Summary

A dependency vulnerability in cloud computing is a structural, strategic risk: a public body's reliance on a small number of providers creates exposure to political or economic coercion, service disruption, or unauthorised data access. As proposed in the Cloud and AI Development Act (CADA), these vulnerabilities arise in particular where providers are subject to the control of a third country, which could enable embargoes, sanctions, monopoly pricing or service degradation. CADA would mitigate this through a Union cloud computing sovereignty framework (Article 16), risk assessments (Article 29) and procurement obligations tied to four Union assurance levels (Article 30).

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, treats dependency vulnerabilities as a risk to the Union's public order, economic security and technological autonomy. Unlike conventional cybersecurity threats, which centre on technical exploits, dependency vulnerabilities are structural risks arising from market concentration and the legal jurisdictions that govern cloud providers.

Defining dependency vulnerabilities

As proposed, the risk crystallises where the Union and its Member States are critically dependent on a limited number of cloud computing service providers subject to the control of a third country or a legal entity established in a third country. Recital 50 of the proposal groups the resulting risks into three categories:

  1. Misuse — manipulation, remote access and control, sabotage, or weaponisation.
  2. Access to information — access to sensitive information, unauthorised communication, technology leakage, data manipulation or exfiltration, or espionage.
  3. Dependency vulnerabilities — described in Recital 50 as "political and/or economic coercion, for example by using vendor or technology lock-ins, embargos or sanctions, monopoly pricing damaging the financial interest of the Union and Member States."

The explanatory memorandum notes that three non-EU hyperscalers control over 70% of the European cloud market, while EU providers' share fell from 29% in 2017 to 15% in 2022. The proposal argues that this concentration amplifies the vulnerabilities by limiting alternatives and increasing the leverage available to third-country actors.

Economic and political coercion

A central element of the concept is the potential for coercion. As characterised in the recitals, it can take several forms:

  • Embargoes and sanctions: a third country could compel a provider to restrict or deny services to EU entities.
  • Monopoly pricing: with few competitive alternatives, a dominant provider could impose disproportionate costs that damage public-sector budgets.
  • Service degradation or disruption: a third country could push a provider to degrade quality or interrupt continuity, holding critical public services hostage.

Recital 46 explains that large incumbents are often subject to third-country jurisdictions whose laws have extraterritorial effects. As proposed, those laws may mandate data access or transfer that conflicts with EU fundamental rights and data-protection frameworks, or compel actions that disrupt service provision — making the continuity of essential public services contingent on foreign policy decisions.

CADA's sovereignty framework as mitigation

To address these vulnerabilities, CADA would establish a Union cloud computing sovereignty framework built on four Union assurance levels (Article 16), with the detailed criteria set out in Annex II. The levels progressively reduce exposure to third-country control:

  • Union assurance level 1 would require the provider to be established in the Union, with infrastructure and assets located in the Union and customer data (including metadata and telemetry) remaining exclusively within the Union unless the public-sector body requires otherwise. It would also require full transparency around subcontractors and, where the provider is subject to third-country control, a guarantee that no law of that country requires software vulnerabilities to be reported to its authorities before those vulnerabilities are known to have been exploited (Annex II, 1.1).
  • Union assurance level 2 would add, for providers under third-country control, a duty to show that legal, technical and organisational measures prevent that control from restricting service delivery, prevent third-country access to customer data, prevent disruption of continuity, and prevent the provider being obliged to apply foreign sanctions or embargoes (Annex II, 2.1(g)).
  • Union assurance levels 3 and 4 would generally require that the provider and its subcontractors are not subject to the control of a third country, with a narrow derogation at level 3 for "associated third countries" recognised under Article 18.

By tying procurement to these levels, CADA aims to insulate critical public functions from coercion. Under Article 29, Member States and Union entities would conduct risk assessments to identify activities contributing to the preservation of public order and to determine the appropriate level. Under Article 30, activities contributing to public order would have to be procured at Union assurance levels 2, 3 or 4; other activities would use level 1.

The link to public order

CADA frames mitigating dependency vulnerabilities as essential to protecting public order. As proposed, retaining the Union's and Member States' control over infrastructure, data, assets and technology systems under Union jurisdiction has become "an imperative policy objective" (Recital 46). Shifting procurement toward providers with lower dependency vulnerabilities is intended to safeguard operational autonomy.

What this means for you

For public-sector procurement officers and legal teams, CADA would add a sovereignty dimension to cloud procurement, beyond traditional security and price criteria.

  1. Conduct risk assessments. Under Article 29, you would identify activities that contribute to the preservation of public order, weighing the sensitivity, criticality and magnitude of data, the risk of unlawful third-country access, and the risk of service disruption.
  2. Procure at the appropriate assurance level. For activities not linked to public order, level 1 would be the minimum (Article 30(2)). For activities in sectors covered by the NIS2 Directive or in national security, internal security, border management, defence, justice or law enforcement, you would procure at level 2, 3 or 4 (Article 30(3)).
  3. Evaluate third-country control. Look beyond technical specifications to ownership and control structures. Providers under third-country control face stricter scrutiny, especially at the higher levels.
  4. Consider multi-cloud strategies. Article 29(9) would require you to consider whether a multi-vendor or multi-cloud strategy is appropriate, which can further limit single-provider dependency.
  5. Plan for transition. Where a risk assessment requires migration, Article 29(6) allows a reasonable transition period not exceeding 12 months, taking account of technical feasibility, continuity and data portability.

Common misconceptions

  • "Dependency vulnerability is the same as cybersecurity risk." They are distinct. Cybersecurity risk concerns technical breaches of confidentiality, integrity or availability; dependency vulnerability concerns structural and geopolitical risk, such as a foreign government's legal ability to coerce a provider. CADA's sovereignty framework targets the latter.
  • "All non-EU providers are banned." As proposed, they are not. Providers under third-country control face higher hurdles at levels 3 and 4, but may qualify for level 1 or 2 on strict criteria, or for level 3 if their country is recognised as an "associated third country" under Article 18.
  • "Only large hyperscalers are affected." The framework applies to any cloud computing service provider, though the risk is most acute with large incumbents. Smaller EU providers may offer lower dependency vulnerabilities — a potential advantage under the Union added-value procurement criteria in Article 32.
  • "Sovereignty levels are optional." For public-sector bodies, procuring at the minimum required Union assurance level would be mandatory under Article 30 once the regulation is adopted.

This is general information about a draft EU regulation, not legal advice.