Summary
Under the proposed Cloud and AI Development Act (CADA), Article 29 imposes a mandatory obligation on Member States and Union entities to conduct risk assessments to determine the required "Union assurance level" for cloud services supporting public order. In contrast, Article 31 provides a voluntary framework for private sector entities (specifically those in Annex I of the NIS2 Directive) to carry out "similar assessments." While both mechanisms target third-country dependencies and operational continuity, Article 29 is a binding procurement trigger, whereas Article 31 is currently a strategic resilience tool that could become mandatory if the Commission adopts a delegated act for sectors of "high criticality."
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a bifurcated approach to managing cloud sovereignty risks. This distinction is codified in the separation between Article 29 (public sector) and Article 31 (private sector). Understanding the legal mechanics of this split is essential for compliance planning, as the consequences of non-compliance differ fundamentally between the two tracks.
Article 29: The Mandatory Public Sector Track
Article 29 establishes a strict, recurring obligation for Member States and Union entities. As proposed, these bodies must carry out risk assessments to identify public sector activities that contribute to the preservation of public order. The scope is broad, covering sectors listed in Annex I or II of Directive (EU) 2022/2555 (NIS2) and specific areas including national security, internal security, external border management, defence, justice, and law enforcement.
The primary function of an Article 29 assessment is to determine the appropriate Union assurance level (levels 2, 3, or 4) required for the identified activities. The assessment must evaluate:
- The sensitivity, criticality, and magnitude of non-personal and personal data processed.
- The risk of unlawful access by a third country or a legal entity established in a third country.
- The risk of service disruption.
Crucially, the outcome of an Article 29 assessment is not merely advisory; it is the legal prerequisite for procurement. Under Article 30, if an activity is identified as contributing to public order, the contracting authority must procure only cloud services recognised at Union assurance levels 2, 3, or 4. If the activity does not meet this threshold, a minimum of Union assurance level 1 applies. Furthermore, Article 29(6) mandates that if a migration to a compliant service is required, it must occur within a transition period not exceeding 12 months. Thus, Article 29 acts as the gatekeeper for public procurement, directly linking risk analysis to market access for cloud providers.
Article 31: The Voluntary Private Sector Track
Article 31 addresses the private sector, specifically entities referred to in Annex I of the NIS2 Directive that are not public sector bodies. The text of Article 31(1) explicitly states that these entities "may carry out similar assessments as those set out in Article 29."
The use of the word "may" is legally significant. It establishes that, under the current proposal, conducting an impact assessment is voluntary for private firms. There is no immediate penalty for a private entity failing to conduct such an assessment. However, the assessment is designed to mirror the rigor of the public sector process, targeting the same risks: third-country control, data access, and service continuity.
The voluntary nature of Article 31 is conditional. Article 31(3) grants the Commission the power to intervene. If the Commission concludes, based on specific circumstances and in consultation with Member States, that entities in sectors of "high criticality" require an impact assessment, it may adopt delegated acts. These acts would specify the need for such assessments and the associated risk mitigation measures, effectively transforming the voluntary Article 31 track into a mandatory compliance obligation for specific private sectors.
Comparative Analysis
The following table summarises the structural differences between the two articles as proposed:
| Feature | Article 29 (Public Sector) | Article 31 (Private Sector) |
|---|---|---|
| Legal Status | Mandatory (Binding) | Voluntary (unless delegated act applies) |
| Target Audience | Member States and Union entities | Private entities in NIS2 Annex I sectors |
| Trigger | Entry into force of CADA | Discretion of the entity; or Commission delegated act |
| Primary Purpose | Determine procurement requirements (Assurance Levels 1–4) | Manage dependency risks and operational continuity |
| Procurement Link | Direct: Triggers Article 30 obligations | Indirect: No direct procurement mandate for private buyers |
| Future Evolution | Static mandate (recurring every 2 years) | Dynamic: Can become mandatory via delegated act |
The Role of Delegated Acts
The most critical divergence lies in the future-proofing mechanism. Article 29 is a fixed statutory requirement. Article 31, however, contains a "dynamic trigger." The Commission is empowered to use delegated acts to expand the scope of Article 31. If the EU identifies that private sector dependency in a specific sector (e.g., financial infrastructure, energy, or health) poses a systemic risk to public order, the Commission can mandate impact assessments for those private entities. This would bring them under a regime functionally similar to Article 29, requiring them to assess and mitigate sovereignty risks.
