed, where a provider is subject to third-country control, it must demonstrate measures ensuring the third country cannot restrict the provision of the service, access customer data, or disrupt service continuity. For level 3, a limited derogation is available only where the Commission has identified the relevant country as an "associated third country" under Article 18.
  • Union assurance level 4: The provider and the parties involved in the service must not be subject to the control of a third country or a third-country entity, with no derogation.

So the control determination under Article 2(21) would be a threshold question. A provider found to be under non-EU control would face significantly higher hurdles for the levels EU public bodies require for critical infrastructure and sensitive processing.

Assessing control: direct and indirect influence

Importing the Regulation (EU) 2021/697 concept implies a broad reading. Control would not be limited to majority shareholding; it can arise through:

  1. Ownership: a majority of voting rights or capital;
  2. Rights: veto rights over strategic decisions, such as board appointments or changes to corporate structure;
  3. Agreements: contractual rights conferring decisive influence over management and resources;
  4. Other means: any other link giving influence equivalent to ownership.

This breadth would bring complex corporate structures — joint ventures, or minority stakes with special voting rights — within scope of scrutiny for third-country influence.

The role of auditing organisations

Providers seeking recognition for Union assurance levels 2, 3, or 4 would undergo independent third-party audits (Article 20). Auditing organisations would assess compliance with the Annex II criteria, including the absence (or mitigation) of third-country control.

Annex III lists the audit evidence. For audit criterion G — Absence of third-country control or third-country entity — auditors would analyse, among other things:

  • all direct and indirect shareholders, up to the ultimate owners;
  • the cap table documenting the ownership structure;
  • the bodies empowered to take strategic decisions (e.g. boards of directors);
  • the rules for appointing and removing governing bodies;
  • the quorums and majorities required for strategic decisions;
  • possible influence through commercial or financial links.

Where an auditor determines that a provider is subject to third-country control, Annex III directs it to seek further evidence — for example, that the Commission has adopted a decision under Article 18 (associated third countries), or that the provider has implemented effective legal, technical, and organisational measures separating it from the third-country controller.

What this means for you

For in-house counsel and compliance officers at cloud providers, the control definition would have direct consequences for EU public sector market access.

1. Map your ownership and control structures

Review your corporate structure for direct or indirect non-EU control — not just majority shareholders, but minority shareholders with veto rights, special/"golden" shares, or significant influence over strategic decisions. A subsidiary of a non-EU parent is likely to be treated as under third-country control.

2. Prepare for sovereignty audits

To serve EU public bodies with sensitive data (levels 2-4), be ready to prove either that you are not under third-country control, or that you have implemented robust legal, technical, and organisational measures preventing the third country from accessing data, disrupting services, or restricting operations.

3. Assess eligibility for higher assurance levels

  • Level 4: If you are under third-country control, you could not qualify — this tier permits no third-country control and no derogation.
  • Level 3: A derogation is possible where the Commission has identified the relevant country as an associated third country under Article 18 and you meet the mitigation criteria.
  • Level 2: Requires mitigation of third-country control, with requirements that are generally less stringent than the higher levels.

4. Monitor Commission decisions on associated third countries

Under Article 18, the Commission may identify third countries whose providers may be audited against the level-3 criteria — conditioned on cumulative requirements including a relevant GDPR adequacy decision and the absence of measures allowing the country to compel data access or service disruption. Watch the Commission's published list, which can be repealed, amended, or suspended as circumstances change.

5. Plan for procurement impact

EU public bodies would conduct risk assessments (Article 29) to set the appropriate assurance level. Public-order activities — critical infrastructure, national security, law enforcement — would likely require levels 2, 3, or 4. A control structure that disqualifies you from those levels could exclude you from significant public contracts.

Common misconceptions

Misconception 1: Control only means majority ownership. Reality: The referenced definition reaches indirect influence — veto rights, strategic agreements, or financial dependence. A minority stake with veto power over board appointments can amount to control.

Misconception 2: An EU subsidiary means no third-country control. Reality: The framework looks to the ultimate controller. An EU subsidiary controlled by a non-EU parent would still be treated as under third-country control, unless effective legal and technical separation is demonstrated and recognised.

Misconception 3: Data localisation solves control issues. Reality: Data localisation is required across the levels, but it does not negate control. Data can sit in the EU while the provider remains subject to third-country laws permitting access or disruption. CADA's framework would address both data location and control/autonomy.

Misconception 4: Only US providers are affected. Reality: The definition applies to any third country, regardless of alliance status. The Commission may, however, identify certain third countries under Article 18 — conditioned on a GDPR adequacy decision and other safeguards — easing the path to higher levels for providers controlled from those countries.

This is general information about a draft EU regulation, not legal advice.