Summary

Under the proposed Cloud and AI Development Act (CADA), Union assurance level 4 would offer the most robust protection against the extraterritorial reach of laws like the US CLOUD Act by prohibiting any third-country control over the provider and its subcontractors, with no derogation. Level 3 also requires freedom from third-country control, but includes a narrow derogation where the Commission has recognised an "associated third country" under Article 18. Levels 1 and 2 permit third-country control subject to safeguards, so they mitigate rather than remove exposure to foreign legal compulsion. CADA is a proposal and not yet in force.

Detail

The EU's dependence on non-European cloud providers exposes Union entities to extraterritorial legal reach, most prominently the US CLOUD Act. CADA would address this through a four-tier "Union cloud computing sovereignty framework" (Article 16). Which tier protects against the CLOUD Act turns on how each handles third-country control and data access.

The problem: extraterritorial reach

Recital 48 of the CADA proposal identifies the core vulnerability: "Cloud computing service providers have launched tailored versions of their service offerings in response to the Union's growing concerns over sovereignty. However, those versions do not address the core sovereignty issues allowing for the extraterritorial reach of third-country laws and the possible degradation or disruption of the service."

The US CLOUD Act (18 U.S.C. § 2713) requires a provider of electronic communication service or remote computing service subject to US jurisdiction to preserve, back up or disclose data "regardless of whether such communication, record, or other information is located within or outside of the United States." The trigger is US jurisdiction over the provider, not the physical location of the data. CADA's framework is designed to break this link at its upper tiers by ensuring that the entity controlling the infrastructure and data is not subject to such extraterritorial laws.

Union assurance level 4: no third-country control

Level 4 provides the strongest protection. Annex II, paragraph 4.1(g) requires that:

"the audited provider and the subcontractors which are involved in the provision of the audited service are not subject to the control of a third country or a legal entity established in a third-country."

This is cumulative with other criteria, including keeping customer data identified as sensitive exclusively within the Union (4.1(c)) and ensuring that technical and operational support is performed exclusively within the Union by personnel who are Union residents and by parties not subject to third-country control (4.1(h)). By requiring that neither the provider nor its subcontractors are controlled by a third country, level 4 removes the jurisdictional hook the CLOUD Act relies on: there is no US-controlled parent or subcontractor in the chain that can be ordered to produce data. One caveat for practitioners: because the CLOUD Act attaches to providers subject to US jurisdiction rather than to US-owned ones, the protection holds only if the level 4 provider also avoids being brought within US jurisdiction itself (for example through a US establishment), a question the control criterion alone does not settle.

Union assurance level 3: the derogation route

Level 3 also requires freedom from third-country control but admits one exception. Annex II, paragraph 3.1(g) states that providers and subcontractors must not be subject to third-country control, then adds:

"By way of derogation to this criterion, a cloud computing service provider and its subcontractors which are involved in the provision of the audited service that are subject to the control of a third country or a legal entity established in a third-country may be audited for Union assurance level 3 where the Commission has adopted an implementing act..."

The mechanism for that implementing act is Article 18 ("Associated third countries"). The Commission may identify third countries whose providers may be audited for level 3, but only where the country meets cumulative criteria, including that:

  1. it is subject to a relevant adequacy decision under Article 45 of the GDPR (Article 18(1)(a));
  2. it has no measures enabling it to exercise control over the provider in a way that would conflict with the lawful-access rules for non-personal data in Article 32(2) and (3) of the Data Act, Regulation (EU) 2023/2854 (Article 18(1)(b));
  3. it has no measures to compel the provider to degrade or disrupt service, or to enforce restrictive measures such as sanctions or embargoes unless legitimate under Member State or Union law (Article 18(1)(c)); and
  4. it grants equivalent access to its public-procurement procedures for Union providers (Article 18(1)(f)).

A country whose laws allow compelled access of the CLOUD Act kind would not, on the face of these criteria, qualify. So unless and until the Commission designates a specific third country, level 3 would in practice operate as a "no third-country control" tier, mirroring level 4's protection against the CLOUD Act. (This is an assessment of how the criteria would apply, not a designation the proposal itself makes.)

Levels 1 and 2: mitigation, not immunity

Levels 1 and 2 do not prohibit third-country control.

  • Level 1 (Annex II, 1.1(g)) requires that, where the provider is under third-country control, it guarantees there are no laws in that country requiring it to report software vulnerabilities to that country's authorities before they are known to have been exploited. This does not address data-access compulsion of the CLOUD Act kind.
  • Level 2 (Annex II, 2.1(g)) requires a third-country-controlled provider to implement legal, technical and organisational measures so that the foreign control cannot restrict the service, that third-country access to customer data is prevented, and that service disruption is prevented. These barriers do not, however, remove the provider's underlying legal obligation to comply with its home country's law: the provider remains under third-country control, so the extraterritorial reach of the CLOUD Act still applies in principle.

What this means for you

For in-house counsel and compliance officers, choosing the right Union assurance level is a strategic risk-mitigation exercise against foreign legal compulsion.

1. Procurement strategy for sensitive data

Where you process data sensitive to foreign legal access (personal data of EU citizens, trade secrets, or national-security-related information), consider specifying level 4 in your tender. Under Article 30(3), contracting authorities whose activities contribute to the preservation of public order must procure services recognised at levels 2, 3, or 4; for categorical exclusion of third-country control, however, level 4 is the only tier with no derogation.

2. Risk assessments under Article 29

Member States and Union entities must carry out risk assessments under Article 29 to set the appropriate level. The factors to consider include the risk and impact on public order of "unlawful access under Union law to such data by a third country" (Article 29(2)(b)) and of "possible service disruption" (Article 29(2)(c)). If your assessment concludes that CLOUD Act exposure is an unacceptable threat, you would specify level 4 (or level 3, where no Article 18 derogation applies to the relevant country).

3. Monitoring third-country recognition (Article 18)

Compliance teams should monitor the Commission's Article 18 decisions, which it must publish (Article 18(3)). If a country were recognised as an associated third country, providers controlled from it could be audited for level 3 despite being under that country's control, the Commission having found that the country meets the Article 18 criteria; the provider would still have to satisfy the remaining level 3 criteria. Until then, levels 3 and 4 would both effectively exclude third-country-controlled providers.

4. Penalties and enforcement

Providers that supply incorrect or misleading information risk revocation of recognition by the evaluating national competent authority (Article 17(11)). Member States must also lay down penalties for infringements that are "effective, proportionate and dissuasive" (Article 24). A provider claiming level 4 while secretly subject to third-country control would breach the Annex II criteria.

Common misconceptions

"Level 2 is sufficient because it requires technical measures to block third-country access." Level 2 requires measures to prevent access, but it explicitly allows the provider to remain under third-country control (Annex II, 2.1(g)). A provider subject to the CLOUD Act has a legal obligation to disclose; technical barriers may slow this but do not confer legal immunity. Only levels 3 and 4 remove the legal compulsion by excluding third-country control, level 3 subject to the Article 18 derogation.

"GDPR adequacy decisions protect against the CLOUD Act." Adequacy decisions and the EU-US Data Privacy Framework provide a basis for transferring personal data; they do not prevent US authorities from accessing data held by US-controlled companies under the CLOUD Act. Recital 48 notes that tailored "sovereign" editions do not address the core extraterritoriality problem.

"Level 3 and level 4 are identical." They are not. Level 4 has no derogation for third-country control. Level 3 admits the Article 18 associated-third-country derogation, under which a provider from a recognised country could reach level 3 while remaining subject to that country's laws.

This is general information about a draft EU regulation, not legal advice.