Summary
The proposed Cloud and AI Development Act (CADA) does not explicitly name the European Health Data Space (EHDS) regulation, but its sovereignty framework directly governs the infrastructure hosting health data. Under Article 29, Member States and Union entities must assess whether health-related activities contribute to the "preservation of public order." Given that healthcare is a critical sector under the NIS2 Directive, these assessments will likely require public health authorities and EHDS access bodies to procure cloud services meeting at least Union Assurance Level 2, 3, or 4 as defined in Article 16 and Annex II. Consequently, hosting sensitive health data on infrastructure that has not been recognized at the required level would breach the procurement obligation in Article 30, and providers that infringe the Act face penalties under Article 24.
Detail
The intersection of the European Health Data Space (EHDS) regulation and the proposed Cloud and AI Development Act (CADA) creates a mandatory, risk-based compliance landscape for health data infrastructure. While the EHDS (Regulation (EU) 2025/327) establishes the legal framework for the exchange and secondary use of health data, CADA (COM(2026) 502 final) establishes the mandatory sovereignty criteria for the cloud infrastructure underpinning these exchanges. CADA contains no specific exemption for health data; instead, it subjects health-related cloud services to a tiering system driven by public-order risk assessments.
The Trigger: Article 29 Public-Order Risk Assessments
The primary mechanism activating CADA's sovereignty requirements for the health sector is Article 29 of the CADA proposal. This article obliges Member States and Union entities to carry out risk assessments to determine which public sector activities "contribute to the preservation of public order."
Article 29(1) explicitly requires these assessments to identify activities in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2). Healthcare is listed as a critical sector in Annex I of the NIS2 Directive. Therefore, cloud computing services supporting health data processing, whether for primary care, hospital management, or the cross-border exchange facilitated by EHDS access bodies, are automatically within the scope of this assessment.
The risk assessment must evaluate specific factors outlined in Article 29(2):
- Sensitivity and Criticality: The nature of the data processed, including the magnitude of personal and non-personal data. Health data, classified as "special category data" under the GDPR, inherently carries high sensitivity.
- Public Order Impact: The potential impact on public order if data were accessed unlawfully by a third country or if service continuity were disrupted.
If the risk assessment concludes that a specific health data activity is critical to the preservation of public order, the contracting authority is legally restricted in its procurement choices.
The Mandate: Article 30 and Union Assurance Levels
Once a health activity is identified as contributing to public order under Article 29, Article 30(3) of CADA requires the contracting authority to procure cloud computing services recognized as offering Union Assurance Level 2, 3, or 4.
These levels are defined in Article 16 and detailed in Annex II of the CADA proposal. They represent a hierarchy of sovereignty, security, and operational autonomy:
- Union Assurance Level 1: The baseline for all public sector cloud procurement. It requires the provider to be established in the Union, with infrastructure and data remaining exclusively within the Union (Annex II, Section 1).
- Union Assurance Level 2: Requires stricter controls, including that subcontractors are established in the Union, data is not used to train AI systems operated by third countries, and the service obtains a European cybersecurity certificate of at least "substantial" assurance (Annex II, Section 2.1(e)).
- Union Assurance Level 3: Implies a higher degree of sovereignty. It requires that all personnel involved are Union citizens (Annex II, Section 3.1(d)) and, crucially, that the provider and its subcontractors are not subject to the control of a third country (Annex II, Section 3.1(g)). A derogation exists only if the Commission has adopted an implementing act under Article 18 identifying a third country as providing sufficient assurances. This level is likely necessary for highly sensitive health data where extraterritorial access risks (such as those under the US CLOUD Act) are deemed unacceptable.
- Union Assurance Level 4: The highest tier, allowing for the hosting of EU classified information. It requires the provider to be free from third-country control and to hold a European cybersecurity certificate of "high" assurance (Annex II, Section 4.1(e)).
Application to EHDS Access Bodies
The EHDS regulation designates "access bodies" and "secondary use bodies" to manage health data requests and exchanges. These entities are typically public sector bodies or bodies governed by public law. As such, they fall squarely within the scope of CADA's public procurement rules.
When an EHDS access body selects a cloud provider to host patient records or facilitate cross-border data exchanges, its procurement is bound by the outcome of the Article 29 risk assessment carried out by its Member State (or, for Union entities, by the entity itself). Given the sensitive nature of health data and the critical nature of healthcare under NIS2, it is highly probable that national authorities will classify these activities as requiring Union Assurance Level 3 or 4.
This classification effectively bars many non-EU hyperscalers from hosting these specific workloads unless they can demonstrate compliance with the strict third-country control criteria in Annex II. For instance, a provider subject to the control of a third country (e.g., a US parent company subject to the CLOUD Act) would generally fail the criteria for Level 3 and 4 unless the Commission has specifically recognized that third country under Article 18 and the provider can prove effective legal and technical separation.
