Summary

Yes, as proposed, the Cloud and AI Development Act (CADA) methodology requires Member States and Union entities to apply the highest level of Union assurance for the most critical public sector activities, explicitly including defence. Article 29(3) mandates that the Commission's implementing acts specify how risk assessments must use the "highest level of assurance" for these sectors. In the CADA framework, the highest level corresponds to Union assurance level 4. This ensures that defence-related cloud and AI procurement is subject to the strictest sovereignty, personnel, and cybersecurity criteria, preventing third-country interference in critical national security functions.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a risk-based framework to determine which cloud computing services public authorities can procure. At the heart of this framework is the obligation for Member States and Union entities to conduct regular risk assessments to identify which activities require specific levels of "Union assurance."

The Mandate of Article 29

Article 29 of the CADA proposal sets out the obligations for these risk assessments. It requires Member States and Union entities to identify public sector activities that contribute to the preservation of public order. The text explicitly lists the sectors falling under this requirement: "sectors falling under Annex I or II of Directive (EU) 2022/2555 and in the areas of national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offence."

The critical provision for defence and other high-security sectors is found in Article 29(3). This paragraph establishes the binding link between the risk assessment methodology and the assurance level required for the most sensitive activities. It states:

"The methodology shall specify how Member States use the highest level of assurance for the most critical public sectors activities including, but not limited to, defence."

This clause is not merely a suggestion; it is a legislative instruction to the Commission. By naming defence as a primary example ("including, but not limited to, defence"), the proposal ensures that defence-related cloud and AI procurement is automatically subject to the strictest sovereignty requirements. The methodology to be adopted via implementing acts must explicitly direct Member States to apply the maximum assurance tier to these activities.

Linking "Highest Level" to Union Assurance Level 4

The CADA framework defines four Union assurance levels (1 through 4), with Level 4 being the highest. The criteria for these levels are detailed in Annex II of the proposal.

Because Article 29(3) mandates the use of the "highest level of assurance" for defence, procurement officers and risk assessors must interpret this as requiring Union assurance level 4. Level 4 imposes the most rigorous cumulative criteria on cloud computing service providers, far exceeding the baseline requirements of Level 1 or the "substantial" cybersecurity requirements of Levels 2 and 3.

Key requirements for Union assurance level 4 include:

  • Strict Data Localisation: Customer data, including metadata and telemetry, identified as sensitive through the risk assessment, must remain exclusively within the Union at all times, including before, during, or after the configuration or use of the service.
  • Personnel Requirements: All personnel involved in providing the service, including those of subcontractors, must be Union citizens. Furthermore, where appropriate, they must hold the necessary national security clearances issued by a Member State when handling classified information.
  • No Third-Country Control: The audited provider and its subcontractors must not be subject to the control of a third country or a legal entity established in a third country. Unlike Level 3, there is no derogation for third-country control even if an implementing act exists for that country.
  • Support within the Union: All technical and operational support, including subsequent sub-outsourcing, must be initiated and performed exclusively within the Union by Union residents and third parties not subject to third-country control.
  • Cybersecurity Certification: The service must obtain a European cybersecurity certificate of at least assurance level 'high' under the European Cybersecurity Certification Scheme for Cloud Services (EUCS), once established. Until then, national schemes or the highest standards under applicable Union law apply.

The distinction between Level 3 and Level 4 is critical for defence. While Level 3 allows for a derogation where a third country is deemed "associated" (via an implementing act under Article 18), Level 4 strictly prohibits third-country control. Given the explicit reference to "defence" in Article 29(3) as a "most critical" activity, the legislative intent is to preclude any third-country control, thereby mandating Level 4.

The Methodology and Implementing Acts

While Article 29 sets the principle, the specific details of the risk assessment process are to be defined in secondary legislation. Article 29(3) explicitly empowers the Commission to adopt implementing acts to specify:

  • The methodology to be applied.
  • The templates to be used.
  • The elements to be taken into account by Member States and Union entities.

