Summary
Jurisdictional risk in cloud computing is the exposure of EU data and operations to foreign legal systems, especially when a provider is controlled by a third-country entity. As proposed in the Cloud and AI Development Act (CADA), this risk would be addressed through a sovereignty framework that requires public sector bodies to assess whether a provider is subject to third-country control and, where activities matter for public order, to procure services meeting stricter Union assurance levels designed to block extraterritorial access and service disruption.
Detail
Defining jurisdictional risk
Jurisdictional risk is not only about where data is stored, but about who controls the infrastructure and who can legally compel access to it. It arises when a provider is subject to the laws of a non-EU country, creating a vulnerability where foreign authorities could access EU data or disrupt services in ways that conflict with EU fundamental rights and public order.
Recital 46 of the CADA proposal identifies this threat directly, noting that the Union "still remains critically dependent on a limited number of cloud computing service providers subject to the control of third countries or legal entities established in third-countries", which exposes the Union to "critical strategic dependencies and concentration risks, including vulnerabilities arising from the extraterritorial application of third-country laws".
CADA's response: the sovereignty framework
To address these risks, CADA would introduce a Union cloud computing sovereignty framework (Article 16), categorising services into four Union assurance levels with criteria set out in Annex II. The level required would depend on a risk assessment conducted by the Member State or Union entity regarding the sensitivity of the data and the importance of the activity to public order (Article 29).
The core mechanism for mitigating jurisdictional risk lies in the criteria for Union assurance levels 2, 3 and 4:
- Union assurance level 2: if a provider (or relevant subcontractor) is subject to third-country control, it must demonstrate legal, technical and organisational measures ensuring that the control does not restrict its ability to perform the service or undermine the capabilities and standards needed, that access by the third country to customer data is prevented, and that disruption of service continuity or degradation of service quality by the third country is prevented (Annex II, point 2.1(g)).
- Union assurance level 3: the provider and its subcontractors must, in principle, not be subject to third-country control. By way of derogation, a third-country-controlled provider may be audited for level 3 only where the Commission has adopted an implementing act recognising that third country as providing sufficient assurances (Article 18); even then, the provider must still demonstrate the safeguards in point 3.1(g).
- Union assurance level 4: the provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country, with no derogation at this highest level (Annex II, point 4.1(g)).
The role of risk assessments
Member States and Union entities would conduct risk assessments to identify which public sector activities contribute to the preservation of public order and which Union assurance level is appropriate (Article 29). These assessments must consider at least:
- The sensitivity, criticality and magnitude of the data processed (Article 29(2)(a)).
- The risk and impact on public order of unlawful access to that data by a third country or a legal entity established in a third country (Article 29(2)(b)).
- The risk and impact on public order of possible service disruption (Article 29(2)(c)).
Based on these assessments, contracting authorities whose activities contribute to public order would be required to procure services recognised at Union assurance levels 2, 3 or 4 (Article 30).
What this means for you
For in-house counsel and compliance officers, CADA as proposed would turn jurisdictional risk from a theoretical concern into a concrete procurement and compliance obligation.
1. Conduct rigorous risk assessments
Public sector bodies would perform risk assessments within one year of entry into force and every two years thereafter (Article 29). You would need to evaluate whether your cloud use involves data or activities contributing to public order. If so, standard commercial contracts would not suffice; you would need a provider recognised at the required assurance level.
2. Scrutinise third-country control
Look beyond the EU subsidiary to determine whether the provider is subject to the control of a third-country entity. CADA defines "control" by reference to Regulation (EU) 2021/697 (Article 2, point (6) of that Regulation). If a provider is third-country-controlled, verify that it has implemented the legal, technical and organisational measures required by Annex II to block extraterritorial access and service disruption.
3. Verify recognition, not marketing
Before procurement, confirm the service is recognised as offering the required Union assurance level. Recognition would be granted by the national competent authority of the provider's establishment, after a conformity self-assessment (level 1) or an independent third-party audit (levels 2–4) (Article 17). Look for the service in the Commission's central repository (Article 22) rather than relying on marketing claims.
4. Prepare for penalties
Member States would lay down rules on penalties for infringements of the sovereignty chapter by providers; these must be effective, proportionate and dissuasive (Article 24). National law would set the specifics. Recipients of cloud services would also have a right to seek compensation for damage caused by a provider's infringement (Article 24(3)). Monitor national transposition to gauge financial exposure.
Common misconceptions
Misconception 1: Data localisation solves jurisdictional risk. Keeping data in the EU does not eliminate jurisdictional risk. Even with EU-resident data, a third-country-controlled provider may be compelled by foreign law to grant remote access or disrupt the service. Annex II addresses this by requiring measures to prevent third-country access and disruption regardless of physical data location.
Misconception 2: A GDPR adequacy decision is sufficient. CADA's Article 18 pathway for third countries does require a relevant adequacy decision under Article 45 of the GDPR — but it also requires additional cumulative criteria, including the absence of measures that would conflict with lawful-access rules, no measures to compel service degradation or disruption, and equivalent market and procurement access. Adequacy alone would not satisfy CADA's sovereignty criteria.
Misconception 3: Only non-EU providers are at risk. An EU-established provider can still be subject to third-country control if it is owned or controlled by non-EU entities. CADA's criteria turn on the control structure, not just the legal seat.