Summary

Under the proposed Cloud and AI Development Act (CADA), the European Commission may designate specific "associated third countries" through implementing acts adopted under the examination procedure set out in Article 46(2). This mechanism, defined in Article 18, allows cloud computing service providers subject to third-country control to be audited for Union assurance level 3 recognition, provided the third country meets six strict cumulative criteria. Once adopted, the Commission is required to publish and maintain a public list of these countries, which serves as the definitive reference for eligibility. This is a derogation from the general rule that Level 3 providers must not be subject to third-country control.

Detail

The Cloud and AI Development Act (CADA) establishes a four-tier Union cloud computing sovereignty framework. Generally, Union assurance level 3 requires that the provider and its subcontractors are not subject to the control of a third country or a legal entity established in a third country. However, recognizing the complexity of global supply chains and international partnerships, Article 18 introduces a specific derogation. This article creates a pathway for providers controlled by a third country to still qualify for Level 3 recognition if that third country is formally designated as "associated" by the Commission.

The Legal Instrument: Implementing Acts under Article 46(2)

The designation of an associated third country is not a unilateral decision by the Commission; it is a formal legislative act subject to Member State oversight. Article 18(1) explicitly mandates that the Commission "may adopt decisions, by means of implementing acts, identifying third countries" that meet the necessary conditions.

Crucially, the text of Article 18(1) concludes with the procedural requirement: "Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 46(2)."

This procedural choice is legally significant. Under the examination procedure (governed by Regulation (EU) No 182/2011), the Commission must submit its draft implementing act to a committee composed of representatives from the Member States. The committee votes on the draft; if a qualified majority supports the draft, the Commission adopts it. If the committee delivers a negative opinion, the Commission cannot adopt the act. This ensures that the designation of a third country as "associated" reflects a collective political and technical judgment by the Member States, rather than a purely administrative decision.

The Six Cumulative Criteria for Designation

For the Commission to adopt an implementing act designating a third country, that country must fulfill six cumulative criteria listed in Article 18(1)(a) through (f). The failure to meet even one criterion prevents designation. These criteria are:

  1. GDPR Adequacy: The third country must be subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679 (the GDPR). This ensures a baseline of data protection.
  2. No Conflicting Access Measures: The country must have no measures enabling it to exercise control over the provider in a way that conflicts with lawful access to non-personal data under Article 32(2) and (3) of Regulation (EU) 2023/2854 (the Data Act).
  3. No Compulsion to Disrupt Service: The country must have no measures compelling the provider to degrade or disrupt service continuity, or to implement restrictive measures (such as sanctions or embargoes), unless those measures are legitimate under the national laws of Member States or Union law.
  4. No Impediment to Technology: The country must not have measures in place to impede the provision of state-of-the-art technologies and services by the provider.
  5. Open Market: The country must maintain an open market to Union cloud computing services.
  6. Reciprocal Access: The third country must grant equivalent levels of access to public procurement procedures for cloud services subject to the control of a Union Member State or entity.

Dynamic Management and the Public List

The status of an associated third country is not permanent. Article 18(2) establishes a dynamic review mechanism: "Where available information reveals that the third country no longer fulfils the requirements under paragraph 1, the Commission shall repeal, amend or suspend the decision." This ensures the framework remains responsive to geopolitical shifts or changes in a third country's legal landscape.

Transparency is a core requirement. Article 18(3) obliges the Commission to "publish on its website a list of third countries that fulfil the requirements under paragraph 1 and those that no longer do so." This list is the authoritative source for cloud providers and public sector contracting authorities to verify eligibility.

Interaction with Assurance Level 3 Criteria

It is vital to distinguish between the country's status and the provider's status. Even if a third country is designated under Article 18, providers from that country are not automatically recognized at Level 3. They must still undergo an independent third-party audit under Article 20.

As per Annex II, Section 3.1(g), providers subject to third-country control (but from an associated country) must demonstrate that specific legal, technical, and organizational measures are in place to ensure:

  • Third-country control does not restrict the provider's ability to perform the service.
  • Access by the third country to customer data is prevented.
  • Disruption of service continuity or degradation of quality is prevented.
  • The provider is not obliged to comply with restrictive measures (sanctions/embargoes) unless legitimate under EU law.

What this means for you

For legal counsel, compliance officers, and public procurement teams, the Article 18 mechanism introduces a critical, conditional pathway for sovereign cloud adoption.

  • Verify the List Before Procurement: Public sector bodies procuring at Union assurance level 3 must verify that the provider's country of control is currently listed on the Commission's website under Article 18(3). Relying on a country's GDPR adequacy decision alone is insufficient; the specific CADA implementing act must be in force.
  • Monitor for Repeals: Because Article 18(2) allows for the repeal or suspension of a designation, compliance teams must monitor the Commission's list continuously. A sudden removal of a country from the list could immediately disqualify a provider from Level 3 recognition, potentially triggering contract breaches or the need for migration.
  • Audit Evidence for Associated Countries: If your provider is from an associated third country, the audit under Article 20 will focus heavily on the specific safeguards required by Annex II, Section 3.1(g). You must ensure the provider can demonstrate concrete measures (e.g., technical barriers to data access, legal refusal mechanisms) that neutralize the third-country control risk.
  • Level 4 is Inaccessible: Remember that the Article 18 derogation applies only to Union assurance level 3. Annex II, Section 4.1(g) explicitly states that for Level 4, the provider and subcontractors must not be subject to the control of a third country. No implementing act can override this requirement for the highest assurance level.

Common misconceptions

"GDPR Adequacy automatically qualifies a country for CADA Level 3." This is incorrect. While an adequacy decision under Article 45 of the GDPR is the first criterion in Article 18(1)(a), it is only one of six cumulative requirements. A country must also meet the criteria regarding service disruption, market openness, and reciprocal access. A country with an adequacy decision but no reciprocal market access cannot be designated.

"Once a country is designated, the status is permanent." The designation is dynamic. Article 18(2) explicitly empowers the Commission to repeal, amend, or suspend the decision if the country no longer fulfills the requirements. This could happen due to new laws in the third country or changes in geopolitical relations.

"Associated third countries can provide Union assurance level 4." No. The derogation in Article 18 is strictly limited to Union assurance level 3. Annex II, Section 4.1(g) mandates that for Level 4, the provider must not be subject to third-country control under any circumstances. There is no implementing act mechanism to bypass this for Level 4.

"The Commission decides alone." The Commission cannot act unilaterally. Article 18(1) requires the adoption of implementing acts under the examination procedure of Article 46(2). This means the Member States, via the committee procedure, have the power to block a designation if they deem the third country's safeguards insufficient.

This is general information about a draft EU regulation, not legal advice.