Summary

As proposed, the Cloud and AI Development Act (CADA) allows cloud providers subject to third-country control to achieve Union assurance level 2, but only if they implement strict, verifiable safeguards. Under Annex II 2.1(g), providers must demonstrate that foreign control does not restrain service delivery, that third-country access to customer data is prevented, that service continuity cannot be disrupted, and that the provider cannot be compelled to comply with unlawful third-country sanctions. These criteria are cumulative and must be verified through an independent third-party audit, not self-assessment.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a Union cloud computing sovereignty framework comprising four assurance levels. Union assurance level 2 represents a critical threshold for public sector procurement, requiring independent third-party audits and imposing rigorous requirements on data localization, personnel, and supply chain transparency.

A key feature of the proposal is that it does not automatically disqualify providers subject to the control of a third country or a legal entity established in a third country. Instead, it establishes a conditional pathway for such providers to qualify for level 2 recognition. This pathway is defined in Annex II, Section 2.1(g), which sets out four cumulative safeguards that must be met to ensure that foreign control does not undermine the Union's strategic autonomy.

These safeguards are designed to address specific risks associated with extraterritorial laws, political coercion, and operational dependency. They require providers to prove that their legal, technical, and organizational measures effectively neutralize the risks posed by third-country control.

The Four Cumulative Safeguards for Third-Country Control

To be recognized as offering Union assurance level 2, a provider subject to third-country control must demonstrate that the control is not exercised in a manner that violates the following four criteria. Failure to meet any single criterion precludes recognition at this level.

1. Non-Restraint of Service Delivery and Infrastructure

Per Annex II 2.1(g)(i), the provider must ensure that the third-country control does not "restrain or restrict the provider's ability to perform and deliver the service." This criterion specifically targets the risk that a foreign government or entity could limit the provider's operational capacity.

The text explicitly states that control must not:

  • "Impose limitations on the infrastructure, assets, and personnel required for the service provision."
  • "Undermine the capabilities and standards necessary to perform the audited service."

This safeguard ensures that political decisions or commercial leverage exercised by a third country cannot arbitrarily reduce the technical capacity, degrade the quality of service, or restrict the scope of operations within the EU. It requires providers to maintain full operational autonomy regardless of their ownership structure.

2. Prevention of Foreign Data Access

Per Annex II 2.1(g)(ii), the provider must implement measures to ensure that "access by a third country or by a legal entity established in a third-country to customer data is prevented."

This is a cornerstone of the sovereignty framework. It goes beyond standard data protection obligations (such as those in the GDPR) by explicitly targeting the risk of extraterritorial data access laws. For example, it addresses scenarios where a foreign government might compel a provider to hand over data stored in the EU to its authorities. The provider must demonstrate that robust legal, technical, and organizational barriers exist to effectively block such access, ensuring that customer data remains under the exclusive control of the EU-based provider and its customers.

3. Prevention of Service Disruption or Degradation

Per Annex II 2.1(g)(iii), the provider must ensure that the "possibility of disruption of the service continuity and/or the degradation of the service quality by a third country or a legal entity established in a third country is prevented."

This criterion addresses operational resilience and continuity. It requires providers to prove that their services cannot be remotely turned off, throttled, or degraded by foreign actors. This protection is vital for public sector bodies and critical infrastructure operators who rely on cloud services for essential functions. It ensures that the EU is not vulnerable to external operational shocks, whether caused by malicious intent, political coercion, or commercial leverage.

4. Protection Against Unlawful Sanction Compulsion

Per Annex II 2.1(g)(iv), the provider must ensure that control is not exercised in a manner that "obliges the audited provider to implement, enforce, give effect to, or comply with restrictive measures such as sanction regimes, embargoes, or any equivalent legal or administrative measures adopted by a third country."

This safeguard protects EU entities from being forced to comply with foreign extraterritorial sanctions that conflict with EU law. However, the proposal includes a crucial exception: this obligation does not apply if such measures are "legitimate under the national laws of Member States or Union law." This ensures that the provider's primary legal allegiance regarding restrictive measures remains with the Union, preventing foreign sanctions from overriding EU legal frameworks.

Audit and Verification Mechanisms

Unlike Union assurance level 1, which relies on a self-assessment and an EU statement of conformity under Article 19, Union assurance level 2 mandates an independent third-party audit. Article 20 requires providers seeking level 2 recognition to undergo an audit to obtain an audit report and a "positive" audit opinion.

The auditing organization must assess compliance with all criteria in Annex II, including the third-country control safeguards. Annex III of CADA outlines the specific audit evidence required. For Audit Criterion G (Absence of third-country control or third-country entity control), auditors must:

  • Analyze ownership structures, corporate governance, and commercial links to determine if control exists.
  • If control is identified, verify that the specific safeguards in Annex II 2.1(g) are effectively implemented.
  • Review evidence such as cap tables, board minutes, shareholders' agreements, and technical controls.

