Summary
Section 702 of the US Foreign Intelligence Surveillance Act (FISA) authorises US intelligence agencies to target non-US persons located outside the United States for foreign-intelligence purposes, with the compelled assistance of US electronic-communication and remote-computing providers. Because it can reach data held by US-controlled providers regardless of where that data is stored, European regulators see it as a sovereignty risk for EU data, a concern the proposed Cloud and AI Development Act (CADA) reflects when recital 46 lists "vulnerabilities arising from the extraterritorial application of third-country laws". CADA's answer is the four Union assurance levels (Article 16); the higher levels would require freedom from coercive third-country control, which would exclude many such providers from sensitive public-sector use. CADA is a proposal and not yet in force. (FISA Section 702 is US law and not part of CADA's text; this article describes the risk it creates, which CADA addresses.)
Detail
To understand the EU's proposed response to US surveillance authorities, start with the concern itself: Section 702 of the US Foreign Intelligence Surveillance Act.
What Section 702 does
Section 702 was added by the FISA Amendments Act of 2008 and has been reauthorised several times since. It permits US intelligence agencies, under targeting and minimisation procedures approved by the Foreign Intelligence Surveillance Court, to target non-US persons reasonably believed to be located outside the United States in order to acquire foreign-intelligence information, with the compelled assistance of US communications providers (a statutory category that includes providers of remote computing services, and so cloud providers). Collection can sweep in communications between those targets and US persons ("incidental" collection). It does not require an individualised judicial warrant for each foreign target in the way an ordinary domestic criminal warrant would. The practical effect for cloud computing is that data handled by US-controlled providers can, in certain circumstances, be acquired under this authority regardless of where it is stored: the compulsion attaches to the provider, not to the location of the data, which is what gives the statute its extraterritorial reach over data of European individuals and organisations.
(Because Section 702 is a US statute and is not part of the CADA text or the materials CADA relies on, this account is necessarily a general description rather than a clause-by-clause reading; CADA itself addresses the risk such laws create, not their internal mechanics.)
For European regulators, two features make Section 702 a sovereignty concern distinct from ordinary law-enforcement cooperation. First, it operates programmatically: collection proceeds under annual court-approved certifications and targeting and minimisation procedures, rather than case-by-case judicial warrants naming each subject. Second, its targets are by definition non-US persons abroad, the very category into which most EU individuals and organisations fall, so EU data handled by US-subject providers is squarely within its potential scope. The combination of broad authority and limited individual redress for non-US persons is what European data-protection authorities and courts have repeatedly flagged in the context of transatlantic data transfers, most prominently the Court of Justice in Schrems II (Case C-311/18, 2020), which invalidated the Privacy Shield adequacy decision on precisely these grounds. It is the same structural exposure CADA's sovereignty framework is built to neutralise for sensitive public-sector use.
Why this matters for CADA
CADA (COM(2026) 502 final) identifies dependence on providers subject to third-country control as a strategic risk. Recital 46 states that the Union "remains critically dependent on a limited number of cloud computing service providers subject to the control of third countries", exposing it to "critical strategic dependencies and concentration risks, including vulnerabilities arising from the extraterritorial application of third-country laws", and to reduced "control and oversight over personal and non-personal data". Recital 50 lists concrete risks the framework targets, including "access to sensitive information, unauthorised communication, technology leakage, data manipulation or exfiltration, espionage".
The explanatory memorandum makes the dependence concrete: three non-EU hyperscalers control over 70% of the European cloud market, EU providers' share fell from 29% in 2017 to 15% in 2022, and large incumbents "are subject to third-country jurisdictions where laws with an extraterritorial effect apply". Recital 47 adds that existing Union law on cybersecurity and data protection does not, on its own, establish "a harmonised understanding of what constitutes a trusted cloud computing service for mitigating such risks" — the gap CADA fills.
CADA's mechanism is the Union cloud computing sovereignty framework of four Union assurance levels (Article 16), with criteria in Annex II designed to filter out providers exposed to intrusive third-country laws.
- Level 1 requires the provider to be established in the Union, with infrastructure, assets and customer data in the Union unless the public sector body explicitly requires otherwise, transparency on subcontractors, and — where the provider is under third-country control — a guarantee that no third-country law forces early reporting of software vulnerabilities to that country's authorities (Annex II, 1.1).
