Summary

Under the proposed Cloud and AI Development Act (CADA), the definition of "control" is the threshold that determines whether a cloud provider can reach Union assurance levels 3 and 4. As proposed, a provider (and its relevant subcontractors) subject to the control of a third country or a third-country legal entity is barred from these tiers — with one narrow exception at level 3 only, where the Commission has recognised the relevant third country under Article 18 ("Associated third countries"). Article 2(21) defines "control" by reference to Article 2, point (6), of Regulation (EU) 2021/697 (the European Defence Fund Regulation), a test that looks beyond nominal ownership to decisive influence over an entity.

Detail

CADA's sovereignty framework (Article 16 and Annex II) sets four Union assurance levels. The line between the lower and higher levels turns heavily on "control."

The definition of control

As proposed, Article 2(21) defines "control" by reference to Article 2, point (6), of Regulation (EU) 2021/697 — the European Defence Fund Regulation. (Note: this is not the EU Cybersecurity Act, which is Regulation (EU) 2019/881 and appears separately in the Annex II cybersecurity-certification criteria.) In substance, the control test concerns the ability to exercise decisive influence over an entity, whether through ownership, contractual rights or other arrangements — not merely a shareholding percentage.

For providers seeking levels 3 and 4, the cumulative criteria in Annex II are stringent:

  • Union assurance level 3 (Annex II, point 3.1(g)): the audited provider and its subcontractors involved in the provision of the audited service must not be subject to the control of a third country or a third-country legal entity. By way of derogation, a provider that is so controlled may nonetheless be audited for level 3 where the Commission has adopted an implementing act recognising that third country under Article 18. Even then, the provider must demonstrate legal, technical and organisational measures so that the third-country control cannot restrain service delivery, cannot enable third-country access to customer data, cannot enable disruption or degradation of the service, and cannot oblige the provider to give effect to third-country restrictive measures that are not legitimate under Member State or Union law.
  • Union assurance level 4 (Annex II, point 4.1(g)): the provider and subcontractors must not be subject to the control of a third country or a third-country legal entity. As proposed, no derogation is available at level 4, making it the most exclusive tier.

Why the control test matters

The rationale is operational autonomy and data sovereignty. As proposed, the framework is designed to address risks that arise where a provider is subject to third-country control — including unauthorised access to data, disruption of service continuity, and pressure to apply foreign restrictive measures. To reach the higher tiers, a provider must be able to show that no third-country actor can access customer data (including encrypted data), disrupt or degrade the service, or compel compliance with third-country measures that are not legitimate under EU or Member State law.

Mapping ownership and governance

To meet the levels 3 and 4 criteria, providers undergo independent third-party audits (Article 20), and Annex III sets out the evidence for the control criterion (the "audit criterion G" evidence). Auditors examine:

  • Ownership structures and specific rights: shareholders and their voting rights or percentage of interest; shareholders' agreements and constitutional documents; and, for any legal-person shareholder holding at least 5% of the capital or voting rights, an ownership graph through to the ultimate owners.
  • Corporate governance: the composition, nationality and appointment rules of decision-making bodies, and voting, veto and approval rights — to assess whether any party can block or steer strategic decisions.
  • Commercial and financial links conferring control: very long-term supply agreements, credits or structural links that confer a level of control similar to ownership.
  • Subsidiary separation: where the provider maintains a third-country subsidiary, evidence of effective legal, technical and organisational separation from the Union parent.

What this means for you

For providers and data-centre operators, the control definition imposes a rigorous due-diligence burden. If you aim to serve public-sector activities identified as contributing to the preservation of public order (e.g. national security, defence, justice), you will likely need level 3 or 4 (Article 30(3)).

1. Conduct a control assessment

Map your ownership and governance against the Article 2(21) test. Identify third-country shareholders, especially those with veto rights, board representation or significant voting power. Even a minority stake can amount to "control" where it confers decisive influence.

2. Prepare for independent audits

Unlike level 1 (self-assessment, Article 19), levels 2–4 require independent audits (Article 20). Be ready to provide shareholders' agreements, board records, ownership graphs and evidence of separation from any third-country subsidiary, as Annex III contemplates.

3. Implement structural separation

If you have third-country ownership or subsidiaries, document the legal, technical and organisational measures that prevent third-country access to Union customer data, prevent privileged administrative access, and prevent influence over Union operational staff. For levels 3 and 4, you must also be able to address the software-supply-chain and support-location criteria in Annex II — including, where the provider is third-country-controlled at level 3, that no third-country law requires you to report software vulnerabilities to that country's authorities before they are known to be exploited.

4. Monitor Article 18 decisions

The Commission may adopt implementing acts under Article 18 recognising specific third countries, opening a path to level 3 for otherwise-controlled providers. Level 4 remains closed to providers under third-country control.

Common misconceptions

Misconception 1: Minority foreign investment is automatically disqualifying. Reality: The test is about decisive influence, not just majority ownership. A sub-50% third-country stake can constitute control through veto rights, board dominance or contractual arrangements; conversely, a stake with no decisive influence may not.

Misconception 2: Data localisation alone satisfies the high tiers. Reality: Levels 3 and 4 require data to remain within the Union, but localisation does not by itself satisfy the control criterion. A localised provider can still be subject to third-country control. The control test addresses operational autonomy, not just data residency.

Misconception 3: Self-assessment suffices for levels 3 and 4. Reality: Only level 1 allows self-assessment (Article 19). Levels 2, 3 and 4 require independent third-party audits (Article 20); you cannot self-certify into the high-assurance tiers.

Misconception 4: Control is only about current ownership. Reality: The assessment also weighs rights and links that confer influence — appointment and veto rights and long-term commercial or financial dependencies — across the whole chain of ownership up to the ultimate owners.

This is general information about a draft EU regulation, not legal advice.