Summary

As proposed in COM(2026) 502 final, the Cloud and AI Development Act (CADA) establishes Union Assurance Level 4 as the apex of the sovereignty framework, explicitly prohibiting any cloud computing service provider or subcontractor from being subject to the control of a third country or a legal entity established in a third country. This strict exclusion, codified in Annex II, Section 4.1(g), is deliberate: Level 4 is reserved exclusively for the most sovereignty-critical public sector workloads where operational autonomy and data confidentiality are paramount. Unlike Level 3, which permits a derogation if a third country meets specific adequacy and safeguard criteria under Article 18, Level 4 admits no such exceptions. This ensures absolute insulation from extraterritorial legal reach, service disruption risks, and foreign political leverage for the EU's most sensitive functions.

Detail

The CADA proposal introduces a harmonised Union cloud computing sovereignty framework comprising four Union Assurance Levels (UALs). These levels are designed to mitigate the risks associated with the EU's current dependence on non-European cloud providers, particularly regarding the extraterritorial application of third-country laws, potential service disruptions, and the loss of control over critical digital infrastructure. The framework is structured to be proportionate: lower levels address general public sector needs, while higher levels address activities critical to public order.

The Absolute Prohibition in Level 4

Union Assurance Level 4 represents the maximum standard of trust and sovereignty. It is intended for public sector activities identified through risk assessments as being of critical importance to public order, such as those involving national security, defence, justice, or the processing of highly sensitive classified information.

Under Annex II, Section 4.1(g), the criteria for Union Assurance Level 4 state unequivocally that the audited provider and the subcontractors involved in the provision of the audited service "are not subject to the control of a third country or a legal entity established in a third-country." This is a cumulative criterion; failure to meet it precludes recognition at Level 4 entirely.

The definition of "control" is broad, aligning with Article 2(21) of CADA, which references the definition in Article 2(6) of Regulation (EU) 2021/697. It encompasses not just direct ownership but also indirect influence through voting rights, board composition, commercial links, or financial dependencies that could allow a third country to exercise effective control over the provider's strategic decisions, infrastructure, or personnel. The text of Annex II 4.1(g) contains no qualifying language or "unless" clauses, establishing a hard floor for sovereignty at this tier.

Contrast with Level 3 and the Article 18 Derogation

A critical distinction between Level 3 and Level 4 lies in the treatment of third-country control. Annex II, Section 3.1(g) also generally prohibits third-country control for Level 3, but it explicitly includes a derogation mechanism. A provider subject to third-country control may still be audited for Level 3 if the Commission has adopted an implementing act under Article 18 identifying that third country as providing sufficient assurances.

Article 18 allows the Commission to designate third countries whose cloud computing service providers may be audited against Level 3 criteria, provided the country meets strict cumulative criteria. These include having an adequacy decision under the GDPR, no measures enabling control that conflicts with lawful access to non-personal data, and no measures to compel service disruption or degradation.

However, Article 18 does not apply to Union Assurance Level 4. The text of Annex II, Section 4.1(g) contains no derogation clause. This structural choice is intentional: it ensures that Level 4 services are entirely free from the risk of a third country exercising legal or operational leverage, regardless of any bilateral agreements, adequacy decisions, or political assurances. The rationale is that for the most critical public order activities, the EU requires absolute operational autonomy that cannot be contingent on the political or legal stability of a third jurisdiction. The risk of a third country changing its laws or imposing sanctions is deemed unacceptable at this level.

Subcontractor Chain Integrity

The prohibition extends to the entire supply chain. Annex II, Section 4.2 clarifies that subcontractors contributing to the provision and delivery of the cloud computing service, particularly those requiring access to classified or sensitive information, must also meet the Level 4 criteria. This means a Level 4 provider cannot outsource critical components of its service to a third-country-controlled entity, even if that entity is a subsidiary.

The provider must demonstrate effective legal, technical, and organisational separation between the Union parent company and any third-country subsidiary. Crucially, the subsidiary must have no access to systems processing customer data, no privileged accounts in Union production environments, and no authority to instruct Union operational staff. The audit evidence required under Annex III, Section 11 mandates verification that foreign government requests received by the subsidiary are formally redirected to the competent Union entity for legal assessment under Union law.

