Summary

Under the proposed Cloud and AI Development Act (CADA), the distinction between "lawful" and "unlawful" foreign access is not a shield for compliance; rather, it is the core vulnerability the legislation seeks to close. While "unlawful" access refers to criminal hacking or unauthorized breaches, "lawful" access refers to data disclosure compelled by third-country laws with extraterritorial effect. CADA posits that even lawful access undermines EU sovereignty because it strips the Union of control and oversight over its data and infrastructure. As stated in Recital 46, dependence on providers subject to third-country control exposes the EU to risks regardless of whether the access is criminal or legally mandated. Consequently, CADA's sovereignty framework (Article 16) focuses on jurisdictional control rather than just preventing abuse, requiring public procurement to avoid providers subject to foreign legal compulsion unless strict safeguards (Article 18) are met.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, fundamentally reorients the EU's approach to cloud security. It moves beyond the traditional cybersecurity paradigm—which focuses on preventing unauthorized, criminal access—to a sovereignty paradigm that addresses the risks of lawful access by third-country authorities. This shift is critical because, in the context of cloud infrastructure, a government order that is "lawful" in a third country (e.g., under the US CLOUD Act or similar legislation) can still constitute a direct threat to EU public order, strategic autonomy, and the fundamental rights of EU citizens.

The Sovereignty Threat of Lawful Access

The proposal explicitly identifies that the primary risk to the EU is not merely the theft of data by bad actors, but the loss of control due to the legal jurisdiction of the service provider. Recital 46 states that the Union's dependence on cloud computing service providers subject to the control of third countries exposes it to "reduced control and oversight over personal and non-personal data and infrastructure."

This reduction in control is not contingent on the third country acting illegally. The proposal notes that large market incumbents are often subject to jurisdictions where "laws with an extraterritorial effect apply, including laws mandating data access and transfer that may conflict with EU fundamental rights and data protection frameworks."

Recital 50 further elaborates on the specific risks arising from this dependence. It categorizes the threats into three areas:

  1. Misuse: Including manipulation, remote access, control, sabotage, and weaponisation.
  2. Access to Information: Including access to sensitive information, unauthorised communication, technology leakage, data manipulation, exfiltration, and espionage.
  3. Dependency Vulnerabilities: Including political and/or economic coercion, such as vendor lock-ins, embargoes, sanctions, or monopoly pricing.

Crucially, the proposal frames these risks as stemming from the control exerted by the third country. If a third country has the legal power to compel a provider to disclose data (lawful access), the EU loses its ability to guarantee that data remains under its jurisdiction. This is distinct from "unlawful" access, which implies a breach of security protocols. "Lawful" access implies a breach of sovereignty: the provider is legally bound to obey a foreign authority, potentially against the will of the EU and its Member States.

Jurisdiction vs. Abuse: The Core of CADA

The CADA proposal makes a clear distinction between cybersecurity (protecting against abuse) and sovereignty (protecting against jurisdiction).

Recital 48 notes that existing cloud service offerings, even those tailored for the EU, "do not address the core sovereignty issues allowing for the extraterritorial reach of third-country laws." A provider might have perfect cybersecurity (preventing unlawful hacking) but still be legally obligated to hand over data to a foreign government upon request (lawful access).

Therefore, CADA's framework, established in Article 16, is not designed to stop hackers, but to stop jurisdictional overreach. The framework establishes four Union assurance levels (Levels 1–4) based on criteria in Annex II. These criteria are cumulative and increasingly strict, focusing on:

  • Establishment: The provider must be established in the Union.
  • Location: Infrastructure, assets, and personnel must be located in the Union.
  • Control: The provider must not be subject to the control of a third country in a way that allows that country to restrain the provider, access data, disrupt service, or compel compliance with restrictive measures (sanctions/embargoes).

The proposal explicitly states that "lawful" access is a risk if it undermines the provider's operational autonomy. For example, Annex II, Section 3.1(g) (Level 3) and Section 4.1(g) (Level 4) require that the provider is not subject to the control of a third country. If a third country has laws that compel the provider to disclose data, the provider is effectively under that country's control, failing the sovereignty test.

The Article 18 Derogation: A Narrow Exception

The proposal acknowledges that a complete ban on third-country control might be impractical for some global providers. Therefore, Article 18 ("Associated third countries") provides a narrow derogation mechanism.

Under Article 18, the Commission may adopt implementing acts to identify third countries that provide "sufficient assurances" to allow cloud services controlled from that country to qualify for Union Assurance Level 3. However, this is not a blanket approval. The third country must meet strict cumulative criteria, including:

  • Having an adequacy decision under Article 45 of the GDPR.
  • Having no measures that enable it to exercise control over the provider in a way that conflicts with EU law (specifically regarding lawful access to non-personal data).
  • Having no measures to compel the provider to degrade or disrupt service continuity.
  • Having no measures to oblige the provider to comply with restrictive measures (sanctions/embargoes) unless legitimate under EU law.

