Summary
As proposed in COM(2026) 502 final, a US hyperscaler is effectively barred from achieving Union assurance levels 1, 2, and 4 due to strict prohibitions on third-country control and infrastructure location. The only potential pathway is Union assurance level 3, but this is conditional on a political and legal prerequisite: the European Commission must first designate the United States as an "associated third country" under Article 18. This designation requires the US to meet cumulative criteria, including an EU adequacy decision and specific legal safeguards preventing unauthorized data access or service disruption. Without this designation, US-controlled providers cannot be audited for Level 3. Even with designation, the provider must prove robust, auditable measures to block extraterritorial access (e.g., under the US CLOUD Act) and prevent service disruption.
Detail
The Cloud and AI Development Act (CADA) establishes a "Union cloud computing sovereignty framework" with four assurance levels. For a US hyperscaler, the path to recognition is heavily constrained by the definition of "control" and the specific criteria for third-country providers found in Annex II. The framework is explicitly designed to mitigate risks arising from the extraterritorial application of third-country laws, such as the US CLOUD Act, which can compel US-based providers to disclose data stored anywhere in the world.
The Structural Barrier to Levels 1, 2, and 4
To understand why a US hyperscaler is largely excluded from levels 1, 2, and 4, one must examine the cumulative criteria in Annex II.
Union Assurance Level 1 is the baseline. While it allows for some third-country involvement in specific contexts, Annex II, Section 1.1(g) requires that if a provider is subject to third-country control, it must guarantee that no laws in that country require reporting software vulnerabilities to authorities before they are known to be exploited. However, Level 1 is generally insufficient for public-order-relevant procurement under Article 30(3), which mandates Level 2, 3, or 4 for activities contributing to public order.
Union Assurance Level 2 and Union Assurance Level 4 impose stricter prohibitions regarding control. Under Annex II, Section 2.1(g) and Section 4.1(g), providers must demonstrate that they are not subject to the control of a third country or a legal entity established in a third country.
- Level 2: While Section 2.1(g) allows a provider subject to third-country control to qualify if it demonstrates specific safeguards (preventing data access, service disruption, etc.), it does not provide a mechanism for an "associated third country" designation to override the control prohibition in the same way Level 3 does. The burden is entirely on the provider to prove that safeguards exist, and the text of Level 2 does not explicitly reference the Article 18 derogation mechanism.
- Level 4: This is the highest tier. Annex II, Section 4.1(g) explicitly states that the audited provider and subcontractors "are not subject to the control of a third country or a legal entity established in a third-country." There is no derogation for associated third countries at Level 4. Therefore, a US hyperscaler, which is inherently subject to US jurisdiction and potentially the CLOUD Act, cannot meet the strict "no third-country control" requirement for Level 4.
Union Assurance Level 3 is the only tier that offers a potential, albeit conditional, pathway for US providers. Annex II, Section 3.1(g) states that providers subject to third-country control may be audited for Level 3 only if the Commission has adopted an implementing act under Article 18 identifying that third country as providing sufficient assurances. This creates a unique "gatekeeper" mechanism: without the Commission's decision, the audit cannot even begin.
The Article 18 "Associated Third Country" Mechanism
Article 18 is the critical gatekeeper for US hyperscalers seeking Level 3 recognition. The Commission may adopt decisions, by means of implementing acts, identifying third countries for which providers subject to their control may be audited against Level 3 criteria. This is not automatic; the US must fulfill cumulative criteria set out in Article 18(1):
- Adequacy Decision: The US must be subject to a relevant adequacy decision adopted under Article 45 of Regulation (EU) 2016/679 (GDPR).
- No Conflicting Data Access Laws: The US must have no measures in place that enable it to exercise control over the provider in a way that conflicts with the requirements for lawful access to non-personal data set out in Article 32(2) and (3) of Regulation (EU) 2023/2854 (the Data Act).
- No Service Disruption Measures: The US must have no measures to compel the provider to degrade or disrupt service continuity or provision. It must also have no measures to oblige the provider to implement, enforce, or comply with restrictive measures (sanctions, embargoes) unless these are legitimate under Member State or Union law.
- No Tech Impediments: The US must have no measures to impede the provision of state-of-the-art technologies and services.
- Open Market: The US must maintain an open market to Union cloud computing services.
- Reciprocity: The US must grant equivalent levels of access to public procurement procedures for cloud services controlled by a Union Member State or entity.
