Summary
Under the proposed Cloud and AI Development Act (CADA), public hospitals are not automatically required to use the highest tiers of sovereign cloud for every operation. Instead, the proposal establishes a tiered, risk-based framework. Article 30(2) mandates that all public sector contracting authorities, including hospitals, must procure cloud services with at least Union assurance level 1 as a baseline. However, if a hospital's activities are identified as contributing to the preservation of public order (a category that can include critical healthcare functions under Article 29), the hospital must procure services recognised at Union assurance level 2, 3, or 4. The specific level required is not fixed by the Act itself but is determined by a mandatory risk assessment conducted by the Member State or the Union entity.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a harmonised framework for the public procurement of cloud computing services. Its primary aim is to reduce strategic dependencies and safeguard the Union's public order. For public hospitals and healthcare providers, the regulation does not impose a "one-size-fits-all" mandate for maximum sovereignty. Instead, it creates a graduated obligation structure driven by the criticality of the specific activity being supported.
The Baseline: Mandatory Level 1 for All Public Procurement
The foundational rule for public sector bodies is found in Article 30(2). This provision states that Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order shall use cloud computing services that have been recognised as having a Union assurance level 1.
This creates a universal floor for public procurement. Even for non-critical administrative tasks, such as HR management, general email services, or non-sensitive internal communications, a public hospital cannot procure cloud services that fail to meet the Level 1 criteria. As defined in Annex II, Level 1 requires the provider to be established in the Union, with infrastructure and customer data remaining exclusively within the Union (unless the public body explicitly requires otherwise), and compliance with state-of-the-art cybersecurity standards.
Crucially, Article 30(2) applies to "contracting authorities" as defined in Directive 2014/24/EU. Public hospitals, when acting as contracting authorities procuring cloud services for their exclusive use, fall squarely within this scope. Therefore, the first compliance step for any public hospital is to ensure that all its cloud providers meet the Level 1 baseline.
The Public Order Trigger: Escalation to Levels 2, 3, or 4
The obligation escalates significantly when a hospital's activities are deemed to contribute to the preservation of public order. Article 30(3) explicitly states that contracting authorities whose activities have been identified as contributing to the preservation of public order "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3, or 4."
This means that for these specific activities, Level 1 is insufficient. The hospital is legally barred from using Level 1 services for those functions and must seek providers recognised at a higher assurance level.
But what constitutes "public order" in a healthcare context? The Act does not provide a static list of "public order" hospitals. Instead, Article 29 delegates the identification of these activities to Member States and Union entities through a risk assessment process. Article 29(1) requires these assessments to identify public sector activities that contribute to the preservation of public order in sectors falling under Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive) and in areas including "national security, internal security, external border management, defence, justice or law enforcement."
While healthcare is not explicitly listed in the same breath as defence in the text of Article 29(1), the provision includes "sectors falling under Annex I or II of Directive (EU) 2022/2555." The NIS2 Directive explicitly includes "healthcare" as a critical sector. Consequently, if a Member State's risk assessment determines that a specific hospital activity (e.g., managing a national pandemic response database, operating critical emergency care infrastructure, or processing data vital for public health security) falls within the scope of NIS2 and contributes to public order, that activity triggers the Article 30(3) obligation.
The Determining Factor: The Article 29 Risk Assessment
The specific assurance level (2, 3, or 4) required for a public-order activity is not arbitrary; it is the output of the risk assessment mandated by Article 29.
Article 29(1) requires Member States and Union entities to carry out risk assessments to determine "which Union assurance level 2, 3, or 4... is appropriate for the identified public sector activities." This assessment must consider:
- The sensitivity, criticality, and magnitude of the data processed (including personal health data).
- The risk and impact of unlawful access by a third country.
- The risk of service disruption.
Article 29(3) further empowers the Commission to specify the methodology for these assessments, including how to use the highest level of assurance for the most critical activities. The Commission may also adopt implementing acts to specify the Union assurance level needed for a public sector activity if it concludes that a Member State's assessment is inadequate (Article 29(5)).
Therefore, a public hospital does not unilaterally decide its cloud level. It must align with the national risk assessment. For example:
- A hospital's general administrative portal might be assessed as not contributing to public order, requiring only Level 1.
- The same hospital's real-time emergency trauma registry, deemed critical for public order under the NIS2 linkage, might be assessed as requiring Level 3 or Level 4.
Understanding the Assurance Levels in a Healthcare Context
While the technical criteria are detailed in Annex II, the practical implications for healthcare providers vary by level:
- Union Assurance Level 1: The baseline. Requires EU establishment, data localisation in the EU, and cybersecurity compliance. Suitable for non-critical administrative functions.