Crucially, the text states: "The methodology shall specify how Member States use the highest level of assurance for the most critical public sectors activities including, but not limited to, defence."

This means that while the requirement to use the highest assurance level for defence is clear in the legislative text, the exact procedural steps for conducting the risk assessment will be detailed in future Commission implementing acts. These acts will provide the standardised templates and guidelines to ensure consistent application across the EU, ensuring that no Member State can interpret "highest level" as anything other than Level 4 for defence.

Why This Matters for Defence

The explicit mention of defence in Article 29(3) addresses significant strategic concerns regarding the sovereignty of critical national functions. Defence activities often involve:

  • Classified information requiring national security clearances.
  • Sensitive operational data that could compromise national security if accessed by foreign actors.
  • Critical infrastructure dependencies where service continuity is a matter of national survival.

By mandating the highest assurance level, CADA aims to prevent:

  • Unauthorized access to defence data by third-country authorities via extraterritorial laws.
  • Disruption of defence services due to political or economic coercion (e.g., sanctions or embargoes).
  • Dependency on foreign technology stacks that could be compromised, backdoored, or withdrawn.

What this means for you

For public-sector and procurement officers, particularly those in defence ministries, intelligence agencies, or security-related public bodies, the CADA proposal introduces a clear, legally binding requirement for cloud sovereignty.

  1. Mandatory Risk Assessments: You must conduct risk assessments for all public sector activities using cloud services. These assessments must identify activities contributing to public order, explicitly including defence.
  2. Defence Requires Level 4: If your activity is classified as defence-related, your risk assessment must conclude that Union assurance level 4 is required. You cannot opt for a lower assurance level (1, 2, or 3) for these critical activities, as the methodology will specify the "highest level" for defence.
  3. Procurement Restrictions: You can only procure cloud computing services that have been formally recognised as offering Union assurance level 4. This recognition involves a rigorous audit process by independent auditing organisations and subsequent approval by national competent authorities.
  4. Check the Repository: Before issuing a tender, check the central repository of recognised cloud computing services (established under Article 22) to identify providers that hold Level 4 recognition. Currently, the pool of Level 4 providers may be limited, requiring early engagement.
  5. Prepare for Implementing Acts: Stay informed about the Commission's implementing acts on risk assessment methodology. These will provide the specific templates and guidelines you must use to document your compliance and justify the selection of Level 4.
  6. Transition Planning: If you currently use cloud services that do not meet Level 4 criteria for defence activities, you will need to plan a migration. Article 29(6) allows for a reasonable transition period that shall not exceed 12 months, taking into account technical feasibility, continuity of service, and data portability requirements.

Common misconceptions

Misconception 1: All public sector cloud services need Level 4. No. CADA uses a risk-based approach. Only activities identified as contributing to the preservation of public order in critical sectors (like defence, national security, justice) require Level 2, 3, or 4. Most standard public administration activities only require Union assurance level 1 (Article 30(2)). The highest level is reserved strictly for the most critical cases.

Misconception 2: "Highest level" is vague or open to interpretation. No. The CADA framework explicitly defines four levels. Level 4 is the highest. Article 29(3) explicitly links "highest level of assurance" to "most critical public sectors activities including... defence." There is no ambiguity that Level 4 is the target for defence, as it is the only level that prohibits third-country control entirely and requires Union citizen personnel with security clearances.

Misconception 3: Member States can choose their own criteria for defence. No. While Member States conduct the risk assessments, the criteria for Union assurance levels are harmonised EU-wide (Annex II). Article 29(3) mandates that the methodology shall specify the use of the highest level for defence. This ensures a consistent baseline of security across the Union for defence activities, preventing a "race to the bottom" or fragmented national standards.

Misconception 4: Level 4 is only about cybersecurity. No. Union assurance level 4 includes both cybersecurity (e.g., EUCS 'high' certification) and comprehensive sovereignty criteria (e.g., no third-country control, Union citizen personnel, data localisation). It is a holistic sovereignty framework designed to protect against political and legal interference, not just technical cyber threats.

This is general information about a draft EU regulation, not legal advice.