Summary
Under the proposed Cloud and AI Development Act (CADA), the Commission may designate an "associated third country" allowing its cloud providers to qualify for Union assurance level 3, despite being subject to third-country control. This designation is conditional on strict criteria, most notably Article 18(1)(b), which requires that the third country has "no measures in place that enable it to exercise control over the cloud computing service provider in a way that would conflict with the requirements for lawful access to non-personal data set out in paragraphs 2 and 3 of Article 32 of Regulation (EU) 2023/2854 (the Data Act)." This mechanism is designed to shield EU public order from foreign government data demands and service disruptions, ensuring that even in partner jurisdictions, extraterritorial access laws cannot override EU sovereignty standards.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised Union cloud computing sovereignty framework comprising four assurance levels. While the general rule in Annex II prohibits cloud providers subject to third-country control from achieving Union assurance levels 3 and 4, Article 18 introduces a specific derogation mechanism. This allows the Commission to identify "associated third countries" whose providers may be audited for level 3 recognition, provided they meet a rigorous set of cumulative criteria.
The Core Condition: Article 18(1)(b) and the Data Act
The pivotal requirement for an associated third country is found in Article 18(1)(b). As proposed, the Commission may only adopt an implementing act identifying a third country if it fulfills the condition that:
"it has no measures in place that enable it to exercise control over the cloud computing service provider in a way that would conflict with the requirements for lawful access to non-personal data set out in paragraphs 2 and 3 of Article 32 of Regulation (EU) 2023/2854."
This cross-reference is legally significant. Article 32 of the Data Act (Regulation (EU) 2023/2854) governs the access of public authorities in third countries to non-personal data held in the EU. Specifically:
- Article 32(2) restricts public authorities from accessing non-personal data unless specific conditions are met, such as the existence of an international agreement or a judicial decision in a criminal investigation that is enforceable in the third country and subject to strict safeguards.
- Article 32(3) further mandates that where no such agreement exists, access is only permitted if the third country's public authority provides a reasoned request and the data holder has the right to challenge the request before a court in the third country.
By embedding these requirements into Article 18(1)(b), CADA ensures that a third country cannot be designated as "associated" if its domestic laws or practices allow its government to compel cloud providers to hand over non-personal data in a manner that bypasses the safeguards of the Data Act. This effectively blocks "lawful access" regimes that are broader or less protective than the EU's own standards.
The Full Set of Cumulative Criteria
Article 18(1) lists six cumulative criteria. Failure to meet any single one disqualifies the third country. Beyond the Data Act condition in (b), the other requirements are:
- Adequacy: The country must be subject to a relevant adequacy decision under Article 45 of Regulation (EU) 2016/679 (GDPR).
- Service Continuity: The country must have no measures compelling the provider to degrade or disrupt service continuity or provision.
- Technology Access: The country must have no measures impeding the provision of state-of-the-art technologies.
- Market Openness: The country must maintain an open market to Union cloud computing services.
- Reciprocity: The country must grant equivalent levels of access to public procurement procedures for cloud services controlled by the Union.
Protection Against Foreign Government Data Demands
The primary policy driver for Article 18 is the mitigation of risks arising from the extraterritorial application of third-country laws. The explanatory memorandum highlights that dependence on providers subject to third-country jurisdictions exposes the Union to risks such as "unauthorised communication, technology leakage, data manipulation or exfiltration, espionage" and "political and/or economic coercion."
Even if a third country is designated as "associated," the provider must still satisfy the specific audit criteria for Union assurance level 3 set out in Annex II, Section 3. Crucially, Annex II, 3.1(g) requires that the provider demonstrates that:
- Access by the third country to customer data is prevented.
- The possibility of disruption of service continuity or degradation of service quality is prevented.
- The third country cannot oblige the provider to comply with restrictive measures (e.g., sanctions) unless they are legitimate under EU law.
Furthermore, Annex II, 3.1(g)(i) explicitly requires the provider to allow reasonable access to the code to verify that third-country control does not restrain the provider's ability to perform the service. This creates a dual layer of protection: the country must not have conflicting laws (Article 18), and the provider must have technical and legal measures to resist any residual demands (Annex II).
