Summary

Under the proposed Cloud and AI Development Act (CADA), protection against foreign sanction compulsion is a mandatory criterion for Union Assurance Level 2 and Union Assurance Level 3. Specifically, Annex II 2.1(g)(iv) and 3.1(g)(iv) require providers subject to third-country control to demonstrate that they cannot be compelled to "implement, enforce, give effect to, or comply with restrictive measures such as sanction regimes, embargoes." Crucially, this prohibition includes an exception: it does not apply if the restrictive measure is "legitimate under the national laws of Member States or Union law." This ensures that EU providers can still comply with EU sanctions while blocking extraterritorial foreign pressures. Level 4 avoids this risk entirely by prohibiting third-country control, while Level 1 does not contain this specific sanction-compulsion clause.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a Union cloud computing sovereignty framework under Article 16. This framework defines four assurance levels to mitigate risks associated with dependence on non-European providers, particularly regarding extraterritorial legal pressures. A critical component of this framework is the explicit prohibition against being compelled by a third country to enforce foreign sanctions or embargoes.

This protection is not uniform across all levels; it is specifically codified in the criteria for Union Assurance Level 2 and Union Assurance Level 3 for providers that remain subject to third-country control.

The Specific Legal Text: Annex II 2.1(g)(iv) and 3.1(g)(iv)

The core protection is found in Annex II of the proposal, which details the cumulative criteria for each assurance level. The text is identical for both Level 2 and Level 3 regarding the issue of sanction compulsion.

For Union Assurance Level 2, Annex II 2.1(g) addresses providers subject to the control of a third country or a legal entity established in a third country. Sub-point (iv) mandates that such providers must demonstrate that the third-country control is not exercised in a manner that obliges them to:

"implement, enforce, give effect to, or comply with restrictive measures such as sanction regimes, embargoes, or any equivalent legal or administrative measures adopted by a third country, unless these specific measures are legitimate under the national laws of Member States or Union law."

For Union Assurance Level 3, the requirement is reiterated with identical wording in Annex II 3.1(g)(iv). This ensures that even at the higher tier of assurance, where personnel must be Union citizens and infrastructure must be strictly within the Union, the legal shield against foreign sanction compulsion remains a prerequisite for providers under foreign control.

The "Legitimate Law" Exception

A vital nuance in these provisions is the exception clause: "unless these specific measures are legitimate under the national laws of Member States or Union law."

This exception serves two purposes:

  1. Alignment with EU Law: It ensures that the CADA framework does not prevent EU providers from complying with sanctions legitimately adopted by the EU or its Member States. For instance, if the EU imposes sanctions on a specific entity, a cloud provider can legally comply with those sanctions without violating CADA.
  2. Blocking Extraterritoriality: The primary intent is to block extraterritorial foreign sanctions that conflict with EU law or that the EU has not adopted. If a third country attempts to force an EU provider to enforce a sanction regime that the EU has not recognized, the provider must demonstrate that they are legally or technically prevented from doing so.

Context: Third-Country Control and the Levels

The applicability of this rule depends on the provider's control structure:

  • Levels 2 and 3: These levels explicitly allow for providers to be subject to third-country control, provided they can prove they are insulated from compulsion. The criteria in Annex II 2.1(g) and 3.1(g) are the mechanism for this proof. Providers must implement "necessary legal, technical and organisational measures" to ensure that third-country control does not restrict their ability to deliver services or force compliance with foreign restrictive measures.
  • Level 4: Under Annex II 4.1(g), the requirement is stricter: the provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country. Because Level 4 prohibits third-country control entirely, the specific sanction-compulsion clause (which applies only if such control exists) becomes moot. The risk is mitigated by the absence of foreign control rather than by a contractual or technical shield against it.
  • Level 1: Annex II 1.1(g) contains a different requirement focused on vulnerability reporting (preventing third-country laws from forcing early disclosure of vulnerabilities). It does not contain the specific language regarding sanction regimes or embargoes found in Levels 2 and 3.

Verification and Audit

To achieve recognition at Level 2 or 3, providers must undergo independent third-party audits under Article 20. Auditing organisations will assess compliance with Annex II using evidence outlined in Annex III.

Specifically, auditors must examine:

  • Ownership and Control Structures: To determine if third-country entities hold strategic decision-making power (Annex III, Criterion G).
  • Legal and Technical Measures: Evidence that the provider has implemented measures to block foreign compulsion (Annex III, Criterion G, point 7.2).
  • Record Keeping: Providers must maintain records of any requests from third countries to access data or disrupt service, and demonstrate that such requests were refused if they conflict with EU law (Annex III, Criterion G, point 7.2(e)-(f)).

