Summary
No, the proposed Cloud and AI Development Act (CADA) does not automatically assign a specific sovereignty tier based on an AI system's classification as "high-risk" under the AI Act. Instead, the required Union assurance level is determined by a public-order risk assessment under CADA Article 29, which evaluates the sensitivity of the data and the criticality of the hosting use case. While high-risk AI systems in sectors like defence or justice may require Union assurance level 3 or 4, the tier requirement flows from the nature of the public sector activity, not the AI Act risk category itself.
Detail
The intersection of the EU AI Act (Regulation (EU) 2024/1689) and the proposed Cloud and AI Development Act (CADA, COM(2026) 502 final) creates a dual-compliance landscape for providers and deployers of artificial intelligence systems. A frequent point of confusion for in-house counsel and compliance officers is whether an AI system classified as "high-risk" under the AI Act automatically triggers a specific sovereignty tier (Union assurance level) under CADA. The short answer is no. CADA does not key its sovereignty tiers to the AI Act's risk categories. Instead, CADA establishes a distinct, use-case-driven framework for determining the required level of assurance for cloud computing services.
CADA's Sovereignty Framework is Use-Case Driven, Not AI-Risk Driven
CADA establishes a Union cloud computing sovereignty framework comprising four Union assurance levels, the criteria for which are set out in Annex II of the proposal. These levels range from Union assurance level 1 (the baseline) to Union assurance level 4 (the highest level of sovereignty). Article 16 of CADA sets out the scope of this framework, requiring cloud computing service providers to meet these criteria to provide services to Union entities and public sector bodies.
However, the determination of which level is required does not stem from the technical characteristics of the AI system (e.g., whether it is high-risk under the AI Act). Instead, it stems from a risk assessment conducted by the public sector body or Union entity using the service. The AI Act governs the safety and fundamental rights of the system, while CADA governs the sovereignty and resilience of the infrastructure hosting it.
The Role of Article 29: Public-Order Risk Assessment
The cornerstone of CADA's tier determination is Article 29, which mandates that Member States and Union entities carry out risk assessments to determine the appropriate Union assurance level for their public sector activities. This assessment must be completed within one year of the date of entry into force, and thereafter every two years, or whenever necessary.
The risk assessment under Article 29(1) must identify public sector activities that contribute to the preservation of public order. This includes activities in sectors falling under Annex I or II of the NIS2 Directive, as well as areas of national security, internal security, external border management, defence, justice, or law enforcement. The assessment must determine whether Union assurance level 2, 3, or 4 is appropriate for these identified activities.
Crucially, Article 29(2) requires the assessment to consider:
- The sensitivity, criticality, and magnitude of the non-personal data processed, including the potential impact on public order and the nature, scope, context, and purpose of processing of personal data.
- The risk and consequent impact on public order of unlawful access under Union law to such data by a third country or a legal entity established in a third country.
- The risk and consequent impact on public order of possible service disruption.
This mechanism ensures that the sovereignty requirement is proportional to the risk posed to the Union's public order, rather than being a blanket rule based on the AI system's classification.
High-Risk AI in Defence and Justice May Require Higher Assurance Levels
While the AI Act and CADA operate on different axes, they intersect in practice. An AI system classified as high-risk under the AI Act (e.g., for law enforcement, migration, or judicial administration) is often used in contexts that CADA identifies as critical to public order.
For example, an AI system used by a law enforcement authority to assess the risk of a natural person offending (a high-risk use case under AI Act Annex III) will likely be hosted on cloud infrastructure. Under CADA, the law enforcement authority must conduct an Article 29 risk assessment for this activity. Given that law enforcement is explicitly listed in Article 29(1) as an area contributing to the preservation of public order, and considering the high sensitivity of the data involved, the risk assessment may conclude that Union assurance level 3 or 4 is required.
Union assurance levels 3 and 4 have stringent criteria. For instance, Annex II of CADA requires that for Union assurance levels 3 and 4, the audited provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country (with limited exceptions for level 3 under Article 18). Additionally, personnel involved in the provision of the service must be Union citizens, and for level 4, the cybersecurity certificate must be at least at the 'high' assurance level.
Therefore, while the AI Act classification does not mandate a specific CADA tier, the nature of the high-risk AI use case often leads to a CADA risk assessment that results in a requirement for Union assurance level 3 or 4.
Distinction Between AI Act Obligations and CADA Obligations
It is vital to distinguish between the obligations imposed by the AI Act and those imposed by CADA. The AI Act focuses on the safety, fundamental rights, and transparency of the AI system itself. It imposes obligations on providers and deployers regarding risk management, data governance, transparency, and human oversight. CADA, on the other hand, focuses on the sovereignty and resilience of the underlying cloud computing infrastructure.
