Summary
Under the proposed Cloud and AI Development Act (CADA), "control" is the legal and operational determinant of whether a cloud service can reach the highest sovereignty assurance levels. As proposed, Article 16 and Annex II create a framework where services subject to third-country control are largely excluded from Union assurance levels 3 and 4, unless a specific Article 18 derogation applies at level 3. Recital 46 frames the ability to retain control over infrastructure, data, assets and technology under Union and national jurisdiction as having become "an imperative policy objective."
Detail
CADA would introduce a sovereignty framework to address the EU's dependence on non-European cloud providers. Central to it is the concept of "control," which dictates whether a cloud computing service provider can be recognised at a given Union assurance level.
The legal definition of control
CADA does not redefine "control" from scratch. Article 2, point (21) of the proposal provides that "'control' means control as defined in Article 2, point (6), of Regulation (EU) 2021/697" (the regulation establishing the European Defence Fund). In that sense, control refers to the ability to exercise a decisive influence over a legal entity, directly or indirectly, including through ownership, financial participation, or the rights or agreements that confer it. It is therefore about corporate governance and decisive influence, not merely the physical location of servers.
Recital 46: control as an imperative objective
The legislative intent is set out in Recital 46, which states that the Union remains "critically dependent on a limited number of cloud computing service providers subject to the control of third countries or legal entities established in third-countries." It identifies risks including the extraterritorial application of third-country laws, disruptions to service continuity, reduced control and oversight over data and infrastructure, and the risk of undue economic or political influence. Against that background, the recital states that "the ability of the Union and its Member States to retain control over infrastructure, data, assets and technology systems under Union and national jurisdiction has become an imperative policy objective."
Control and the assurance levels
Article 16 establishes the four Union assurance levels; the criteria in Annex II impose increasingly strict requirements on control:
- Union assurance level 1: A provider can meet this level even if subject to third-country control, provided it guarantees, with evidence from independent sources, that no law or practice of that third country requires it to report software vulnerabilities to that country's authorities before those vulnerabilities are known to have been exploited (Annex II, point 1.1(g)).
- Union assurance level 2: Third-country-controlled providers can qualify if they implement legal, technical and organisational measures ensuring that the control does not restrict service delivery, enable access to customer data, or disrupt service continuity, and does not oblige the provider to apply restrictive measures not legitimate under EU or Member State law (Annex II, point 2.1(g)).
- Union assurance level 3: Generally requires that the audited provider and its subcontractors are not subject to the control of a third country or a legal entity established in a third country (Annex II, point 3.1(g)). A derogation exists only where the Commission adopts an implementing act under Article 18 recognising a specific third country as providing sufficient assurances.
- Union assurance level 4: Strictly prohibits third-country control: the audited provider and subcontractors must not be subject to the control of a third country or a legal entity established in a third country (Annex II, point 4.1(g)), with no Article 18 derogation.
Scope of control: infrastructure, data, assets and technology
The requirement to retain control extends beyond corporate governance. Recital 46 and the Annex II criteria emphasise control over:
- Infrastructure: Physical data centres and network components located in the Union (e.g., Annex II, points 1.1(b), 2.1(b)).
- Data: Customer data, including metadata and telemetry, remaining exclusively within the Union (e.g., points 1.1(c), 2.1(c)).
- Assets: Hardware and software assets used to deliver the service.
- Technology: Transparent software supply chains, including SBOM requirements and measures addressing remote features that could tamper with systems (Annex II, point 2.1(i) and following).
What this means for you
For in-house counsel and compliance officers, understanding "control" is critical for procurement and risk management.
- Procurement obligations: Under Article 30(2), entities whose activities are not identified as contributing to public order must use services recognised at Union assurance level 1. Under Article 30(3), contracting authorities whose activities have been identified as contributing to public order (national security, defence, justice and the other listed areas) must procure services recognised at level 2, 3 or 4.
- Vendor due diligence: Map your providers' ownership structures. A third-country-controlled provider cannot offer levels 3 or 4 unless a Commission decision under Article 18 applies at level 3. For level 2, verify the provider's legal and technical isolation measures.
- Deadlines: Member States and Union entities must carry out risk assessments within one year of entry into force, and thereafter every two years or whenever necessary (Article 29(1)).
- Penalties: Member States must lay down effective, proportionate and dissuasive penalties for infringements of the sovereignty framework (Article 24). Recipients of services may also seek compensation for damage caused by a provider's infringement (Article 24(3)).
Common misconceptions
- "'Control' only means where the servers are located." Incorrect. While data localisation is a requirement, "control" primarily refers to decisive influence and ownership. A provider can have all servers in the EU yet fail the control test if its parent is subject to third-country laws compelling data access or disruption.
- "All non-EU providers are banned." Incorrect. Third-country-controlled providers can still offer levels 1 and 2. They are excluded from levels 3 and 4, reserved for the most sensitive public-sector use cases.
- "Third-country providers can never qualify for high assurance." Incorrect. Article 18 lets the Commission recognise specific third countries as providing sufficient assurances for level 3, after a rigorous assessment of adequacy and the absence of coercive measures. There is no equivalent route at level 4.
Related
- What does third-country control of a cloud provider mean under CADA?
- CADA Level 4: Why EU Control is Mandatory for the Highest Sovereignty Tier
- What is the role of EU citizenship and staff control in cloud sovereignty?
- Cloud vs AI Sovereignty: How CADA Distinguishes Control Over Data, Compute and Models
- What does immunity from foreign law mean for a cloud service under CADA?
This is general information about a draft EU regulation, not legal advice.