Summary

Yes, as proposed in the Cloud and AI Development Act (CADA), the European Commission has the authority to override a Member State's risk assessment conclusion regarding the required Union assurance level. Under Article 29(5), if the Commission concludes that the level identified by a Member State "is not appropriate or does not adequately address the public order concerns," it may adopt implementing acts to specify the required Union assurance levels for that public sector activity. This power is exercised through the examination procedure under Article 46(2), ensuring a harmonized baseline for sovereignty and security across the Union while preventing fragmentation in the internal market.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a comprehensive framework for cloud computing sovereignty, anchored by four distinct Union assurance levels. A pivotal component of this framework is the obligation for Member States and Union entities to conduct rigorous risk assessments to determine which assurance level is appropriate for specific public sector activities. While this process begins at the national level, the proposal explicitly grants the European Commission a supervisory "override" mechanism to ensure consistency and adequate protection of public order across the EU.

The Risk Assessment Obligation

Under Article 29(1) of the CADA proposal, Member States and Union entities are required to carry out risk assessments within one year of the Regulation's entry into force, and subsequently every two years or whenever necessary. These assessments serve two critical functions:

  1. Identification: Identifying public sector activities that contribute to the preservation of public order. This includes sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), as well as areas such as national security, internal security, external border management, defence, justice, and law enforcement.
  2. Determination: Determining which Union assurance level (2, 3, or 4) is appropriate for these identified activities.

When conducting these assessments, Article 29(2) mandates that Member States consider specific risk factors, including:

  • The sensitivity, criticality, and magnitude of non-personal data processed, as well as the nature, scope, context, and purpose of processing personal data.
  • The risk of unlawful access to such data by a third country or a legal entity established in a third country.
  • The risk of possible service disruption and its consequent impact on public order.

Member States must communicate the results of these assessments to the Commission within three months of carrying them out, as stipulated in Article 29(4).

Commission Oversight and the Override Mechanism

While Member States retain the primary responsibility for conducting these risk assessments, the CADA proposal introduces a robust oversight mechanism to prevent fragmentation and ensure consistent protection of public order across the Union.

Article 29(3) establishes the foundational methodology. It mandates that the Commission shall, by means of implementing acts in accordance with Article 46(2), specify the methodology to be applied, the templates to be used, and the elements to be taken into account for these risk assessments. Crucially, this methodology must specify how Member States use the highest level of assurance for the most critical public sector activities, including but not limited to defence.

The decisive override mechanism is codified in Article 29(5). The text states:

"If the Commission concludes, after reviewing the results of the risk assessment or assessments of a Member State, that the Union assurance level identified for the public sector activity in a risk assessment is not appropriate or does not adequately address the public order concerns, the Commission may adopt implementing acts in accordance with Article 46(2) specifying the Union assurance levels needed for the public sector activity."

This provision effectively empowers the Commission to supersede a Member State's determination. If the Commission reviews the submitted risk assessment results and finds that the chosen assurance level is insufficient to safeguard public order, it can unilaterally specify the required level through an implementing act. This ensures that national discretion does not lead to a "race to the bottom" in sovereignty standards.

Procedural Framework: Article 46 and the Examination Procedure

The Commission's power to specify assurance levels under Article 29(5) is not exercised in isolation; it is bound by the procedural safeguards of Article 46.

Article 46 of the CADA proposal outlines the committee procedure for implementing acts. Specifically, Article 46(2) states that where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply. This refers to the "examination procedure," which involves a committee composed of representatives of Member States.

Under this procedure:

  • The Commission submits a draft implementing act to the committee.
  • The committee votes on the draft.
  • If the committee delivers a positive opinion, the Commission adopts the act.
  • If the committee delivers a negative opinion, the Commission cannot adopt the act.
  • If no opinion is delivered, the Commission may still adopt the act, but Member States retain the right to appeal to the Appeal Committee.

This procedural framework ensures that while the Commission has the final legal authority to specify assurance levels when national assessments are deemed inadequate, the process involves consultation and potential objection from Member State representatives. It balances the need for EU-wide harmonization with the principle of subsidiarity and national input.

