Summary

Under the proposed Cloud and AI Development Act (CADA), private clinics are not automatically subject to mandatory impact assessments for cloud procurement. However, if a private clinic is classified as an "essential" or "important" entity under the NIS2 Directive, it may voluntarily conduct impact assessments similar to those required for public hospitals under Article 31. This mechanism mirrors the mandatory risk assessments for public sector bodies under Article 29, allowing critical private entities to determine the appropriate Union assurance level for their cloud services to mitigate sovereignty and operational risks. While currently permissive, the Commission retains the power to mandate these assessments for high-criticality sectors via delegated acts.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a nuanced framework for cloud sovereignty that distinguishes between rigid public sector obligations and flexible private sector capabilities. To understand whether private clinics can, and should, run impact assessments like hospitals, one must analyze the interplay between CADA's sovereignty framework and the existing cybersecurity classification of healthcare providers under the NIS2 Directive.

The Public Sector Baseline: Article 29

For public sector bodies, such as public hospitals, CADA imposes a mandatory obligation. Article 29 requires Member States and Union entities to carry out risk assessments to determine which public sector activities contribute to the preservation of public order. These assessments identify whether a cloud computing service must meet Union assurance levels 2, 3, or 4, rather than just the baseline level 1.

This process is rigorous. Public authorities must assess the sensitivity, criticality, and magnitude of data processed, including personal health data. If a public hospital's activities are deemed to have public order relevance, it is legally bound to procure only from cloud providers recognized at the appropriate higher assurance level. This ensures that critical healthcare infrastructure is insulated from third-country control and potential service disruptions. The assessment must consider risks such as unlawful access by third countries, service disruption, and the impact on public order.

The Private Sector Mechanism: Article 31

For the private sector, CADA takes a different approach. Article 31 of the proposal states that entities referred to in Annex I of Directive (EU) 2022/2555 (the NIS2 Directive) who are not public sector bodies may carry out similar assessments to those set out in Article 29.

This is a permissive, not mandatory, provision for most private entities. It allows private organizations to voluntarily adopt the same risk-based methodology used by the public sector. The purpose is to enable private entities operating in sectors of high criticality to make informed decisions about their cloud dependencies, particularly regarding data sovereignty and operational resilience. The text explicitly grants these entities the right to conduct assessments "with a similar purpose to the ones conducted by Union entities and public sector bodies."

Why Healthcare Matters: The NIS2 Connection

The applicability of Article 31 to private clinics hinges entirely on their status under the NIS2 Directive. Healthcare is explicitly listed in Annex I of the NIS2 Directive as an essential sector. Under NIS2, entities in essential sectors are classified as either "essential" or "important" entities based on their size and activity.

Large private hospital groups and certain specialized private clinics often meet the thresholds to be classified as essential or important entities under NIS2. Consequently, these private healthcare providers fall within the scope of Article 31 of CADA. They are eligible to conduct impact assessments to evaluate their exposure to risks such as:

  • Unlawful access to data by third countries.
  • Service disruption or degradation.
  • Loss of operational autonomy due to vendor lock-in or extraterritorial legal reach.

By opting into this framework, a private clinic can align its procurement strategy with the same high standards of sovereignty applied to public hospitals, even if not strictly compelled to do so by national law at this stage.

Commission Guidance and Future Delegated Acts

While Article 31 provides the option to assess, the proposal acknowledges that the Commission may issue guidance on the methodology for these assessments. Furthermore, Article 31(3) empowers the Commission to adopt delegated acts specifying the need for impact assessments and risk mitigation measures for private sector entities operating in sectors of high criticality, if deemed necessary.

This creates a dynamic regulatory landscape. While the current text is permissive, the regulatory trajectory could move toward mandatory assessments for critical private infrastructure if the Commission determines that voluntary measures are insufficient to protect Union interests. Any Commission guidance would cover both the methodology for carrying out the impact assessments and the possible mitigation measures to be adopted by private sector entities operating in sectors of high criticality.

The Sovereignty Framework Context

These assessments are not standalone exercises; they feed into the broader CADA sovereignty framework established in Article 16. This framework defines four Union assurance levels (1 through 4) based on criteria such as:

  • Location of infrastructure and personnel.
  • Control by third-country entities.
  • Cybersecurity certification levels.

By conducting an Article 31 assessment, a private clinic can determine whether its specific use case (e.g., storing sensitive genomic data or managing life-support systems) requires a cloud provider recognized at Assurance Level 2, 3, or 4. The assessment therefore helps the entity determine the appropriate level of conformity against the Union assurance levels needed to ensure data confidentiality and operational autonomy.

What this means for you

For in-house counsel and compliance officers at private healthcare organizations, the implications of CADA's Article 31 are strategic rather than immediately punitive. Here is how to operationalize this:

  1. Verify NIS2 Classification: Confirm whether your organization is classified as an essential or important entity under the NIS2 Directive. If you are not in this category, Article 31 does not directly apply to you, though you may still choose to adopt its methodology as a best practice. The definition of "essential" or "important" entities is found in the NIS2 Directive, not CADA itself.
  2. Voluntary Risk Assessment: Even if not mandated, consider conducting an impact assessment modeled on Article 29. Map your cloud workloads to identify those handling sensitive health data or supporting critical clinical operations. Evaluate the risk of third-country access and service disruption. The assessment should consider the sensitivity, criticality, and magnitude of the data processed.
  3. Procurement Alignment: Use the results of your assessment to inform your cloud procurement strategy. If your assessment reveals high sensitivity, prioritize cloud providers that have been recognized under the CADA framework at higher Union assurance levels. This future-proofs your compliance as the EU moves toward stricter sovereignty requirements.
  4. Monitor Delegated Acts: Stay alert for Commission guidance and delegated acts under Article 31(3). The Commission may specify mandatory impact assessments for critical private sectors, including healthcare, in the future. Early adoption of Article 31 methodologies will position your organization ahead of any such regulatory shifts.
  5. Vendor Due Diligence: Engage with cloud providers to understand their CADA readiness. Ask for evidence of their compliance with Union assurance levels, particularly regarding data localization, personnel citizenship, and absence of third-country control.

Common misconceptions

  • "Article 31 makes impact assessments mandatory for all private clinics." Incorrect. Article 31 is permissive ("may carry out"). It does not impose a blanket obligation on all private entities. However, the Commission retains the power to make these assessments mandatory for high-criticality sectors via delegated acts.

  • "Only public hospitals need to worry about CADA sovereignty levels." Incorrect. While public hospitals are subject to mandatory risk assessments under Article 29, private clinics classified under NIS2 can and should use Article 31 to assess their own risks. The sovereignty risks (e.g., data access by foreign governments) apply equally to private and public health data.

  • "NIS2 compliance covers all CADA requirements." Incorrect. NIS2 focuses on cybersecurity risk management. CADA addresses broader sovereignty concerns, including operational autonomy, data localization, and third-country control. Article 31 bridges this gap by allowing private entities to assess sovereignty risks specifically, which are not fully covered by NIS2.

  • "Impact assessments are a one-time exercise." Incorrect. Like the public sector assessments under Article 29, these assessments should be dynamic. Changes in technology, geopolitical risks, or the clinic's data processing activities may require reassessment to ensure the chosen cloud assurance level remains appropriate.

This is general information about a draft EU regulation, not legal advice.