Summary

Under the proposed Cloud and AI Development Act (CADA), cloud computing service providers seeking Union assurance levels 2, 3, or 4 must prove they are not subject to third-country control through rigorous independent audits. As proposed in Article 21 and Annex III, auditors must examine ownership structures, corporate governance, and commercial links to demonstrate that no foreign entity can materially influence the provider's operations or access customer data. This evidence-based approach ensures that providers subject to extraterritorial laws must implement specific legal, technical, and organisational measures to guarantee operational autonomy. Crucially, for levels 2 and 3, providers must guarantee via independent sources that no third-country law compels the reporting of software vulnerabilities before exploitation.

Detail

The CADA proposal introduces a four-tier "Union assurance" framework (Article 16) to classify cloud services based on their level of sovereignty and trust. While Union assurance level 1 relies on self-assessment, levels 2, 3, and 4 require independent third-party audits. A critical component of these audits is proving the absence of foreign control, defined in Article 2 by reference to Article 2, point (6), of Regulation (EU) 2021/697.

The Audit Criteria for No Foreign Control

The specific criteria for demonstrating the absence of third-country control vary by assurance level but become increasingly stringent.

Union Assurance Level 2

Under Annex II, Section 2.1(g), if a provider and its subcontractors are subject to third-country control, they must demonstrate that legal, technical, and organisational measures have been implemented to ensure:

  • The third-country control does not restrain the provider's ability to perform the service or impose limitations on infrastructure and personnel.
  • Access by a third country or its legal entities to customer data is prevented.
  • The possibility of service disruption or degradation by a third country is prevented.
  • The provider is not obliged to implement restrictive measures (e.g., sanctions or embargoes) from the third country unless they are legitimate under EU law.

Union Assurance Levels 3 and 4

The requirements are stricter. For Union assurance level 3 (Annex II, Section 3.1(g)), providers and subcontractors must not be subject to third-country control. However, a derogation exists: if the Commission has adopted an implementing act under Article 18 ("Associated third countries") recognising a third country as providing sufficient assurances, providers subject to that country's control may still be audited. They must still demonstrate the same legal, technical, and organisational safeguards as Level 2, and must additionally allow reasonable access to code.

For Union assurance level 4 (Annex II, Section 4.1(g)), providers and subcontractors must strictly not be subject to third-country control, with no derogation for associated third countries. Additionally, Level 4 requires demonstrating that a third country does not hold effective control over the design, development, maintenance, and evolution of software components.

Evidence Requirements Under Article 21 and Annex III

Article 21 of the CADA proposal mandates that auditing organisations assess compliance based on the audit evidence listed in Annex III. For the criterion of "Absence of third-country control or third-country entity control" (Audit Criterion G), Annex III specifies detailed evidence providers must supply.

1. Ownership and Control Structure

Auditors must identify and analyse:

  • All direct and indirect shareholders up to ultimate owners.
  • The capitalisation table documenting ownership structure.
  • Bodies empowered to take strategic decisions (e.g., general assembly, supervisory board).
  • Rules for appointing governing bodies and their actual composition, specifically checking if any shareholder can nominate board representatives or hold majority seats.
  • Quorums and majorities required for strategic decisions to determine if any shareholder can block or impose decisions.
  • Influence through commercial or financial links.

Providers must supply commercial registry extracts, shareholders' books, shareholders' agreements, and articles of association. For any legal person holding at least 5% of capital or voting rights, the provider must provide a graph of ownership layers up to ultimate owners, articles of association, and a register of directors.

2. Corporate Governance and Decision-Making

Providers must describe decision-making bodies, their composition, and nationality. They must provide evidence of internal governance policies recording how ownership and control decisions are approved. Supporting documents must include board minutes and resolutions reflecting control changes.

3. Commercial and Financial Links

Providers must list individuals or legal entities with whom they have commercial relationships that confer a level of control similar to share ownership (e.g., long-term supply agreements or credits). They must also list entities on whom they are financially dependent in a way that could allow concessions in strategic business areas. Supporting documents include loan documents and cooperation agreements.

