Summary

The proposed Cloud and AI Development Act (CADA) does not explicitly name the European Health Data Space (EHDS) or its secondary-use infrastructure. However, because EHDS access bodies are public-sector entities, their procurement of cloud computing services falls squarely within CADA's sovereignty framework. Under Article 29, these bodies must conduct risk assessments to determine if their activities contribute to the preservation of public order. Given that the healthcare sector is listed in Annex I or II of the NIS2 Directive and involves highly sensitive personal data, these assessments will likely classify EHDS secondary-use activities as critical. Consequently, Article 30(3) would mandate that such bodies procure only cloud services recognised at Union Assurance Levels 2, 3, or 4. Therefore, EHDS secondary-use infrastructure would likely require CADA recognition to ensure compliance with EU public procurement sovereignty rules.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised Union cloud computing sovereignty framework. While the text does not explicitly reference the EHDS Regulation, the intersection of public procurement, data sovereignty, and critical infrastructure creates a de facto requirement for CADA recognition for EHDS secondary-use infrastructure. The mechanism is driven by the status of the buyer (public sector) and the nature of the activity (public order relevance), rather than a specific sectoral mention.

The Public Sector Procurement Obligation

CADA's core mechanism for reducing dependency on third-country providers is its sovereignty framework, which applies to all public sector bodies. Article 30 sets out strict procurement obligations for contracting authorities.

Article 30(2) establishes a baseline requirement: Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud computing services recognised at Union Assurance Level 1. This level requires a self-assessment by the provider and ensures basic establishment and data localisation within the Union.

However, Article 30(3) imposes significantly stricter requirements. It states that contracting authorities whose activities have been identified as contributing to the preservation of public order under Article 29(1) must only procure cloud computing services recognised as offering Union Assurance Levels 2, 3, or 4. The text of Article 30(3) explicitly links this obligation to sectors falling under Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive) and areas including national security, internal security, external border management, defence, justice, or law enforcement.

The Role of Risk Assessments (Article 29)

The trigger for these higher assurance levels is the risk assessment mandated by Article 29. Member States and Union entities must carry out these assessments to identify public sector activities that use cloud computing services and contribute to the preservation of public order.

Article 29(1) explicitly requires the identification of activities in sectors falling under Annex I or II of the NIS2 Directive. Healthcare is among the sectors listed under NIS2, and entities within it are designated as essential entities. Furthermore, Article 29(2) requires assessors to consider the sensitivity, criticality, and magnitude of the non-personal and personal data processed, as well as the risk of unlawful access by a third country.

EHDS secondary-use infrastructure involves the processing of vast amounts of sensitive health data for research, policy-making, and innovation. Given the critical nature of health data, its classification within the NIS2 framework, and the potential impact on public order if such data were compromised or accessed by third countries, it is highly probable that EHDS access bodies will classify their cloud dependencies as contributing to public order. Therefore, the risk assessment under Article 29 would likely mandate the use of services recognised at Union Assurance Levels 2, 3, or 4, rather than the baseline Level 1.

Recognition and Assurance Levels

To offer services at Levels 2, 3, or 4, cloud providers must undergo independent third-party audits and receive formal recognition from national competent authorities, as detailed in Articles 17 and 20 of CADA. These levels impose cumulative criteria that go beyond basic compliance:

  • Union Assurance Level 2: Requires the provider and subcontractors to be established in the Union, with infrastructure, assets, and personnel located in the Union. It mandates a European cybersecurity certificate of at least assurance level 'substantial' (Annex II, 2.1(e)) and strict controls on third-country data access and AI training (Annex II, 2.1(f)).
  • Union Assurance Level 3: Adds the requirement that personnel involved in the service must be Union citizens (Annex II, 3.1(d)) and maintains the 'substantial' cybersecurity certification. It also includes a derogation mechanism in Article 18 for third-country control, but only if the Commission has adopted an implementing act finding the third country provides sufficient assurances.
  • Union Assurance Level 4: The highest tier, requiring a 'high' assurance level cybersecurity certificate (Annex II, 4.1(e)) and ensuring that sensitive data identified in the risk assessment remains exclusively within the Union.

