Summary

Under the proposed Cloud and AI Development Act (CADA), cloud providers subject to the control of a third country or a third-country legal entity face a high bar to qualify for Union Assurance Levels (UAL) 2 and 3. As proposed in Annex II, these providers must demonstrate that foreign control does not: (1) restrain service delivery; (2) allow access to customer data; (3) disrupt service continuity; or (4) compel compliance with unlawful third-country sanctions. These safeguards are mandatory for UAL 2 and UAL 3 under Annex II, Section 2.1(g)(i)-(iv) and Section 3.1(g)(i)-(iv). Failure to prove these measures precludes recognition at these tiers, effectively excluding many global hyperscalers from critical public-sector contracts unless they can legally and technically ring-fence their EU operations.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a Union cloud computing sovereignty framework to mitigate risks stemming from dependence on non-EU providers. A core mechanism of this framework is the four-tier Union Assurance Level (UAL) system. While UAL 1 serves as a baseline, UAL 2 and UAL 3 are the primary tiers for public-sector procurement involving public-order relevance, yet they present a specific hurdle for providers subject to third-country control.

The Legal Basis for Third-Country Control Safeguards

The definition of "control" in CADA is not self-contained; Article 2(21) defines it by reference to Article 2, point (6), of Regulation (EU) 2021/697 (the European Defence Fund Regulation). This definition captures not just majority ownership, but also the ability to exercise decisive influence over strategic objectives and significant decisions.

For providers falling under this definition of being "subject to the control of a third country or a legal entity established in a third-country," CADA does not impose an automatic ban. Instead, it imposes a conditional path to recognition. Annex II sets out cumulative criteria that must be met. Specifically, for UAL 2 and UAL 3, the provider must prove that specific legal, technical, and organisational measures are in place to neutralise the risks posed by that foreign control.

The Four Mandatory Safeguards (Annex II 2.1(g) & 3.1(g))

To be recognised at UAL 2 or UAL 3, a provider under third-country control must demonstrate that the control is not exercised in a manner that:

  1. Restrains Service Performance: The foreign control must not "restrain or restrict the provider's ability to perform and deliver the service." This includes ensuring that the control does not impose limitations on the infrastructure, assets, and personnel required for service provision, nor undermine the capabilities and standards necessary to perform the audited service.

    • UAL 3 Specificity: For UAL 3, Annex II, Section 3.1(g)(i) adds a verification requirement: "The audited provider should allow for reasonable access to the code." This ensures auditors can verify that the code itself does not contain backdoors or mechanisms that could be triggered by the third-country controller.

  2. Prevents Data Access: The provider must ensure that "access by a third country or by a legal entity established in a third-country to customer data is prevented." This is a strict data sovereignty requirement, designed to block extraterritorial access requests (such as those under the US CLOUD Act) that could conflict with EU data protection standards.

  3. Prevents Disruption or Degradation: The provider must prove that the "possibility of disruption of the service continuity and/or the degradation of the service quality by a third country or a legal entity established in a third country is prevented." This safeguards against operational coercion, where a foreign state might threaten to shut down services or degrade performance as a form of economic or political pressure.

  4. No Compliance with Unlawful Sanctions: The control must not oblige the provider to "implement, enforce, give effect to, or comply with restrictive measures such as sanction regimes, embargoes, or any equivalent legal or administrative measures adopted by a third country."

    • Exception: This prohibition applies unless such measures are "legitimate under the national laws of Member States or Union law." This ensures that EU providers are not forced to comply with foreign sanctions that contradict EU foreign policy or law.

Applicability: Levels 2 and 3 Only

It is critical to note that these four safeguards apply specifically to UAL 2 and UAL 3.

  • UAL 1: Under Annex II, Section 1.1(g), a provider under third-country control can qualify for UAL 1 if it guarantees that there are no laws in that third country requiring the reporting of software vulnerabilities to authorities prior to exploitation. This is a much lower threshold focused on vulnerability disclosure rather than operational sovereignty.
  • UAL 4: Under Annex II, Section 4.1(g), the default rule is stricter: the provider and subcontractors must not be subject to the control of a third country. While a derogation exists if the Commission has adopted an implementing act under Article 18 (Associated third countries), UAL 4 generally excludes third-country-controlled providers unless they can prove a complete severance of control, which is often commercially unfeasible.

The Audit and Recognition Process

Proof of these safeguards is not a self-declaration. Article 20 mandates that providers seeking UAL 2, 3, or 4 undergo independent third-party audits. The auditing organisation must assess compliance against the criteria in Annex II using evidence listed in Annex III.

