Summary

The proposed Cloud and AI Development Act (CADA) does not mandate that public bodies adopt multi-cloud or multi-vendor strategies. Instead, as proposed in COM(2026) 502 final, it requires Member States and Union entities to consider whether such strategies are appropriate as part of their mandatory risk assessments under Article 29. The final decision to implement a multi-cloud architecture rests on a context-specific evaluation of operational, regulatory, and resilience needs, with the explicit aim of limiting dependency on a single cloud computing service provider and enhancing overall system resilience.

Detail

Under the proposed Cloud and AI Development Act (CADA), the European Commission is establishing a comprehensive framework to strengthen the EU's cloud and AI ecosystem, with a specific focus on sovereignty, strategic autonomy, and the mitigation of operational risks for public sector bodies. A critical component of this framework is the management of dependencies on third-country providers and the prevention of single points of failure that could undermine public order or service continuity.

The Role of Article 29: Mandatory Consideration, Not Mandate

Article 29 of the CADA proposal establishes the obligation for Member States and Union entities to carry out risk assessments. These assessments are designed to identify public sector activities that use or will use cloud computing services and determine the appropriate "Union assurance level" (levels 1 through 4) required for those activities based on their contribution to the preservation of public order.

Crucially, Article 29(9) explicitly addresses the architectural strategy of these cloud environments. It states:

"In their risk assessments, Member States and Union entities shall consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement of cloud computing services."

This provision makes the consideration of multi-cloud strategies a mandatory element of the risk assessment process, but it does not prescribe a one-size-fits-all solution. The text uses the verb "consider," indicating that the adoption of a multi-cloud approach is discretionary and dependent entirely on the outcome of the specific assessment. The law requires the decision-making process to include this evaluation, but it does not force the outcome.

Recital 65: The Rationale for Multi-Cloud Consideration

The legislative intent behind Article 29(9) is further clarified in Recital 65 of the explanatory memorandum. The recital provides the policy context for why this consideration is necessary:

"To enhance resilience and limit dependency on a single cloud computing service provider, Union entities and Member States should, as part of their public procurement procedures, consider whether a multi-vendor or multi-cloud strategy may be appropriate. The decision to adopt and implement a multi-cloud architecture should be based on a context-specific risk assessment. The assessment should identify any relevant operational, regulatory or resilience-related circumstances that would support the adoption of a multi-vendor or multi-cloud strategy."

This recital underscores two primary objectives that drive the requirement to consider multi-cloud strategies:

  1. Enhancing Resilience: By diversifying providers, public bodies can reduce the impact of service disruptions, outages, or cyberattacks affecting a single vendor. This ensures that critical public services remain operational even if one provider faces technical or geopolitical challenges.
  2. Limiting Dependency: Reducing reliance on a single provider mitigates the risk of vendor lock-in and ensures that the public sector retains agency and control over its digital infrastructure. This is particularly relevant in the context of reducing strategic dependencies on non-EU providers, a core objective of CADA.

Context-Specific Risk Assessment

The CADA framework emphasizes that the decision to pursue a multi-cloud strategy must be "context-specific." This means that the risk assessment conducted under Article 29 must evaluate several distinct factors before a conclusion is reached. The assessment is not a theoretical exercise but a practical evaluation of the specific public sector activity in question.

The factors to be considered include:

  • Operational Circumstances: The technical complexity, cost implications, and management overhead of operating multiple cloud environments versus the benefits of redundancy. For some smaller or less critical services, the operational burden of a multi-cloud strategy might outweigh the resilience benefits.
  • Regulatory Requirements: Specific data sovereignty, security mandates, or public order requirements that may necessitate isolation from certain providers or jurisdictions. In some cases, a single highly sovereign provider might be sufficient; in others, a split architecture might be required to meet specific assurance levels.
  • Resilience Needs: The criticality of the public service in question. For instance, a system handling emergency response data, law enforcement intelligence, or critical infrastructure control may have higher resilience requirements that justify a multi-cloud approach. Conversely, an internal administrative tool might not require such redundancy.

The risk assessment itself, as outlined in Article 29(1) and (2), must consider the sensitivity, criticality, and magnitude of the data processed, as well as the risk of unlawful access by third countries or service disruption. The consideration of a multi-cloud strategy is one tool within this broader assessment to mitigate identified risks. If the assessment determines that a single provider poses an unacceptable risk of disruption or dependency, the "context-specific" nature of the assessment would support a multi-cloud decision.

Interaction with Procurement Rules

The consideration of multi-cloud strategies also intersects with the procurement rules set out in Title IV of the CADA. Article 30 mandates that public sector bodies procure cloud services that meet the Union assurance levels determined by their risk assessments. If a risk assessment concludes that a multi-cloud strategy is necessary to achieve the required resilience or assurance level, this will directly influence the procurement process.