- Levels 2, 3 and 4 add independent audits and stricter criteria on personnel, cybersecurity certification and third-country control. Level 2 prohibits using service data to train or fine-tune third-country-operated AI systems and requires support to be performed within the Union. Level 3 requires personnel involved in the service to be Union citizens and, in principle, rules out third-country control (with a narrow Article 18 derogation for designated associated third countries). Level 4, the highest tier, for the most sensitive data, allows no third-country-control derogation and requires that no third country holds effective control over the software supply chain.
Under Article 29, Member States and Union entities would assess which level fits each activity, weighing among other things "the risk and consequent impact on public order of unlawful access under Union law to such data by a third country or a legal entity established in a third country" (Article 29(2)(b)). Where an activity is critical to public order (national security, defence, justice and similar), Article 30(3) would require services recognised at levels 2, 3 or 4. A service exposed to authorities such as Section 702 would typically struggle to meet the higher criteria: its operator remains compellable under US law wherever the data sits, so it cannot guarantee protection against third-country access that is unlawful under Union law.
The associated-third-country mechanism (Article 18) reinforces this. For a third country's providers to be eligible even for level 3, the Commission would have to find — cumulatively — a relevant GDPR adequacy decision, no measures enabling control that conflicts with lawful-access rules for non-personal data, and no measures to compel service degradation or disruption, among other conditions. A surveillance authority that reaches data held by a country's providers would weigh directly against several of these conditions, and the Commission "shall repeal, amend or suspend" a designation if a country ceases to meet them (Article 18(2)). The framework thus treats broad foreign-surveillance authority not as a fixed fact to be tolerated but as a continuously reassessed risk that can disqualify a provider's path to the higher levels.
What this means for you
For in-house counsel and compliance officers, especially those advising providers or large public buyers:
- Procurement exposure. If you supply EU public bodies, expect mandatory risk assessments to map data sensitivity and criticality to assurance levels. A service exposed to laws such as Section 702 may be excluded from contracts involving public-order activities (levels 2–4).
- Sovereignty audits. Recognition at levels 2–4 requires an independent audit and a "positive" opinion (Article 20). Auditors would examine legal structure, data flows and exposure to third-country laws. Be ready to show that foreign access demands can be resisted through the provider's legal structure, or cannot be satisfied in practice (for instance, because customer data is encrypted under keys the provider never holds, so it has no plaintext to produce).
- Architecture and separation. Meeting higher levels may require restructuring — EU data residency, separation of EU operations from third-country subsidiaries (Annex II, 3.1(k)), and limits on third-country software components with remote-access capabilities.
- Private-sector readiness. Article 31 lets NIS2-scope private entities run similar impact assessments. Even where not mandatory, preparing is prudent: recital 66 anticipates that assurance-level requirements adopted by public authorities "tend to be mirrored by private-sector entities", so public-sector standards are likely to set the market baseline.
- Re-classification risk. Even after recognition, a provider's status is not static. Audit reports are reviewed annually (Article 20), providers must report material changes (Article 23), and the Commission may direct that a higher level applies to an activity (Article 29(5)). A change in a third country's surveillance posture could feed through into both the Article 18 designation and your own risk assessment.
Common misconceptions
- GDPR compliance is enough to address FISA risk. The GDPR governs lawful processing of personal data; it does not prevent a foreign authority from reaching data held by a provider subject to its jurisdiction. CADA targets that "sovereignty gap" through operational autonomy and protection against extraterritorial orders.
- Data localisation alone solves it. CADA requires data in the Union and, at higher levels, that the provider is not under coercive third-country control. A US provider storing data in Frankfurt remains subject to US law; assurance levels require structural and legal separation, not just location.
- CADA would ban all US providers. It would not. US providers could qualify for level 1 if they meet the criteria, including the transparency and vulnerability-reporting guarantees, but they would likely be excluded from the higher levels required for critical public-sector functions.
- Section 702 only matters for personal data. The sovereignty concern is broader. CADA's risk assessment weighs the sensitivity, criticality and magnitude of non-personal data too (Article 29(2)(a)), alongside personal data. Operationally critical or commercially sensitive non-personal data held by a US-subject provider can raise public-order concerns even where no personal data is in play, which is why CADA addresses control and autonomy generally, not just data-protection compliance.
Official sources
Related
- Why FISA 702 worries European regulators — and how CADA responds
- CLOUD Act vs FISA 702: the difference and what CADA does about it
- What is GDPR Article 48, and why does it matter for cloud sovereignty under CADA?
- Why is cloud sovereignty important for critical infrastructure? CADA
- Why is sovereignty described as layered or nuanced in CADA?
This is general information about a draft EU regulation, not legal advice.