Summary

Under the proposed Cloud and AI Development Act (CADA), a cloud provider is "subject to the control of a third country" if a foreign state or legal entity exercises decisive influence over its strategic decisions, ownership, or operations. This concept is the central pivot of the Union cloud computing sovereignty framework. As proposed, the consequences escalate with the assurance level: Level 1 requires guarantees on vulnerability reporting; Level 2 mandates safeguards against data access and service disruption; Level 3 generally excludes such providers unless the Commission recognizes the third country under Article 18; and Level 4 imposes an absolute ban. Providers must prove that foreign control does not compromise Union autonomy, prevent unauthorized data access, or allow the enforcement of restrictive third-country measures.

Detail

The concept of being "subject to the control of a third country or a legal entity established in a third-country" is the cornerstone of the CADA's sovereignty framework. It addresses the strategic risk that foreign laws with extraterritorial reach could compel a cloud provider to access EU data, disrupt services, or enforce sanctions, thereby undermining the Union's strategic autonomy and public order.

Defining "Control" Under CADA

While CADA does not provide a standalone definition in its general definitions article, it explicitly references the definition of "control" found in Article 2, point (21) of the Regulation, which points to Article 2, point (6) of Regulation (EU) 2021/697. In practice, this means a provider is subject to third-country control if a foreign state or entity has the ability to direct the provider's strategic behavior.

The operational test for this concept is detailed in Annex III (Audit Evidence), specifically under Audit criterion G. Auditing organisations must assess:

  • Ownership and voting rights: Identifying shareholders holding at least 5% of capital or voting rights, including through intermediaries, and analyzing cap tables up to ultimate owners.
  • Governance and decision-making: Examining bodies empowered to take strategic decisions (e.g., board of directors) and the rules for their appointment. Crucially, auditors must check if any shareholder can block strategic decisions through veto rights or special majority requirements.
  • Commercial and financial links: Evaluating whether long-term supply agreements, credit lines, or financial dependencies confer a level of control similar to ownership.
  • Other sources of control: Identifying any other means, processes, or links that ultimately confer control to a third country.

If an auditing organisation determines that a provider is subject to such control, it triggers a mandatory requirement for additional evidence: proof that the provider has implemented effective legal, technical, and organisational separation from the third country to prevent unauthorized data access or service disruption.

Impact Across Union Assurance Levels

The "control" test applies to all four Union assurance levels, but the consequences escalate significantly as the assurance level increases. The criteria are set out in Annex II.

Union Assurance Level 1 (Baseline)

At Level 1, a provider subject to third-country control can still qualify, provided it meets the specific criterion in Annex II, Section 1.1(g). The provider must guarantee that there are no existing laws and practices in that third country, demonstrated by independent sources, that require the provider to report information on software vulnerabilities to authorities of that third country prior to those vulnerabilities being known to have been exploited. The aim is to prevent a foreign authority from learning of a security flaw, and potentially exploiting it, before the Union is aware of it.

Union Assurance Level 2 (Enhanced)

At Level 2, the requirements tighten significantly. Under Annex II, Section 2.1(g), if the provider and its subcontractors are subject to third-country control, they must demonstrate that necessary legal, technical, and organisational measures are in place to ensure:

  1. The control is not exercised in a manner that restrains the provider's ability to perform the service, imposes limitations on infrastructure, or undermines capabilities.
  2. Access by the third country to customer data is prevented.
  3. The possibility of disruption of service continuity or degradation of service quality by the third country is prevented.
  4. The provider is not obliged to implement, enforce, or comply with restrictive measures (such as sanction regimes or embargoes) adopted by the third country, unless such measures are legitimate under the national laws of Member States or Union law.

Additionally, Level 2 requires a complete Software Bill of Materials (SBOM) and controls to block remote features that could tamper with the service.

Union Assurance Level 3 (Sovereign)

Level 3 introduces a presumption of exclusion. Under Annex II, Section 3.1(g), providers and subcontractors involved in the service must not be subject to the control of a third country or a legal entity established in a third country.

