Summary

Yes, as proposed, the Cloud and AI Development Act (CADA) explicitly requires Member States and Union entities to conduct risk assessments for public sector activities that contribute to the preservation of public order, a category that expressly includes defence. Under Article 29, these assessments determine the necessary Union assurance level for cloud computing services. Crucially, Article 29(3) mandates that the Commission's methodology for these assessments must specify how Member States apply the highest level of assurance to the most critical public sector activities, "including, but not limited to, defence." This creates a binding framework where defence cloud systems would be subject to the strictest sovereignty requirements (Levels 3 or 4) to safeguard operational autonomy and prevent third-country interference.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework to strengthen the European Union's cloud and AI ecosystem. A central pillar of this framework is the requirement for public sector bodies to assess risks associated with their use of cloud computing services. This is not a blanket requirement for all IT systems, but a targeted obligation for activities deemed critical to public order.

Defence as an Explicit Public-Order Area

The cornerstone of CADA's risk assessment regime is Article 29, titled "Risk assessments." This article mandates that Member States and Union entities carry out risk assessments to identify public sector activities that use or will use cloud computing services and contribute to the preservation of public order.

Article 29(1)(a) explicitly lists the sectors and areas covered by these assessments. It states that assessments must identify activities contributing to the preservation of public order in sectors falling under Annex I or II of the NIS2 Directive, and specifically in the areas of:

  • National security
  • Internal security
  • External border management
  • Defence
  • Justice
  • Law enforcement, including the prevention, investigation, detection, and prosecution of criminal offences.

By explicitly naming "defence" alongside national security and law enforcement, the proposal makes clear that cloud systems supporting defence operations are not peripheral; they are central to the sovereignty framework. The legislative intent, as outlined in the recitals, is to mitigate risks such as misuse, unauthorized access, and dependency vulnerabilities that could arise from using cloud services controlled by third countries. For defence systems, the stakes are particularly high, involving sensitive operational data, strategic planning, and critical infrastructure that must remain under strict Union control.

The Role of the Risk Assessment

The purpose of the risk assessment under Article 29 is twofold:

  1. Identification: To pinpoint which specific public sector activities fall into the public-order category.
  2. Classification: To determine which Union assurance level (Level 2, 3, or 4) is appropriate for those activities.

It is important to note that while all public sector bodies must use at least Union Assurance Level 1 services (as per Article 30(2)), only those activities identified through the Article 29 risk assessment as contributing to public order are subject to the stricter requirements of Levels 2, 3, or 4. Defence activities, by their nature, will almost invariably be classified as contributing to public order, thereby triggering the need for higher assurance levels.

Methodology and the Mandate for Highest Assurance

The proposal does not leave the determination of assurance levels entirely to the discretion of individual Member States, especially for critical areas like defence. Article 29(3) grants the Commission the power to adopt implementing acts that specify the methodology for these risk assessments.

Crucially, Article 29(3) states: "The methodology shall specify how Member States use the highest level of assurance for the most critical public sectors activities including, but not limited to, defence."

This provision is significant for several reasons:

  • Harmonization: It prevents a fragmented approach where one Member State might apply a lower assurance level to defence systems than another. The Commission's methodology will provide a baseline for how "criticality" is assessed.
  • Presumption of High Assurance: The phrasing "including, but not limited to, defence" strongly suggests that defence activities are presumed to be among the "most critical." Consequently, the methodology is expected to guide Member States toward using the highest available Union assurance levels (likely Level 4, or Level 3 where Level 4 is not feasible or necessary) for defence cloud systems.
  • Dynamic Updates: The methodology will also specify the elements to be taken into account, ensuring that the assessment remains relevant as threats evolve. This includes considering the sensitivity of data, the potential impact on public order of unlawful access by third countries, and the risk of service disruption.

The Assurance Levels in Context

The Union assurance levels (defined in Annex II of the proposal) range from Level 1 (basic sovereignty guarantees) to Level 4 (the highest level of sovereignty and security).

