Summary

Yes, under the proposed Cloud and AI Development Act (CADA), the European Commission holds explicit power to request information directly from cloud computing service providers. Article 29(8) states: "For the purpose of paragraph 3, the Commission shall be empowered to request cloud computing service providers to provide all the necessary information." This power is strictly tied to the Commission's duty under Article 29(3) to adopt implementing acts that specify the methodology, templates, and elements for Member States and Union entities to carry out their mandatory risk assessments. This mechanism ensures the Commission can gather the technical and operational data required to create a harmonized, evidence-based framework for determining Union assurance levels.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive sovereignty framework for cloud computing services. A cornerstone of this framework is the requirement for Member States and Union entities to conduct risk assessments to identify public sector activities that contribute to the preservation of public order. These assessments determine whether a contracting authority must procure cloud services at the baseline Union assurance level 1, or at the higher levels 2, 3, or 4, which impose stricter requirements on establishment, data localization, personnel, and third-country control.

To prevent a fragmented internal market where every Member State applies a different standard for "public order" or "sensitivity," Article 29(3) empowers the Commission to adopt implementing acts. These acts will specify the methodology to be applied, the templates to be used, and the specific elements to be taken into account. Crucially, the methodology must specify how Member States use the highest level of assurance for the most critical public sector activities, including defence.

However, the Commission cannot draft a technically robust methodology in a vacuum. It requires accurate, up-to-date data on the capabilities, architectures, and security postures of the cloud services available in the Union market. To bridge this gap, Article 29(8) provides a specific legal instrument: "For the purpose of paragraph 3, the Commission shall be empowered to request cloud computing service providers to provide all the necessary information."

This provision creates a direct channel of inquiry between the Commission and cloud providers. While the actual execution of the risk assessment remains the responsibility of the Member State or Union entity (as mandated by Article 29(1)), the Commission's role in harmonizing the method of assessment requires factual inputs that only providers possess. The "necessary information" could encompass a wide range of technical and operational details, including:

  • Specific mechanisms for data residency and localization.
  • Technical measures implemented to prevent third-country access to data.
  • Details on supply chain dependencies and software bill of materials (SBOM) management.
  • Operational procedures for incident response and service continuity.
  • Evidence of compliance with the criteria set out in Annex II for various assurance levels.

The scope of this power is purpose-limited. It is not a general surveillance tool for monitoring all cloud operations, nor is it an enforcement mechanism for detecting infringements. Instead, it is a rule-making and guidance-development tool. The information gathered is intended to ensure that the implementing acts adopted under Article 29(3) are technically viable, legally sound, and reflective of the actual market landscape. This ensures that when Member States apply the methodology to determine if an activity falls under sectors like national security, internal security, or law enforcement (as listed in Article 29(1)), they are working from a standardized, accurate baseline.

Furthermore, this power supports the broader objective of CADA to reduce dependencies on third-country providers and safeguard public order. By enabling the Commission to validate the technical realities of cloud services, the legislation aims to prevent Member States from adopting methodologies that are either too lenient (failing to protect public order) or too restrictive (creating artificial barriers to the single market). The data collected under Article 29(8) will directly inform the guidance that dictates how public bodies map their activities to the appropriate Union assurance levels, which in turn drives procurement obligations under Article 30.

What this means for you

For cloud computing service providers (CSPs), the inclusion of Article 29(8) in the proposed CADA text introduces a new layer of regulatory engagement. You must prepare for the possibility of direct information requests from the European Commission, distinct from interactions with national competent authorities or auditing organizations.

  1. Anticipate Targeted Information Requests: As the Commission develops the implementing acts for risk assessment methodology, you may be asked to provide detailed technical documentation. This could include specifics on your data localization architecture, encryption standards, third-party subcontractor oversight, and measures to prevent third-country control. Ensure your internal teams are ready to respond to such requests efficiently.
  2. Align Documentation with Assurance Criteria: The information requested will likely be cross-referenced against the criteria in Annex II. Providers should ensure their internal documentation clearly demonstrates how their services meet the cumulative criteria for Union assurance levels 1 through 4. Discrepancies between your public claims and the technical details provided to the Commission could undermine your recognition status.
  3. Distinguish Between Methodology and Enforcement: Understand that a request under Article 29(8) is for the purpose of developing the methodology, not for immediate enforcement. However, the quality and accuracy of the information you provide will shape the rules that govern your future market access. Incomplete or misleading information could result in a methodology that inadvertently disadvantages your service model.
  4. Manage Confidentiality and Trade Secrets: While the regulation empowers the Commission to request "all necessary information," this is subject to general EU principles regarding the protection of business secrets and confidential information. You should have clear protocols for identifying and marking sensitive data (e.g., specific source code details, proprietary algorithms) while still providing the necessary functional descriptions required for the methodology.
  5. Coordinate with National Recognition Processes: The information you provide to the Commission for methodology development should be consistent with the evidence you submit to national competent authorities for recognition under Article 17. Inconsistencies could raise questions about the reliability of your compliance posture across the Union.
  6. Monitor the Implementation Timeline: The Commission's power to request information takes effect only once the regulation is adopted and enters into force; until then the text is a proposal and Article 29(8) may still be amended. Once the Commission begins drafting the implementing acts under Article 29(3), providers should monitor official communications and be prepared to engage in consultations or provide data within the specified timeframes.

Common misconceptions

Misconception 1: The Commission conducts the risk assessments itself. Reality: No. Article 29(1) explicitly assigns the obligation to carry out risk assessments to Member States and Union entities. The Commission's power under Article 29(8) is strictly limited to gathering information to develop the methodology and templates for these assessments. The Commission does not perform the assessments for individual public bodies.

Misconception 2: This power applies to all cloud providers regardless of their market. Reality: While the text refers to "cloud computing service providers" generally, the context of Article 29 is the public sector procurement framework. The information requested is specifically to support the methodology for assessing public order risks. Providers operating exclusively in the private sector with no intention of serving public bodies may be less likely to be targeted, though the legal text does not explicitly exclude them from the Commission's broad request power if their data is deemed "necessary" for the methodology.

Misconception 3: The information request is an enforcement action. Reality: The power under Article 29(8) is a tool for rule-making, not enforcement. It is designed to ensure the methodology in Article 29(3) is accurate. Enforcement powers, such as imposing fines or ordering the cessation of infringements, are vested in national competent authorities under Articles 25 and 26.

Misconception 4: Providers can refuse to provide information if it is sensitive. Reality: The wording "shall be empowered to request" confers a power on the Commission, and the quoted provision contains no carve-out for sensitive material; the quoted sentence does not, however, itself spell out a sanction for refusal, so the consequences of non-compliance will depend on the final text. In practice, providers should treat a request as one to be answered: protect trade secrets and confidential information in accordance with general EU law and any specific confidentiality provisions, but recognise that a blanket refusal to provide necessary technical data could hinder the Commission's ability to finalize the methodology and may negatively impact the provider's standing in the public procurement market.

This is general information about a draft EU regulation, not legal advice.