A high-risk AI system can be compliant with the AI Act while being hosted on a cloud service that does not meet the highest CADA sovereignty tiers, provided the public sector user's risk assessment under Article 29 determines that a lower tier is sufficient for that specific use case. Conversely, a non-AI workload (e.g., standard email hosting) in a highly sensitive public sector context may require Union assurance level 4 under CADA, even though no AI Act obligations are triggered.
Implications for Procurement
Article 30 of CADA sets out public procurement rules based on the outcomes of the Article 29 risk assessment. Article 30(2) states that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognised as having Union assurance level 1. However, Article 30(3) mandates that contracting authorities whose activities have been identified as contributing to the preservation of public order (e.g., in defence or justice) must only procure cloud computing services recognised as having Union assurance level 2, 3, or 4.
This means that in-house counsel must ensure that procurement specifications for cloud services hosting high-risk AI systems align with the outcome of the organisation's Article 29 risk assessment. Failure to procure a service at the required assurance level could constitute a breach of CADA obligations.
What this means for you
For in-house counsel and compliance officers, the decoupling of AI Act risk categories from CADA sovereignty tiers requires a two-track compliance approach:
- Conduct a Robust Article 29 Risk Assessment: Do not assume that an AI Act high-risk classification automatically dictates your CADA tier. Instead, conduct a thorough risk assessment under Article 29 for each public sector activity using cloud services. Document the sensitivity of the data, the criticality of the activity, and the potential impact of third-country access or service disruption. This documentation will justify the required Union assurance level.
- Align Procurement Specifications: Ensure that your cloud procurement specifications explicitly require the Union assurance level determined by your risk assessment. For high-stakes activities in defence, justice, or law enforcement, be prepared to require Union assurance level 3 or 4, which entails strict criteria regarding third-country control, personnel citizenship, and cybersecurity certification.
- Monitor for Changes: Article 29 requires risk assessments to be updated every two years or whenever necessary. If the nature of your AI use case changes, or if the sensitivity of the data evolves, you must reassess the required assurance level. A change in tier may require migration to a different cloud provider or service offering, which Article 29(6) allows within a reasonable transition period not exceeding 12 months.
- Coordinate with Cloud Providers: Engage with cloud providers early to understand their certification status under CADA. Providers must submit applications for recognition to the national competent authority of establishment (Article 17). Ensure that your provider has the necessary evidence (e.g., audit reports for levels 2-4, or EU statement of conformity for level 1) to meet the tier required by your risk assessment.
Common misconceptions
Misconception 1: High-risk AI systems always require Union assurance level 4. This is incorrect. The required tier depends on the public-order risk assessment under Article 29, not the AI Act classification. While high-risk AI in sensitive sectors may often lead to a requirement for level 3 or 4, it is not automatic. A high-risk AI system used in a less sensitive context (e.g., certain educational or vocational training contexts) might only require Union assurance level 1 or 2, depending on the risk assessment outcome.
Misconception 2: CADA replaces the AI Act's risk management obligations. CADA does not replace the AI Act. The AI Act's requirements for risk management, data governance, and transparency remain fully applicable to high-risk AI systems. CADA adds a layer of sovereignty and resilience requirements for the underlying cloud infrastructure. Compliance with one does not exempt you from the other.
Misconception 3: Only EU-based providers can meet CADA requirements. While Union assurance levels 3 and 4 have strict requirements regarding third-country control, they do not explicitly ban all third-country providers. Article 18 allows for the possibility of recognising third countries as providing sufficient assurances for Union assurance level 3, provided specific criteria are met (e.g., adequacy decisions, no measures enabling control over data access). However, for Union assurance level 4, providers must not be subject to third-country control.
Misconception 4: The AI Act defines what "high-risk" means for CADA purposes. The AI Act and CADA use different definitions and frameworks. The AI Act defines high-risk systems based on their intended purpose and potential impact on health, safety, and fundamental rights. CADA defines sovereignty levels based on the sensitivity of the data and the criticality of the public sector activity to public order. These are distinct concepts that must be managed separately.
Related
- Does the AI Act's high-risk hosting need CADA tier 4 for defence AI?
- Does health data under EHDS need a CADA sovereignty tier?
- Do financial entities need a CADA sovereignty tier in addition to DORA due diligence?
- Do EU common data spaces need a CADA sovereignty tier?
- Why is CADA part of the EU tech sovereignty package with the Chips Act 2.0?
This is general information about a draft EU regulation, not legal advice.