Summary
Yes, as proposed, the Cloud and AI Development Act (CADA) would require Member States and Union entities to conduct specific, recurring risk assessments for cloud computing services used in law enforcement, justice, and criminal investigations. Under Article 29(1)(a), these sectors are explicitly identified as areas where cloud usage contributes to the preservation of "public order." Consequently, once identified, these activities trigger a mandatory procurement obligation under Article 30(3) to use only cloud services recognized at Union assurance levels 2, 3, or 4, rather than the baseline level 1.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a sovereignty framework designed to reduce the EU's dependence on third-country cloud providers. A critical component of this framework is the "risk assessment" mechanism, which acts as the gatekeeper for determining the required level of sovereignty for public-sector cloud procurement. For law enforcement, justice, and criminal investigation activities, the proposal imposes a strict, non-negotiable path from assessment to high-assurance procurement.
The Legal Trigger: Article 29(1)(a) and Public Order
The cornerstone of this obligation is Article 29, titled "Risk assessments." This article mandates that Member States and Union entities must systematically identify which of their public-sector activities rely on cloud computing and whether those activities are critical to the Union's public order.
Article 29(1)(a) provides the definitive list of sectors that automatically fall under this scrutiny. It requires risk assessments to:
"identify the public sector activities that use or will make use of cloud computing services, that contribute to the preservation of public order in sectors falling under Annex I or II of Directive (EU) 2022/2555 and in the areas of national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offence;"
This text is exhaustive regarding law enforcement. It explicitly names "justice" and "law enforcement," and further clarifies that this includes the "prevention, investigation, detection and prosecution of criminal offence." Therefore, any cloud service used by a police force for case management, a prosecutor's office for evidence storage, a court for digital hearings, or a prison administration for inmate data is, by definition, an activity contributing to the preservation of public order under CADA.
From Identification to Higher Assurance Levels
Once an activity is identified under Article 29(1)(a), the process moves to Article 29(1)(b). The risk assessment must:
"determine which Union assurance level 2, 3, or 4 set out in Annex II of this Regulation is appropriate for the identified public sector activities."
This creates a direct legal link between the nature of the work (e.g., criminal investigation) and the technical sovereignty requirements of the cloud provider. The proposal establishes four Union assurance levels:
- Level 1: The baseline for general public sector use, requiring establishment in the Union and data residency, but allowing for some third-country control and non-Union personnel under specific conditions.
- Levels 2, 3, and 4: These higher tiers impose significantly stricter criteria. As detailed in Annex II, these levels require, among other things, that infrastructure and personnel be located in the Union, that data remain exclusively within the Union, and that the provider is not subject to third-country control. Crucially, for Levels 3 and 4, personnel involved in the service provision must be Union citizens (Annex II 3.1(d) and 4.1(d)), and cybersecurity certification must be at least "substantial" (Levels 2/3) or "high" (Level 4).
Because law enforcement and justice activities are explicitly listed in Article 29(1)(a), they are legally barred from using Level 1 services. The risk assessment is not a suggestion; it is the mechanism that forces the upgrade to Level 2, 3, or 4.
The Procurement Consequence: Article 30(3)
The risk assessment under Article 29 is the prerequisite for the procurement rules found in Article 30. While Article 30(2) allows general public sector bodies to use Level 1 services if they are not identified as public-order relevant, Article 30(3) creates a strict prohibition for law enforcement:
"Contracting authorities, including the entities acting on their behalf, whose activities have been identified as contributing to the preservation of public order under Article 29(1) in sectors falling under Annex I or II of Directive (EU) 2022/2555 and in the areas of national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offence, shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."
This means a police department cannot procure a standard cloud service that merely meets Level 1 criteria (e.g., an EU-based provider with some third-country ownership or non-Union support staff). It must procure a service that has undergone independent third-party auditing and been formally recognized by a national competent authority as meeting the rigorous criteria of Level 2, 3, or 4.
Scope, Frequency, and Commission Oversight
The obligation is ongoing. Article 29(1) stipulates that risk assessments must be carried out:
- By the date of entry into force plus one year.
- Thereafter, every two years.
- Whenever necessary (e.g., if the nature of the cloud workload changes).
The assessment must consider specific risk factors outlined in Article 29(2), including the sensitivity and criticality of data, the risk of unlawful access by third countries, and the risk of service disruption. For law enforcement, the "sensitivity" is inherently high, involving data on suspects, victims, and ongoing investigations.
The Commission retains oversight powers. Under Article 29(3), it will adopt implementing acts to specify the methodology and templates for these assessments. Furthermore, Article 29(5) empowers the Commission to intervene if a Member State's risk assessment identifies an assurance level that is "not appropriate or does not adequately address the public order concerns," allowing the Commission to specify the required level via implementing acts.
What this means for you
For public-sector procurement officers, IT directors in police forces, and legal teams in justice ministries, the proposed CADA introduces a fundamental shift in cloud procurement strategy.
- Mandatory Classification: You must immediately classify your cloud workloads. If your activity involves "prevention, investigation, detection and prosecution of criminal offence" or "justice," it is a public-order activity under Article 29(1)(a). You cannot opt out of this classification.
- Exclusion of Level 1: You are legally prohibited from procuring Level 1 services for these activities. You must verify that your provider holds a valid recognition for Level 2, 3, or 4. This likely excludes many major global hyperscalers unless they have established fully EU-controlled subsidiaries with Union-citizen personnel and undergone the rigorous independent audits required by Article 20.
- Audit and Documentation: You must document your risk assessment process. This includes justifying why a specific level (2, 3, or 4) was chosen based on the sensitivity of the data. You must also verify the provider's status in the central repository established under Article 22.
- Migration Deadlines: If your current provider does not meet the required assurance level, Article 29(6) mandates a migration to a compliant provider within a "reasonable transition period that shall not exceed 12 months."
- Personnel and Control Checks: For Levels 3 and 4, you must ensure the provider can guarantee that personnel handling your data are Union citizens and that the provider is not subject to third-country control. This is a significant operational hurdle for many current providers.
Common misconceptions
"All public sector cloud use requires Level 2, 3, or 4." No. Only activities identified as contributing to the preservation of public order under Article 29(1)(a) (such as law enforcement, justice, defence, and national security) require these higher levels. General administrative tasks (e.g., HR, payroll for non-sensitive departments) may still use Level 1 services under Article 30(2).
"Law enforcement can use any EU-based provider." Being established in the EU is only the baseline for Level 1. For law enforcement, Levels 2, 3, and 4 require much more: data must remain exclusively in the Union, personnel must be Union citizens (for Levels 3/4), and the provider must be free from third-country control. An EU-based provider with US ownership or non-Union support staff would likely fail these criteria.
"The risk assessment is a one-time task." Article 29(1) explicitly requires assessments to be repeated every two years and "whenever necessary." The threat landscape and the nature of cloud services evolve; regular reassessment is mandatory.
"We can bypass this if no EU provider meets our needs." Article 30(4) provides extremely narrow derogations. You may only avoid procuring recognized services if: (a) no adequate alternative exists in the central repository; (b) the absence is not due to artificial narrowing of the procurement parameters; or (c) a similar procurement failed to receive suitable tenders. This is a high bar and not a general escape clause.
This is general information about a draft EU regulation, not legal advice.