Summary

Under the proposed Cloud and AI Development Act (CADA), an acquisition by a non-EU company constitutes a "material change in circumstances" that triggers an immediate transparency obligation under Article 23. The provider must notify its auditing organisation and national competent authority "as soon as possible." Such a change of control typically violates the strict sovereignty criteria for Union assurance levels 3 and 4, which generally prohibit third-country control (Annex II, Sections 3.1(g) and 4.1(g)). Unless the acquiring country benefits from a specific Commission implementing act under Article 18 (applicable only to Level 3), the provider would likely face a downgrade or revocation of its recognition. This would force public sector customers to migrate to compliant services within a transition period not exceeding 12 months as stipulated in Article 29(6).

Detail

The proposed Cloud and AI Development Act (CADA) establishes a dynamic, risk-based sovereignty framework designed to ensure that cloud services supporting the Union's public order remain resilient against third-country interference. A pivotal mechanism within this framework is the continuous monitoring of a provider's ownership and control structure. A change in control, specifically an acquisition by a non-EU entity, acts as a critical regulatory trigger that can fundamentally alter a provider's eligibility for high-assurance levels.

The Mandatory Transparency Obligation: Article 23

The first and most immediate consequence of a non-EU acquisition is the obligation to report. Article 23 of the CADA proposal imposes a strict duty on recognised cloud computing service providers to maintain the accuracy of their status.

The text of Article 23(1) mandates that:

"On becoming aware of any information or any material change in circumstances that may affect the audit report and the 'positive' opinion under Article 20 or the recognition under Article 17, the recognised cloud computing service provider shall, as soon as possible, notify the auditing organisation and the national competent authority of establishment."

An acquisition by a non-EU company is unequivocally a "material change in circumstances." It alters the legal entity's governance, ownership chain, and exposure to third-country laws, directly impacting the criteria for Union assurance levels. Failure to report this change promptly constitutes an infringement of the transparency obligations.

Upon notification, the process follows a strict chain of assessment:

  1. Auditing Organisation Assessment: The auditing organisation must assess whether the audit report or the 'positive' audit opinion needs to be amended or revoked (Article 23(2)). If the change of control renders the provider non-compliant with the criteria for its current level, the auditor will issue a negative opinion or revoke the report.
  2. Competent Authority Assessment: The national competent authority of establishment then assesses whether its recognition of the service needs to be amended or revoked (Article 23(3)).
  3. Publication: If recognition is revoked, this must be published in the central repository of recognised cloud computing services, making the loss of status immediately visible to public sector buyers (Article 22(3)).

The Sovereignty Barrier: Annex II and Third-Country Control

The severity of the outcome depends entirely on the provider's current assurance level and the specific criteria set out in Annex II. The distinction between Level 3 and Level 4 is particularly critical regarding third-country control.

Union Assurance Level 3: The Conditional Derogation

For a service to maintain Union assurance level 3, the provider must meet the cumulative criteria in Annex II, Section 3.1. Crucially, point 3.1(g) states that the provider and its subcontractors "are not subject to the control of a third country or a legal entity established in a third-country."

However, Annex II, Section 3.1(g) provides a specific, narrow derogation:

"By way of derogation to this criterion, a cloud computing service provider and its subcontractors which are involved in the provision of the audited service that are subject to the control of a third country or a legal entity established in a third-country may be audited for Union assurance level 3 where the Commission has adopted an implementing act under Article 18."

Article 18 allows the Commission to identify third countries that provide "sufficient assurances" (e.g., via adequacy decisions and safeguards against data access or service disruption).

  • Scenario A: If the acquiring non-EU company is from a country not covered by an Article 18 implementing act, the provider immediately fails the criteria for Level 3.
  • Scenario B: If the country is covered, the provider must still demonstrate that the new control structure does not restrict service delivery, prevent data access, or undermine service continuity (Annex II, 3.1(g)(i)-(iv)).

Union Assurance Level 4: The Absolute Prohibition

The requirements for Union assurance level 4 are significantly stricter. Annex II, Section 4.1(g) explicitly states that the audited provider and its subcontractors "are not subject to the control of a third country or a legal entity established in a third-country."

Unlike Level 3, there is no derogation in Annex II for Level 4 based on Commission implementing acts under Article 18. Consequently, an acquisition by any non-EU entity that results in third-country control will automatically disqualify the provider from maintaining Union assurance level 4. The provider would be forced to downgrade to a lower level (if eligible) or lose its recognised status entirely for public sector use cases requiring Level 4.

Recognition Revocation and the 12-Month Migration Clock

If the change of control leads to a failure to meet the criteria, the national competent authority may revoke the provider's recognition. Article 17(11) empowers the evaluating national competent authority to revoke recognition where it finds that a provider "intentionally or negligently, supplied incorrect or misleading information," or where the service no longer meets the criteria.

For public sector bodies, this triggers a mandatory migration obligation. Article 29 requires Member States and Union entities to conduct risk assessments to determine the appropriate assurance level for their activities. If a provider's status changes such that it no longer meets the required level (e.g., dropping from Level 3 to Level 1), the public sector body must procure services that meet the required level.

Article 29(6) sets a strict timeline for this transition:

"Where the risk assessment requires the migration to another cloud computing service, the Member State or Union entity shall migrate within a reasonable transition period that shall not exceed 12 months, taking into account technical feasibility, continuity of service and data portability requirements applicable to such migration."

