Summary

Under the proposed Cloud and AI Development Act (CADA), "third-country control" would describe a situation where a cloud computing service provider is subject to the control of a non-EU state or a legal entity established outside the Union. This concept is central to CADA's sovereignty framework, which sorts cloud services into four Union assurance levels. As proposed, providers subject to third-country control would face escalating restrictions: permitted with conditions at level 1, tightly constrained at level 2, prohibited by default at level 3 (with a narrow Article 18 derogation), and prohibited outright at level 4.

Detail

The proposed CADA would introduce a sovereignty framework to mitigate dependence on non-European cloud providers, and the definition and management of "third-country control" is a core component.

Defining third-country control

CADA's Article 2, point (21), defines "control" by reference to Article 2, point (6), of Regulation (EU) 2021/697. CADA applies this concept to determine whether a provider is subject to the influence of a third country or a legal entity established in a third country. The concept is not limited to direct ownership; it captures situations where a third country or non-EU legal entity can exercise influence over the provider's strategic decisions, operations, data access, or service delivery — including where a provider is headquartered in the EU but controlled by a parent or shareholders in a third country.

Recital 46 identifies the risks: the Union "still remains critically dependent on a limited number of cloud computing service providers subject to the control of third countries or legal entities established in third-countries," exposing it to "critical strategic dependencies and concentration risks, including vulnerabilities arising from the extraterritorial application of third-country laws," potential disruptions to continuity, and reduced oversight over data and infrastructure.

How CADA tiers restrict third-country control

CADA would establish four Union assurance levels (Article 16); the strictness regarding third-country control rises with each.

Union assurance level 1. Providers subject to third-country control are permitted, subject to a condition on vulnerability disclosure. Under Annex II, point 1.1(g), the provider must guarantee, demonstrated by independent sources, that no existing laws or practices in that third country require it to report software vulnerabilities to third-country authorities before those vulnerabilities are known to have been exploited. The concern behind this condition is that a mandatory pre-disclosure regime would give a foreign authority knowledge of unpatched flaws before the provider and its customers have had the chance to remediate.

Union assurance level 2. Under Annex II, point 2.1(g), where the provider and its subcontractors are subject to third-country control, they must demonstrate that legal, technical, and organisational measures ensure:

  • third-country control does not restrain the provider's ability to perform the service (2.1(g)(i));
  • third-country access to customer data is prevented (2.1(g)(ii));
  • disruption or degradation of the service by the third country is prevented (2.1(g)(iii)); and
  • the provider is not obliged to enforce restrictive measures such as sanctions or embargoes adopted by the third country, unless legitimate under EU or Member State law (2.1(g)(iv)).

Union assurance level 3. Under Annex II, point 3.1(g), the audited provider and its subcontractors must not be subject to third-country control. By way of derogation, a provider subject to such control may be audited for level 3 where the Commission has adopted an implementing act under Article 18 recognising that third country as providing sufficient assurances — in which case the provider must still demonstrate the same protective measures as at level 2 (3.1(g)(i)–(iv)).

Union assurance level 4. Under Annex II, point 4.1(g), the provider and subcontractors must not be subject to third-country control, with no derogation. This level would be reserved for the most critical public order activities.

The role of risk assessments

Article 29 would require Member States and Union entities to conduct risk assessments to determine the appropriate assurance level, considering the sensitivity of data, the risk of unlawful access by a third country, and the risk of service disruption (Article 29(2)). Where a risk assessment requires level 3 or 4, procurement rules under Article 30(3) mandate that authorities only procure services meeting those levels — effectively excluding most third-country-controlled providers from high-security public contracts.

What this means for you

For in-house counsel and compliance officers, the proposal would create significant due-diligence obligations regarding the ownership and control of cloud providers.

1. Conduct deep-dive ownership audits. Look beyond the registered office. If your provider is a subsidiary of a non-EU parent or has significant non-EU shareholders, assess whether this is "control" under the referenced regulation. Map the ownership chain to identify ultimate beneficial owners and any third-country influence.

2. Map providers to assurance levels. If you are a public sector body or critical entity (e.g., under NIS2), you may need level 3 or 4 for certain workloads. Providers subject to third-country control would likely be disqualified from these tiers unless they qualify for the narrow level 3 derogation.

3. Prepare for derogation requirements. If you rely on a third-country-controlled provider, check whether its home country has been recognised under Article 18 (and remains on the Article 18(3) list). Recognition turns on, among other things, whether the country has a GDPR adequacy decision and whether it lacks laws enabling conflicting extraterritorial access. If the country is not recognised, your provider cannot reach level 3, and it cannot reach level 4 in any case.

4. Review subcontractor chains. CADA's requirements extend to subcontractors. For level 3 or 4, ensure subcontractors are also free from third-country control, supported by robust contractual clauses and ongoing monitoring.

5. Plan for migration and multi-cloud. Article 29(9) would have entities consider multi-vendor or multi-cloud strategies. If your provider cannot meet a higher level, plan migrations early — Article 29(6) allows a transition period not exceeding 12 months.

Common misconceptions

"If my provider is incorporated in the EU, it is not subject to third-country control." Incorrect. CADA looks at control, not just incorporation. An EU-established provider can still be subject to third-country control if, for example, a parent or majority shareholder in a third country can exert strategic influence.

"Third-country control is only a problem for level 4." It is relevant at all levels: a vulnerability-reporting guarantee at level 1, extensive safeguards at level 2, default prohibition with a narrow Article 18 derogation at level 3, and an outright prohibition at level 4.

"GDPR adequacy decisions solve the third-country control problem." No. Sovereignty under CADA goes beyond data transfers. Recital 61 notes the Commission would assess whether a third country has a GDPR adequacy decision, but recognition under Article 18 also requires the absence of conflicting access measures, protection of service continuity, market openness, and procurement reciprocity. A country could be adequacy-listed yet still pose sovereignty risks.

"Private companies are not affected." CADA's mandatory procurement rules apply to public sector bodies, but Article 31 allows private entities in NIS2 Annex I sectors to carry out similar assessments, and market dynamics would push many private enterprises toward higher assurance levels.

This is general information about a draft EU regulation, not legal advice.