Audit Criterion G (Absence of third-country control) requires auditors to examine:

  • Ownership structures and cap tables up to ultimate owners.
  • Corporate governance rules, including voting rights, veto powers, and board composition.
  • Commercial and financial links that could confer control.
  • Evidence of effective legal, technical, and organisational separation between the EU parent and any third-country subsidiary.

If the auditor determines the provider is subject to third-country control, they must request evidence that the Commission has adopted a decision under Article 18 regarding that third country, or that the provider has implemented the specific measures in Annex II to enforce separation. Annex III, Section 7.2(c) explicitly lists "Demonstrating that the Commission has adopted a decision pursuant to Article 19" as evidence required in the audit file. Note: While the main text of the Regulation (Article 18) grants the power to identify third countries, the draft text in Annex III contains a cross-reference to Article 19. In practice, the substantive legal basis for the Commission's decision is Article 18.

If the provider cannot demonstrate these measures, the audit will result in a negative opinion, and the provider will not be recognised at UAL 2 or 3.

What this means for you

For in-house counsel, compliance officers, and cloud providers, CADA introduces a binary market access risk. If your entity is subject to the control of a third country, you cannot automatically offer services to public sector bodies requiring UAL 2 or 3. You must proactively implement and document robust legal and technical firewalls.

Key Obligations for Providers

  • Legal Ring-Fencing: Review corporate governance documents to ensure that foreign shareholders or states do not have veto rights or strategic decision-making powers that could be interpreted as "control" under the referenced Regulation (EU) 2021/697. If they do, you must implement contractual and technical measures to neutralise their ability to interfere with service delivery, data access, or sanction compliance.
  • Technical Separation: Implement strict access controls ensuring that personnel or systems in third countries cannot access EU customer data or infrastructure. This may require dedicated EU-only data centres, separate administrative networks, and EU-only support teams, as required by Annex II, Section 2.1(h) and 3.1(h).
  • Audit Readiness: Prepare for independent audits under Article 20. You must be able to provide auditors with evidence of your ownership structure, governance rules, and technical separation measures. Failure to provide this evidence will result in a negative audit opinion.

Timeline and Deadlines

  • National Competent Authorities: Member States must designate these authorities by one year after the Regulation's entry into force (Article 25).
  • Application: Providers must submit applications for recognition to the national competent authority of their establishment (Article 17).
  • Review Period: The evaluating competent authority has 60 days to assess the evidence, including the audit report and opinion, and notify other Member States for a 60-day review period (Article 17(5)).

Penalties and Liability

  • Penalties: Member States must lay down rules on penalties for infringements of the sovereignty framework. Penalties must be "effective, proportionate and dissuasive" (Article 24).
  • Compensation: Recipients of cloud services have the right to seek compensation from providers for damage or loss suffered due to infringements of these obligations (Article 24(3)).

Common misconceptions

Misconception 1: "If we have an EU subsidiary, we are not subject to third-country control." CADA looks through corporate structures to identify "control" as defined in Regulation (EU) 2021/697 (the European Defence Fund Regulation). Even if the EU subsidiary is legally established in the Union, if the ultimate parent company or a significant shareholder in a third country holds strategic decision-making power, veto rights, or can compel compliance with third-country laws, the provider is considered subject to third-country control. You must prove that this control does not translate into the ability to access data or disrupt services.

Misconception 2: "UAL 1 is sufficient for all public sector work." No. Article 29 requires Member States and Union entities to conduct risk assessments to determine which public sector activities contribute to the preservation of public order. For activities identified in sectors falling under Annex I or II of the NIS2 Directive, or in areas of national security, defence, justice, or law enforcement, Article 30(3) mandates the procurement of services recognised at UAL 2, 3, or 4. UAL 1 is only sufficient for public sector activities not identified as contributing to the preservation of public order.

Misconception 3: "Data adequacy decisions under the GDPR are enough." CADA explicitly states that the notion of sovereignty goes beyond data transfers and relates to operational autonomy (Recital 5). While an adequacy decision under GDPR may facilitate data transfers, it does not automatically satisfy the CADA requirements for preventing service disruption or compliance with third-country sanctions. Providers must still demonstrate the specific safeguards in Annex II.

Misconception 4: "Article 19 is the correct article for third-country decisions." While the draft text in Annex III, Section 7.2(c) references "Article 19" for the Commission's decision on third countries, the substantive legal basis for this power is Article 18 ("Associated third countries"). Article 19 in the main text refers to "Conformity self-assessment" for UAL 1. This is a drafting inconsistency in the proposal; the correct legal basis for the Commission's implementing act is Article 18.

This is general information about a draft EU regulation, not legal advice.