TL;DR
FISA Section 702 worries European regulators because it lets US intelligence agencies compel US providers to hand over the communications of non-US persons abroad without individualised warrants — a bulk-surveillance risk the CJEU found incompatible with EU fundamental rights in Schrems II, which invalidated the EU–US Privacy Shield. The proposed Cloud and AI Development Act (CADA) responds not with new transfer mechanisms but with a structural "Union cloud computing sovereignty framework" (Article 16). Its higher assurance levels would require that the provider and its subcontractors are not subject to third-country control, and would be tied to mandatory public-sector procurement rules (Articles 29–30) — pressing providers to insulate EU public-sector data from extraterritorial reach.
Detail
Section 702 of the US Foreign Intelligence Surveillance Act (FISA) authorises the US government to compel electronic communication service providers to disclose the content and records of non-US persons located outside the US. Unlike traditional warrants requiring individualised suspicion and judicial approval, FISA 702 permits collection under targeting procedures for foreign-intelligence purposes. For European regulators this creates a systemic concern: personal data held by US-controlled providers may be accessed in ways not limited to what is strictly necessary and proportionate, and without effective judicial redress for EU data subjects.
This tension was central to the CJEU's Schrems II judgment (Case C-311/18). The Court found that US surveillance, including under FISA 702, interfered with the rights to privacy and data protection in the EU Charter, and that the redress available to EU data subjects under US law did not meet EU standards. The EU–US Privacy Shield was invalidated as a result.
The proposed CADA addresses these concerns structurally rather than through transfer law. It would establish a harmonised "Union cloud computing sovereignty framework" of four Union assurance levels (Article 16). The proposal's recitals explain the underlying worry: recital 46 identifies "vulnerabilities arising from the extraterritorial application of third-country laws," reduced control over data, and the risk of "undue economic or political influence." Recital 50 elaborates the specific risks of dependence on third-country-controlled providers, including "access to sensitive information, unauthorised communication, technology leakage, data manipulation or exfiltration, espionage," as well as "misuse" such as remote access and sabotage.
Under Article 16, providers seeking to serve Union entities and public sector bodies must meet criteria set out in Annex II. The higher levels target third-country interference directly. For Union assurance level 3 (Annex II, Section 3), the provider and the subcontractors involved in the service must not be subject to the control of a third country or a legal entity established in a third country — with a narrow derogation, available only where the Commission has recognised an "associated third country" (Article 18), under which a controlled provider must still demonstrate that the foreign control cannot enable access to customer data, disrupt service continuity, or compel sanction enforcement, and must allow reasonable access to code. For Union assurance level 4 (Annex II, Section 4) there is no such derogation: the provider and its subcontractors must not be subject to third-country control at all. Levels 3 and 4 also require that personnel involved in the service are Union citizens, and that data generated by using the service is not used to train or fine-tune any AI system operated by a third country and is not transferred outside the Union. Separately, every level (including level 1, Annex II, Section 1(g)) requires, where a provider is under third-country control, a guarantee that no laws or practices in that third country require reporting of software vulnerabilities to its authorities before those vulnerabilities are known to have been exploited.
CADA also targets US-style data-access laws through its recognition of associated third countries (Article 18). The Commission may identify a third country as one whose controlled providers may be audited for level 3 only if cumulative criteria are met — including a relevant adequacy decision under Article 45 GDPR, and the absence of measures that would let the country compel a provider to disrupt or degrade service, enforce sanctions, or access non-personal data in conflict with Article 32(2)–(3) of the Data Act (Regulation (EU) 2023/2854). This directly engages the legal uncertainty created by FISA 702 and the US CLOUD Act, which can compel US companies to produce data held anywhere.
The framework is tied to procurement. Under Article 30(3), contracting authorities whose activities have been identified — through the Article 29 risk assessment — as contributing to the preservation of public order must procure only services recognised at levels 2, 3 or 4. As proposed, this creates a strong incentive for providers to restructure so that EU public-sector data is insulated from extraterritorial surveillance demands.
What this means for you
For in-house counsel and compliance officers, CADA would shift the focus from managing transfer clauses to managing structural sovereignty risk.
- Conduct a sovereignty risk assessment. Evaluate your corporate structure and legal exposures. If your company is controlled by a US entity, achieving levels 3 or 4 would require demonstrating that US authorities cannot compel access to EU-hosted data — potentially through separate entities, technical barriers and governance changes.
- Prepare for independent audits. For levels 2, 3 and 4, you would undergo independent third-party audits (Article 20), which would scrutinise establishment, data localisation, personnel, third-country control, and software supply chain (including a complete SBOM and controls to block remote features that could tamper with or disrupt the service).
- Update public-sector contracts. Public-sector clients would increasingly require proof of recognition; failure to obtain it could cost contracts where Article 30(3) applies.
- Monitor Commission decisions on third countries. Whether and how the US is recognised under Article 18 would directly affect US-controlled providers' eligibility for level 3.
- Plan for penalties and liability. Under Article 24, Member States must lay down effective, proportionate and dissuasive penalties for infringements of the sovereignty chapter, and recipients of services would have a right to seek compensation from providers for damage caused by such infringements.
Common misconceptions
- Misconception: CADA is just another data-transfer tool.
- Reality: It is not a transfer mechanism like the EU–US Data Privacy Framework. As proposed, it regulates providers and infrastructure to prevent third-country access at the source.
- Misconception: Only US companies are affected.
- Reality: While US hyperscalers are a primary focus, the framework applies to any provider subject to the control of a third country whose laws could allow unauthorised access to EU data.
- Misconception: Compliance is a one-time certification.
- Reality: Recognition requires ongoing compliance. For levels 2–4 the audit report and positive opinion must be submitted for review annually (Article 20(8)), providers must report material changes (Article 23), and the Commission must review Annexes II and III at least every 18 months (Article 16(3)).
- Misconception: The EU–US Data Privacy Framework solves FISA 702 concerns.
- Reality: The Explanatory Memorandum states that while the Data Privacy Framework addresses transatlantic transfers, it "does not remove sovereignty concerns about dependence on third-country providers," because sovereignty also relates to operational autonomy. CADA is presented as complementing it.
This is general information about a draft EU regulation, not legal advice.