Summary
Yes, under the proposed Cloud and AI Development Act (CADA), a risk assessment can require a higher assurance level over time. As proposed in Article 29(1), Member States and Union entities must conduct these risk assessments at least every two years, or whenever necessary. If a reassessment determines that a public sector activity presents a greater risk to public order, the required Union assurance level may be raised. This triggers a mandatory migration obligation under Article 29(6) to move to a more sovereign cloud service within a reasonable transition period that shall not exceed 12 months.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a dynamic framework for cloud sovereignty designed to adapt to evolving security landscapes, geopolitical shifts, and operational needs. A core component of this framework is the risk assessment mechanism, which dictates which level of sovereign cloud computing services public sector bodies must use. Unlike a static "set and forget" approach, CADA explicitly allows, and in fact mandates, regular reviews that can result in an increase in the required assurance level.
The Obligation for Regular Re-assessment
Under Article 29(1) of the proposal, Member States and Union entities are obligated to carry out risk assessments "by [date of entry into force plus 1 year], and thereafter every two years, or whenever necessary." This biennial cycle ensures that the classification of public sector activities is not permanent. The assessment identifies which activities contribute to the preservation of public order (such as those in national security, defence, justice, or the critical infrastructure sectors covered by Annex I or II of the NIS2 Directive) and determines the appropriate Union assurance level (Level 2, 3, or 4) for those activities.
Because the threat landscape, technological dependencies, and the sensitivity of processed data can change, the "whenever necessary" clause allows for ad-hoc reassessments outside the two-year cycle. For example, if a new geopolitical threat emerges, if a third-country law changes to allow broader data access, or if the nature of the data processed by a specific cloud service becomes more sensitive, a reassessment may be triggered immediately.
Escalating the Assurance Level
If a reassessment concludes that the current level of assurance is no longer sufficient to protect public order, the required Union assurance level can be raised. For instance, an activity previously deemed suitable for Union Assurance Level 2 might be reclassified to require Level 3 or 4 if the risk assessment identifies new risks of unlawful third-country access to the data, of third-country control over the provider, or of service disruption.
This escalation is driven by the specific criteria in Article 29(2), which requires assessors to consider at least the following aspects:
- The sensitivity, criticality, and magnitude of the non-personal data processed, including the potential impact on public order and the nature, scope, context and purpose of processing of personal data.
- The risk and consequent impact on public order of unlawful access under Union law to such data by a third country or a legal entity established in a third country.
- The risk and consequent impact on public order of possible service disruption.
If these factors indicate a heightened risk, the assessment must reflect a higher assurance tier. The Commission also retains oversight powers under Article 29(5); if it concludes that a Member State's identified assurance level is not appropriate or does not adequately address public order concerns, it may adopt implementing acts to specify the correct Union assurance levels needed for the activity. This ensures a harmonised approach across the Union, preventing Member States from underestimating risks.
The Migration Obligation
A change in the required assurance level is not merely a theoretical classification; it carries binding operational consequences. Article 29(6) explicitly addresses the scenario where a risk assessment requires a change in the cloud computing service provider. It states: "Where the risk assessment requires the migration to another cloud computing service, the Member State or Union entity shall migrate within a reasonable transition period that shall not exceed 12 months, taking into account technical feasibility, continuity of service and data portability requirements applicable to such migration."
This means that if a reassessment raises the bar from Level 2 to Level 3, the public sector body is legally obligated to migrate its workloads to a service provider recognised at Level 3. The 12-month deadline provides a structured timeframe for this transition, balancing the urgency of security needs with the practical realities of IT migration. The quoted provision ties the length of the transition period to technical feasibility, continuity of service and data portability; it makes no reference to the remaining term of existing contracts, so public sector bodies should plan on the basis that the statutory deadline, not the contract end date, governs when the migration must be complete.
Procurement Implications
These assessments directly feed into procurement rules under Article 30. If a risk assessment identifies an activity as contributing to public order, the contracting authority must procure services recognised at Level 2, 3, or 4. If the reassessment raises the required level, future procurement tenders must reflect this higher standard. Furthermore, existing contracts may need to be renegotiated or terminated in favour of more sovereign providers to meet the new assurance requirements. The dynamic nature of the assessment ensures that public procurement remains aligned with the current risk profile of the Union's public order.
What this means for you
For public-sector procurement officers, IT decision-makers, and legal counsel, the dynamic nature of CADA risk assessments means that cloud strategy must be agile and forward-looking. You cannot assume that a current cloud contract will remain compliant indefinitely.
- Plan for Periodic Reviews: Integrate the biennial risk assessment cycle into your IT governance calendar. Ensure that your legal, security, and procurement teams collaborate to review the sensitivity of data and the criticality of services every two years. Do not treat the initial assessment as a one-off compliance task.
- Prepare for Migration: When selecting a current cloud provider, consider the ease of exit. If a reassessment raises your required assurance level, you may need to migrate within 12 months. Choose providers that offer robust data portability tools, clear exit clauses, and interoperability standards to facilitate this transition.
- Monitor for "Whenever Necessary" Triggers: Stay alert to changes in the threat landscape or data sensitivity. If a service begins processing more critical data, or if a new threat vector emerges (such as a change in third-country legislation), be prepared to trigger an ad-hoc reassessment immediately rather than waiting for the biennial cycle.
- Budget for Sovereignty Upgrades: Higher assurance levels (3 and 4) often come with higher costs due to stricter infrastructure, personnel (Union citizenship), and cybersecurity certification requirements. Ensure your budgeting processes account for potential upgrades in assurance levels over the lifecycle of your cloud services.
- Engage Early with Competent Authorities: If you anticipate a need to raise an assurance level, engage with your national competent authority early. They can provide guidance on the specific criteria for higher levels and help streamline the migration process to ensure the 12-month deadline is met without service disruption.
Common misconceptions
Misconception 1: Risk assessments are one-time events. Many assume that once a cloud service is classified, it remains so for the duration of the contract. CADA explicitly rejects this, mandating reviews every two years and allowing for ad-hoc reassessments. The required assurance level is a living classification, not a permanent label.
Misconception 2: Raising an assurance level is optional. Some believe that if a reassessment suggests a higher level, the public sector body can choose to ignore it if the current service is performing well. Under CADA, the risk assessment determines the legal requirement. If the assessment concludes that a higher level is needed to protect public order, the migration is mandatory under Article 29(6).
Misconception 3: Migration can take as long as needed. While the 12-month deadline takes technical feasibility into account, it is a strict outer limit. Organisations cannot use technical complexity as an indefinite excuse to delay migration. Planning must begin immediately upon the conclusion of the reassessment to ensure the transition is completed within the statutory timeframe.
Misconception 4: Only national security services are affected. While national security and defence are high-priority areas, the risk assessment applies to any public sector activity contributing to public order, including healthcare, education, and critical infrastructure. Any of these sectors could see a rise in required assurance levels if data sensitivity or threat profiles change.
Related
- Can a contracting authority skip the assurance level required by a CADA risk assessment?
- Can a CADA risk assessment lower the assurance level for an activity?
- How does a CADA risk assessment determine the required Union assurance level?
- Does the CADA methodology require the highest assurance level for defence?
- Can the Commission override a Member State's CADA risk assessment conclusion?
This is general information about a draft EU regulation, not legal advice.