The audit report must include a "positive" or "negative" opinion. A "positive" opinion is issued only if all evidence shows compliance with the audit criteria. If the auditing organization cannot reach a conclusion on specific aspects, it must explain why in the opinion. This rigorous verification process ensures that the safeguards are not merely theoretical but are operationally effective.

The Role of Article 18 (Third-Country Derogation)

It is important to distinguish the safeguards for Level 2 from the derogation mechanism for Level 3. Article 18 of CADA establishes a mechanism for the Commission to adopt implementing acts identifying specific third countries for which providers subject to their control may be audited against the criteria for Union assurance level 3.

This derogation is not available for Level 2. For Level 2, the provider must simply demonstrate that the four safeguards in Annex II 2.1(g) are met, regardless of the third country involved. The Article 18 mechanism is a separate, higher-level pathway that allows for Level 3 recognition in specific third countries that meet additional criteria (such as having an adequacy decision under the GDPR and no measures enabling control that conflicts with EU law).

What this means for you

For in-house counsel, compliance officers, and public sector buyers, the introduction of Union assurance level 2 creates a new compliance landscape for cloud providers with foreign ownership structures.

For Cloud Providers

If your organization is subject to third-country control and seeks to serve EU public sector bodies, you must:

  • Implement Robust Safeguards: Ensure that your legal, technical, and organizational measures effectively meet the four criteria in Annex II 2.1(g). This includes preventing data access, ensuring service continuity, and blocking unlawful sanction compulsion.
  • Prepare for Independent Audits: Unlike Level 1, you cannot self-certify. You must engage an independent auditing organization to verify your compliance. Be prepared to grant auditors access to all relevant data, premises, and governance documents (Article 20(2)).
  • Maintain Continuous Compliance: The audit is not a one-time event. Article 20(8) requires annual reviews. You must also notify auditors and competent authorities of any material changes that could affect your status (Article 23).

For Public Sector Buyers

If you are a contracting authority or public sector body:

  • Verify Recognition Status: Under Article 30(3), you must procure cloud services recognized as having Union assurance level 2, 3, or 4 for activities contributing to the preservation of public order. You cannot rely on a provider's self-declaration; you must verify their recognition status in the central repository established under Article 22.
  • Conduct Risk Assessments: Member States and Union entities must conduct risk assessments (Article 29) to determine which activities require which assurance levels. For many public sector activities, Level 2 may be the minimum viable option.
  • Check for Third-Country Control: If a provider is subject to third-country control, verify that they have successfully demonstrated compliance with the Annex II 2.1(g) safeguards. This is a prerequisite for their Level 2 recognition.

Penalties and Consequences

Non-compliance with CADA carries significant risks. Article 24 requires Member States to lay down rules on penalties for infringements, which must be "effective, proportionate and dissuasive." Factors considered include the nature, gravity, and duration of the infringement, as well as the financial benefits gained. Additionally, Article 24(3) grants recipients of cloud services the right to seek compensation for any damage or loss suffered due to a provider's infringement. This opens the door for civil liability claims if a provider fails to maintain the required safeguards.

Common misconceptions

"Self-assessment is sufficient for Level 2." Incorrect. Union assurance level 1 allows for self-assessment and an EU statement of conformity (Article 19). However, Union assurance level 2 mandates an independent third-party audit (Article 20). Providers cannot self-certify level 2 status.

"Third-country control automatically disqualifies a provider." Incorrect. CADA does not ban providers subject to third-country control from offering level 2 services. Instead, it imposes stricter conditions. If the provider can demonstrate that the four safeguards in Annex II 2.1(g) are effectively implemented, they can still achieve recognition. The key is proof of mitigation, not absence of control.

"GDPR compliance is enough to satisfy these safeguards." Incorrect. While GDPR protects personal data, CADA's sovereignty framework addresses broader operational and strategic risks, including non-personal data access, service disruption, and compulsion to comply with foreign sanctions. The safeguards in Annex II 2.1(g) are distinct and more stringent than standard data protection obligations.

"Level 2 is the highest level of assurance." Incorrect. CADA establishes four levels. Level 2 is an intermediate tier. Levels 3 and 4 impose even stricter requirements, such as Union citizenship for personnel (Annex II 3.1(d)) and higher cybersecurity certification standards. Level 2 is often the baseline for many public sector activities, but critical functions may require levels 3 or 4.

"The third-country derogation in Article 19 applies to Level 2." Incorrect. The derogation mechanism for third-country control is located in Article 18, which applies specifically to Union assurance level 3. Article 19 covers conformity self-assessment for Level 1. For Level 2, providers must meet the safeguards in Annex II 2.1(g) without needing a specific third-country derogation.

This is general information about a draft EU regulation, not legal advice.