  • Level 1: Requires the provider to be established in the Union, with infrastructure and data remaining in the Union.
  • Level 2: Adds requirements for personnel location, cybersecurity certification (at least "substantial" assurance), and strict controls on third-country influence.
  • Level 3: Requires that there be no third-country control over the provider or its subcontractors (unless a derogation under Article 18 applies), Union citizenship for personnel, and higher cybersecurity standards.
  • Level 4: The highest tier, requiring effective legal, technical, and organizational separation from third-country subsidiaries, and ensuring that sensitive data never leaves the Union.

For defence systems, the risk assessment under Article 29 will likely conclude that Levels 3 or 4 are required to ensure that no third country can access sensitive defence data or disrupt services. The "highest level of assurance" mandate in Article 29(3) reinforces this expectation.

Implementation and Oversight

Member States must carry out these risk assessments within one year of the Regulation's entry into force and thereafter every two years, or whenever necessary (Article 29(1)). The results of these assessments must be communicated to the Commission within three months (Article 29(4)). If the Commission concludes that the assurance level identified in a Member State's assessment is not appropriate or does not adequately address public order concerns, it can adopt implementing acts to specify the required assurance levels (Article 29(5)). This oversight mechanism ensures that national assessments align with the Union's broader sovereignty goals.

What this means for you

For public-sector procurement officers and defence IT planners, the proposed CADA introduces a structured, mandatory process for evaluating cloud dependencies. Here is how it impacts your operations:

  1. Mandatory Documentation: You cannot assume that existing cloud contracts automatically comply with future CADA requirements. You will need to document risk assessments for any cloud services supporting defence activities. These assessments must clearly link the service to the preservation of public order and justify the chosen assurance level.
  2. Higher Assurance Requirements: Be prepared to procure cloud services that meet Union Assurance Levels 3 or 4. This may limit the pool of eligible vendors, as only providers recognized by national competent authorities (under Article 17) can offer these levels. You may need to initiate migration plans to move defence workloads from non-compliant third-country providers to sovereign European alternatives.
  3. Collaboration with National Competent Authorities: The recognition of assurance levels is handled by national competent authorities. You will need to engage with these bodies early to understand which providers are recognized for Levels 3 and 4, and to ensure your risk assessments align with the Commission's forthcoming methodology.
  4. Budget and Timeline Planning: The transition to higher assurance levels may involve significant costs and time. Article 29(6) allows for a reasonable transition period (up to 12 months) for migration if the risk assessment requires moving to a different cloud service. Plan your procurement cycles to account for these transition windows.
  5. Multi-Cloud Strategies: Article 29(9) encourages Member States to consider multi-vendor or multi-cloud strategies as part of their risk assessments. For defence, this could mean distributing workloads across multiple sovereign providers to enhance resilience and reduce single points of failure.

Common misconceptions

Misconception 1: All public sector cloud use requires the highest assurance levels. Reality: No. CADA introduces a tiered approach. Only activities identified through the Article 29 risk assessment as contributing to public order (like defence, national security, etc.) require Levels 2, 3, or 4. Standard administrative tasks may only require Level 1.

Misconception 2: Member States have full discretion to choose assurance levels for defence. Reality: While Member States conduct the initial assessments, Article 29(3) mandates that the Commission's methodology specifies the use of the highest assurance levels for critical activities like defence. This limits national discretion and ensures a high baseline of security across the EU.

Misconception 3: Existing cybersecurity certifications are sufficient. Reality: CADA's sovereignty framework goes beyond technical cybersecurity. While Levels 2-4 require cybersecurity certifications (e.g., under the Cybersecurity Act), they also impose strict requirements on legal control, data localization, personnel citizenship, and third-country influence. A provider can be secure but not sovereign under CADA definitions.

Misconception 4: Risk assessments are a one-time event. Reality: Article 29(1) requires assessments to be repeated every two years or whenever necessary. The dynamic nature of threats and cloud services means that assurance levels may need to be re-evaluated regularly.

This is general information about a draft EU regulation, not legal advice.