Summary

As proposed in the Cloud and AI Development Act (CADA), foreign ownership risk is the legal and operational exposure created when a cloud computing service provider is subject to the control of a third country or a legal entity established in a third country. As the proposal frames it, such control creates critical strategic dependencies and concentration risks — unauthorised data access, service disruption and undue economic or political influence. Under CADA's sovereignty framework, providers under such control would face stricter audit criteria and could be excluded from the most sensitive public-sector activities unless specific safeguards are met.

Detail

The proposed CADA, COM(2026) 502 final, treats dependence on cloud providers controlled by third countries as a primary threat to the Union's economic security and technological autonomy. As proposed, the risk turns not on where a company is incorporated, but on who effectively controls its strategic decisions and operational continuity.

The nature of the risk. Recital 46 states that the Union "still remains critically dependent on a limited number of cloud computing service providers subject to the control of third countries or legal entities established in third-countries," exposing it to several risks:

  • Extraterritorial laws: third-country laws may mandate data access or transfer, conflicting with EU fundamental rights and data-protection frameworks.
  • Operational discontinuity: unilateral third-country decisions could disrupt continuity, quality and resilience of services.
  • Loss of control: reduced oversight over personal and non-personal data, infrastructure and technology systems under Union jurisdiction.

Defining "control." CADA does not restate a standalone definition in its operative articles. Article 2, point (21), defines "control" by reference to Article 2, point (6), of Regulation (EU) 2021/697. As generally understood, that concept captures the ability to exercise decisive influence over an undertaking — directly or indirectly, through ownership, financial participation, voting rights, or contractual or other arrangements.

Impact on Union assurance levels. The sovereignty framework in Article 16 (with criteria in Annex II) creates four Union assurance levels (1–4). Foreign ownership and control directly affect which levels a provider can reach:

  • Union assurance level 1: where the provider is subject to third-country control, it must guarantee that no laws or practices in that country require it to report software vulnerabilities to that country's authorities before those vulnerabilities are known to have been exploited (Annex II, 1.1(g)).
  • Union assurance levels 2 and 3: where the provider (and relevant subcontractors) is subject to third-country control, it must demonstrate that legal, technical and organisational measures ensure that the control does not restrain its ability to perform the service, does not allow third-country access to customer data, does not enable disruption or degradation of the service, and does not oblige it to apply third-country sanctions or embargoes (Annex II, 2.1(g) and 3.1(g)).
  • Union assurance level 4: the provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country (Annex II, 4.1(g)). There is no derogation at level 4, which makes it inaccessible to providers under such control.

Associated third countries. Article 18 introduces a mechanism for the Commission to identify third countries whose providers may, by way of derogation, be audited against the criteria for Union assurance level 3. The country must meet cumulative criteria, including:

  • a GDPR adequacy decision under Article 45 of Regulation (EU) 2016/679;
  • no measures enabling control that conflicts with lawful access to non-personal data under Article 32 of Regulation (EU) 2023/2854;
  • no measures to compel service degradation or disruption, or to oblige the provider to apply sanctions or embargoes;
  • no measures impeding state-of-the-art technologies;
  • an open market to Union cloud services; and
  • equivalent access to its public procurement.

What this means for you

For in-house counsel and compliance officers, CADA would shift the focus from simple data residency to corporate governance and supply-chain transparency. You would need to assess whether your organisation or its providers fall under third-country control.

1. Conduct a control assessment. Map ownership up to the ultimate owners. Under Annex III, Audit criterion G (absence of third-country control), auditing organisations analyse, among other things:

  • all direct and indirect shareholders, up to the ultimate owners;
  • the cap table and the voting rights;
  • the composition of governing bodies and the rules for their appointment, election or removal;
  • commercial and financial links that could confer control.

Where the provider is subject to third-country control, verify that it has implemented the Annex II measures needed to prevent that control from being exercised against EU interests.

2. Align procurement with risk assessments. Under Article 29, Member States and Union entities determine which assurance level is appropriate. For activities contributing to the preservation of public order, you may be required to procure only services recognised at level 2, 3 or 4 (Article 30(3)). A provider under third-country control would be ineligible for level 4 and may struggle to meet the criteria for levels 2 and 3.

3. Prepare for independent audits. Recognition at levels 2, 3 or 4 requires independent third-party audits (Article 20). Expect scrutiny of independence from third-country influence — separation between any EU parent and third-country subsidiaries, controls preventing remote access or control from third-country jurisdictions, and records of how third-country authority requests have been handled.

4. Monitor for penalties. Article 24 requires Member States to lay down effective, proportionate and dissuasive penalties. The criteria for imposing them include the nature, gravity, scale and duration of the infringement and any financial benefits gained. Supplying incorrect or misleading information about ownership or control can also lead to revocation of recognition (Article 17(11)).

Common misconceptions

"If our provider is incorporated in the EU, there is no foreign ownership risk." Incorporation is not enough. CADA looks at effective control. An EU-incorporated company can still be subject to control by a third-country entity that holds decisive influence over strategy, board composition or resources. Annex III, Audit criterion G requires analysis of ownership up to the ultimate owners, regardless of where the immediate provider is registered.

"Data localisation solves the sovereignty problem." Although higher levels require data to remain in the Union, localisation alone does not remove third-country control risk. Recital 48 notes that providers' tailored service versions "do not address the core sovereignty issues allowing for the extraterritorial reach of third-country laws and the possible degradation or disruption of the service." A controller could still legally compel disruption or access even where data physically resides in the EU.

"Only non-EU companies face these restrictions." EU-based providers can also be subject to third-country control through foreign investment or ownership structures granting decisive influence. The criteria apply to any provider that is subject to the control of a third country or a legal entity established in a third country, regardless of headquarters location.

This is general information about a draft EU regulation, not legal advice.