If an auditor cannot verify that the provider is effectively shielded from foreign sanction compulsion, they cannot issue a "positive" audit opinion, and the provider cannot be recognised at Level 2 or 3.

What this means for you

For legal counsel, compliance officers, and public procurement teams, the CADA proposal introduces a specific due diligence requirement regarding foreign sanction compulsion. You can no longer assume that a provider's standard terms of service or general cybersecurity certification is sufficient.

1. Procurement Obligations for Public Order Activities

Under Article 30(3), contracting authorities whose activities contribute to the preservation of public order (e.g., defence, justice, law enforcement, national security) must procure cloud services recognised at Union Assurance Level 2, 3, or 4.

  • Action: If your organisation procures cloud services for public-order-relevant activities, you must verify that the vendor holds a valid recognition at Level 2, 3, or 4.
  • Check: For Level 2 and 3 vendors, specifically request evidence of compliance with Annex II 2.1(g)(iv) or 3.1(g)(iv). Ask for the audit report section detailing how the provider prevents foreign sanction compulsion.

2. Vendor Due Diligence for Non-EU Hyperscalers

Many major cloud providers are subject to the laws of third countries (e.g., the US CLOUD Act). Under CADA, these providers can still serve the EU public sector at Level 2 or 3, but only if they can prove they are not compelled to enforce foreign sanctions.

  • Action: Do not rely on general "sovereign cloud" marketing claims. Demand the specific audit opinion confirming that the provider has implemented measures to block foreign sanction compulsion.
  • Risk: If a provider cannot demonstrate this, they cannot be recognised at Level 2 or 3. If you are a public body requiring Level 2+, you cannot legally procure from them for public-order activities.

3. Understanding the Exception

When reviewing vendor contracts or audit reports, be aware of the "legitimate law" exception.

  • Clarification: A provider is not in breach of CADA if they comply with a sanction that is "legitimate under the national laws of Member States or Union law."
  • Implication: This exception protects the integrity of EU sanctions policy. It does not, however, protect the provider from being compelled to enforce a foreign sanction that the EU has not adopted.

4. Transition and Migration

If your current provider fails to meet the Level 2 or 3 criteria regarding sanction compulsion, you may face a migration requirement.

  • Timeline: Under Article 29(6), if a risk assessment determines that a migration is necessary, the Member State or Union entity must migrate within a "reasonable transition period that shall not exceed 12 months."
  • Planning: Begin assessing your current providers' ability to meet Annex II 2.1(g)(iv) and 3.1(g)(iv) immediately to avoid last-minute migration costs.

5. Penalties and Liability

While Article 24 focuses on penalties for providers, public bodies face indirect risks. Procuring a non-compliant service for a public-order activity could lead to administrative scrutiny or the need to bear the costs of emergency migration. Furthermore, Article 24(3) grants recipients the right to seek compensation for damage caused by a provider's infringement of these obligations.

Common misconceptions

Misconception 1: "Level 4 is the only tier that blocks foreign sanctions." Incorrect. While Level 4 avoids the issue by banning third-country control entirely, Level 2 and Level 3 explicitly include the sanction-compulsion prohibition in their criteria (Annex II 2.1(g)(iv) and 3.1(g)(iv)). Providers under foreign control can still qualify at these levels if they prove they are shielded from compulsion.

Misconception 2: "The rule bans all foreign sanctions." Incorrect. The rule includes a critical exception: it only bans compulsion to comply with restrictive measures that are not "legitimate under the national laws of Member States or Union law." This means providers can still comply with EU sanctions.

Misconception 3: "Level 1 offers the same protection." Incorrect. Annex II 1.1(g) for Level 1 focuses on vulnerability reporting and does not contain the specific language regarding sanction regimes, embargoes, or restrictive measures found in Levels 2 and 3.

Misconception 4: "Cybersecurity certification (EUCS) covers this." Incorrect. Article 16 and Annex II treat cybersecurity certification (e.g., "substantial" or "high" assurance under the Cybersecurity Act) as a separate requirement (see Annex II 2.1(e) and 3.1(e)). A provider can be cyber-secure but still legally compelled by their home country to enforce foreign embargoes. CADA addresses this specific legal sovereignty gap.

Misconception 5: "This only applies to US providers." Incorrect. The criteria apply to any provider subject to the control of any third country or legal entity established in a third country, regardless of jurisdiction.

This is general information about a draft EU regulation, not legal advice.