Summary

The European Commission publishes the official list of "associated third countries" on its website, as mandated by Article 18(3) of the proposed Cloud and AI Development Act (CADA). This dynamic register identifies non-EU nations whose cloud providers may be audited for Union assurance level 3 despite third-country control. Crucially, the list includes both countries that currently meet the strict safeguards and those that no longer fulfil the requirements, ensuring public-sector procurers have real-time visibility into eligibility changes.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a nuanced framework for cloud sovereignty. While the general rule for higher assurance levels (3 and 4) is that providers must not be subject to third-country control, Article 18 introduces a specific derogation. This allows cloud computing service providers controlled by a third country to be audited for Union assurance level 3, provided that the third country itself has implemented specific safeguards. These safeguards must ensure there is no risk of unauthorised access to Union data or disruption of service quality.

To operationalise this, the Commission must identify which third countries qualify. This identification is not a one-time legislative act but an ongoing administrative process managed through a public register.

The Legal Basis: Article 18

Article 18(1) empowers the Commission to adopt implementing acts identifying third countries that meet a cumulative set of criteria. These criteria include:

  • The existence of a relevant adequacy decision under Article 45 of the GDPR (Regulation (EU) 2016/679).
  • The absence of measures enabling the third country to exercise control over the provider in a way that conflicts with EU data access laws.
  • The absence of measures compelling the provider to degrade service continuity or comply with restrictive measures (e.g., sanctions) unless legitimate under EU law.
  • The maintenance of an open market for Union cloud services and equivalent access to public procurement for EU entities.

However, the legal text does not list these countries in an annex. Instead, it mandates a specific publication mechanism to ensure transparency and legal certainty for market participants.

Where the List is Published

Article 18(3) of the proposal explicitly states:

"The Commission shall publish on its website a list of third countries that fulfil the requirements under paragraph 1 and those that no longer do so."

This provision confirms that the authoritative source for this information is the European Commission's official website. The list is not a static document attached to the regulation but a living register that the Commission is legally obliged to update.

What the List Contains

The list serves a dual purpose, reflecting the dynamic nature of international legal and political landscapes:

  1. Countries that Fulfil Requirements: This section lists third countries where the Commission has determined, via implementing act, that the cumulative criteria of Article 18(1) are met. Cloud providers subject to the control of these countries are eligible to undergo the independent audit process for Union assurance level 3.
  2. Countries that No Longer Fulfil Requirements: As explicitly required by Article 18(3), the list must also include countries that have lost their status. Under Article 18(2), if available information reveals that a third country no longer meets the requirements (e.g., due to new legislation allowing broader government data access), the Commission must repeal, amend, or suspend the decision. The website list must reflect this change immediately.

This inclusion of "disqualified" countries is a critical transparency feature. It prevents public-sector bodies from relying on outdated information and ensures that the risk assessment process (required under Article 29) is based on current facts.

Maintenance and Updates

The status of an associated third country is conditional. The Commission monitors the situation continuously. If a country's legal framework changes such that it no longer guarantees the necessary safeguards, the Commission is required to act. The website list acts as the single source of truth for this status.

For cloud providers, this means that eligibility for the level 3 derogation is not permanent. A provider that was eligible yesterday may become ineligible tomorrow if their country is removed from the "fulfil" list and added to the "no longer fulfil" list. For public procurers, this necessitates a proactive monitoring strategy rather than a one-off check at the start of a procurement procedure.

What this means for you

For public-sector procurement officers, IT directors, and compliance teams, the publication mechanism of Article 18(3) has direct operational consequences for your cloud strategy, particularly when aiming for Union assurance level 3.

1. Mandatory Verification Before Procurement

Before engaging a cloud provider that is subject to third-country control, you must verify the country's status on the Commission's website.

  • If the country is listed as "fulfilling requirements": The provider is eligible to be audited for level 3. You can proceed to request their audit report and recognition decision.
  • If the country is listed as "no longer fulfilling requirements" or is absent: The provider cannot qualify for the level 3 derogation. You must either procure a provider not subject to third-country control (to meet level 3) or downgrade your requirement to level 1 or 2 if your risk assessment permits.

2. Dynamic Risk Management

CADA requires Member States and Union entities to conduct risk assessments to determine the appropriate assurance level for their activities (Article 29). If your assessment dictates that a specific activity (e.g., law enforcement or critical infrastructure) requires level 3, you are legally bound to procure only services meeting that level. Because the list is dynamic, a country that was compliant at the time of your risk assessment might be disqualified later. You should establish a periodic review mechanism to check the Commission's website, ensuring that your long-term contracts do not inadvertently rely on a provider whose country has lost its status.

3. Migration Planning and Transition

If a country is moved to the "no longer fulfil" list, existing contracts with providers from that jurisdiction may face compliance gaps. While Article 29(6) allows for a reasonable transition period (not exceeding 12 months) for migrations required by risk assessments, early detection is vital. Monitoring the Commission's website allows you to anticipate disqualifications and initiate migration to sovereign or level 1/2 providers before a sudden regulatory breach occurs.

4. Audit and Accountability

In the event of an audit or legal challenge regarding your procurement choices, relying on the Commission's published list is your primary defence. It demonstrates that you exercised due diligence by consulting the official EU register. Relying on internal notes, third-party reports, or outdated news articles would not satisfy the transparency and compliance standards expected under CADA.

Common misconceptions

Misconception 1: The list is a static annex in the regulation. Many assume the list of associated third countries is fixed in the text of CADA. In reality, Article 18(3) mandates a dynamic list published on the Commission's website. The regulation sets the criteria, but the Commission manages the list.

Misconception 2: Only "approved" countries are listed. It is a common error to assume the website only lists countries that are currently qualified. Article 18(3) explicitly requires the publication of countries that no longer fulfil the requirements. This "negative list" is essential for risk management, alerting procurers to immediate disqualifications.

Misconception 3: Being on the list guarantees certification. Inclusion on the list means a country is eligible for the derogation. It does not mean every provider from that country is automatically certified. Providers must still undergo the independent third-party audit process under Article 20 and obtain a positive audit opinion to be recognised as offering Union assurance level 3.

Misconception 4: This status applies to all assurance levels. The associated third country derogation applies only to Union assurance level 3. It does not apply to level 4, which generally requires that the provider and subcontractors are not subject to third-country control. It also does not replace the requirements for level 1 or 2, which have their own distinct criteria regarding infrastructure and personnel.

This is general information about a draft EU regulation, not legal advice.