- Union Assurance Level 2: Adds stricter requirements. Personnel must be located in the Union (unless the public body explicitly requires otherwise), and the service must obtain a European cybersecurity certificate of at least "substantial" assurance. It also imposes strict controls on third-country control and software supply chains.
- Union Assurance Level 3: Requires that the personnel handling the service are Union citizens (Annex II 3.1(d)); at Level 2 this is only required where the public body asks for it, whereas at Levels 3 and 4 it applies generally. It also requires a "substantial" cybersecurity certificate. Crucially, Article 18 allows for a derogation: a third-country-controlled provider can be recognised at Level 3 if the Commission adopts an implementing act confirming that the third country provides sufficient safeguards.
- Union Assurance Level 4: The highest tier. Requires a "high" cybersecurity certificate (Annex II 4.1(e)), Union citizenship for personnel, and strict prohibitions on third-country control. This level is typically reserved for activities involving classified information or the highest levels of public order sensitivity.
What this means for you
For procurement officers, IT directors, and legal counsel in public hospitals, the proposed CADA introduces a structured due diligence process that goes beyond standard data protection compliance.
1. Immediate Baseline Compliance (Level 1)
Regardless of the risk assessment outcome, your hospital must ensure that all cloud providers currently in use meet the Union assurance level 1 criteria. If your current provider is established outside the EU or allows data to leave the Union without explicit public body consent, you are already in a position of non-compliance with the proposed Article 30(2). You must initiate migration or renegotiation plans immediately.
2. Map Activities to Public Order
You cannot wait for the national risk assessment to begin your internal planning. Start mapping your hospital's cloud-dependent activities against the criteria in Article 29.
- Identify Critical Systems: Which systems, if disrupted, would threaten public health, safety, or the continuity of essential services? (e.g., emergency department triage systems, national vaccine distribution databases).
- Link to NIS2: Determine if these systems fall under the NIS2 Directive's critical sector definition.
- Prepare Evidence: Document the sensitivity and criticality of the data processed by these systems to support the national risk assessment.
3. Engage with National Competent Authorities
The determination of which activities constitute "public order" and the assignment of the specific assurance level (2, 3, or 4) is a national responsibility under Article 29.
- Monitor National Strategies: Member States must adopt national cloud and AI strategies within one year of the Act's entry into force (Article 7). These strategies will likely include the risk assessment outcomes.
- Participate in Consultations: Engage with your national competent authority to ensure your hospital's critical functions are correctly classified. If a critical system is misclassified as non-critical, your hospital could be forced to migrate to a higher-assurance provider later, causing disruption.
4. Prepare for Tiered Procurement
Your procurement strategy must become granular. You may need to run separate tenders for different assurance levels:
- Level 1 Tenders: For general IT, HR, and non-sensitive administrative workloads.
- Level 2/3/4 Tenders: For critical clinical systems, emergency response infrastructure, and sensitive health data processing.
- Multi-Cloud Architecture: Article 29(9) encourages Member States and Union entities to consider multi-vendor or multi-cloud strategies. A hospital might use a Level 1 provider for email and a Level 4 provider for patient records to balance cost and sovereignty.
5. Update Tender Documentation
When drafting future tenders, you must explicitly state the required Union assurance level. Article 30(3) prohibits the procurement of Level 1 services for public-order activities. Your tender documents must reference the specific assurance level determined by the national risk assessment and require bidders to provide evidence of recognition under Article 17.
Common misconceptions
"All hospital data must be on Level 4 sovereign cloud." Reality: No. CADA is designed to be proportionate. Only activities identified as contributing to public order require Levels 2 to 4. Routine administrative data (e.g., staff rosters, non-sensitive scheduling) likely only requires Level 1. Level 4 is reserved for the most critical, often classified, information.
"CADA bans all non-EU cloud providers." Reality: CADA does not ban non-EU providers outright. A provider subject to third-country control can still qualify for Level 3 if the Commission adopts an implementing act under Article 18 recognising that third country as providing sufficient safeguards. However, for Level 4, the criteria in Annex II 4.1(g) strictly prohibit third-country control.
"The hospital decides the assurance level unilaterally." Reality: While the hospital conducts the initial risk assessment, it must align with national and EU guidance. The Commission can specify assurance levels if it concludes a Member State's assessment is inadequate (Article 29(5)). The process is collaborative and regulated, not entirely discretionary.
"CADA replaces the GDPR." Reality: CADA complements, not replaces, existing data protection laws. While CADA focuses on sovereignty and operational autonomy, the GDPR remains the primary law for personal data protection. A cloud service must comply with both frameworks. The risk assessment under Article 29 explicitly considers the risk to the rights and freedoms of data subjects under the GDPR.
This is general information about a draft EU regulation, not legal advice.