Implications for Procurement

The outcome of this risk assessment process, whether determined by the Member State or overridden by the Commission, directly dictates procurement obligations under Article 30.

  • Article 30(2) mandates that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognized as having at least Union assurance level 1.
  • Article 30(3) requires that contracting authorities whose activities have been identified as contributing to public order (as determined by the risk assessment under Article 29(1)) must only procure cloud computing services recognized as having Union assurance levels 2, 3, or 4.

Therefore, if the Commission overrides a Member State's assessment under Article 29(5) to specify a higher assurance level (e.g., mandating Level 3 instead of the nationally assessed Level 2), the corresponding contracting authorities are legally bound to procure services meeting that higher standard. Failure to comply would constitute a breach of the Regulation.

Migration and Transition

The proposal acknowledges that a Commission override may necessitate significant operational changes. Article 29(6) addresses the practical implications of a changed assessment. If a risk assessment (whether national or Commission-specified) requires migration to another cloud computing service, the Member State or Union entity must migrate within a reasonable transition period.

This transition period shall not exceed 12 months. The regulation requires that this period take into account technical feasibility, continuity of service, and data portability requirements applicable to such migration. This provision ensures that while the Commission can enforce higher standards, public services are not disrupted by abrupt or impossible transitions.

What this means for you

For in-house counsel, compliance officers in the public sector, and cloud service providers supplying public sector entities, the Commission's override power under Article 29(5) introduces a layer of legal uncertainty that must be managed proactively.

  1. Strict Adherence to Commission Methodology: The Commission will issue methodologies and templates under Article 29(3). Compliance officers must ensure their internal risk assessments strictly adhere to these templates. Any deviation must be rigorously justified and reported, as deviations are the primary trigger for Commission review and potential override.
  2. Prepare for Higher Assurance Levels: The proposal emphasizes that the highest levels of assurance (3 and 4) may be necessary for critical public order activities. Even if a Member State initially assesses a lower level, be prepared for the Commission to specify a higher level. Ensure your cloud providers can scale to meet the criteria for Levels 2, 3, or 4, which include stringent requirements on data localization, personnel citizenship, and third-country control.
  3. Plan for Migration Scenarios: If the Commission overrides an assessment, you have a maximum of 12 months to migrate. Compliance teams should begin identifying alternative providers that hold recognition for higher assurance levels now, to avoid rushed and costly transitions later.
  4. Document Rigorously: The Commission's review under Article 29(5) is based on the results submitted by Member States. Ensure your risk assessments are meticulously documented, considering all factors in Article 29(2) (sensitivity, criticality, third-country access risks). Poor documentation increases the likelihood of a Commission finding that the level is "not appropriate."
  5. Engage with National Authorities: Since the Commission reviews Member State submissions, maintain open lines of communication with national competent authorities. They are the interface between your organization's risk assessment and the Commission's oversight.

Common misconceptions

Misconception 1: Member States have final discretion over assurance levels. While Member States conduct the initial risk assessments, they do not have absolute discretion. Article 29(5) explicitly allows the Commission to specify the level if the national assessment is deemed inappropriate. This is a key mechanism to prevent a "race to the bottom" in sovereignty standards.

Misconception 2: The override applies to all cloud services. The override power specifically targets public sector activities identified as contributing to public order under Article 29(1). It does not apply to private sector entities, although private entities in high-criticality sectors may be required to conduct impact assessments under Article 31.

Misconception 3: The Commission can arbitrarily change levels. The Commission's power is not arbitrary; it is triggered by a conclusion that the identified level "is not appropriate or does not adequately address the public order concerns." Furthermore, the decision is made through implementing acts under the examination procedure of Article 46(2), providing a structured legal process rather than a unilateral administrative decree.

Misconception 4: Level 1 is sufficient for all public services. Article 30(2) sets Level 1 as the minimum for activities not identified as contributing to public order. However, for activities that are identified (which include many critical infrastructure and security-related functions), Levels 2, 3, or 4 are mandatory. The Commission's oversight ensures that critical functions are not inadvertently downgraded to Level 1.

This is general information about a draft EU regulation, not legal advice.