Summary
As proposed, the Cloud and AI Development Act (CADA) does not regulate the conduct of national security activities themselves, as national security remains the sole responsibility of Member States under Article 4(2) of the Treaty on European Union (TEU). However, CADA would significantly affect the cloud and AI infrastructure that national security bodies procure. While the Act respects the competence carve-out, it imposes a mandatory "Union cloud computing sovereignty framework" on public sector bodies. Under Article 30, national security agencies must procure cloud services recognised at Union assurance level 2, 3 or 4, the level being fixed by national risk assessments. In short, the activity is a national competence, but the infrastructure supporting it is subject to EU-wide sovereignty standards.
Detail
To determine the applicability of CADA to national security, one must distinguish between the regulation of the activity (excluded) and the regulation of the infrastructure used to support that activity (included). The proposal navigates this distinction by respecting EU competence boundaries while imposing strict procurement and sovereignty standards on the underlying technology stack.
The Legal Basis and the TFEU Competence Carve-Out
CADA is proposed as a Regulation of the European Parliament and the Council, establishing a framework of measures for strengthening Europe's cloud and AI ecosystem. Its legal basis is twofold: Article 114 TFEU (harmonisation of the internal market) and Article 173(3) TFEU (industrial policy and competitiveness).
Crucially, the proposal explicitly acknowledges the limits of EU competence regarding national security. The explanatory memorandum and recitals align with the broader EU digital policy framework, which respects that national security remains the sole responsibility of Member States. This is a direct reflection of Article 4(2) TEU, which states that "national security remains the sole responsibility of each Member State." Consequently, CADA does not attempt to harmonise national laws on national security itself, nor does it impose EU-wide rules on how national security operations, intelligence gathering, or defence strategies are conducted.
However, the infrastructure supporting these operations, specifically cloud computing services and AI systems, falls within the scope of CADA when procured by public sector bodies. Article 1 of the CADA proposal sets out the subject matter, a framework that includes: (a) establishing the Cloud Leadership Initiative and the AI Leadership Initiative; (b) setting the framework for the accelerated deployment of data centres; (c) enabling the availability of a sovereign cloud and artificial intelligence (AI) offer to safeguard the Union's public order; (d) reducing dependencies on critical technologies; (e) fostering the adoption of cloud computing services across the public sector.
While Article 1 does not explicitly exclude national security, the operational provisions in Title IV (Autonomy) apply to "Union entities and public sector bodies." National security agencies, ministries of defence, and intelligence services typically qualify as public sector bodies under EU law. Therefore, when these entities procure cloud services, they are subject to CADA's sovereignty and procurement rules, even if the purpose of the service is national security.
The Sovereignty Framework and "Public Order"
The core mechanism through which CADA affects national security is the "Union cloud computing sovereignty framework" established in Chapter I of Title IV. This framework introduces four "Union assurance levels" (Level 1 to Level 4) that cloud computing service providers must meet to offer services to public sector bodies.
Article 29 requires Member States and Union entities to conduct risk assessments to determine which public sector activities contribute to the preservation of "public order." The proposal defines public order broadly to include areas of national security, internal security, external border management, defence, justice, and law enforcement.
For activities identified as contributing to the preservation of public order in these sensitive sectors, Article 30(3) mandates that contracting authorities must only procure cloud computing services that have been recognised as offering Union assurance levels 2, 3, or 4. Level 1 is insufficient for these critical functions. This means that national security bodies cannot simply use any cloud provider; they must use providers that have undergone rigorous independent audits and met strict criteria regarding data localisation, personnel citizenship, and absence of third-country control.
Criteria for High-Assurance Levels in Security Contexts
The criteria for these assurance levels are detailed in Annex II of the proposal. For national security contexts, Level 3 or Level 4 is likely required. These levels impose stringent conditions:
- Establishment and Location: The provider and its subcontractors must be established in the Union, and infrastructure, assets, and personnel must be located in the Union (Annex II, Section 3(b) and 4(b)).
- Personnel: Personnel involved in the service must be Union citizens. For Level 4, personnel must also have the necessary national security clearance issued by a Member State when handling classified information (Annex II, Section 4(d)). Note that for Level 2, Union citizenship is conditional (only if the public body requires it), but for Levels 3 and 4, it is mandatory.
