Summary

Under the proposed Cloud and AI Development Act (CADA), the status of an "associated third country" is inextricably linked to the validity of its GDPR adequacy decision. If the European Commission determines that a third country no longer fulfils the requirements of Article 18(1), specifically the loss of an adequacy decision under Article 18(1)(a), the Commission is legally obligated to "repeal, amend or suspend" the decision recognizing that country under Article 18(2). As a direct consequence, cloud computing service providers subject to the control of that third country would immediately lose their eligibility to be audited for Union assurance level 3. Public sector contracting authorities relying on such providers for public-order-relevant activities would then be forced to migrate to alternative sovereign providers within a maximum transition period of 12 months, as stipulated in Article 29(6).

Detail

The CADA proposal establishes a rigorous sovereignty framework designed to mitigate risks arising from dependence on non-European cloud providers. A critical, yet conditional, mechanism within this framework is the recognition of "associated third countries" under Article 18. This provision creates a narrow pathway allowing cloud computing service providers subject to the control of a third country or a legal entity established there to be audited against the criteria for Union assurance level 3. However, this pathway is not permanent; it is contingent upon the third country maintaining a specific set of cumulative criteria, the most fundamental of which is the existence of a valid GDPR adequacy decision.

The Legal Dependency: Adequacy as a Prerequisite

The architecture of Article 18 establishes a strict dependency chain. Article 18(1) sets out the cumulative criteria that a third country must fulfil to be identified as an associated third country. The very first criterion, Article 18(1)(a), mandates that the third country "is subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679" (the GDPR).

The proposal clarifies that this adequacy decision must apply generally to the third country as a whole or be limited to specific sectors or certified organizations, and crucially, it must extend to the specific processing activities carried out in the context of the service provision. This creates a binary condition: without a valid adequacy decision covering the relevant activities, the third country fails the cumulative test of Article 18(1). Consequently, it cannot be designated as an associated third country. Without this designation, the legal basis for auditing providers controlled by that jurisdiction against the criteria for Union assurance level 3 evaporates.

The Trigger: Loss of Adequacy and Mandatory Suspension

The mechanism for handling the deterioration of a third country's status is explicitly defined in Article 18(2). This article states: "Where available information reveals that the third country no longer fulfils the requirements under paragraph 1, the Commission shall repeal, amend or suspend the decision referred to in paragraph 1."

Because the adequacy decision is a foundational requirement under Article 18(1)(a), the loss, suspension, or amendment of that adequacy decision by the Commission (under GDPR rules) automatically means the third country "no longer fulfils the requirements" of Article 18(1). The language of Article 18(2) is mandatory ("shall"), leaving the Commission no discretion to maintain the associated third-country status once the adequacy prerequisite is removed.

This triggers an immediate legal cascade:

  1. Revocation of Status: The Commission must issue an implementing act to repeal, amend, or suspend the decision identifying the country as an associated third country.
  2. Loss of Audit Eligibility: Once the decision is suspended or repealed, cloud computing service providers subject to the control of that third country lose the eligibility to be audited against the criteria for Union assurance level 3. They can no longer obtain a "positive" audit opinion required for this level, as the prerequisite legal framework for their control structure has been removed.
  3. Ineligibility for Public Procurement: Under Article 30(3) of the CADA proposal, contracting authorities whose activities contribute to the preservation of public order (e.g., national security, defence, justice, law enforcement) are restricted to procuring only cloud computing services recognised as having Union assurance level 2, 3, or 4. If a provider loses its eligibility for level 3 due to the loss of associated third-country status, it effectively falls out of the permissible procurement pool for these high-criticality activities.

The Migration Obligation: A 12-Month Hard Cap

The loss of assurance level 3 eligibility creates an immediate compliance gap for public sector bodies. Article 29(6) addresses this by mandating a migration process. It states: "Where the risk assessment requires the migration to another cloud computing service, the Member State or Union entity shall migrate within a reasonable transition period that shall not exceed 12 months."

This transition period is not indefinite. It is bounded by the strict cap of 12 months, which must be calculated taking into account "technical feasibility, continuity of service and data portability requirements." For public bodies, this means that upon the Commission's announcement of the suspension under Article 18(2), the clock starts ticking. They must identify a compliant alternative (a provider recognised at level 2, 3, or 4 that does not rely on the now-suspended third-country status) and execute the migration within this timeframe.

