Summary

The US CLOUD Act and FISA Section 702 are distinct but complementary mechanisms that create extraterritorial exposure for data held by US-based cloud providers. The CLOUD Act (18 U.S.C. § 2713) compels providers to produce data in their "possession, custody, or control" regardless of location, mainly for law enforcement. FISA 702 authorises the US intelligence community to target non-US persons reasonably believed to be outside the US for foreign-intelligence purposes. One is targeted compelled production; the other is programmatic surveillance, often without the target's knowledge. Both expose EU data to access—a risk the proposed Cloud and AI Development Act (CADA) addresses through its sovereignty framework (Article 16) rather than through data location alone.

Detail

The CLOUD Act: compelled production for law enforcement

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act), enacted in 2018, amended the Stored Communications Act. Its core provision, 18 U.S.C. § 2713, requires a provider of electronic communication or remote computing service to comply with obligations to preserve, back up, or disclose communications and records "within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States."

So if a US cloud provider (or a subsidiary subject to US jurisdiction) holds EU data on servers in Frankfurt, a US legal process can compel production. The CLOUD Act also adds a "comity" mechanism (18 U.S.C. § 2703(h)) letting providers move to quash where disclosure would conflict with the laws of a "qualifying foreign government" that has an executive agreement with the US under 18 U.S.C. § 2523. That protection is narrow and applies only to countries with such bilateral agreements.

FISA 702: intelligence collection on non-US persons

Foreign Intelligence Surveillance Act (FISA) Section 702 operates differently. It does not compel production in the same direct, case-by-case way as the CLOUD Act. Instead it authorises the US government to target non-US persons reasonably believed to be located outside the United States for foreign-intelligence purposes, with US electronic communication service providers required to assist in collection. Unlike a CLOUD Act demand tied to a specific investigation, FISA 702 is a programmatic authority, and it permits "incidental" collection of communications involving US persons who communicate with a target.

The intersection: extraterritorial exposure

For EU entities, the combined effect matters more than the distinction. Both regimes can reach data connected to US providers outside the ordinary mutual legal assistance treaty (MLAT) channels, creating a dual threat:

  1. Law enforcement access via the CLOUD Act.
  2. Intelligence access via FISA 702.

This dual exposure is a primary driver of CADA. Recital 46 identifies that the Union "remains critically dependent on a limited number of cloud computing service providers subject to the control of third countries," exposing it to "critical strategic dependencies and concentration risks, including vulnerabilities arising from the extraterritorial application of third-country laws." Recital 50 lists the related harms, including "access to information (i.e. access to sensitive information, unauthorised communication, technology leakage, data manipulation or exfiltration, espionage)" and "dependency vulnerabilities."

As proposed, CADA would mitigate these through a sovereignty framework (Article 16) defining four Union assurance levels. Where a provider is subject to third-country control, Annex II, Section 2.1(g) (Union assurance level 2) requires the provider to demonstrate that legal, technical, and organisational measures are in place to ensure, among other things, that access by a third country to customer data is prevented (2.1(g)(ii)) and that disruption or degradation of the service by a third country is prevented (2.1(g)(iii)). At the highest level, Annex II, Section 4.1(g) requires that the provider and its subcontractors are not subject to third-country control at all.

What this means for you

For in-house counsel and compliance officers, the distinction is the foundation of vendor-risk assessment and CADA readiness.

1. Vendor risk assessments must look beyond GDPR compliance

A standard GDPR data processing agreement does not neutralise CLOUD Act or FISA 702 exposure. A US-headquartered provider may be GDPR-compliant yet remain legally bound by US process. As proposed, to meet Annex II, Section 2.1(g), a third-country-controlled provider would have to demonstrate that third-country access to customer data is prevented—difficult to reconcile with the breadth of § 2713 and FISA 702.

2. Procurement strategy for public sector and critical infrastructure

For EU contracting authorities, Article 30 would impose tiered procurement rules. Activities identified as contributing to the preservation of public order—in sectors under the NIS2 Directive (Directive (EU) 2022/2555) or in national security, defence, justice, or law enforcement—could only procure services recognised at Union assurance level 2, 3, or 4. Given the extraterritorial reach of US law, US hyperscalers may find the higher levels hard to reach absent genuine legal and technical separation. Your risk assessments under Article 29 must expressly weigh the risk of third-country access.

3. Data localisation is not sovereignty

Storing data in EU data centres does not, by itself, solve the problem: under the CLOUD Act, location is irrelevant where the provider is subject to US jurisdiction, and FISA 702 targets non-US persons regardless of where data sits. CADA reflects this by focusing on control and assurance levels. Even at Union assurance level 1, Annex II, Section 1.1(c) requires customer data to remain exclusively within the Union unless the public sector body explicitly requires otherwise—but higher levels add controls on third-country control and access. The question shifts from "where is the data?" to "who controls the provider, and what laws bind it?"

4. Private sector entities

CADA's binding procurement rules target the public sector, but Article 31 allows private entities in NIS2 sectors to carry out similar impact assessments, and the Commission may issue guidance or—where duly justified—require such assessments by delegated act. Proactive alignment with the sovereignty framework can be both a risk-mitigation measure and a competitive signal.

Common misconceptions

"If our data is stored in Europe, the CLOUD Act doesn't apply." Correction: § 2713 reaches data in the provider's "possession, custody, or control" regardless of physical location. A US company can be compelled to produce data sitting in a Dublin data centre.

"GDPR adequacy / the Data Privacy Framework protects us from FISA 702." Correction: The EU-US Data Privacy Framework addresses transatlantic transfers of personal data. As the CADA explanatory memorandum notes, it "does not remove sovereignty concerns about dependence on third-country providers." FISA 702 is an intelligence authority outside standard transfer mechanisms.

"CADA bans US cloud providers." Correction: It does not. CADA would create a tiered assurance system. A provider can pursue Union assurance level 1 via self-assessment; levels 2–4 require independent audit. Under Article 18, the Commission may recognise a third country as providing sufficient assurances to allow providers controlled from there to be audited against the Union assurance level 3 criteria—a high, cumulative bar (including a GDPR adequacy decision). Level 4 permits no third-country control at all.

"FISA 702 is just another warrant like the CLOUD Act." Correction: FISA 702 is not a crime-specific warrant; it is a programmatic surveillance authority targeting non-US persons abroad, with incidental collection of US/EU-person data. The CLOUD Act is a tool for compelled production of specific data. The nature of the risk differs.

This is general information about a draft EU regulation, not legal advice.