Summary

Under the proposed Cloud and AI Development Act (CADA), an "associated third country" is a specific legal status that permits cloud providers controlled by that country to qualify for Union assurance level 3. This status is distinct from, and significantly stricter than, a standard data protection "adequacy" decision under the GDPR. While a GDPR adequacy decision is a mandatory prerequisite, it is only one of six cumulative criteria. To be designated as an associated third country, a nation must also demonstrate it does not compel service disruption, maintains an open market for EU services, and guarantees reciprocal access to public procurement. Without all six conditions met, providers controlled by that country cannot be audited for Level 3 recognition.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a nuanced sovereignty framework designed to protect the EU's public order and operational autonomy. A central component of this framework is the distinction between general data protection adequacy and the specific status of an "associated third country." Understanding this difference is critical for compliance officers, in-house counsel, and public procurement authorities managing cross-border cloud contracts.

The Role of Union Assurance Level 3 and the Control Prohibition

CADA establishes four Union assurance levels for cloud computing services. Union assurance level 3 is a high-assurance tier intended for activities contributing to the preservation of public order. Under the standard criteria set out in Annex II, Section 3.1(g), a cloud computing service provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country.

However, CADA provides a specific derogation to this strict prohibition. Article 18 allows a provider subject to the control of a third country to still be audited for and recognized at Union assurance level 3, provided that the controlling third country is formally designated as an "associated third country." This designation is not automatic; it is a complex, multi-factor assessment governed strictly by Article 18(1).

Article 18: The Six Cumulative Criteria

Article 18(1) of CADA states that the Commission may adopt decisions identifying third countries for which cloud computing service providers may be audited against the criteria for Union assurance level 3. Crucially, the third country must fulfill six cumulative criteria. This means that failing any single criterion disqualifies the country, regardless of how strong its performance is in the others.

The six criteria are:

  1. Adequacy Decision (Article 18(1)(a)): The country must be subject to a relevant adequacy decision adopted under Article 45 of the GDPR. This is the foundational hurdle, ensuring the country provides a level of data protection essentially equivalent to that guaranteed within the EU.
  2. No Extraterritorial Data Access Conflicts (Article 18(1)(b)): The country must have no measures in place that enable it to exercise control over the cloud provider in a way that conflicts with the requirements for lawful access to non-personal data set out in Article 32(2) and (3) of the Data Act. This ensures that foreign laws do not override EU rules on data access.
  3. No Service Disruption or Degradation (Article 18(1)(c)): The country must have no measures in place to compel the cloud provider to degrade or disrupt service continuity or provision. Furthermore, it must not oblige the provider to implement, enforce, or comply with restrictive measures such as sanction regimes or embargoes, unless those measures are legitimate under the national laws of Member States or Union law.
  4. No Impediment to Technology (Article 18(1)(d)): The country must have no measures in place to impede the provision of state-of-the-art technologies and services by the cloud provider.
  5. Open Market (Article 18(1)(e)): The country must maintain an open market to Union cloud computing services. This criterion addresses market access and competition, ensuring EU providers are not blocked from operating in that jurisdiction.
  6. Reciprocal Procurement Access (Article 18(1)(f)): The third country must grant equivalent levels of access to public procurement procedures of cloud computing services subject to the control of a Union Member State or entity. This ensures a level playing field for EU public sector bodies and providers.

Key Differences: Adequacy vs. Association

The primary confusion lies in assuming that an existing GDPR adequacy decision automatically qualifies a country for CADA's associated third country status. This is incorrect.

  • Scope: GDPR adequacy focuses primarily on the protection of personal data and fundamental rights. CADA's association status focuses on sovereignty, operational continuity, market reciprocity, and the prevention of service disruption.
  • Stringency: An adequate country may still have laws that allow for service disruption (e.g., via extraterritorial sanctions) or may restrict EU cloud providers from bidding on its public sector contracts. Such a country would fail the CADA test despite having a valid adequacy decision.
  • Dynamic Assessment: Under Article 18(2), if available information reveals that a third country no longer fulfills the requirements, the Commission must repeal, amend, or suspend the decision. This creates a dynamic monitoring requirement that goes beyond the static nature of many adequacy assessments.