This mechanism reinforces the principle that lawful access is only acceptable if the third country's legal framework explicitly prevents it from being used to undermine EU sovereignty. If a third country's laws allow for extraterritorial data access (like the US CLOUD Act), it would likely fail the criteria of Article 18 unless specific bilateral safeguards are in place.

The Vulnerability Reporting Criterion

A specific example of how CADA addresses the "lawful" nature of third-country demands is the requirement regarding software vulnerabilities. Annex II, Section 1.1(g) (Level 1), 2.1(i)(iii) (Level 2), and 3.1(i)(iii) (Level 3) all require that if a provider is subject to third-country control, it must guarantee that "there are no existing laws and practices in that third country... that require the cloud computing service provider to report information on software vulnerabilities to authorities of that third country prior to those vulnerabilities being known to have been exploited."

This criterion targets the "lawful" obligation to report vulnerabilities. If a third country legally requires a provider to report a zero-day vulnerability before it is fixed, the provider cannot guarantee the security and autonomy of the service. This is a "lawful" act that creates a "sovereignty" risk.

Risk Assessments and Procurement

The practical application of this distinction is found in Article 29 and Article 30.

  • Article 29 requires Member States and Union entities to conduct risk assessments to determine which assurance level is appropriate. These assessments must consider the risk of "unlawful access under Union law to such data by a third country" but also the broader risk of "possible service disruption" and "dependency vulnerabilities."
  • Article 30 mandates that for activities contributing to the preservation of public order (e.g., law enforcement, defence), contracting authorities must procure only services recognized at Union Assurance Levels 2, 3, or 4.

This means that for critical public functions, the EU will not accept cloud services where the provider is subject to third-country jurisdiction that could lead to lawful foreign access. The procurement rules effectively ban providers that cannot guarantee that their home country's laws will not compel them to disclose data or disrupt service.

What this means for you

For legal counsel, compliance officers, and public procurement teams, the CADA proposal signals a paradigm shift. You can no longer rely on "lawful" foreign access as a compliant alternative to "unlawful" access. In fact, the existence of lawful access mechanisms in a provider's home country may disqualify them from serving EU public bodies.

  • Audit for Jurisdiction, Not Just Security: When evaluating cloud providers, do not just check their cybersecurity certifications (e.g., ISO 27001). You must audit their jurisdictional exposure. Does the provider's home country have laws that compel data disclosure? If yes, can they guarantee that such laws will not be used to access EU data?
  • Verify Article 18 Status: If a provider is subject to third-country control, verify whether the Commission has adopted an implementing act under Article 18 recognizing that third country as providing sufficient assurances for Level 3. Without this specific recognition, the provider cannot meet the Level 3 criteria, which are often required for public-order-relevant activities.
  • Review Contractual Clauses: Ensure that contracts explicitly address third-country legal compulsion. Providers must demonstrate that they have measures to resist unlawful compulsion and, crucially, that they have no legal obligation to comply with foreign orders that conflict with EU sovereignty.
  • Conduct Risk Assessments: If you are a public sector body, you must conduct risk assessments under Article 29 every two years. These assessments must explicitly evaluate the risk of lawful foreign access and dependency vulnerabilities, not just technical security breaches.
  • Prepare for Migration: If your current provider is subject to third-country control and cannot meet the required assurance level, Article 29(6) requires you to migrate to a compliant service within a reasonable transition period not exceeding 12 months.

Common misconceptions

"Lawful foreign access is acceptable if it's for national security." No. Under CADA, even lawful access by a third country is considered a sovereignty risk if it undermines EU control. The framework aims to prevent any third country from exercising control over EU cloud services, regardless of the legal basis for that control in the third country. The "lawfulness" of the foreign order is irrelevant if it conflicts with EU public order.

"Sovereignty is just about data localization." While data localization (keeping data in the EU) is a requirement, CADA's sovereignty framework is broader. It includes operational autonomy, personnel screening (Union citizenship requirements for higher levels), and freedom from third-country legal compulsion. A provider can store data in the EU but still fail the sovereignty test if they are legally compelled by a foreign government to access that data.

"Cybersecurity certification equals sovereignty." The proposal explicitly distinguishes between cybersecurity and sovereignty. While cybersecurity certifications (like the EUCS) are required for higher assurance levels, they do not address the non-technical risks of third-country jurisdiction and legal compulsion. A provider can be "secure" against hackers but "unsovereign" due to foreign laws.

"The US CLOUD Act is a solution, not a problem." The US CLOUD Act is cited in the context of extraterritorial effects. While it provides a mechanism for resolving conflicts of law, CADA views the existence of such laws as a potential threat to EU sovereignty unless specific safeguards (Article 18) are in place. The mere existence of a law that allows foreign access is a risk factor that must be mitigated.

This is general information about a draft EU regulation, not legal advice.