- No Third-Country Control: For Level 3 and 4, the provider and subcontractors must not be subject to the control of a third country or a legal entity established in a third country. A derogation exists for Level 3 if the Commission has adopted an implementing act identifying an "associated third country" (the substantive mechanism is set out in Article 18, although the cross-reference in Annex II, Section 3(g) points to Article 19).
- Cybersecurity Certification: Services must obtain a European cybersecurity certificate of at least "substantial" (Level 3) or "high" (Level 4) assurance under the European Cybersecurity Certification Scheme for Cloud Services (EUCS), where available (Annex II, Section 3(e) and 4(e)).
Risk Assessments and Member State Discretion
While CADA sets the framework, the specific application to national security activities rests with Member States. Article 29(1) requires Member States to carry out risk assessments to identify public sector activities that use cloud computing services and contribute to the preservation of public order in sectors falling under Annex I or II of the NIS2 Directive, as well as in the areas of national security, internal security, external border management, defence, justice and law enforcement.
These risk assessments determine which assurance level is appropriate. For example, a national security agency might determine that its intelligence processing requires Level 4 assurance, while its general administrative IT might only require Level 2. The Commission will provide guidance on these assessments, but the final mapping of activities to assurance levels is a national competence, ensuring that Member States retain control over their security needs while adhering to the EU's harmonised trust framework.
What this means for you
For in-house counsel and compliance officers in the public sector, particularly those working with defence, intelligence, or national security agencies, CADA introduces several critical obligations and deadlines:
- Procurement Policy Updates: You must review your cloud procurement policies to ensure they align with Article 30. Any tender for cloud services supporting national security activities must specify a minimum Union assurance level (2, 3, or 4) based on your national risk assessment. You cannot award contracts to providers that do not hold valid recognition in the central repository maintained by the Commission (Article 22).
- Risk Assessment Deadlines: Member States must carry out initial risk assessments within one year of the Regulation's entry into force (Article 29(1)). You must be prepared to identify which of your agency's activities fall under "national security" or "public order" and document the rationale for the required assurance level.
- Vendor Due Diligence: Your due diligence process must verify that cloud providers meet the specific criteria for the required assurance level. This includes checking for third-country control of both the provider and its subcontractors (the Annex II criteria apply to the whole chain), verifying the location of infrastructure, data and personnel, and ensuring valid cybersecurity certifications. For Level 3 and 4, this requires reviewing independent audit reports (Article 20).
- Transition Planning: If your current cloud provider does not meet the required assurance level, you must plan for migration. Article 29(6) states that if a risk assessment requires migration, it must occur within a reasonable transition period not exceeding 12 months. You should begin identifying compliant providers and assessing migration feasibility immediately.
- National Security Clearance Requirements: For Level 4 services, ensure that your contracts include clauses requiring personnel who handle classified information to hold a national security clearance issued by a Member State (Annex II, Section 4(d)). Verify that your provider has the processes in place to obtain and maintain these clearances for all staff involved in the service.
Common misconceptions
"CADA regulates national security operations." No. CADA does not regulate how national security activities are conducted. It only regulates the cloud and AI infrastructure procured by public bodies supporting those activities. National security remains a Member State competence under Article 4(2) TEU.
"National security agencies are exempt from CADA." No. National security agencies are public sector bodies and are subject to CADA's procurement and sovereignty rules when buying cloud services. They are not exempt: Article 30(3) requires at least Level 2 for public order activities, and national risk assessments are likely to place national security workloads at the higher assurance levels (Level 3 or 4).
"Any EU-based cloud provider is sufficient for national security." No. Merely being established in the EU is not enough. Providers must meet specific assurance levels (2, 3, or 4) and pass independent audits. For national security, Level 3 or 4 is typically required, which imposes strict rules on third-country control, personnel citizenship, and data localisation.
"The EU dictates which activities are 'national security'." No. The classification of activities as contributing to "public order" or "national security" is done through national risk assessments by Member States (Article 29). The EU provides the framework and guidance, but Member States determine the sensitivity of their own operations.
Official sources
Related
- Does CADA procurement apply to public universities?
- When must public administrations comply with CADA? Entry into force, strategies and procurement deadlines
- What procurement monitoring and reporting does CADA require of Member States?
- CADA Article 32: What is the Union added value criterion in public procurement?
- What is the minimum cloud assurance level for public-sector procurement under CADA?
This is general information about a draft EU regulation, not legal advice.