The Commission's Assessment Process

When evaluating a country, the Commission must assess whether the adequacy decision applies generally to the country or is limited to specific sectors. It must also determine if the adequacy decision covers the specific processing activities involved in the cloud service provision (Recital 61). If transfers remain subject to additional safeguards, the country may still qualify, but the assessment becomes more complex. The Commission publishes a list of third countries that fulfill the requirements and those that no longer do so, ensuring transparency.

What this means for you

For in-house counsel, compliance officers, and public procurement authorities, the distinction between an adequate country and an associated third country has direct implications for procurement strategy, risk assessment, and contract management.

1. Procurement Strategy and Assurance Levels

If your organization is a public sector body or a Union entity, you must determine the required Union assurance level for your cloud services based on your risk assessment under Article 29. If your activities are deemed to require Union assurance level 3 (e.g., due to public order relevance in sectors like law enforcement or defence), you can only procure from providers that are either:

  • Not controlled by a third country; or
  • Controlled by a country officially designated as an "associated third country" under Article 18.

Relying solely on a GDPR adequacy decision is insufficient to meet the procurement requirements for Level 3 services. You must verify the current status of the provider's controlling jurisdiction in the Commission's official list of associated third countries.

2. Contractual Due Diligence

When negotiating with cloud providers established in or controlled by third countries, you must include specific due diligence clauses. You need to verify not just their data protection compliance, but also:

  • Whether their home country has laws that could compel service degradation or data access in conflict with EU law (Article 18(1)(b) and (c)).
  • Whether the provider is subject to extraterritorial sanctions regimes that could disrupt service.
  • Whether the provider can demonstrate that their controlling jurisdiction maintains an open market for EU services (Article 18(1)(e)).

3. Monitoring for Changes

Because the Commission can suspend association status if a country no longer meets the criteria (Article 18(2)), you must implement a monitoring mechanism. If a provider's controlling country loses its associated status, your contract may no longer satisfy the sovereignty requirements of your risk assessment. You should include clauses that allow for renegotiation or termination if the provider's sovereignty status changes, ensuring continuity of compliance.

4. Reciprocity and Market Access

For EU-based cloud providers looking to expand, understanding Article 18(1)(f) is vital. To help your home country achieve associated status, you must demonstrate that you have access to public procurement markets in that third country. Lack of reciprocity can block the entire country from achieving status, thereby blocking all providers controlled by that country from offering Level 3 services in the EU. This makes market access a strategic lever for EU digital sovereignty.

Common misconceptions

Misconception 1: "If a country has a GDPR adequacy decision, its cloud providers automatically qualify for Union assurance level 3." Reality: No. Adequacy is only one of six cumulative criteria. A country can have an adequacy decision but still fail the CADA test if it restricts EU market access, compels service disruption, or lacks reciprocal procurement access.

Misconception 2: "Associated third country status applies to all assurance levels." Reality: Article 18 specifically allows providers from these countries to be audited against the criteria for Union assurance level 3. It does not automatically grant access to Level 4 (which maintains a strict prohibition on third-country control without derogation) nor does it simplify the requirements for Level 1 or 2.

Misconception 3: "The Commission assesses these countries annually." Reality: The regulation does not set a fixed annual review cycle for Article 18 designations. Instead, the Commission acts when "available information reveals that the third country no longer fulfills the requirements" (Article 18(2)). This implies a continuous, event-driven monitoring process rather than a periodic checklist.

Misconception 4: "Only the cloud provider's location matters." Reality: CADA focuses on control. Even if a provider is established in the EU, if it is controlled by a legal entity in a third country that is not an associated third country, it may be excluded from Union assurance level 3. The status of the controlling jurisdiction is paramount.

This is general information about a draft EU regulation, not legal advice.