Summary
Yes, as proposed, the Cloud and AI Development Act (CADA) explicitly mandates that Union entities, including the European Commission, Parliament, Council, and EU agencies, must conduct risk assessments for their cloud computing services. Under Article 29(1), these entities must identify activities contributing to the preservation of public order and determine the appropriate Union assurance level (1 to 4) for procurement. This obligation operates alongside Article 136 of Regulation (EU, Euratom) 2024/2509 (the Financial Regulation), which governs sensitive public procurement. Recital 45 confirms the Regulation's direct application to Union institutions, ensuring that EU-level procurement aligns with strategic autonomy and sovereignty goals.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a unified framework to reduce the Union's dependence on third-country cloud providers. A cornerstone of this framework is the mandatory risk assessment mechanism, which applies with equal force to Member States and Union entities. Unlike voluntary guidelines, this is a binding procedural requirement that dictates which cloud services EU institutions may legally procure.
The Scope: Who is a "Union Entity"?
The definition of the obligated actor is precise. Article 2(7) defines "Union entities" as "the Union institutions, bodies, offices and agencies set up by or pursuant to the Treaty on European Union, the Treaty on the Functioning of the European Union (TFEU) or the Treaty establishing the European Atomic Energy Community." This definition explicitly encompasses the European Commission, the European Parliament, the Council of the European Union, the Court of Justice, the European Central Bank, and all decentralised agencies (e.g., Europol, EMA, ECHA).
Recital 45 reinforces this scope, stating unequivocally: "This Regulation should apply to Union institutions, bodies, offices and agencies ('Union entities') when carrying out procedures for the procurement of cloud computing services and AI systems falling within the scope of this Regulation." Consequently, the Commission cannot claim exemption from CADA obligations on the grounds that it is an EU institution rather than a Member State; it is a primary addressee of the sovereignty framework.
The Obligation Under Article 29(1)
Article 29, titled "Risk assessments," imposes a specific, recurring duty on these entities. Article 29(1) mandates that:
"By [date of entry into force plus 1 year], and thereafter every two years, or whenever necessary, Member States and Union entities shall carry out risk assessments that shall: (a) identify the public sector activities that use or will make use of cloud computing services, that contribute to the preservation of public order in sectors falling under Annex I or II of Directive (EU) 2022/2555 and in the areas of national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offence; (b) determine which Union assurance level 2, 3, or 4 set out in Annex II of this Regulation is appropriate for the identified public sector activities."
This provision requires Union entities to perform a two-step analysis:
- Identification: Map all cloud-dependent activities to determine if they contribute to "public order." This includes sectors listed in Annex I or II of the NIS2 Directive (e.g., energy, transport, banking) and specific areas like defence, justice, and law enforcement.
- Determination: Assign the correct Union assurance level (2, 3, or 4) to those activities. This level dictates the strictness of the sovereignty criteria (e.g., personnel citizenship, infrastructure location, third-country control) the provider must meet.
The assessment is not a one-off event. It must be repeated every two years or "whenever necessary," ensuring that evolving threats or changes in service architecture trigger a re-evaluation.
Context: Article 136 of the Financial Regulation
The CADA risk assessment does not operate in a vacuum; it integrates directly with the EU's financial governance. Recital 49 clarifies this intersection: "In the context of Union entities, Article 136 of Regulation (EU, Euratom) 2024/2509 sets out the scope, rules and procedures for identifying and implementing sensitive public procurement procedures."
Article 136 of the Financial Regulation provides the procedural framework for "sensitive" procurement, allowing for specific security requirements. CADA's Article 29 provides the substantive criteria for what constitutes a "sensitive" activity in the cloud context. By linking the two, the proposal ensures that the technical and sovereignty-based risk assessment under CADA triggers the specific procurement safeguards allowed under the Financial Regulation. In practice, the CADA risk assessment result becomes the legal basis for invoking the sensitive procurement procedures under Article 136, ensuring that spending rules align with security and autonomy goals.
Consequences: From Assessment to Procurement
The output of the Article 29 assessment is the direct input for Article 30 (Public procurement). The link is rigid:
- If a Union entity's activity is not identified as contributing to public order, Article 30(2) requires the use of services recognised at Union assurance level 1 (the baseline).
- If the activity is identified as contributing to public order, Article 30(3) mandates that the entity "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."
Failure to conduct the assessment or to procure at the determined level would constitute an infringement of the Regulation, subject to the penalty rules in Article 24 (as applied by Member States to providers) and internal financial discipline rules for the Union entities themselves.
What this means for you
For procurement officers, legal counsels, and IT directors within Union institutions like the Commission, the proposed CADA introduces a mandatory, structured compliance workflow.
- Inventory and Mapping: You must immediately map all current and planned cloud computing services. Identify which specific business functions (e.g., HR data, research data, security operations) rely on these services.
- Public Order Analysis: Apply the criteria in Article 29(1)(a) to determine if these functions contribute to the preservation of public order. This requires cross-referencing your activities with the NIS2 Directive sectors and the specific areas of national security, defence, and justice listed in the text.
- Assurance Level Assignment: Based on the analysis, assign the required Union assurance level (2, 3, or 4). This is a strategic decision that will limit your pool of eligible vendors to those listed in the central repository (Article 22) with the corresponding recognition.
- Financial Regulation Alignment: Coordinate with your finance department to ensure that the risk assessment outcome is formally recorded as the justification for invoking Article 136 of the Financial Regulation for sensitive procurement procedures.
- Joint Assessments: If your institution shares responsibilities with a Member State (e.g., a joint research project or a shared security operation), Article 29(1) explicitly encourages carrying out the risk assessment jointly. This avoids duplication and ensures a consistent assurance level is applied across the shared activity.
- Continuous Monitoring: Establish a calendar for the biennial review. The obligation is not static; significant changes in the threat landscape or service architecture trigger a "whenever necessary" reassessment.
Common misconceptions
Misconception 1: "The Commission is exempt because it is not a Member State." Incorrect. Article 29(1) explicitly lists "Union entities" alongside Member States as subjects required to carry out risk assessments. Recital 45 confirms the Regulation applies to Union institutions. The goal is a unified standard across the entire EU public sector, including Brussels-based institutions.
Misconception 2: "Only highly classified data triggers a risk assessment." Incorrect. While the highest assurance levels (3 and 4) are reserved for the most critical data, the assessment itself is required for all cloud procurement to determine the appropriate level. Even non-sensitive activities must be assessed to confirm they only require Union assurance level 1. The assessment determines the level of protection, not just whether protection is needed.
Misconception 3: "The risk assessment is a technical cybersecurity audit." Incorrect. The CADA risk assessment is a strategic, legal, and operational evaluation of sovereignty risks. It focuses on the potential impact on public order, data sovereignty, and operational autonomy. It is distinct from technical cybersecurity certifications (like EUCS), although those certifications are part of the evidence required to prove compliance with the higher assurance levels once the level is determined.
Misconception 4: "We can use any provider if they meet GDPR standards." Incorrect. GDPR compliance is necessary but not sufficient under CADA. The proposal addresses sovereignty and operational continuity risks that go beyond data protection. A provider may be GDPR-compliant but still fail to meet the Union assurance levels required for public order activities due to third-country control or lack of infrastructure localisation.
This is general information about a draft EU regulation, not legal advice.