Audit and Evidence Requirements

To verify compliance with this exclusion, Article 20 mandates independent third-party audits for Levels 2, 3, and 4. For Level 4, auditing organisations must assess the "absence of third-country control" using the evidence criteria in Annex III, Section 7. This involves a deep dive into the provider's ownership structure, cap tables, corporate governance, and commercial and financial links.

The auditor must verify that no third-country entity holds more than 5% of capital or voting rights, and that no strategic decisions can be blocked or imposed by foreign shareholders. The audit must also assess "commercial links conferring control" and "financial links conferring control." If the auditor determines the provider is subject to third-country control, the audit opinion will be negative, and the service cannot be recognised as Level 4. This rigorous scrutiny ensures that the "control" prohibition is not merely formal but substantive.

What this means for you

For in-house counsel, compliance officers, and cloud computing service providers, particularly those with multinational structures, the Level 4 exclusion has significant operational and strategic implications.

Structural Separation is Non-Negotiable

If your organisation aims to offer services to EU public sector bodies at Level 4, you must ensure that neither your parent company nor any critical subcontractor is subject to third-country control. This may require complex corporate restructuring. For example, if a US-based parent company owns an EU subsidiary, the subsidiary may not qualify for Level 4 unless it can demonstrate absolute operational and legal independence, with the parent having no ability to influence strategic decisions, access data, or disrupt services. The "control" definition is broad enough to capture indirect influence, so mere formal separation may not suffice; you must demonstrate de facto autonomy.

No Reliance on Article 18 Derogations

Do not assume that an adequacy decision or a future Article 18 designation for your home country will allow your services to qualify for Level 4. Article 18 only facilitates access to Level 3. If your client's risk assessment under Article 29 determines that their workload requires Level 4 assurance (e.g., for defence, high-level national security, or processing of classified information), your service will be ineligible if any element of third-country control exists. You must design your Level 4 offering as a standalone, EU-controlled entity, potentially requiring a "clean room" structure with no third-country equity or board representation.

Audit Preparedness

Prepare for rigorous audits under Article 20. Auditors will scrutinise your entire ownership chain, board composition, and financial dependencies. Ensure your documentation clearly demonstrates the absence of third-country influence. This includes proving that third-country subsidiaries have no access to Union customer data, no privileged administrative accounts, and no authority to instruct Union staff. Failure to provide this evidence will result in a negative audit opinion, barring you from Level 4 recognition.

Procurement Implications

Public sector clients will conduct risk assessments under Article 29 to determine the required assurance level. For activities contributing to the preservation of public order in sectors like defence, justice, or national security, they may be mandated to procure only Level 2, 3, or 4 services. If Level 4 is required, your service must meet the strictest criteria. Ensure your marketing and technical documentation clearly articulates how your service meets the Level 4 criteria, particularly the absence of third-country control, to facilitate client compliance.

Common misconceptions

Misconception 1: Level 4 is just a "higher security" version of Level 3. While Level 4 does require higher cybersecurity certification (at least 'high' assurance under the EUCS scheme, per Annex II 4.1(e)), the defining feature is not just technical security but legal and operational sovereignty. The absolute ban on third-country control is a legal and structural requirement, not a technical one. A highly secure service controlled by a third country cannot be Level 4.

Misconception 2: An adequacy decision under the GDPR allows Level 4 compliance. An adequacy decision ensures data protection standards are met for personal data transfers, but it does not address operational autonomy or the risk of service disruption. CADA explicitly separates data protection from sovereignty. Even if your home country has an adequacy decision, your service cannot qualify for Level 4 if it is subject to third-country control. Article 18 derogations, which consider adequacy, do not apply to Level 4.

Misconception 3: Joint ventures with third-country entities can qualify for Level 4. Joint ventures are permissible only if the Union entity can demonstrate effective control and that the third-country partner has no ability to influence strategic decisions, access data, or disrupt services. In practice, this is extremely difficult to prove for Level 4, as the definition of control includes indirect influence. Most joint ventures with significant third-country equity or board representation will fail the Level 4 audit.

Misconception 4: Only the direct provider needs to be EU-controlled. The prohibition extends to all subcontractors involved in the provision of the service, especially those accessing sensitive information. If your Level 4 service relies on a third-country-controlled subcontractor for critical infrastructure or support, you will fail the Level 4 criteria. You must ensure your entire supply chain is insulated from third-country control.

This is general information about a draft EU regulation, not legal advice.