Commission Oversight and Transparency
The mechanism is dynamic. Under Article 18(2), if information reveals that a third country no longer fulfills the requirements, the Commission must repeal, amend, or suspend the decision. Article 18(3) mandates the publication of a list of countries that fulfill the requirements and those that no longer do so. This ensures that contracting authorities and providers have real-time visibility into the sovereignty status of potential partners.
What this means for you
For legal counsel, compliance officers, and public procurement teams, Article 18 introduces a critical dependency on the Commission's implementing acts and the ongoing status of third-country jurisdictions.
1. Procurement Eligibility for Level 3 Services
If your public sector body has identified an activity as contributing to the preservation of public order under Article 29, you are required to procure only cloud services recognised at Union assurance levels 2, 3, or 4 (Article 30(3)). Many global hyperscalers are subject to third-country control (e.g., US CLOUD Act jurisdiction). Under the general rule, they would be ineligible for Level 3. However, if their home country is designated as an "associated third country" under Article 18, they may become eligible.
- Action: Monitor the Commission's list of associated third countries. Do not assume that a GDPR adequacy decision is sufficient; verify that the country also meets the Data Act conflict test in Article 18(1)(b).
2. Due Diligence on Non-Personal Data
The explicit reference to Article 32(2)-(3) of the Data Act shifts the focus of due diligence from personal data (GDPR) to non-personal data. You must assess whether the third country's laws allow its government to access non-personal data (e.g., industrial data, metadata, telemetry) without the strict safeguards required by the Data Act.
- Action: Review the provider's legal opinion on their home country's surveillance and data access laws. Ensure they confirm no conflict with Data Act Article 32.
3. Contractual Resilience
Even with an associated third country designation, the provider must prove in their audit that they can resist foreign demands. Your contracts should reflect this.
- Action: Include clauses requiring the provider to:
  - Notify you immediately of any foreign government request for data access.
  - Challenge such requests before the relevant foreign court if permitted by local law.
  - Maintain a record of all such requests and responses, as required by Annex III, 7.2(f).
4. Risk of Status Revocation
The status of an associated third country is not permanent. A change in the third country's laws (e.g., a new surveillance act) could trigger a suspension under Article 18(2).
- Action: Plan for contingency. If a country loses its status, your current provider may no longer meet the Level 3 requirement. Under Article 29(6), you would be required to migrate to a compliant service within a transition period not exceeding 12 months.
Common misconceptions
Misconception 1: "If a country has a GDPR adequacy decision, it automatically qualifies for CADA Article 18." Correction: No. GDPR adequacy is only one of six cumulative criteria under Article 18(1). The country must also satisfy the strict non-personal data access test in Article 18(1)(b) regarding the Data Act, ensure no service disruption measures exist, and guarantee market reciprocity. A country could have GDPR adequacy but fail the Data Act test.
Misconception 2: "Associated third country status means providers are exempt from sovereignty rules." Correction: No. Providers from associated third countries are still subject to the full audit requirements for Union assurance level 3 in Annex II. They must demonstrate effective separation from third-country control and prove that they can prevent foreign access to customer data. The designation only removes the automatic bar on third-country control; it does not remove the requirement to prove sovereignty.
Misconception 3: "This only protects personal data." Correction: A critical distinction of Article 18(1)(b) is its focus on non-personal data. The Data Act (Article 32) specifically governs non-personal data. CADA uses this to protect industrial, commercial, and operational data from extraterritorial access, ensuring that foreign governments cannot bypass EU sovereignty by claiming the data is not "personal."
Misconception 4: "Article 18 allows providers to ignore foreign data requests." Correction: The regulation does not grant providers the power to ignore laws. Instead, it requires the third country itself to have no measures enabling control that conflicts with the Data Act. If such measures exist, the country cannot be designated. If designated, the provider must still implement technical and legal measures to resist access, and the audit must verify this resistance.
This is general information about a draft EU regulation, not legal advice.