Summary
Yes. Under the proposed Cloud and AI Development Act (CADA), a risk assessment can conclude that an activity needs a lower assurance level, including the baseline Level 1, if the activity is not deemed critical to public order. Article 29(1) requires Member States and Union entities to identify the public sector activities that use cloud computing services, and Article 29(1)(b) requires them to determine which of Union assurance levels 2, 3 or 4 is appropriate for the activities so identified; activities not identified as contributing to the preservation of public order default to Level 1 under Article 30(2). Consequently, if an activity's public-order relevance is assessed as low from the outset, or falls at a later re-assessment, the procurement requirements can stay at or be brought down to the minimum standard, avoiding the stricter criteria of Levels 2, 3 or 4. This mechanism keeps the sovereignty framework proportional to the actual risk.
Detail
The CADA establishes a tiered sovereignty framework designed to protect public order while maintaining proportionality. A core mechanism for this is the risk assessment mandated by Article 29. This assessment is not a static formality; it is a dynamic tool that dictates the level of trust required for cloud computing services used by public sector bodies. The framework explicitly acknowledges that a "one-size-fits-all" approach to sovereignty would be inefficient and disproportionate.
The Role of Article 29(1)(b)
Article 29(1) obliges Member States and Union entities to carry out risk assessments to identify public sector activities that use cloud computing services. Specifically, Article 29(1)(b) states that these assessments must "determine which Union assurance level 2, 3, or 4 set out in Annex II of this Regulation is appropriate for the identified public sector activities."
This provision is critical because it places the onus on the public authority to justify why a higher assurance level is needed. The framework is designed so that the highest levels of assurance (Levels 3 and 4) are reserved for activities where the preservation of public order is at stake, such as national security, defense, or critical infrastructure. If the risk assessment concludes that an activity does not contribute to the preservation of public order in these sensitive sectors, it does not trigger the requirement for Levels 2, 3, or 4. Instead, the activity falls back to the general baseline.
Proportionality and the Level 1 Baseline
The principle of proportionality is central to the CADA's design. Recital 52 explicitly states: "Most public services would not require the highest levels of assurance. In some specific cases Union assurance levels 3 or 4 may be considered necessary and proportionate in preserving public order."
This recital clarifies that the default expectation for the vast majority of public sector cloud usage is Union assurance level 1. Level 1 is the baseline requirement for any public sector body whose activities have not been identified as contributing to the preservation of public order under the Article 29 risk assessment (as per Article 30(2)). Therefore, a "lowering" of the assurance level often means confirming that an activity remains at Level 1, rather than escalating to the more burdensome and restrictive Levels 2, 3, or 4.
The logic is straightforward: if a risk assessment determines that an activity does not pose a risk to public order, the strict criteria for Levels 2 to 4 (such as mandatory Union citizenship for personnel or strict prohibitions on third-country control) are not legally required. The procurement authority is then free to procure services meeting only the Level 1 criteria, which are less restrictive regarding establishment and infrastructure location, provided the public body does not explicitly require otherwise.
Dynamic Re-assessment and Downgrading
Risk assessments under CADA are not one-off events. Article 29(1) requires these assessments to be carried out "by [date of entry into force plus 1 year], and thereafter every two years, or whenever necessary." This periodic and event-driven re-evaluation allows for the downgrading of assurance levels.
If a public sector activity changes in nature, scope, or sensitivity such that it no longer poses a risk to public order, the subsequent risk assessment can determine that a lower assurance level is appropriate. For example, if a service previously handled sensitive law enforcement data (potentially requiring Level 3 or 4) is migrated to a non-sensitive administrative function, the risk assessment can downgrade the requirement to Level 1 or Level 2, depending on the residual risk. This flexibility ensures that public authorities are not locked into overly restrictive procurement criteria for services that no longer justify them.
The phrase "whenever necessary" in Article 29(1) is particularly significant. It implies that if a Member State or Union entity identifies a change in circumstances (such as a reduction in the sensitivity of data processed, or a shift in the operational context), it is not required to wait for the biennial cycle to update its assessment. It can trigger an immediate re-assessment to lower the assurance level, thereby unlocking a broader market of potential providers and potentially reducing costs.
Commission Oversight and Guidance
While Member States have discretion in their risk assessments, the Commission retains oversight to ensure consistency. Article 29(5) allows the Commission to adopt implementing acts specifying the Union assurance levels needed for a public sector activity if it concludes that a Member State's assessment is inappropriate or does not adequately address public order concerns. However, this mechanism is primarily designed to raise standards where they are too low, rather than to prevent a legitimate downgrade. The Commission also provides guidance on the methodology for these assessments (Article 29(3)), helping authorities correctly map activities to the appropriate assurance levels and avoid unnecessary escalation.
The guidance is intended to ensure that the determination of "public order relevance" is consistent across the Union, preventing a situation where an activity is deemed low-risk in one Member State but high-risk in another without justification. However, within the bounds of this guidance, Member States retain the authority to conclude that a lower assurance level is sufficient.
What this means for you
For public-sector and procurement officers, understanding that CADA risk assessments can lower assurance levels is vital for efficient procurement and budget management.
- Avoid Over-Procurement: Do not assume that all cloud services require high-assurance levels (2, 3, or 4). Start with the presumption that Level 1 is sufficient, as reinforced by Recital 52. Only escalate to higher levels if your risk assessment explicitly identifies a public-order risk. Over-classifying activities as "public order relevant" can unnecessarily restrict the pool of eligible providers.
- Document the Justification: When conducting your Article 29 risk assessment, clearly document why an activity does not require a higher assurance level. This documentation protects you during audits and demonstrates compliance with the proportionality principle. Explicitly state that the activity does not fall under the sectors listed in Article 29(1)(a) (e.g., national security, defense, law enforcement) or that the data sensitivity is low.
- Review Periodically: Use the two-year review cycle (or "whenever necessary" triggers) to re-evaluate your cloud services. If an activity's sensitivity has decreased, formally downgrade its required assurance level in your procurement specifications. This can open up a wider market of providers, potentially reducing costs and improving service options.
- Align with National Strategies: Ensure your local risk assessments are consistent with your Member State's national cloud and AI strategy, which must align with CADA objectives. This consistency helps streamline compliance and reduces the risk of conflicting requirements.
Common misconceptions
Misconception 1: Higher assurance is always safer. While higher assurance levels offer more robust sovereignty guarantees, they are not always necessary. Applying Level 3 or 4 to a non-critical activity is disproportionate and may limit competition without adding meaningful security or sovereignty benefits. CADA emphasizes that most public services only need Level 1.
Misconception 2: Risk assessments are static. Some believe that once a service is classified at a certain assurance level, it remains there indefinitely. However, Article 29 mandates regular re-assessments. If the nature of the data or the activity changes, the required assurance level can and should be adjusted accordingly, including downgrades.
Misconception 3: The Commission sets the level for every activity. The Commission provides guidance and can intervene if a Member State's assessment is inadequate, but the primary responsibility for determining the appropriate assurance level lies with the Member States and Union entities through their own risk assessments. You have the discretion to determine that a lower level is appropriate, provided it is justified by the risk profile.
Related
- Can a contracting authority skip the assurance level required by a CADA risk assessment?
- Can a CADA risk assessment require a higher assurance level over time?
- How does a CADA risk assessment determine the required Union assurance level?
- Can the Commission override a Member State's CADA risk assessment conclusion?
- Why is the CADA risk assessment described as a risk-based and context-specific approach?
This is general information about a draft EU regulation, not legal advice.