Summary
The proposed Cloud and AI Development Act (CADA) treats dependence on non-EU cloud providers as a strategic risk because it exposes the Union to critical vulnerabilities in data sovereignty, operational autonomy, and public order. As proposed, the legislation identifies this concentration of market power not merely as an economic inefficiency, but as a systemic threat enabling third-country misuse, unauthorized information access, and dependency vulnerabilities such as coercion and sanctions. To mitigate these, Article 29 mandates risk assessments for public-sector activities, while Recitals 46 and 50 explicitly define the threats of extraterritorial laws, service disruption, and economic leverage.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, is founded on the premise that the European Union's current reliance on a limited number of non-EU cloud computing service providers constitutes a systemic threat to its economic security, technological sovereignty, and resilience. The proposal explicitly frames this dependence as a strategic vulnerability requiring a coordinated Union-level response, distinct from general market competition issues.
The Nature of the Strategic Risk
According to Recital 46, the Union remains "critically dependent on a limited number of cloud computing service providers subject to the control of third countries or legal entities established in third-countries." This concentration creates a specific set of risks that the legislation seeks to address through a harmonised sovereignty framework. The recital outlines three primary categories of exposure:
- Vulnerabilities from Extraterritorial Laws: Providers controlled by third-country jurisdictions are subject to laws with extraterritorial effects. This includes legal mandates that may compel providers to grant authorities in their home countries access to data stored in the EU, or to transfer that data across borders. Such requirements can conflict with EU fundamental rights and data protection frameworks, such as the GDPR.
- Operational Disruption and Quality Degradation: The proposal highlights the risk of unilateral decisions by third-country actors that could disrupt service provision, degrade service quality, or limit access to state-of-the-art technologies. This operational discontinuity poses a direct threat to the continuity of essential services.
- Loss of Control and Oversight: Dependence reduces the Union's control and oversight over personal and non-personal data, as well as the underlying digital infrastructure. This lack of agency undermines the ability of public authorities to protect their own interests and those of EU citizens.
Categorizing the Threats: Misuse, Access, and Dependency
Recital 50 of the CADA proposal provides a detailed taxonomy of the risks associated with this dependence, categorizing them into three primary areas: misuse, access to information, and dependency vulnerabilities. Understanding these categories is essential for public-sector bodies when conducting the risk assessments required under Article 29.
1. Misuse
The proposal defines misuse as scenarios where third-country actors manipulate, remotely access, control, sabotage, or weaponize the cloud infrastructure. This includes the potential for unauthorized remote access to systems that manage critical public services, which could lead to operational paralysis or data corruption. The risk is not theoretical; it encompasses active interference where a third country could leverage its control over the provider to disrupt Union operations.
2. Access to Information
This category encompasses risks related to the unauthorized extraction or manipulation of data. Specific threats identified in Recital 50 include:
- Access to sensitive information: The risk that third-country actors could access sensitive information held by public authorities.
- Unauthorized communication: The establishment of communication channels that bypass EU security protocols.
- Technology leakage: The exfiltration of proprietary EU technologies or sensitive public data.
- Data manipulation or exfiltration: The alteration or theft of data for espionage purposes.
3. Dependency Vulnerabilities
Perhaps most critically, CADA identifies dependency vulnerabilities as a form of strategic leverage that third countries can exert over the EU. Recital 50 explicitly lists the following risks:
- Political and/or Economic Coercion: Third countries may use their control over critical cloud infrastructure to exert political pressure on the EU or individual Member States. This could involve threatening to cut off services to force policy changes.
- Vendor and Technology Lock-in: Deep integration with non-EU proprietary technologies can create significant switching costs and technical barriers, making it difficult for the EU to transition to sovereign alternatives without severe disruption. This lock-in effect reinforces the dependency.
- Sanctions and Embargoes: The risk that a third country could impose sanctions, embargoes, or other restrictive measures that deny EU public bodies access to essential cloud services, updates, or support.
- Monopoly Pricing: The potential for dominant non-EU providers to engage in monopoly pricing that damages the financial interests of the Union and its Member States.
