Summary
As proposed, the Cloud and AI Development Act (CADA) explicitly prohibits Member States from confining data to the territory of a single Member State. Recital 64 and Article 29 mandate that risk assessments must determine the appropriate Union assurance level for cloud services, not impose data localisation mandates. The mechanism for managing sovereignty risks is the four-tier assurance framework, which allows data to flow freely across the EU while ensuring specific security and operational autonomy standards are met for critical public sector activities.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a nuanced framework for cloud sovereignty that deliberately avoids data localisation in favour of harmonised assurance levels. A core tension in EU digital policy is balancing the "free flow of data" within the internal market against the need for technological sovereignty and public order protection. CADA resolves this by explicitly prohibiting national data localisation laws while introducing a robust, EU-wide risk assessment mechanism.
The Prohibition on Data Localisation
Recital 64 of the CADA proposal states unequivocally: "To promote the free flow of data within the Union and to support the functioning of the internal market, it is appropriate that Member States ensure that data is not confined to the territory of a single Member State and may be stored and processed across the Union without unjustified restrictions."
This provision is critical for in-house counsel and compliance officers. It signals that Member States cannot use sovereignty or public order arguments to justify keeping data within national borders if the service provider meets the required Union assurance levels. The free flow of data remains a foundational principle, and CADA reinforces this by ensuring that once a cloud service is recognised at a specific assurance level, it can be used across the entire Union without additional national data residency requirements.
The proposal further clarifies that while data must remain within the Union (i.e., not transferred outside the EU), it must not be restricted to a specific Member State. This distinction is vital: the sovereignty requirement is Union-wide, not national.
Risk Assessments Determine Assurance Levels, Not Location
The primary mechanism for managing risk under CADA is the risk assessment required by Article 29. Member States and Union entities must carry out these assessments to identify public sector activities that contribute to the preservation of public order. The purpose of these assessments is not to decide where data should physically reside, but to determine the necessary Union assurance level (Level 1, 2, 3, or 4) for the cloud computing services supporting those activities.
Article 29(1) requires these assessments to:
- Identify public sector activities using cloud services that contribute to preserving public order in sectors falling under Annex I or II of the NIS2 Directive, or in areas of national security, defence, justice, or law enforcement.
- Determine which Union assurance level (2, 3, or 4) is appropriate for these activities.
Article 29(2) further specifies that in carrying out these assessments, Member States and Union entities must consider:
- The sensitivity, criticality, and magnitude of the non-personal data processed, including the potential impact on public order.
- The nature, scope, context, and purpose of processing personal data, and the risk to the rights and freedoms of data subjects.
- The risk of unlawful access to such data by a third country or a legal entity established in a third country.
- The risk of possible service disruption.
The outcome of this assessment is a mapping of activities to assurance levels. For example, an activity deemed critical to public order might require a service at Union Assurance Level 3 or 4. These levels impose strict criteria on the provider regarding infrastructure location, personnel citizenship, and third-country control, but they do not restrict the data from flowing between Member States. As long as the provider meets the criteria for the required assurance level, the data can be stored and processed anywhere in the Union.
Assurance Levels as the Sovereignty Mechanism
CADA replaces fragmented national sovereignty approaches with a harmonised framework of four Union assurance levels (detailed in Annex II of the proposal). These levels define the criteria for trusted cloud computing services:
- Level 1: Basic requirements, including establishment in the Union and infrastructure located in the Union. This is the minimum baseline for all public sector procurement (Article 30).
- Level 2: Adds requirements for cybersecurity certification (at least "substantial" assurance), a prohibition on using data to train third-country AI systems, and stricter limits on third-country control over the provider.
- Level 3: Requires personnel to be Union citizens (conditional at L2, mandatory at L3/L4), more stringent cybersecurity certification ("substantial"), and explicit prohibitions on third-country control over the provider and subcontractors (with limited exceptions for associated third countries under Article 18).
- Level 4: The highest level, requiring "high" assurance cybersecurity certification, strict separation from third-country entities, and mandatory Union citizenship for all personnel.
By focusing on these assurance levels, CADA ensures that sovereignty risks (such as unauthorized access by third countries or service disruption) are mitigated through provider compliance and auditing, rather than through geographic data confinement. This approach supports the internal market by allowing EU-based providers to scale services across borders without facing 27 different data localisation regimes.
Implications for Procurement and Migration
Article 30 ties the risk assessments directly to procurement. Contracting authorities whose activities have been identified as contributing to the preservation of public order must only procure cloud computing services recognised at the appropriate assurance level (2, 3, or 4). This creates a clear compliance obligation for public sector bodies: they must align their procurement specifications with the results of their risk assessments.
Furthermore, Article 29(6) addresses migration. If a risk assessment determines that a current service does not meet the required assurance level, the Member State or Union entity must migrate to a compliant service within a reasonable transition period, not exceeding 12 months. This timeline underscores the practical impact of these assessments on IT infrastructure planning.
What this means for you
For in-house counsel and compliance officers in the public sector or those providing services to the public sector, the implications of CADA's approach to data localisation and risk assessment are significant:
- Shift from Residency to Assurance: Stop designing contracts and architectures around national data residency requirements. Instead, focus on understanding the four Union assurance levels and the criteria required to achieve them. Your compliance strategy should centre on demonstrating compliance with the specific assurance level mandated by the relevant risk assessment.
- Participate in Risk Assessments: Public sector entities must conduct risk assessments as per Article 29. These assessments are not one-off exercises; they must be updated every two years or whenever necessary. Ensure your legal and technical teams are prepared to evaluate data sensitivity, criticality, and third-country access risks accurately.
- Procurement Alignment: Review your cloud procurement processes. Article 30 mandates that procurement for public order-relevant activities must be restricted to services at the appropriate assurance level. Ensure your tender documents explicitly require providers to hold the necessary recognition in the central repository.
- Migration Planning: If your current cloud provider does not meet the required assurance level following a risk assessment, you have a maximum of 12 months to migrate. Begin planning for this potential transition now, including data portability and service continuity strategies.
- Penalties and Enforcement: While CADA focuses on provider obligations, public sector bodies face operational risks if they fail to comply with procurement rules. Ensure your internal controls align with the risk assessment outcomes to avoid non-compliance with public procurement laws and CADA requirements.
Common misconceptions
- Misconception: CADA requires data to stay within national borders.
- Reality: CADA explicitly prohibits confining data to a single Member State (Recital 64). Data can flow freely across the EU, provided the service meets the required Union assurance level.
- Misconception: Risk assessments are about deciding where data is stored.
- Reality: Risk assessments under Article 29 are about determining the appropriate assurance level based on data sensitivity and public order impact. They do not dictate geographic location.
- Misconception: Assurance levels are just another certification.
- Reality: Assurance levels are a comprehensive sovereignty framework that includes criteria on third-country control, personnel citizenship, and AI training data usage, going far beyond standard cybersecurity certifications.
Related
- How does data sensitivity factor into a CADA risk assessment?
- Why is the CADA risk assessment described as a risk-based and context-specific approach?
- When is the first CADA risk assessment due?
- What triggers cloud migration after a CADA risk assessment?
- CADA Risk Assessment Reports: What Must Be Submitted to the Commission?
This is general information about a draft EU regulation, not legal advice.