This 12-month cap is a hard limit. Public sector bodies cannot delay migration indefinitely; they must secure a compliant provider within this window.

Penalties and Compensation

Providers that fail to report the acquisition or continue to claim a higher assurance level after losing eligibility face significant risks. Article 24 requires Member States to lay down rules on penalties for infringements of the sovereignty chapter. These penalties must be "effective, proportionate and dissuasive."

When determining penalties, authorities must consider:

  • The nature, gravity, scale, and duration of the infringement.
  • Any financial benefits gained or losses avoided by the infringing party.
  • The infringing party's annual turnover in the Union.

Furthermore, Article 24(3) grants a private right of action:

"Recipients of the cloud computing services shall have the right to seek, in accordance with Union and national law, compensation from cloud computing service providers for any damage or loss suffered due to an infringement by those providers of their obligations under this Chapter."

What this means for you

For in-house counsel, compliance officers, and public procurement teams, a non-EU acquisition is not merely a corporate event; it is a regulatory crisis that requires immediate action.

1. Immediate Notification Protocol

Do not wait for the next annual audit cycle. As soon as the acquisition is legally binding or the change of control is effective, you must trigger the Article 23 notification.

  • Action: Notify the auditing organisation and the national competent authority of establishment "as soon as possible."
  • Risk: Delaying notification is an infringement that can lead to penalties and reputational damage, potentially accelerating the revocation of recognition.

2. Pre-emptive Reassessment of Assurance Level

Before the auditor issues a formal opinion, conduct an internal gap analysis against Annex II.

  • Level 4 Check: If you hold Level 4, an acquisition by a non-EU entity is likely fatal to your status unless the acquirer is fully EU-controlled (which contradicts the premise). Prepare for an immediate downgrade.
  • Level 3 Check: Verify if the acquirer's country has an Article 18 implementing act. If not, you will lose Level 3 status. If yes, prepare evidence demonstrating that the new control structure does not restrict service delivery or data access (Annex II, 3.1(g)(i)-(iv)).
  • Level 1/2 Viability: Assess if you can still meet the criteria for Level 1 or 2. Level 1 allows third-country control provided there are no laws requiring vulnerability reporting before exploitation (Annex II, 1.1(g)). Level 2 requires robust measures to prevent third-country interference (Annex II, 2.1(g)).

3. Contractual and Migration Management

Public sector contracts often contain "sovereignty clauses" requiring the maintenance of a specific Union assurance level.

  • Breach Risk: A downgrade may constitute a material breach of contract.
  • Customer Communication: Inform public sector customers immediately. They are legally required to migrate within 12 months of the risk assessment triggering the need (Article 29(6)). If you do not notify them, they may be forced to terminate the contract immediately to avoid non-compliance with their own procurement obligations.
  • Transition Planning: Work with the customer to ensure data portability and continuity during the migration window.

4. Audit Cooperation

The auditing organisation will need to reassess your compliance.

  • Evidence: Provide full access to the new ownership structure, corporate governance documents, and any new third-country laws that now apply.
  • Control Definition: Be prepared to demonstrate that "control" (as defined in CADA) has not been transferred in a way that undermines sovereignty. This includes assessing board composition, veto rights, and commercial/financial dependencies.

5. Strategic Options

If maintaining Level 3 or 4 is critical:

  • Structural Separation: Can the acquisition be structured to avoid "control" (e.g., minority stake without board representation or veto rights)? Note that CADA looks at effective control, not just majority shareholding.
  • Article 18 Advocacy: Engage with the Commission and Member States to explore if the acquirer's country could be considered for an Article 18 implementing act. However, this is a long-term political process and cannot be relied upon for immediate compliance.

Common misconceptions

Misconception 1: "An acquisition by a non-EU company automatically disqualifies a provider from all assurance levels." This is incorrect. A provider can still qualify for Union assurance level 1 and level 2 even if subject to third-country control, provided it meets the specific criteria in Annex II.

  • Level 1: Requires that no third-country laws force the reporting of software vulnerabilities before they are exploited (Annex II, 1.1(g)).
  • Level 2: Requires that third-country control does not restrict service delivery, prevent data access, or disrupt continuity (Annex II, 2.1(g)).

Automatic disqualification primarily applies to levels 3 and 4, unless an Article 18 derogation applies for Level 3.

Misconception 2: "The 12-month migration period starts only after the new assurance level is officially published in the repository." The Article 29(6) timeline is triggered when the risk assessment requires migration. While the official revocation of recognition may take administrative time, public sector bodies may initiate migration planning as soon as they are notified of the material change under Article 23. Providers should not assume they have a full 12 months from the acquisition date; the clock may start ticking once the public sector body determines that the service no longer meets the required assurance level for their specific use case.

Misconception 3: "'Control' is defined solely by majority shareholding." CADA's definition of "control" is broader and functional. It includes the ability to materially influence technical evolution, maintenance priorities, and security remediation. Even if a non-EU acquirer holds less than 50% of the shares, if they have veto rights, board representation, or contractual rights that allow them to influence these strategic decisions, the provider may be deemed "subject to the control" of a third country. Compliance officers must assess control holistically, considering corporate governance, commercial links, and financial dependencies as outlined in Annex III (Audit Criterion G).

This is general information about a draft EU regulation, not legal advice.