However, a critical derogation exists. A provider subject to third-country control may still be audited for Level 3 if the Commission has adopted an implementing act under Article 18 recognizing that specific third country as providing "sufficient assurances." This recognition requires the third country to meet strict cumulative criteria, including:

  • Having a relevant adequacy decision under Article 45 of Regulation (EU) 2016/679 (GDPR).
  • Having no measures enabling control that conflicts with EU data laws (specifically Article 32 of the Data Act).
  • Having no measures to compel service degradation, disruption, or compliance with restrictive measures (sanctions/embargoes) unless legitimate under EU law.
  • Maintaining an open market to Union cloud services and granting equivalent access to public procurement.

Even with such a derogation, the provider must demonstrate the same safeguards as Level 2 regarding data access and service disruption.

Union Assurance Level 4 (Highly Sovereign)

At Level 4, the rule is absolute. Under Annex II, Section 4.1(g), the audited provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country. There is no derogation for associated third countries at this level. This tier is designed for the most critical public sector activities where absolute operational autonomy is required, such as handling classified information or core national security functions.

The Role of Independent Auditing

Demonstrating compliance with these control requirements is not a self-assessment exercise for Levels 2–4. It requires an independent third-party audit under Article 20. The auditing organisation must verify the ownership structure, corporate governance, and any commercial links that might confer control.

If the auditor finds third-country control, they must request additional evidence demonstrating that the provider has implemented measures to enforce effective legal, technical, and organisational separation. This includes proof that the provider can refuse requests to access customer data or disrupt service. If the provider cannot provide this evidence, or if the control inherently prevents such separation, the audit opinion will be negative, and the provider cannot be recognized at that assurance level.

What this means for you

For in-house counsel, compliance officers, and public procurement teams, the "control" test has immediate and profound implications.

  1. Map Your Entire Supply Chain: You must look beyond the immediate cloud provider to its subcontractors. Under CADA, subcontractors involved in the provision of the service are also subject to these control tests. Ensure your contracts require vendors to disclose their full ownership structures, voting rights, and any foreign influence.
  2. Prepare for Rigorous Audits: If your organization procures cloud services for public sector activities identified as contributing to public order (requiring Level 2–4), you will rely on the provider's audit report. Ensure your vendor has engaged an independent auditing organisation capable of verifying compliance with Annex II criteria, particularly regarding third-country control and the "control" test in Annex III.
  3. Assess Risk Levels Early: Conduct risk assessments as required by Article 29 to determine the appropriate Union assurance level for your activities. If your activities involve national security, defense, justice, or law enforcement, you may be required to use Level 3 or 4 services. This effectively excludes providers subject to third-country control (unless a specific derogation applies for Level 3), necessitating a shift to EU-controlled providers.
  4. Monitor the "Associated Third Countries" List: The Commission's list of third countries recognized under Article 18 is dynamic. Monitor these implementing acts, as they determine whether providers from specific jurisdictions can still access the Level 3 market. A change in a third country's legal framework could instantly disqualify providers.
  5. Understand Liability and Penalties: Non-compliance with the sovereignty framework can lead to penalties under Article 24, which Member States must ensure are "effective, proportionate and dissuasive." Furthermore, recipients of cloud services have the right to seek compensation for damage suffered due to a provider's infringement of these obligations.

Common misconceptions

  • "Only US providers are affected." While the US CLOUD Act is a primary driver of these concerns, the rule applies to any third country. A provider subject to control by any non-EU state or entity, whatever the jurisdiction, must meet the same safeguards.
  • "Ownership is the only factor." Control is not just about shareholding. It includes veto rights, board appointments, and even long-term commercial dependencies (e.g., critical supply agreements) that allow a foreign entity to influence strategic decisions.
  • "Level 1 has no restrictions on foreign control." Level 1 does allow providers subject to third-country control, but it still requires a guarantee that no foreign laws require pre-notification of software vulnerabilities. It is not a "free pass" for all sovereignty risks.
  • "Level 3 always excludes foreign-controlled providers." There is a derogation for Level 3 if the Commission has recognized the third country as providing sufficient assurances under Article 18. However, this is a high bar requiring GDPR adequacy and specific sovereignty guarantees, and it is not currently available for most major non-EU jurisdictions without specific legislative changes.
  • "CADA replaces the AI Act's rules." CADA does not replace the AI Act. The AI Act governs the safety and fundamental rights of AI systems, while CADA governs the infrastructure and sovereignty of the cloud beneath it. A provider could be compliant with the AI Act but fail CADA's sovereignty test due to third-country control.

This is general information about a draft EU regulation, not legal advice.