Penalties and Enforcement
Compliance is not voluntary. Article 24 of CADA empowers Member States to impose penalties for infringements by cloud computing service providers. These penalties must be "effective, proportionate and dissuasive." While specific fine amounts are left to national implementation, Article 24(2) lists criteria for imposing penalties, including the nature, gravity, scale, and duration of the infringement, as well as the financial benefits gained by the infringing party.
Furthermore, Article 30(4) provides limited derogations. A contracting authority may only decide not to procure a recognized sovereign service if:
- The subject matter cannot be supplied by recognized services available in the central repository;
- No adequate or reasonable alternative exists; or
- Applying the requirements would require the authority to procure services at disproportionate cost.
This narrow exception means that health authorities cannot simply default to non-compliant providers due to convenience, legacy contracts, or cost without rigorous justification and documentation.
What this means for you
For in-house counsel, compliance officers, and IT directors in the health sector, the interaction between CADA and EHDS requires immediate strategic action.
1. Audit Your Cloud Contracts
Review existing contracts with cloud service providers. Determine if your current provider can meet Union Assurance Level 3 or 4. Key questions include:
- Is the provider subject to third-country control (e.g., via ownership or legal jurisdiction)?
- Are all subcontractors established in the Union?
- Can the provider produce a valid European cybersecurity certificate of at least "substantial" (Level 2/3) or "high" (Level 4) assurance?
- Does the provider guarantee that data is not used to train AI systems operated by third countries?
2. Prepare for Article 29 Assessments
Engage with your national competent authority to understand how health data activities are being classified in the national risk assessment. If your entity is a public body or an EHDS access body, you must document the rationale for your chosen assurance level. The assessment must be updated every two years or whenever necessary (Article 29(1)).
3. Evaluate Vendor Lock-in Risks
The shift to sovereign providers may require significant migration efforts. CADA encourages multi-cloud strategies to enhance resilience (Recital 65). Ensure your data architecture supports portability to avoid being locked into a provider that may lose its sovereign recognition or fail to meet future delegated acts.
4. Monitor Delegated Acts and Article 18 Decisions
The specific technical criteria for the assurance levels will be refined in delegated acts under Article 16(2). Stay alert to updates in Annex II, particularly regarding the definition of "control" by third countries. Additionally, monitor the Commission's implementing acts under Article 18, which may identify specific third countries as providing sufficient assurances for Level 3, potentially opening the door for certain non-EU providers.
5. Budget for Compliance Costs
Independent audits are required for Levels 2, 3, and 4 (Article 20). These audits must be performed by independent auditing organizations and will incur additional costs. Factor these into your operational budgets for EHDS implementation. Note that for Level 1, a self-assessment is sufficient (Article 19), but for higher levels, third-party verification is mandatory.
Common misconceptions
Misconception 1: "GDPR compliance is sufficient for sovereignty." Many assume that adhering to the GDPR and the EU-US Data Privacy Framework is enough. CADA explicitly states that while the Data Privacy Framework addresses transatlantic data transfers, it does not remove sovereignty concerns about dependence on third-country providers (Recital 5). CADA adds a layer of operational autonomy, infrastructure location, and personnel citizenship requirements that GDPR does not cover.
Misconception 2: "Health data is exempt from CADA." There is no exemption for health data in the CADA text. On the contrary, because healthcare is a critical sector under NIS2, it is a primary target for the risk assessment mechanism in Article 29. The sensitivity of health data makes it more likely to trigger the highest assurance levels (3 and 4), not less.
Misconception 3: "We can use any EU-based subsidiary of a US provider." Having an EU subsidiary is not enough for Union Assurance Levels 3 and 4. Annex II requires that the provider and its subcontractors are not subject to the control of a third country. This includes assessing corporate governance, ownership structures, and the ability of a third country to compel data access or service disruption. If the parent company is subject to US laws like the CLOUD Act (18 U.S.C. § 2713), the EU subsidiary may still fail the sovereignty criteria unless specific legal and technical separation measures are proven effective and recognized by the Commission.
Misconception 4: "This only applies to new contracts." While CADA applies to new procurement procedures, existing contracts may need to be migrated if they are renewed or if the risk assessment reveals a higher required assurance level. Article 29(6) mandates migration within a reasonable transition period that shall not exceed 12 months if a risk assessment requires moving to a different cloud service.
Related
- EHDS vs CADA: Does health data compliance cover cloud sovereignty?
- Do EU common data spaces need a CADA sovereignty tier?
- CADA and EHDS: What hospitals must know about sovereign cloud for health data
- How does CADA support AI-driven health data reuse compatibly with EHDS?
- CADA vs EHDS: How the Cloud Act governs health data hosting
This is general information about a draft EU regulation, not legal advice.