For EHDS secondary-use infrastructure, which handles sensitive personal and non-personal health data, meeting these criteria is essential to ensure operational autonomy, data confidentiality, and protection against third-country interference.

Implications for EHDS Access Bodies

EHDS access bodies, whether established at national or Union levels, will need to align their cloud procurement strategies with CADA's requirements. This means they cannot simply procure any cloud service; they must verify that the provider holds a valid recognition for the appropriate Union Assurance Level.

Article 30(4) provides limited derogations, allowing contracting authorities to decide not to procure recognised services only on an exceptional basis where:

  1. The subject matter cannot be supplied by recognised services available in the central repository (Article 22);
  2. No adequate or reasonable alternative exists; and
  3. The absence of such services is not the result of an artificial narrowing of the procurement parameters.

If an EHDS body fails to procure at the required assurance level without a valid derogation, it would be in breach of CADA's public procurement rules.

What this means for you

For in-house counsel, compliance officers, and procurement teams at EHDS access bodies or national health data authorities, the immediate priority is to integrate CADA's sovereignty requirements into your cloud procurement and risk management processes.

  1. Conduct Risk Assessments: Initiate or update risk assessments under Article 29 immediately. Determine whether your cloud-dependent activities, particularly those involving the secondary use of health data, contribute to the preservation of public order. Given the sensitivity of health data and its NIS2 classification, you should assume that higher assurance levels (2, 3, or 4) will be required.
  2. Verify Provider Recognition: Ensure that any cloud computing service provider you engage holds a valid recognition for the appropriate Union Assurance Level. Do not rely on general cybersecurity certifications alone; request and verify their specific recognition status in the central repository maintained by the Commission under Article 22.
  3. Update Procurement Criteria: Incorporate CADA's Union Assurance Level requirements into your tender documents as a mandatory eligibility criterion. Additionally, Article 32 allows for the inclusion of non-price award criteria that evaluate a tenderer's contribution to the European cloud ecosystem, which can help prioritise sovereign providers.
  4. Monitor Regulatory Developments: CADA is a proposal and may change during legislative proceedings. Stay informed about updates to the assurance level criteria in Annex II and the implementation of delegated acts that will specify risk assessment methodologies.
  5. Plan for Transition: If your current cloud infrastructure does not meet the required assurance levels, begin planning a migration strategy. Article 29(6) allows for a reasonable transition period, not exceeding 12 months, for migration to compliant services, taking into account technical feasibility and continuity of service.

Common misconceptions

"CADA does not mention EHDS, so it does not apply." This is incorrect. CADA applies to all public sector bodies procuring cloud computing services. EHDS access bodies are public sector entities, and their procurement falls under CADA's scope. The lack of explicit mention does not exempt them from the general obligations defined in Articles 29 and 30.

"Level 1 recognition is sufficient for health data." This is likely incorrect for secondary-use infrastructure. While Level 1 is the baseline for non-critical public sector activities, health data is highly sensitive and falls under NIS2 critical sectors. Article 29 risk assessments will likely classify these activities as contributing to public order, triggering the requirement for Levels 2, 3, or 4 under Article 30(3).

"Cybersecurity certification replaces CADA recognition." No. While CADA references cybersecurity certifications (e.g., EUCS) as part of the criteria for higher assurance levels (Annex II, 2.1(e) and 4.1(e)), it does not replace the need for CADA-specific recognition. CADA addresses broader sovereignty concerns, including operational autonomy, personnel citizenship, and third-country control, which go beyond technical cybersecurity.

"Private cloud providers are exempt." No. CADA applies to all cloud computing service providers, regardless of whether they are public or private, if they are procured by public sector bodies. Private providers must meet the assurance level criteria to be eligible for public contracts.

"The AI Act covers this." The AI Act regulates the AI systems themselves, not the underlying cloud infrastructure or the sovereignty of the provider. As the CADA explanatory memorandum states, the AI Act "does not cover aspects of sovereignty." CADA is the instrument proposed to address the infrastructure layer beneath the AI.

This is general information about a draft EU regulation, not legal advice.