Summary

Yes, under the proposed Cloud and AI Development Act (CADA), Member States and Union entities are explicitly permitted to carry out joint risk assessments. Article 29(1) states that where responsibilities for public sector activities are shared, these entities "shall, where appropriate, consider carrying out the relevant risk assessment or assessments jointly." This provision is designed to streamline compliance, avoid duplicative administrative burdens, and ensure consistent sovereignty standards across shared public order activities.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a Union cloud computing sovereignty framework comprising four assurance levels. A critical prerequisite for applying this framework is the obligation for public bodies to assess the risks associated with their use of cloud services to determine the appropriate level of assurance required. This process is governed primarily by Article 29 of the proposal.

The Legal Basis for Joint Assessments

Article 29 mandates that Member States and Union entities must carry out risk assessments to identify public sector activities that contribute to the preservation of public order. These assessments determine which Union assurance level (Level 2, 3, or 4) is appropriate for specific activities, particularly those in sectors falling under Annex I or II of the NIS2 Directive, or in areas such as national security, internal security, external border management, defence, justice, or law enforcement.

The specific provision enabling joint action is found in the final subparagraph of Article 29(1). It reads:

"Where Union entities and Member States share responsibilities in relation to the public sector activities, they shall, where appropriate, consider carrying out the relevant risk assessment or assessments jointly."

This clause acknowledges the complex reality of modern public administration, where tasks are often not siloed strictly within national or EU boundaries. Instead, many critical functions involve collaboration between national authorities and EU institutions, agencies, or bodies. By explicitly allowing, and indeed encouraging, joint assessments, CADA provides a legal mechanism for these entities to align their sovereignty requirements.

Why Joint Assessments Matter: Avoiding Duplication

The primary benefit of a joint risk assessment is efficiency and consistency. Without this provision, a Member State and a Union entity sharing a specific public order activity might conduct separate, parallel assessments. This could lead to significant operational friction:

  1. Duplication of Effort: Both entities would expend resources analyzing the same data sensitivity, criticality, and potential third-country risks. A joint assessment consolidates this work into a single, unified process.
  2. Inconsistent Outcomes: Separate assessments might result in different conclusions regarding the necessary Union assurance level. For example, a Member State might determine Level 2 is sufficient while a Union entity determines Level 3 is required for the same shared activity. This would create procurement conflicts and operational fragmentation.
  3. Fragmented Sovereignty Standards: Inconsistent risk profiles could undermine the harmonized nature of the Union cloud computing sovereignty framework, which aims to provide a uniform legal framework across the single market.

By carrying out a joint assessment, entities can pool their expertise, share intelligence on data sensitivity and criticality, and arrive at a unified determination of the required assurance level. This ensures that the cloud services procured for shared activities meet a consistent standard of sovereignty and security.

Scope and Application

The joint assessment mechanism applies specifically to activities where responsibilities are shared. This is common in areas such as:

  • Border Management: Where national border guards work in coordination with Frontex (the European Border and Coast Guard Agency).
  • Law Enforcement: Where national police forces collaborate with Europol.
  • Civil Protection: Where national disaster response teams operate alongside the European Civil Protection Mechanism.
  • Justice: Where national judicial authorities collaborate with EU bodies on cross-border criminal investigations.

In these scenarios, the data processed, the systems used, and the public order implications are often interconnected. A joint assessment allows the participating entities to evaluate the sensitivity, criticality, and magnitude of the data (both personal and non-personal) collectively, as required by Article 29(2).

Procedural Considerations and Commission Oversight

While Article 29(1) permits joint assessments, it uses the phrase "where appropriate." This suggests that the decision to assess jointly should be based on practical considerations, such as the degree of operational integration and the feasibility of coordinating the assessment process.

Furthermore, the results of these assessments must still comply with the broader requirements of Article 29. For instance, Member States must still provide the Commission with the results of their risk assessments within three months of carrying them out (Article 29(4)). If a joint assessment is conducted, it is likely that the results would be shared with the Commission by the participating Member State, potentially with coordination from the Union entity.

The Commission retains oversight powers. If the Commission concludes that a Union assurance level identified in a risk assessment (whether joint or individual) is not appropriate or does not adequately address public order concerns, it may adopt implementing acts to specify the required levels (Article 29(5)). Therefore, joint assessments do not remove entities from the supervisory framework; they simply optimize the internal process of reaching the assessment conclusion.

What this means for you

For public-sector procurement officers and legal teams in both Member States and Union entities, this provision offers a valuable tool for managing complex, cross-border procurement projects.

1. Identify Shared Responsibilities Early: Review your current and planned cloud procurement projects. Identify instances where your entity works closely with a counterpart (national or EU) on activities related to public order, security, or critical infrastructure. If responsibilities are shared, initiate discussions about conducting a joint risk assessment.

2. Align Procurement Requirements: If you proceed with a joint assessment, ensure that the resulting Union assurance level is clearly documented and agreed upon by all parties. This alignment will simplify the procurement process, as you can issue a single, coherent set of sovereignty requirements for the cloud services being purchased. This avoids situations where one entity requires Level 3 assurance while the other requires Level 2, which could complicate vendor selection and contract negotiation.

3. Leverage Expertise: Joint assessments allow for the pooling of technical and legal expertise. Member States may have deep insights into national security classifications, while Union entities may have broader perspectives on cross-border data flows. Collaborating on the assessment can lead to a more robust and comprehensive evaluation of risks.

4. Maintain Documentation: Even when assessing jointly, ensure that the documentation meets the standards set by the Commission's implementing acts on risk assessment methodology (Article 29(3)). Keep clear records of the joint decision-making process, the factors considered, and the final determination of the assurance level. This documentation will be crucial if the Commission reviews the assessment or if questions arise during procurement audits.

Common misconceptions

Misconception 1: Joint assessments are mandatory for all shared activities. Correction: Article 29(1) states that entities "shall, where appropriate, consider" carrying out joint assessments. This is not an absolute mandate for every shared activity. The decision depends on what is appropriate given the specific circumstances, such as the nature of the shared responsibility and the feasibility of coordination.

Misconception 2: Joint assessments remove the need to report to the Commission. Correction: No. Member States are still required to provide the Commission with the results of their risk assessments within three months (Article 29(4)). A joint assessment does not exempt entities from this reporting obligation; it may simply streamline the preparation of the report.

Misconception 3: Only Member States can conduct risk assessments. Correction: Article 29(1) explicitly places the obligation on both "Member States and Union entities." Union entities (such as EU agencies and institutions) are equally subject to these requirements and can participate in joint assessments with Member States.

Misconception 4: Joint assessments apply to private sector entities. Correction: No. Article 29 applies specifically to Member States and Union entities. Private sector entities operating in sectors of high criticality (as defined in Annex I of the NIS2 Directive) may carry out "impact assessments" under Article 31, but these are distinct from the public sector risk assessments governed by Article 29.

This is general information about a draft EU regulation, not legal advice.