Summary
Under the proposed Cloud and AI Development Act (CADA), cloud providers seeking Union assurance levels 1 through 4 must guarantee that no laws in a controlling third country require them to report software vulnerabilities to foreign authorities before those vulnerabilities are known to have been exploited. This obligation, explicitly required in Annex II for levels 1, 2, and 3, must be "demonstrated by independent sources." While Level 4 generally prohibits third-country control entirely, the disclosure rule remains a critical compliance hurdle for providers at Levels 1, 2, and 3, ensuring that security flaws are patched before foreign intelligence services can exploit them.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a "Union cloud computing sovereignty framework" comprising four assurance levels. A central pillar of this framework is the mitigation of risks arising from the extraterritorial reach of third-country laws. Specifically, the proposal addresses the risk that a cloud provider subject to third-country control might be legally compelled to disclose software vulnerabilities to foreign authorities before the provider or the EU customer has had the opportunity to remediate them.
This "vulnerability-disclosure rule" is not a general cybersecurity principle but a specific, cumulative criterion embedded in the legal text of Annex II. It applies to providers that are subject to the control of a third country or a legal entity established in a third country. The rule mandates that such providers guarantee the absence of any existing laws or practices in that third country that would require the reporting of software vulnerability information to authorities prior to the vulnerability being known to have been exploited.
The Rule Across Assurance Levels
The requirement is consistent across the tiers where third-country control is permitted, though the overall burden of proof and the strictness of the control test increase with each level.
Union Assurance Level 1
Level 1 serves as the baseline for public sector procurement. Under Annex II, Section 1.1(g), if a cloud computing service provider is subject to the control of a third country or a legal entity established in a third country, it must guarantee that there are no existing laws and practices in that third country requiring the provider to report information on software vulnerabilities to authorities of that third country prior to those vulnerabilities being known to have been exploited. Crucially, the proposal states this must be "demonstrated by independent sources." This criterion applies even though Level 1 relies on a self-assessment rather than a third-party audit.
Union Assurance Level 2
For Level 2, which requires independent third-party auditing, the vulnerability-disclosure rule is integrated into the software supply chain measures. Under Annex II, Section 2.1(i)(iii), if the cloud computing service provider is subject to the control of a third country or a legal entity established in a third country, it must guarantee that there are no existing laws and practices in that third country, "demonstrated by independent sources," that require the provider to report information on software vulnerabilities to authorities of that third country prior to those vulnerabilities being known to have been exploited. This ensures that even with higher assurance, the legal risk of early disclosure remains a disqualifying factor unless proven otherwise by independent evidence.
Union Assurance Level 3
The requirement remains verbatim for Level 3. Under Annex II, Section 3.1(i)(iii), providers subject to third-country control must demonstrate via independent sources that no such early-reporting laws exist. Level 3 is unique in that it allows for a derogation where the Commission may recognize a third country as providing sufficient assurances (under Article 18). However, even in such cases, the provider must still meet the specific criteria of Annex II, including the guarantee against early vulnerability reporting, to be recognized at this level.
Union Assurance Level 4
Level 4 represents the highest tier of sovereignty. Under Annex II, Section 4.1(g), the provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country. Consequently, the specific vulnerability-disclosure clause (which applies "where the provider is subject to control") is technically moot for Level 4, as the control itself is prohibited. However, the underlying principle, that no foreign law should compromise the security of the service, remains the foundational logic of the highest tier.
The "Independent Sources" Requirement
The phrase "demonstrated by independent sources" is a critical safeguard against self-declaration. It means a provider cannot simply issue a statement of compliance or rely on internal legal opinions. The evidence must be objective and external.
In practice, this likely requires:
- Independent Legal Opinions: Formal analyses from law firms specializing in the relevant third-country jurisdiction, confirming the absence of such mandatory reporting laws.
- Public Records: References to specific statutes, or the lack thereof, in the third country's legal framework.
- Recognized Standards: Evidence from recognized cybersecurity standards or government reports that validate the absence of such requirements.
This requirement is designed to prevent "greenwashing" of sovereignty claims. A provider cannot claim to be compliant with CADA if the legal framework of its ultimate controlling jurisdiction allows for covert access to security flaws. The burden of proof lies with the provider to demonstrate, via these independent sources, that the risk of forced early disclosure does not exist.
Interaction with Third-Country Recognition (Article 18)
Article 18 of the CADA proposal allows the Commission to adopt implementing acts identifying third countries that provide sufficient assurances to allow cloud services controlled from that country to qualify for Union assurance level 3. To qualify, a third country must meet cumulative criteria, including having no measures that enable it to exercise control in a way that conflicts with EU data access rules or compels service degradation.
