Summary
Extraterritoriality is when a country's law reaches beyond its borders: for example, when it compels a provider to disclose data or disrupt a service regardless of where that data sits or where the provider operates. The proposed Cloud and AI Development Act (CADA) treats this as a primary sovereignty risk: recital 46 lists "vulnerabilities arising from the extraterritorial application of third-country laws" among the dependencies it seeks to address. CADA's response is the four Union assurance levels (Article 16), whose criteria, especially at levels 3 and 4, require freedom from coercive third-country control. The US CLOUD Act and FISA Section 702 are the standard examples. CADA is a proposal and not yet in force.
Detail
Extraterritoriality in cloud computing arises when a nation's laws compel a provider to disclose data, degrade service, or comply with sanctions irrespective of where the data is stored or where the provider's operations physically sit. The result can be conflicting obligations across jurisdictions for one and the same service.
CADA's framing of extraterritorial risk
CADA (COM(2026) 502 final) identifies extraterritorial legal reach as a key driver. Recital 46 states that the Union "remains critically dependent on a limited number of cloud computing service providers subject to the control of third countries or legal entities established in third-countries", which exposes it to "critical strategic dependencies and concentration risks, including vulnerabilities arising from the extraterritorial application of third-country laws", as well as to reduced control over data and infrastructure and the risk of "undue economic or political influence".
The proposal's explanatory memorandum sharpens the point, observing that large market incumbents "are subject to third-country jurisdictions where laws with an extraterritorial effect apply, including laws mandating data access and transfer that may conflict with EU fundamental rights and data protection frameworks", and that this also "exposes European users to the risks related to operational discontinuity". Recital 50 expands the catalogue of harms, from "manipulation, remote access and control, sabotage, weaponisation" to "espionage" and "political and/or economic coercion ... by using vendor or technology lock-ins, embargos or sanctions".
To mitigate this, Article 16 establishes a Union cloud computing sovereignty framework of four assurance levels, with criteria in Annex II, that providers must meet to serve Union entities and public sector bodies. The criteria are designed to keep extraterritorial reach from undermining public order:
- Level 1. The provider is established in the Union and infrastructure and assets remain in the Union; where the provider is under third-country control, it guarantees that no third-country law forces early reporting of software vulnerabilities to that country's authorities (Annex II, 1.1(g)).
- Levels 2, 3 and 4. Independent audits and progressively stricter control criteria. At levels 3 and 4 the provider and subcontractors must in principle not be under third-country control (Annex II, 3.1(g) and 4.1(g)). A narrow derogation applies at level 3 where the Commission has designated an associated third country (Article 18); there is no such derogation at level 4.
The US CLOUD Act as a primary example
The best-known instance of extraterritoriality in cloud law is the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act). Its core provision, 18 U.S.C. § 2713, requires a provider of electronic communication service or remote computing service to preserve, back up or disclose the contents of communications and records within its "possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States."
In practice, a US-based provider can be compelled to produce data stored in an EU data centre in response to valid US legal process. For an EU public body that needs its data shielded from foreign access, this is the precise risk CADA's higher assurance levels are meant to remove.
FISA Section 702
A second example is Section 702 of the US Foreign Intelligence Surveillance Act. It is not a cloud-specific statute; it authorises US intelligence agencies to target non-US persons located outside the United States for foreign-intelligence purposes, with data held by US communications and internet providers. Where a European entity uses a US-controlled cloud service, its data may be reached under this authority, another form of extraterritorial effect. CADA addresses this for high-risk public-sector use by requiring higher assurance levels that exclude the relevant third-country control. (The detailed mechanics of Section 702 are US law and outside CADA's text; CADA addresses the risk such laws create, as flagged in recital 46.)
Managing extraterritorial risk through Article 18
Article 18 is the proposal's calibrated mechanism for handling foreign-controlled providers without a blanket exclusion. The Commission may, by implementing act, designate a third country whose providers may be audited for level 3, but only where that country meets all of a set of cumulative conditions, including: a relevant GDPR adequacy decision; no measures enabling control that conflicts with the lawful-access rules for non-personal data in Article 32 of Regulation (EU) 2023/2854; no measures to compel service degradation or disruption, or to force compliance with sanction regimes or embargoes (unless legitimate under Member State or Union law); no measures impeding state-of-the-art technologies; an open market to Union cloud services; and equivalent access to its public procurement for Union-controlled providers. Critically, where information shows that a country no longer meets these conditions, the Commission "shall repeal, amend or suspend" the designation (Article 18(2)), and it publishes the list of qualifying and disqualified countries (Article 18(3)). Extraterritorial legal risk is thus continuously assessed, not fixed at a point in time.
Procurement obligations
Under Article 29, Member States and Union entities would run risk assessments to determine the assurance level appropriate to each activity. Where an activity contributes to public order (NIS2 sectors, national security, justice, law enforcement and similar), Article 30(3) would require procurement only of services recognised at levels 2, 3 or 4, effectively barring services where extraterritorial legal risk cannot be adequately mitigated.
What this means for you
For in-house counsel and compliance officers, CADA would shift sovereignty from contractual assurance to auditable regulatory compliance:
- Audit your cloud stack. Assess whether your providers meet the level your risk assessment requires. If you are a public body or NIS2-scope entity, verify that the provider is not under third-country control that could trigger extraterritorial access, and check whether it is recognised under the framework once it applies.
- Expect independent audits. Providers seeking levels 2–4 must obtain a "positive" audit opinion (Article 20). As a buyer, ensure your contracts let the provider share the audit evidence you need for your own assessment.
- Track third-country designations. The Commission may designate associated third countries for level 3 (Article 18) and may repeal, amend or suspend a designation where the conditions cease to be met (Article 18(2)). A change could require migrating workloads.
- Align procurement policy. Article 32 allows EU added-value award criteria; though they cannot be decisive on their own, they can favour providers that reduce extraterritorial exposure.
Common misconceptions
GDPR compliance eliminates extraterritorial risk. The GDPR regulates personal-data transfers; it does not stop a third country from legally compelling a provider to access data. CADA targets the gap by focusing on operational autonomy and control, not only data protection.
Data localisation solves it. Storing data in the EU does not protect it if the provider is under third-country control. At levels 2–4, location is only one factor; the legal control over the provider and the absence of compelling third-country laws matter equally.
All providers face the same rules. CADA differentiates by assurance level. A level 1 provider may still be under some third-country control if it meets the transparency and vulnerability-reporting criteria. For public-order activities, only levels 2–4 are permitted, which largely exclude providers under coercive third-country control.
The CLOUD Act applies to every US company. It applies to providers subject to US jurisdiction. Under CADA, a provider may still pursue lower assurance levels if it can demonstrate the required separation, but proving freedom from such control at levels 3 and 4 is demanding.
Official sources
This is general information about a draft EU regulation, not legal advice.