If the Commission determines that the US meets these criteria, it will publish a list of associated third countries. Only then can a US hyperscaler apply for Level 3 recognition.
Proving Safeguards Against CLOUD Act Access
Even if the US is designated as an associated third country, the US hyperscaler must still prove it meets the substantive criteria of Annex II, Section 3.1. This involves demonstrating robust safeguards against the very risks the CADA seeks to mitigate, such as extraterritorial data access.
Under Annex II, Section 3.1(g)(ii), the provider must demonstrate measures that prevent access by a third country (the US) or a legal entity established in that country to customer data. This directly addresses the CLOUD Act's disclosure obligations. The provider must prove that it can legally and technically refuse US government requests for EU customer data, or that such requests are blocked by the safeguards.
Furthermore, Annex II, Section 3.1(g)(iii) requires preventing the disruption of service continuity or degradation of service quality by the third country. This targets the risk of unilateral US sanctions or executive orders forcing a provider to shut down services in the EU.
Annex II, Section 3.1(g)(iv) requires preventing the provider from being obliged to implement restrictive measures (sanctions/embargoes) adopted by the third country, unless legitimate under EU law.
To prove these safeguards, the provider must submit evidence to an auditing organization. Annex III details the required audit evidence. For Audit Criterion G (Absence of third-country control), the auditor must analyze ownership structures, corporate governance, and commercial links. If the auditor determines the provider is subject to third-country control (which a US hyperscaler is), they must request additional evidence under Annex III, Section 7.2:
- Proof that the Commission has adopted a decision under Article 18 for the US.
- Evidence of measures enforcing effective legal, technical, and organizational separation between the EU service and the third country.
- Evidence that the public sector body will be informed of any US request to access data and confirmation that the request was refused.
- An up-to-date record of any such requests and the responses to them.
The Recognition Process
Once a US hyperscaler satisfies the Article 18 condition and the Annex II/III criteria, it must undergo the recognition process under Article 17. The provider submits an application to the national competent authority of establishment. For Level 3, this requires a "positive" audit opinion from an independent auditing organization. The competent authority then assesses the evidence and, if satisfied, recognizes the service as offering Union assurance level 3 across the Union.
What this means for you
For US hyperscalers operating in the EU, the CADA proposal creates a bifurcated market. You cannot offer "sovereign" cloud services at Levels 2 or 4. Your only path to the high-assurance public sector market (Level 3) depends entirely on political and legal developments outside your direct control: the Commission's decision to designate the US as an associated third country under Article 18.
If you are preparing for this scenario, you must:
- Monitor Article 18 Designations: Watch for Commission implementing acts listing associated third countries. Without this, Level 3 is closed to you.
- Audit-Ready Safeguards: Begin documenting your refusal of US government data requests. Annex III requires a record of these refusals. You must prove to auditors that you have the legal and technical capability to block CLOUD Act warrants for EU-hosted data.
- Separation Measures: Implement strict technical and organizational separation between your EU operations and US headquarters. Auditors will scrutinize your corporate governance to ensure US parent companies cannot compel EU subsidiaries to compromise EU data or service continuity.
- Level 1 Strategy: If Level 3 is not achievable, assess whether you can meet the Level 1 criteria. Note that Level 1 still requires you to guarantee that no third-country laws require premature vulnerability reporting. However, Level 1 is a self-assessment model, which is less rigorous than the third-party audit required for Level 3.
Common misconceptions
- "We can achieve Level 4 if we host data in the EU." Incorrect. Annex II, Section 4.1(g) explicitly prohibits providers subject to third-country control from achieving Level 4. There is no derogation for associated third countries at this level.
- "An adequacy decision is enough." Incorrect. While an adequacy decision under the GDPR is a prerequisite for Article 18 designation, it is not sufficient on its own. The US must also meet criteria regarding service disruption, restrictive measures, and market reciprocity.
- "We can self-certify for Level 3." Incorrect. Level 3 requires an independent third-party audit and a "positive" audit opinion from an auditing organization, as per Article 20 and Annex II. Only Level 1 allows for conformity self-assessment.
- "The CLOUD Act doesn't matter if we use encryption." Incorrect. The CADA framework looks at control and legal obligation. Even with encryption, if US law compels you to hand over keys or disrupt service, you fail the criteria in Annex II, Section 3.1(g). You must demonstrate legal and technical measures to prevent such access or disruption.
This is general information about a draft EU regulation, not legal advice.