Contracting authorities may need to structure tenders to allow for multiple providers or to include specific requirements for interoperability and data portability to facilitate a multi-cloud environment. This aligns with the broader CADA goals of fostering a competitive market and reducing lock-in.

Furthermore, Article 32 introduces "Union added value" criteria for public procurement. While not directly mandating multi-cloud architectures, the emphasis on strengthening the digital supply chain and reducing dependencies aligns with the strategic goal of diversifying providers. A multi-cloud strategy that incorporates European providers could be viewed favorably under these criteria, provided it meets the technical and financial requirements of the tender. The proposal encourages contracting authorities to evaluate the extent to which a tenderer contributes to strengthening the digital technology supply chain in the Union, which a multi-vendor approach often supports.

What this means for you

For CTOs, architects, public procurement officers, and cloud providers evaluating the practical impact of CADA, the requirement to "consider" multi-cloud strategies introduces a new layer of due diligence in public sector engagements.

For Public Sector CTOs and Architects

  • Mandatory Evaluation: You must now formally document whether a multi-cloud or multi-vendor strategy is appropriate for each cloud procurement project. This is not optional; it is a required component of the Article 29 risk assessment. Failure to document this consideration could lead to compliance issues during audits or reviews.
  • Documentation of Rationale: If you decide against a multi-cloud strategy, you must be able to justify this decision based on your risk assessment. This could involve demonstrating that the operational costs, technical complexity, or specific nature of the service outweigh the resilience benefits for that specific use case. The "context-specific" nature of the law means that a single-cloud strategy is permissible if justified.
  • Interoperability Focus: If a multi-cloud strategy is adopted, your architecture must prioritize interoperability and data portability. This aligns with the broader CADA goals and complements the switching provisions in the Data Act. Ensure your technical specifications include standards for seamless data migration and service integration across providers to avoid creating new forms of lock-in.
  • Resilience Planning: Use the risk assessment to identify critical services that require high availability. For these services, a multi-cloud approach may be the most effective way to meet the required Union assurance levels and protect public order. The assessment should explicitly link the chosen architecture to the identified resilience risks.

For SMEs and Cloud Providers

  • Competitive Landscape: The requirement to consider multi-cloud strategies may open significant opportunities for smaller European providers. Public bodies seeking to reduce dependency on large hyperscalers may look to integrate niche or regional providers into a multi-cloud ecosystem to meet their resilience and sovereignty goals.
  • Interoperability as a Selling Point: Highlight your service's interoperability and ease of integration with other platforms. Compliance with open standards and support for multi-cloud management tools will be increasingly important differentiators. Providers that can demonstrate how they fit into a broader, resilient architecture will have a competitive edge.
  • Assurance Levels: Ensure your services can meet the specific Union assurance levels (1–4) required by public sector clients. If you are part of a multi-cloud strategy, your service must still independently satisfy the relevant assurance criteria. A multi-cloud strategy does not lower the bar for individual providers; each must meet the level required for the data they handle.
  • Risk Assessment Support: Offer tools and documentation that help public sector clients conduct their Article 29 risk assessments. Providing clear information on your security posture, data location, resilience capabilities, and ability to operate in a multi-vendor environment will make it easier for clients to consider you as part of a multi-vendor strategy.

Common misconceptions

Misconception 1: CADA forces all public bodies to move to a multi-cloud architecture.

  • Correction: CADA does not mandate a multi-cloud architecture. It requires public bodies to consider whether such a strategy is appropriate. A single-cloud strategy may still be chosen if the risk assessment determines it is sufficient for the specific operational and resilience needs of the public service. The law mandates the process of consideration, not the outcome.

Misconception 2: Multi-cloud strategies are only about avoiding US providers.

  • Correction: While reducing dependency on third-country providers is a key goal of CADA, the consideration of multi-cloud strategies is also driven by broader resilience and operational concerns. Recital 65 explicitly mentions "operational, regulatory or resilience-related circumstances," which include avoiding single points of failure, regardless of the provider's nationality. Even a purely EU-based single provider could pose a resilience risk if it represents a single point of failure.

Misconception 3: The decision to adopt multi-cloud is made solely by the technical team.

  • Correction: The decision is part of a formal risk assessment conducted by Member States and Union entities, as required by Article 29. This assessment involves evaluating public order, data sensitivity, and criticality, which are strategic and legal considerations, not just technical ones. The risk assessment must be documented and reported to the Commission, ensuring a holistic view of the risks.

Misconception 4: Multi-cloud strategies are incompatible with Union assurance levels.

  • Correction: Multi-cloud strategies can coexist with the Union assurance levels. Each provider in a multi-cloud environment must independently meet the required assurance level (e.g., Level 2, 3, or 4) for the specific data or service they handle. The risk assessment will determine the appropriate level for each component of the architecture, and the procurement process must ensure that all selected providers meet these standards.

This is general information about a draft EU regulation, not legal advice.