Summary
A "kill switch" risk in foreign-controlled cloud computing is the threat that a provider subject to the jurisdiction or control of a non-EU country could be compelled to degrade, disrupt, or entirely cut off service. The proposed Cloud and AI Development Act (CADA) treats this as a public-order risk linked to "misuse" (sabotage, weaponisation) and "dependency vulnerabilities" (coercion, sanctions). To mitigate it, CADA would, as proposed, set up a four-tier sovereignty framework (Article 16, with detailed criteria in Annex II) backed by independent audits; at the highest tiers, providers must not be subject to third-country control at all.
Detail
A "kill switch" in cloud infrastructure is not merely a technical failure scenario; it is a geopolitical and legal vulnerability. It describes a situation where a cloud service provider, while operating within the EU, remains legally or structurally subject to the authority of a third country. That third country may have laws with extraterritorial reach that can compel the provider to restrict access to data, degrade service quality, or halt operations entirely. For EU public sector bodies, this is a direct threat to operational autonomy and public order.
The nature of the risk
The proposed CADA frames this risk in its recitals. Recital 48 notes that providers have launched "tailored versions of their service offerings" in response to sovereignty concerns, but that those versions "do not address the core sovereignty issues allowing for the extraterritorial reach of third-country laws and the possible degradation or disruption of the service." The proposal argues that without a harmonised mechanism, the Union "will not ensure autonomy or control over its data, assets and digital infrastructure."
Recital 50 categorises the specific threats arising from dependence on providers subject to third-country control. It lists "misuse (i.e. manipulation, remote access and control, sabotage, weaponisation)," "access to information" (e.g. exfiltration, espionage), and "dependency vulnerabilities (i.e. political and/or economic coercion, for example by using vendor or technology lock-ins, embargos or sanctions, monopoly pricing)." A "kill switch" is the sharpest form of these vulnerabilities: the ability of a foreign power to coerce a provider into stopping or degrading service, paralysing the public functions that rely on it.
CADA's response: the sovereignty framework
To address such risks, CADA would establish a Union cloud computing sovereignty framework consisting of four "Union assurance levels" (Article 16). The detailed criteria for each level are set out in Annex II of the proposal; the levels are cumulative, so each higher level must also satisfy every criterion of the levels below it (Article 20(1)). The criteria escalate in strictness regarding third-country control:
- Union assurance level 1 (Annex II, Section 1): the provider must be established in the Union; infrastructure and assets must be in the Union; and customer data, including metadata and telemetry, must remain exclusively within the Union (unless the public sector body explicitly requires otherwise). Where the provider is subject to third-country control, it must guarantee there are no laws in that country requiring it to report software vulnerabilities to foreign authorities before those vulnerabilities are known to have been exploited (Annex II, Section 1.1(g)).
- Union assurance level 2 (Annex II, Section 2): if the provider or its subcontractors are subject to third-country control, they must demonstrate that this control does not restrict the provider's ability to perform the service, that third-country access to customer data is prevented, and that disruption of service continuity or degradation of service quality is prevented (Annex II, Section 2.1(g)). Personnel and infrastructure must be located in the Union, and a European cybersecurity certificate of at least "substantial" assurance is required.
- Union assurance level 3 (Annex II, Section 3): the provider and its subcontractors must not be subject to third-country control (Annex II, Section 3.1(g)). A narrow derogation lets a controlled provider be audited for Level 3 only where the Commission has designated the country as an "associated third country" under Article 18 (which requires a GDPR adequacy decision and guarantees against control, service disruption and coerced sanctions).
- Union assurance level 4 (Annex II, Section 4): the highest level. The provider and subcontractors must not be subject to third-country control (Annex II, Section 4.1(g)), with no associated-third-country derogation, and a "high" cybersecurity certificate is required. This tier is designed to eliminate kill-switch exposure for the most sensitive activities.
Risk assessments and procurement
The framework is demand-driven. Article 29 would oblige Member States and Union entities to carry out risk assessments (at least every two years) to identify which public sector activities contribute to the preservation of public order. Those assessments must consider, among other things, "the risk and consequent impact on public order of possible service disruption" (Article 29(2)(c)).
Based on these assessments, Article 30 would set procurement rules:
- Bodies whose activities are not identified as contributing to public order must use services recognised at Union assurance level 1 (Article 30(2)).
- Bodies whose activities are so identified — in NIS2 sectors or in national security, defence, justice or law enforcement — must only procure services recognised at Union assurance levels 2, 3, or 4 (Article 30(3)).
This tiered approach would insulate critical functions from foreign-induced disruption while keeping a baseline of EU establishment and data localisation for everything else.
What this means for you
For public-sector procurement officers, "kill switch" risk would translate into due diligence that goes well beyond a provider's technical SLA. You would need to evaluate the legal and corporate structure of your cloud vendors and their exposure to foreign jurisdiction.
- Conduct sovereignty risk assessments. Under Article 29, you would assess your use cases. If your department handles services critical to public order (emergency management, border control, justice), you cannot simply buy the cheapest option; you must determine the appropriate Union assurance level.
- Verify assurance levels, not just certifications. A generic cybersecurity certificate (e.g. ISO 27001) is not enough. You would check the central repository that the Commission would maintain under Article 22 to confirm a provider has been formally recognised at the level your risk assessment requires.
- Plan for multi-cloud strategies. Article 29(9) would require you to consider whether a multi-vendor or multi-cloud strategy is appropriate, reducing the chance that a single foreign-controlled provider could disrupt your entire operation.
- Review existing contracts. For existing arrangements with third-country-controlled providers, assess whether they meet the new minimum (Level 1 under Article 30(2)). Where your activities are public-order relevant, you may need to migrate to a Level 2, 3, or 4 provider — within a transition period that, under Article 29(6), would not exceed 12 months.
Common misconceptions
"A European subsidiary solves the kill switch risk." Having an EU-registered entity is not enough. CADA's criteria for Levels 2, 3 and 4 focus on control. If the ultimate parent is subject to foreign laws allowing service disruption or data access, the provider would not qualify for higher levels unless effective legal, technical and organisational separation is proven and audited (Annex II, Section 2.1(k)). For Levels 3 and 4, third-country control is prohibited outright (subject only to the Article 18 derogation at Level 3).
"Cybersecurity certification equals sovereignty." The Cybersecurity Act and schemes like EUCS address technical security. They do not address the legal risk that a foreign government could lawfully order a provider to turn off a service. CADA's sovereignty framework is aimed squarely at that operational-autonomy gap.
"This only applies to defence and intelligence." While Levels 3 and 4 are associated with high-security sectors, Article 29 would require risk assessments for all relevant public sector activities. Many non-defence services (healthcare, tax administration, emergency response) may be deemed to contribute to public order and so need higher assurance than Level 1.
This is general information about a draft EU regulation, not legal advice.