The Legislative Response: Risk Assessments and Assurance Levels
To mitigate these risks, CADA introduces a "Union cloud computing sovereignty framework" comprising four "Union assurance levels" (detailed in Annex II). These levels provide a harmonized, auditable set of criteria for cloud services, ranging from basic conformity (Level 1) to high-security services free from third-country control (Level 4).
Article 29 mandates that Member States and Union entities conduct risk assessments to determine which public sector activities require which level of assurance. Specifically, Article 29(1) requires these assessments to:
- Identify public sector activities that use cloud computing services and contribute to the preservation of public order.
- Determine the appropriate Union assurance level (2, 3, or 4) for these activities.
The risk assessments must consider the sensitivity, criticality, and magnitude of the data processed, as well as the risk of unlawful access by third countries and the risk of service disruption (Article 29(2)). If a risk assessment determines that an activity has "public order relevance," Article 30 mandates that contracting authorities must only procure services recognized as offering Union assurance levels 2, 3, or 4. This effectively bars the use of non-EU providers that cannot meet these stringent sovereignty criteria for critical functions.
Furthermore, Article 29(9) encourages Member States and Union entities to consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement. This is designed to limit dependency on a single provider, thereby reducing the concentration risk and enhancing resilience against the coercion and disruption risks outlined in the recitals.
What this means for you
For public-sector procurement officers, legal teams, and IT strategists, CADA's treatment of non-EU dependence as a strategic risk translates into concrete operational changes:
- Mandatory Risk Assessments: You will be required to conduct formal risk assessments for all cloud computing services used by your authority. These assessments must explicitly evaluate the risks of third-country access, service disruption, and dependency vulnerabilities as defined in Recital 50. You cannot rely on standard vendor questionnaires; the assessment must address the specific threats of misuse, espionage, and coercion.
- Shift in Procurement Criteria: For activities deemed to have public order relevance, you will likely be prohibited from procuring services from non-EU providers that cannot achieve Union assurance levels 2, 3, or 4. This means moving away from purely price-based evaluations toward sovereignty and security-based criteria. The "lowest price" option may no longer be compliant if it fails the sovereignty test.
- Documentation and Auditability: You must document your risk assessment methodology and the rationale for selecting specific assurance levels. The Commission will provide guidance on this methodology, but your decisions must be defensible and consistent with the Union's sovereignty objectives. The assessment serves as the legal basis for your procurement decisions.
- Multi-Cloud Strategies: Consider adopting multi-cloud architectures to distribute risk. Article 29(9) explicitly encourages this approach to avoid over-reliance on a single provider, which is a key tactic for mitigating the coercion and lock-in risks identified in the proposal. A single-provider strategy may now be viewed as a strategic vulnerability.
Common misconceptions
"CADA bans all non-EU cloud providers." No. CADA does not ban non-EU providers outright. Article 18 allows for the recognition of third countries that meet specific safeguards (such as adequacy decisions and lack of coercive data access laws). Providers from these "associated third countries" may still qualify for Union assurance level 3. However, providers subject to extraterritorial laws that conflict with EU sovereignty goals will be excluded from higher assurance levels. The focus is on the control and legal environment of the provider, not just its nationality.
"This is just about data privacy." No. While data privacy is a component, CADA addresses broader sovereignty issues, including operational autonomy, supply chain resilience, and protection against economic coercion and sanctions. The GDPR addresses data protection; CADA addresses strategic dependence and public order. The risks of misuse (sabotage) and dependency vulnerabilities (coercion) go far beyond the scope of privacy regulations.
"Only national security agencies are affected." No. The risk assessments under Article 29 apply to all public sector bodies. While the highest assurance levels are reserved for critical functions (such as defence, justice, or law enforcement), even general public services must meet at least Union assurance level 1, which includes criteria on data localization and transparency regarding subcontractors. Any public body using cloud services must assess its exposure to third-country control.
"CADA replaces existing cybersecurity rules." No. CADA complements existing frameworks like NIS2 and the Cybersecurity Act. While NIS2 focuses on technical cybersecurity risk management, CADA addresses the sovereignty and control aspects that technical certification alone cannot resolve. As noted in the explanatory memorandum, certification under the Cybersecurity Act addresses technical criteria but is "not suited for addressing sovereignty concerns that go beyond these technical elements."
This is general information about a draft EU regulation, not legal advice.