What this means for you
For in-house counsel, compliance officers, and risk managers, the distinction between Article 29 and Article 31 requires a dual-strategy approach.
1. For Public Sector Entities and Union Bodies
If you operate within a Member State's public sector or as a Union entity, Article 29 is an immediate compliance deadline. You must:
- Map Activities: Identify which of your cloud activities contribute to the preservation of public order under Article 29(1).
- Conduct Assessments: Perform the risk assessment considering data sensitivity and third-country access risks.
- Align Procurement: Ensure your procurement strategies under Article 30 match the outcome. If you require assurance levels 2, 3, or 4, you cannot procure services recognised only at level 1.
- Plan Migration: If your current provider does not meet the required assurance level, you must plan for migration within the 12-month transition period allowed by Article 29(6). Failure to align procurement with the risk assessment outcome could constitute a breach of the Regulation.
2. For Private Sector Entities (NIS2 Scope)
If you are a private entity listed in Annex I of the NIS2 Directive, you are not yet legally required to conduct an Article 31 impact assessment. However, relying on the voluntary nature of Article 31 carries strategic risk.
- Proactive Compliance: The Commission's power to issue delegated acts under Article 31(3) means this obligation could become mandatory. Conducting a "similar assessment" now allows you to identify dependencies on third-country providers and evaluate risks of service disruption.
- Market Differentiation: Public sector buyers are increasingly prioritising suppliers who can demonstrate sovereignty compliance. Having an Article 31-style assessment ready can facilitate B2G sales by proving you understand and mitigate the risks your public-sector clients are mandated to assess.
- Monitor Delegated Acts: Legal teams must monitor the Commission's exercise of delegated powers. If your sector is identified as "high criticality," the timeline for compliance will be defined in those secondary acts.
3. For Cloud Service Providers
While Article 31 targets the buyer (the private entity), the provider is indirectly affected. If a private entity conducts an Article 31 assessment and decides to mitigate risks by switching to a sovereign provider, the provider must hold the relevant Union assurance recognition (Articles 17–23) to be eligible. Furthermore, if the Commission mandates Article 31 assessments for a sector, providers serving that sector will face increased demand for high-assurance services.
Common misconceptions
"Article 31 is identical to Article 29." While Article 31(1) calls for "similar assessments," the legal consequences differ. Article 29 directly triggers procurement restrictions under Article 30. Article 31, in its current form, does not impose procurement restrictions on private entities. It is a risk management tool, not a procurement mandate, unless amended by a delegated act.
"Private companies are exempt from CADA sovereignty rules." This is incorrect. While Article 31 assessments are voluntary, private companies providing services to the public sector are indirectly affected. If a public sector body determines via Article 29 that it needs Union assurance level 3, it can only buy from providers recognised at that level. Private cloud providers must therefore pursue recognition under Articles 17–23 to remain eligible for public contracts. Additionally, the Commission's power to mandate Article 31 assessments means private firms in critical sectors are not entirely outside the regulatory perimeter.
"The assessments are one-time events." Article 29 requires the first assessment to be carried out within one year of the Regulation's entry into force, and thereafter every two years, or whenever necessary. Article 31, while voluntary, should be treated as an ongoing process given the dynamic nature of cloud dependencies and the potential for delegated acts to change the compliance landscape.
"Only data protection is assessed." Both Article 29 and the similar assessments under Article 31 go beyond GDPR compliance. They explicitly assess "operational autonomy," "service disruption," and "unlawful access" by third countries. This includes risks related to extraterritorial laws (such as the US CLOUD Act) that could compel a provider to degrade service or hand over data, which are sovereignty risks distinct from data privacy violations.
This is general information about a draft EU regulation, not legal advice.