4. Additional Steps for Providers Under Third-Country Control

If the auditor determines the provider is subject to third-country control, Annex III requires additional evidence:

  • Proof that the Commission has adopted a decision under Article 18 regarding that third country (for Level 3).
  • Evidence of measures enforcing effective legal, technical, and organisational separation between the provider and the third-country entity.
  • Proof that the provider is unable to comply, legally and technically, with any request to access customer data or disrupt service.
  • Evidence that the public sector body is informed of any such requests and that the request was refused.
  • An up-to-date record of any requests to access data or disrupt service from a third country, including the response.

Vulnerability Reporting Guarantees

A specific technical safeguard is required across levels 1, 2, and 3. Under Annex II, Section 1.1(g) (Level 1), Section 2.1(i)(iii) (Level 2), and Section 3.1(i)(iii) (Level 3), if a provider is subject to third-country control, it must guarantee that there are no existing laws and practices in that third country, demonstrated by independent sources, that require the provider to report software vulnerabilities to third-country authorities before those vulnerabilities are known to have been exploited. This directly addresses risks associated with laws like the US CLOUD Act or other national security legislation that might compel early disclosure of security flaws.

Note on Level 4: The text of Annex II, Section 4.1(i) regarding software supply chain measures for Level 4 does not include a specific point (iii) mirroring the vulnerability reporting guarantee found in lower levels. Instead, Level 4 focuses on retaining effective control over the design and evolution of software components.

What this means for you

For in-house counsel and compliance officers, the CADA proposal shifts the burden of proof regarding sovereignty from marketing claims to verifiable audit evidence.

1. Prepare for Deep-Dive Audits

If your organisation seeks Union assurance levels 2, 3, or 4, you must prepare for extensive documentation requests. Auditors will not accept high-level assurances; they will request cap tables, shareholder agreements, and board minutes. You must be able to map ownership up to ultimate beneficial owners and prove that no foreign entity holds veto rights or majority influence over strategic decisions.

2. Document Legal, Technical, and Organisational Measures

If your provider is controlled by a third-country entity (e.g., a US hyperscaler), you must document concrete measures that prevent foreign access to data and service disruption. This includes:

  • Legal: Contracts and policies that explicitly refuse third-country data access requests, supported by evidence of refusal.
  • Technical: Architectural separation of EU data and operations from global systems, preventing remote access from outside the EU.
  • Organisational: Personnel screening and separation of duties to ensure EU-based staff have exclusive control over EU infrastructure.

3. Monitor Vulnerability Reporting Laws

You must monitor the legal landscape of any third country controlling your provider. You need to gather independent sources (e.g., legal analyses, government statements, or court rulings) to prove that no law compels your provider to report software vulnerabilities to foreign authorities before exploitation. If such a law exists, you may not qualify for higher assurance levels unless the Commission grants a derogation under Article 18.

4. Penalties and Non-Compliance

Article 24 of the CADA proposal stipulates that Member States must lay down effective, proportionate, and dissuasive penalties for infringements. Providing incorrect or misleading information during the audit process can lead to the revocation of recognition by the national competent authority (Article 17(11)) and potential fines. Recipients of the service also have the right to seek compensation for damages caused by such infringements (Article 24(3)).

Common misconceptions

Misconception 1: "If we have an EU subsidiary, we are not under foreign control." CADA looks beyond legal entities to ultimate ownership and control. Annex III requires auditors to trace ownership up to ultimate owners and assess whether foreign shareholders can block or impose strategic decisions. A US-owned EU subsidiary may still be deemed under US control if the US parent holds veto rights or majority board seats.

Misconception 2: "We only need to prove no data leaves the EU." Data localisation is only one part of the sovereignty framework. Even if data stays in the EU, a provider subject to foreign control may be compelled to disrupt service, degrade performance, or report vulnerabilities. CADA requires proof that such foreign influence is legally, technically, and organisationally blocked.

Misconception 3: "Open-source software eliminates foreign control risks." While open-source promotes transparency, CADA still requires audits of the provider's control structure. If a provider using open-source components is controlled by a third-country entity, it must still demonstrate that it cannot be compelled to disrupt service or access data. In addition, Annex II requires providers to document controls preventing remote features in open-source software that could tamper with systems.

This is general information about a draft EU regulation, not legal advice.