Transparency and Public Registry

To ensure market participants are aware of these changes, Article 18(3) requires the Commission to "publish on its website a list of third countries that fulfil the requirements under paragraph 1 and those that no longer do so." This public registry serves as the definitive source of truth for contracting authorities and providers. Once a country is removed from the list of those fulfilling requirements, the loss of eligibility for level 3 is immediate and publicly verifiable, triggering the compliance obligations described above.

What this means for you

For legal counsel, compliance officers, and procurement managers, the interplay between GDPR adequacy and CADA's sovereignty framework represents a high-stakes operational risk. The loss of adequacy is not merely a data-transfer issue; it is a structural disqualification from the highest tiers of sovereign cloud assurance.

For Cloud Service Providers

  • Continuous Monitoring is Mandatory: If your organization is controlled by a third country currently recognized under Article 18, you must monitor the status of that country's GDPR adequacy decision with extreme vigilance. The loss of adequacy is a "material change" that instantly invalidates your eligibility for Union assurance level 3.
  • Proactive Notification: Under Article 23, you are obligated to notify the auditing organization and the national competent authority of establishment "as soon as possible" upon becoming aware of any material change affecting your recognition. The revocation of the underlying adequacy decision constitutes such a change. Failure to notify promptly could lead to further penalties or reputational damage.
  • Contractual Exposure: Review all contracts with public sector clients. Many will contain clauses requiring a specific assurance level (often level 3 for public-order activities). Losing this status may constitute a breach of contract. You must prepare robust migration plans and data portability strategies to mitigate client churn and potential liability claims.
  • No "Grandfathering": There is no provision in the proposal for grandfathering existing level 3 recognitions if the underlying third-country status is suspended. The loss is immediate upon the Commission's decision under Article 18(2).

For Public Sector Contracting Authorities

  • Immediate Risk Re-assessment: Article 29(1) requires Member States and Union entities to carry out risk assessments at least every two years. However, the loss of a third country's status is an event that necessitates an immediate update to these assessments. You must verify that your current providers still meet the required assurance level.
  • Procurement Compliance: Under Article 30(3), you are prohibited from procuring services that do not meet the required assurance level for public-order-relevant activities. If your provider loses level 3 eligibility due to the loss of associated third-country status, you must immediately cease procuring or using their services for those specific activities.
  • Strict Migration Timeline: You have a maximum of 12 months to complete the migration, as per Article 29(6). This deadline is strict. Begin identifying alternative sovereign providers (Level 2, 3, or 4) immediately upon the Commission's announcement of the suspension. Do not wait for the 12-month period to elapse before taking action.
  • Due Diligence on Control Structures: When evaluating providers, verify not just their current status but the stability of the third-country control structure. A provider relying on a third country with a fragile or contested adequacy decision poses a significant continuity risk.

Common misconceptions

"Loss of adequacy only affects data transfers, not sovereignty status."

  • Reality: Under Article 18(1)(a), GDPR adequacy is a strict, cumulative prerequisite for associated third-country status. Without it, a country cannot be recognized, regardless of its other security measures or bilateral agreements. The sovereignty framework is explicitly tied to data protection adequacy; the two are legally inseparable in this context.

"Providers can maintain level 3 status through other means if adequacy is lost."

  • Reality: There is no alternative pathway in Article 18 for a third-country-controlled provider to achieve level 3 without the associated third-country designation. The proposal does not offer a "safety valve" or a separate track for providers in this scenario. If the designation is lost, the eligibility for the audit is lost.

"The transition period for migration is flexible beyond 12 months."

  • Reality: Article 29(6) sets a hard cap: the transition period "shall not exceed 12 months." While the regulation requires considering "technical feasibility," this is a factor in planning the migration, not a justification for extending the deadline beyond the statutory limit. The 12-month cap is designed to ensure timely mitigation of public order risks.

"The Commission has discretion to keep a country on the list even if adequacy is lost."

  • Reality: Article 18(2) uses mandatory language ("shall repeal, amend or suspend"). The Commission does not have the discretion to maintain the status of a third country that no longer fulfils the cumulative criteria, including the adequacy requirement.

This is general information about a draft EU regulation, not legal advice.