Summary

Under the proposed Cloud and AI Development Act (CADA), the "associated third country" mechanism creates a narrow, conditional pathway for cloud providers controlled by non-EU entities to qualify for Union Assurance Level 3. As proposed in Article 18, the European Commission may designate specific third countries that meet rigorous sovereignty, data protection, and market-access criteria. For a provider, this means that even if it is owned or controlled by a third-country entity, it may still serve critical EU public sector clients, provided its home country is on the approved list and it demonstrates robust legal and technical safeguards against foreign interference. Crucially, this mechanism does not apply to Level 4, and the designation alone does not guarantee recognition; the provider must still pass a strict independent audit proving that foreign control cannot compromise EU public order.

Detail

The Cloud and AI Development Act (CADA) establishes a "Union cloud computing sovereignty framework" to safeguard the Union's public order by ensuring that critical cloud services are not subject to the extraterritorial laws or political coercion of non-EU countries. This framework relies on four "Union assurance levels," with Level 3 and Level 4 representing the highest tiers of sovereignty required for sensitive public sector activities.

Under the standard rules, achieving Union Assurance Level 3 is generally restricted to providers that are not subject to the control of a third country or a legal entity established in a third country. This is explicitly stated in Annex II, section 3.1(g), which requires that "the audited provider and the subcontractors which are involved in the provision of the audited service are not subject to the control of a third country or a legal entity established in a third-country." Without a derogation, this criterion effectively bars many major global hyperscalers, which are often headquartered in the US or other non-EU jurisdictions, from bidding for sensitive public sector contracts requiring Level 3 assurance.

However, the CADA proposal introduces a specific derogation mechanism in Article 18 to address this rigidity for specific partners. This "associated third country" mechanism allows the Commission to designate a third country as "associated," thereby permitting providers controlled by entities in that country to be audited against the Level 3 criteria.

The Designation Process: Article 18 Criteria

Article 18 empowers the European Commission to adopt implementing acts identifying third countries for which cloud computing service providers subject to their control may be audited against the criteria for Union Assurance Level 3. This designation is not automatic; it requires the third country to fulfill a set of cumulative criteria:

  1. GDPR Adequacy: The country must be subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679 (GDPR). The Commission must assess whether this decision applies generally or is limited to specific sectors.
  2. No Conflicting Data Access Laws: The country must have no measures in place that enable it to exercise control over the provider in a way that conflicts with the requirements for lawful access to non-personal data set out in Article 32(2) and (3) of Regulation (EU) 2023/2854 (the Data Act).
  3. No Service Disruption Powers: The country must have no measures to compel the provider to degrade or disrupt service continuity or provision.
  4. No Forced Compliance with Sanctions: The country must not oblige the provider to implement, enforce, or comply with restrictive measures (such as sanction regimes or embargoes) adopted by that third country, unless these specific measures are legitimate under the national laws of Member States or Union law.
  5. Open Market: The country must maintain an open market to Union cloud computing services.
  6. Reciprocity: The third country must grant equivalent levels of access to its own public procurement procedures for cloud computing services subject to the control of a Union Member State or entity.

If the Commission determines these criteria are met, it will publish a list of associated third countries. This designation can be repealed, amended, or suspended if the country no longer fulfills the requirements.

The Provider's Burden: Annex II, 3.1(g)

For a cloud provider subject to third-country control, the designation of their home country as an "associated third country" is the gateway to Level 3, but it is not the key to the door. The designation merely removes the automatic disqualification. The provider must still undergo a rigorous independent audit to prove that they meet the specific safeguards outlined in Annex II, section 3.1(g).

Even with an associated country designation, the provider must demonstrate that the following conditions are met:

  • Unrestricted Performance: The control of the third country is not exercised in a manner that restrains or restricts the provider's ability to perform and deliver the service, imposes limitations on infrastructure/assets/personnel, or undermines necessary capabilities.
  • Data Access Prevention: Access by the third country (or its legal entities) to customer data is prevented.
  • Service Continuity: The possibility of disruption of service continuity or degradation of service quality by the third country is prevented.
  • Sanction Independence: The control of the third country does not oblige the provider to implement or enforce restrictive measures (sanctions/embargoes) unless those measures are legitimate under EU law.

Furthermore, Annex II, 3.1(h) requires that technical and operational support be initiated and performed exclusively within the Union by Union residents and third parties not subject to third-country control. Annex II, 3.1(d) also mandates that personnel involved in the service are Union citizens (with security clearances where necessary for classified information).

Essentially, the "associated third country" status shifts the burden from a blanket prohibition to a demonstrable compliance model. The provider must prove that, despite being owned or controlled by a foreign entity, its EU operations are effectively ring-fenced from foreign government interference.

What this means for you

If you are a cloud service provider controlled by a non-EU entity, the associated third country mechanism presents a high-stakes opportunity to access the EU public sector market, but it comes with a heavy compliance burden.

1. Monitor Commission Designations Closely

Your eligibility to bid for high-value, sensitive public sector contracts depends entirely on whether your country of control is on the Commission's list of associated third countries. You must actively monitor the Commission's publications for updates. If your country is not yet designated, you may need to engage with your national government to ensure it meets the criteria, particularly regarding GDPR adequacy and reciprocity in public procurement. Without this designation, you are legally barred from Level 3 recognition.

2. Prepare for "Deep-Dive" Audits

Even if your country is designated, you cannot assume automatic qualification. You must prepare for independent third-party audits as required for Levels 2, 3, and 4 under Article 20. Auditors will scrutinize your corporate governance, data flows, and incident response plans to verify that you have implemented the safeguards required by Annex II, 3.1(g). You must be able to prove that your foreign parent company cannot remotely access EU customer data or disrupt your EU services. This includes providing evidence of "legal, technical and organisational separation" between the Union parent and any third-country subsidiary.

3. Implement Strict Ring-Fencing Measures

To meet the criteria, you will likely need to implement strict technical and legal ring-fencing:

  • Data Residency: Ensure all EU customer data remains exclusively within the Union (a core requirement of Level 3).
  • Access Controls: Implement technical barriers (e.g., geofencing, privileged access management) that prevent employees or systems in the third country from accessing EU infrastructure or data.
  • Legal Firewalls: Draft internal policies and contractual clauses that explicitly prohibit compliance with foreign government requests that conflict with EU law. You must establish procedures to refuse such requests and document any attempts by third countries to access data.
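As an added illustration (not text or code from the CADA proposal), the following Python sketch turns the ring-fencing conditions above into a single access decision that also records every refused attempt, in line with the documentation duty under "Legal Firewalls". The Member State list, the data classes and the rule wording are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import NamedTuple

# Constructed subset of EU Member States, used for this example only.
EU_MEMBER_STATES = {"DE", "FR", "IE", "NL", "SE"}


@dataclass(frozen=True)
class Principal:
    ident: str
    origin: str            # country the request originates from (geofencing)
    residency: str         # country of residence of the human operator
    employer_control: str  # country whose entity controls the employer


@dataclass(frozen=True)
class Resource:
    name: str
    region: str            # country where the data or infrastructure sits
    kind: str              # "customer_data" or "infra"


class Denial(NamedTuple):
    principal: str
    resource: str
    action: str
    reason: str


def evaluate(principal: Principal, resource: Resource, action: str,
             audit_log: list[Denial]) -> bool:
    """Return True only if every ring-fencing condition holds.

    Each failed condition is appended to audit_log so that attempts from a
    third country are documented, not silently dropped."""
    reasons = []
    # Data residency: the resource itself must sit inside the Union.
    if resource.region not in EU_MEMBER_STATES:
        reasons.append("resource outside the Union (data residency)")
    # Access controls: requests from third-country locations are blocked.
    if principal.origin not in EU_MEMBER_STATES:
        reasons.append("request originates from a third country (geofencing)")
    # Annex II 3.1(g) style check: no third-country-controlled actors.
    if principal.employer_control not in EU_MEMBER_STATES:
        reasons.append("principal's employer is subject to third-country control")
    # Annex II 3.1(h) style check: support is performed by Union residents.
    if action == "support" and principal.residency not in EU_MEMBER_STATES:
        reasons.append("support must be performed by Union residents")
    for reason in reasons:
        audit_log.append(Denial(principal.ident, resource.name, action, reason))
    return not reasons
```

A real deployment would feed the same decision into the identity provider or privileged access management gateway rather than a library call, but the rule set and the audit trail are what an auditor would ask to see.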

4. Maintain Transparency and Agility

You must be transparent about your ownership structure and any changes in control. Under Article 23, if you become aware of material changes that may affect your audit report or recognition, you must notify the auditing organisation and the national competent authority immediately. If your country's designation is revoked, or if your corporate structure changes in a way that violates the safeguards, your recognition could be withdrawn.

Common misconceptions

Misconception 1: "If my country is an associated third country, I automatically get Level 3." This is incorrect. The designation only makes you eligible to be audited for Level 3. You must still undergo a rigorous independent audit and prove that you meet all the specific criteria in Annex II, including the safeguards against foreign control. A negative audit opinion will result in rejection, regardless of your country's status.

Misconception 2: "Associated third country status applies to all assurance levels." No. The mechanism specifically relates to Union Assurance Level 3. Level 4 has even stricter criteria, including a complete ban on third-country control with no associated third country derogation mentioned in the same way. Level 1 and Level 2 have different requirements (Level 2 allows third-country control only if specific safeguards are met, but does not rely on the Article 18 designation mechanism in the same explicit manner for the "control" criterion). You must check the specific requirements for the level you are targeting.

Misconception 3: "GDPR adequacy is enough." While a GDPR adequacy decision is a prerequisite for associated third country status, it is not sufficient on its own. The Commission also assesses issues like service disruption risks, market reciprocity, and the absence of conflicting data access laws. A country can have GDPR adequacy but still fail to meet the broader sovereignty criteria required for CADA.

Misconception 4: "This is a loophole for all foreign providers." The mechanism is not a loophole; it is a highly restrictive exception. It applies only to countries that meet all six cumulative criteria in Article 18. It does not apply to providers controlled by entities in countries that do not have an adequacy decision or that maintain laws allowing extraterritorial data access or service disruption.

This is general information about a draft EU regulation, not legal advice.