Summary In the context of the proposed Cloud and AI Development Act (CADA), the "corporate veil" problem arises when a cloud provider's local EU subsidiary is legally distinct from, but operationally or financially controlled by, a third-country parent, so that foreign law can reach EU data through the parent. Under Article 16 and Annex II, CADA would require strict legal, technical and organisational separation between the EU entity and any third-country subsidiary as a condition for the higher sovereignty assurance levels. Without that separation, the subsidiary cannot credibly guarantee that a foreign government will be unable to compel access to data or disrupt the service, which renders the service non-sovereign for critical public sector use. Crucially, Recital 46 highlights that dependence on providers "subject to the control of third countries" exposes the Union to risks of "misuse," "access to information," and "dependency vulnerabilities," regardless of where the data physically resides.

Detail

The concept of the "corporate veil" in cloud sovereignty refers to the legal fiction that separates a parent company from its subsidiaries. In a traditional corporate structure, a subsidiary is a distinct legal entity with its own liabilities and obligations. In the context of cloud computing and data sovereignty, however, this separation can be illusory. If a third-country parent holds a controlling interest, appoints key board members, or controls the underlying software and infrastructure, a foreign government can potentially compel the parent to access data stored by the EU subsidiary or to degrade its service. This creates a critical vulnerability for EU public order and data confidentiality.

The Problem of Third-Country Control

CADA explicitly addresses the risk that cloud services provided by entities subject to third-country control may be susceptible to extraterritorial laws. Recital 46 of the proposal states that the Union remains critically dependent on providers "subject to the control of third countries or legal entities established in third-countries." This dependence exposes the Union to risks such as "misuse (i.e. manipulation, remote access and control, sabotage, weaponisation), access to information... and dependency vulnerabilities (i.e. political and/or economic coercion... vendor or technology lock-ins)."

The core issue is that even if a cloud provider operates a local entity within the EU, that entity may not be able to resist a lawful order from the parent's home jurisdiction if it is under the effective control of a third-country parent. This is exemplified by the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act). Under Section 2713 of the US Stored Communications Act (added by the CLOUD Act), a provider of electronic communication service or remote computing service shall comply with obligations to disclose the contents of communications "regardless of whether such communication... is located within or outside of the United States," provided the data is in the provider's "possession, custody, or control."

If a US parent company controls the technical architecture, administrative access, or key personnel of its EU subsidiary, the US government may argue that the data is under the control of the US entity, thereby piercing the corporate veil. The subsidiary's local incorporation becomes irrelevant if the parent can remotely access the data or force the subsidiary to comply with US orders. CADA recognises this gap: mere data localisation is insufficient if the control over that data remains with a third-country entity.

CADA's Sovereignty Framework and Assurance Levels

To mitigate these risks, CADA establishes a Union cloud computing sovereignty framework in Article 16, comprising four assurance levels. The criteria for these levels, detailed in Annex II, impose increasingly stringent requirements to prevent third-country control from compromising EU data.

  • Union Assurance Level 1: This baseline level requires that if the provider is subject to third-country control, it must guarantee that no existing laws in that third country require it to report software vulnerabilities to foreign authorities before they are exploited (Annex II, Section 1.1(g)). However, it does not strictly prohibit third-country control, making it insufficient for high-risk public order activities.
  • Union Assurance Level 2: This level introduces stricter controls. If the provider or its subcontractors are subject to third-country control, they must demonstrate that the control is not exercised in a manner that restricts the provider's ability to perform services, imposes limitations on infrastructure, or undermines capabilities (Annex II, Section 2.1(g)). Crucially, it requires measures to prevent access by a third country to customer data and to prevent disruption of service continuity (Annex II, Section 2.1(g)(ii)-(iii)).
  • Union Assurance Level 3: This level is significantly more restrictive. Annex II, Section 3.1(g) states that the audited provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country. There is a narrow derogation: a provider subject to third-country control may still be audited for Level 3 only if the Commission has adopted an implementing act under Article 18 (Associated third countries) confirming that the third country provides sufficient safeguards. Even then, strict separation measures must be proven. The cross-reference for this derogation is Article 18, not Article 19 (see Common misconceptions below).
  • Union Assurance Level 4: Similar to Level 3, Annex II, Section 4.1(g) mandates that the provider and subcontractors are not subject to third-country control, with no derogation for associated third countries. This level is reserved for the most sensitive public order activities.

The Requirement for Separation: Piercing the Veil

For providers that maintain a global presence with subsidiaries in third countries, CADA imposes a specific burden to prove effective separation. Annex II, Section 2.1(k) requires that if an audited provider provides services globally and maintains a subsidiary in a third country, it must demonstrate that it has implemented necessary measures to ensure and enforce the effective legal, technical and organisational separation between the Union parent company (or the EU entity providing the service) and the third-country subsidiary.

This separation must be verifiable through audits. Annex III (Audit Evidence) details that auditing organisations must verify:

  • The subsidiary is legally and operationally independent.
  • The subsidiary has no access to systems processing or storing EU customer data.
  • The subsidiary has no privileged accounts within EU production environments (e.g., Identity and Access Management, Privileged Access Management).
  • Personnel of the subsidiary cannot obtain access to EU customer data.
  • All foreign government requests received by the subsidiary are formally redirected to the competent Union entity for legal assessment under Union law.
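
The Annex III bullets above are what an auditor has to evidence, and the ones about privileged accounts and personnel access are checkable against an identity inventory. The following is an added, illustrative check; it is not part of CADA, Annex III, or any provider's tooling. Given an exported inventory of role bindings, groups and identity-provider trusts for an EU production scope, it lists every access path that originates in an identity domain assumed to belong to the third-country subsidiary, expanding nested groups and inspecting federation trusts rather than only direct bindings. The scope label, role names, domain names, inventory format and the sample inventory are all constructed assumptions for the illustration.

```python
"""Illustrative separation check for an EU production IAM inventory.

Added example, not CADA text and not any provider's tooling. The scope label,
role names, domains and the record formats below are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse

# --- Assumptions for the illustration ---------------------------------------
EU_PROD_SCOPES = {"eu-prod"}  # scopes that process or store EU customer data
PRIVILEGED_ROLES = {"owner", "admin", "break-glass", "kms-decrypt", "storage-read"}
THIRD_COUNTRY_DOMAINS = {"us.example-cloud.com", "corp.example-parent.com"}


@dataclass(frozen=True)
class RoleBinding:
    principal: str  # "user@domain", "sa:name@domain" or "group:<name>"
    role: str
    scope: str


@dataclass(frozen=True)
class Group:
    name: str
    members: tuple[str, ...]  # members may themselves be "group:<name>"


@dataclass(frozen=True)
class FederationTrust:
    scope: str
    issuer: str  # IdP issuer URL trusted for sign-in to the scope


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" for privileged access or a trusted IdP, else "medium"
    kind: str
    detail: str


def domain_of(principal: str) -> str:
    """Identity domain of a user/service-account principal (or a bare hostname)."""
    return principal.rsplit("@", 1)[-1].lower()


def is_third_country(principal: str, domains=THIRD_COUNTRY_DOMAINS) -> bool:
    """True if the principal's domain is, or is under, a third-country domain."""
    d = domain_of(principal)
    return any(d == td or d.endswith("." + td) for td in domains)


def expand_principal(principal: str, groups: dict[str, Group], _seen=None) -> set[str]:
    """Resolve a principal to the concrete identities behind it, following
    nested groups and tolerating membership cycles."""
    _seen = set() if _seen is None else _seen
    if not principal.startswith("group:"):
        return {principal}
    name = principal[len("group:"):]
    if name in _seen or name not in groups:
        return set()
    _seen.add(name)
    out: set[str] = set()
    for member in groups[name].members:
        out |= expand_principal(member, groups, _seen)
    return out


def audit_separation(bindings, groups, trusts) -> list[Finding]:
    """Every path by which a third-country identity reaches an EU prod scope."""
    findings: list[Finding] = []
    for b in bindings:
        if b.scope not in EU_PROD_SCOPES:
            continue
        for identity in sorted(expand_principal(b.principal, groups)):
            if not is_third_country(identity):
                continue
            privileged = b.role in PRIVILEGED_ROLES
            via = f" via {b.principal}" if b.principal.startswith("group:") else ""
            findings.append(Finding(
                "high" if privileged else "medium",
                "privileged-access" if privileged else "access",
                f"{identity} holds {b.role} on {b.scope}{via}",
            ))
    for t in trusts:
        host = urlparse(t.issuer).hostname or ""
        if t.scope in EU_PROD_SCOPES and is_third_country(host):
            findings.append(Finding("high", "idp-trust", f"{t.scope} trusts IdP {host}"))
    return findings


# Constructed sample inventory (not real data): one clean EU admin, a global
# on-call group that transitively contains parent-company staff, a non-privileged
# third-country viewer, an out-of-scope binding, and two IdP trusts.
SAMPLE_BINDINGS = [
    RoleBinding("alice@eu.example-cloud.eu", "admin", "eu-prod"),
    RoleBinding("group:global-sre", "break-glass", "eu-prod"),
    RoleBinding("carol@us.example-cloud.com", "viewer", "eu-prod"),
    RoleBinding("bob@us.example-cloud.com", "admin", "us-prod"),
]
SAMPLE_GROUPS = {
    "global-sre": Group("global-sre", ("alice@eu.example-cloud.eu", "group:parent-oncall")),
    "parent-oncall": Group("parent-oncall", ("dave@corp.example-parent.com", "group:global-sre")),
}
SAMPLE_TRUSTS = [
    FederationTrust("eu-prod", "https://login.eu.example-cloud.eu/"),
    FederationTrust("eu-prod", "https://sts.corp.example-parent.com/"),
]


def run_sample() -> list[Finding]:
    return audit_separation(SAMPLE_BINDINGS, SAMPLE_GROUPS, SAMPLE_TRUSTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.kind}: {f.detail}")
```

Two design choices matter for the audit point. Group expansion is what surfaces the parent's on-call engineer holding break-glass on EU production through a nested group, which a check of direct bindings alone would miss; and the federation trust check catches the case where the local directory looks clean but sign-in to the EU scope is accepted from an identity provider the parent operates, so the parent can mint credentials regardless of what the EU tenant shows. A non-privileged third-country binding is still reported, since the evidence list requires that subsidiary personnel cannot obtain access to EU customer data at all, not merely that they lack administrative roles.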

Failure to demonstrate this separation means the provider cannot achieve Assurance Levels 2, 3, or 4, effectively excluding it from public procurement for critical public sector activities. The "corporate veil" is only respected if the provider can prove that the foreign parent has no effective control over the EU operations.

What this means for you

For in-house counsel and compliance officers, the proposed CADA framework transforms corporate structure from a matter of tax and liability into a critical compliance and market access issue.

  1. Risk Assessments are Mandatory: Under Article 29, Member States and Union entities must conduct risk assessments to determine which assurance level is required for their cloud services. If your organisation processes data relevant to public order (e.g., healthcare, energy, justice), you will likely be required to procure services at Assurance Levels 2, 3, or 4 (Article 30(3)).
  2. Audit Readiness: If you are a cloud provider aiming for Assurance Levels 2–4, you must be prepared for independent third-party audits (Article 20). You must have documented evidence of the separation between your EU operations and any third-country subsidiaries. This includes technical logs, access control policies, and legal structures proving that foreign parents cannot remotely access or disrupt EU-hosted data.
  3. Procurement Implications: Contracting authorities must only procure services meeting the required assurance level. If a provider cannot prove separation from a third-country controller, it will be ineligible for these contracts. This creates a significant competitive disadvantage for global hyperscalers that cannot decouple their EU operations from their foreign parent structures.
  4. Penalties and Compensation: Non-compliance with the sovereignty framework can lead to penalties. Article 24 requires Member States to lay down rules on penalties that are effective, proportionate and dissuasive. Additionally, recipients of cloud services have the right to seek compensation for damages suffered due to infringements of these obligations (Article 24(3)).

Common misconceptions

  • "An EU subsidiary is automatically sovereign." This is incorrect under CADA. A local legal entity does not guarantee sovereignty if it is controlled by a third-country parent. The proposal explicitly targets the control relationship, not just the location of the entity. Without proven separation, the subsidiary is viewed as an extension of the foreign controller.

  • "The GDPR adequacy decision solves the sovereignty problem." No. While an adequacy decision (under GDPR Article 45) allows for data transfers, it does not prevent a third country from accessing data for national security or law enforcement purposes that may conflict with EU interests. CADA's assurance levels go beyond data transfer legality to address operational autonomy and the risk of service disruption or coercion.

  • "Only US providers are affected." While the US CLOUD Act is a primary driver, the CADA framework applies to any third-country control. Providers from any jurisdiction that lacks the safeguards defined in Article 18 (Associated third countries) will face the same restrictions if they cannot prove separation from their foreign controllers.

  • "L3 cybersecurity certification is 'high'." Under Annex II, Level 3 requires a cybersecurity certificate of at least assurance level 'substantial'. Only Level 4 requires a 'high' assurance level. Confusing these levels can lead to non-compliance.

  • "Third-country derogations are in Article 19." The mechanism for recognising third countries with sufficient safeguards is found in Article 18, not Article 19. Article 19 relates to conformity self-assessment for Level 1.

This is general information about a draft EU regulation, not legal advice.