While Article 18 does not explicitly repeat the text of the vulnerability-disclosure rule, the logic is consistent. The Commission's assessment of a third country under Article 18 would inherently consider whether that country's laws pose a risk of unauthorized access or service disruption. If a third country has laws forcing early vulnerability reporting, it would likely fail the Article 18 test. Therefore, providers from recognized third countries would still need to ensure they meet the Annex II criteria, including the specific guarantee against early reporting, to be formally recognized at Level 3.
What this means for you
For in-house counsel, compliance officers, and public procurement teams, the vulnerability-disclosure rule has immediate and practical implications for vendor selection and risk management.
1. Deep-Dive Vendor Due Diligence
You must look beyond the immediate legal entity of the cloud provider. You need to map the entire ownership chain to identify the "ultimate owners" and any third countries or legal entities that exercise control. If a provider is controlled by a non-EU entity (e.g., a US-based parent company), you must verify the laws of that specific jurisdiction. Do not assume that a provider's home country laws are benign; you must specifically check for statutes mandating early vulnerability reporting.
2. Demanding Independent Evidence
Do not accept a simple "yes" from the vendor's legal team or a standard compliance questionnaire. Under CADA, the guarantee must be "demonstrated by independent sources." You should explicitly request:
- Legal Opinions: Formal, written opinions from independent counsel specializing in the relevant third-country jurisdiction.
- Statutory Analysis: References to specific laws or a clear statement of the absence of such laws.
- Mechanism for Refusal: Evidence that the provider has mechanisms to refuse or delay compliance with foreign requests if they conflict with EU law, though the primary goal is to prove the law does not exist.
3. Procurement Strategy by Tier
- Level 1: Most public sector bodies will procure at Level 1. Ensure your chosen provider has completed the conformity self-assessment and has attached the independent evidence for the vulnerability-disclosure rule if they are third-country controlled. Without this evidence, they cannot be recognized at Level 1.
- Levels 2-4: These levels require independent audits. The auditing organization will assess the provider's compliance with the vulnerability-disclosure criterion. As a buyer, you can check the central repository (established under Article 22) to see if a service has been recognized at the required level. If a provider fails to provide the independent evidence, they cannot be recognized, and you cannot procure from them for activities requiring higher assurance.
4. Contractual Safeguards and Monitoring
Ensure your contracts include clauses that require the provider to notify you immediately if any change in third-country law affects their ability to comply with the vulnerability-disclosure guarantee. Article 23 requires providers to report any material changes in circumstances that may affect their recognition status. If a third country enacts a new law forcing early reporting, the provider's recognition could be revoked, and you would need to migrate to a compliant provider.
Common misconceptions
Misconception 1: Only US providers are affected.
While the rule is often discussed in the context of the US CLOUD Act (which allows US authorities to compel US-based providers to disclose data), it applies to any third country. If a provider is controlled by a legal entity in any non-EU jurisdiction, the rule applies. You must assess the laws of that specific jurisdiction, not just the US.
Misconception 2: "Independent sources" means any third party.
The source must be independent and credible. Internal audits, self-assessments, or statements from the provider's own legal department do not count. The CADA proposal emphasizes "independent sources" to ensure objectivity. This typically means external legal experts, recognized industry bodies, or public government analyses.
Misconception 3: The rule only applies to Level 4.
The vulnerability-disclosure requirement is explicitly present in Levels 1, 2, and 3. Level 4 generally excludes providers subject to third-country control altogether, but the explicit textual guarantee is a key hurdle for Levels 1-3. Ignoring this for Level 1 procurement could lead to non-compliance with CADA's minimum assurance requirements.
Misconception 4: It's about data access, not security flaws.
While related to data sovereignty, this specific rule is about software vulnerabilities. It prevents a scenario where a foreign government learns of a security bug in the cloud infrastructure before the EU customer does, allowing it to exploit the bug before it is patched. It is a technical security guarantee with legal underpinnings, distinct from general data transfer rules.
Related
- How do software supply-chain controls differ across CADA tiers?
- CADA personnel requirements: How Union citizenship and support location escalate across tiers
- CADA Recognition: When is a cloud service deemed accepted across the EU?
- CADA Sovereignty Tiers: Protection Against Foreign Law Explained
- CADA Audit Rule: Why Higher Assurance Levels Require Lower-Tier Compliance
This is general information about a draft EU regulation, not legal advice.