Summary

The proposed Cloud and AI Development Act (CADA) does not regulate the substantive rules of data altruism or public-sector data reuse; those remain governed by the Data Governance Act (DGA) and the Open Data Directive (2019/1024). CADA's role is strictly infrastructural: it mandates the sovereignty tier of the cloud hosting services used to store and process this data. If your public-sector body or data altruism intermediary hosts data on a cloud provider, CADA requires that provider to meet specific "Union assurance levels" determined by a risk assessment, so that the hosting environment is sovereign and resilient even where the data sharing itself is driven by DGA or Open Data obligations.

Detail

To navigate the intersection of data sharing and cloud infrastructure, one must distinguish between the permission to share data and the security of the environment where that data resides. The Data Governance Act (DGA) establishes the legal framework for data altruism (non-profit data sharing) and mandates that public-sector bodies make non-personal data available for reuse. The Open Data Directive (Directive 2019/1024) underpins the definition of "public sector body" and sets the baseline for data availability. However, neither instrument dictates the technical sovereignty of the cloud infrastructure hosting that data. This is where the proposed CADA intervenes.

The Division of Labor: DGA vs. CADA

The DGA creates "data altruism intermediaries" and obliges public-sector bodies to provide access to documents and data. It focuses on the conditions for access and reuse, on interoperability, and on removing barriers to data flow. CADA, conversely, focuses on the resilience and sovereignty of the cloud computing services that underpin these flows.

CADA defines "cloud computing service" by referencing Article 6(30) of the NIS2 Directive, which covers on-demand access to scalable computing resources. When a public-sector body uses a cloud service to host data made available under the DGA or Open Data Directive, that service falls under CADA's sovereignty framework. The two regimes operate in parallel: the DGA ensures the data can be legally accessed and reused, while CADA ensures the infrastructure hosting that data is not subject to third-country control or disruption.

The Sovereignty Framework and Public Sector Obligations

CADA introduces a four-tier "Union cloud computing sovereignty framework" (Article 16). Public-sector bodies, including those defined by the Open Data Directive, must adhere to procurement rules tied to these tiers. The specific level required is not determined by the type of data (e.g., open vs. sensitive) alone, but by the risk assessment of the activity hosting it.

  1. Risk Assessments (Article 29): Within one year of entry into force, and every two years thereafter, Member States and Union entities must carry out risk assessments. These assessments must identify public-sector activities that "contribute to the preservation of public order." Such activities include those in the sectors listed in Annex I or II of the NIS2 Directive, as well as national security, internal security, external border management, defence, justice, and law enforcement.
  2. Procurement Mandates (Article 30):
    • Baseline (Level 1): For public-sector activities not identified as contributing to the preservation of public order, contracting authorities must use cloud services recognised as having at least Union assurance level 1.
    • High Risk (Levels 2–4): For activities identified as contributing to the preservation of public order, authorities must only procure services recognised as having Union assurance levels 2, 3, or 4.

Data Altruism and Public-Sector Reuse Hosting

The application of CADA depends on the legal status of the entity hosting the data and the nature of the activity.

For Data Altruism Intermediaries: Under the DGA, data altruism intermediaries can be private entities. CADA's direct procurement mandates in Article 30 apply primarily to public contracting authorities. However, CADA Article 31 extends a similar impact assessment to private-sector entities within the meaning of the NIS2 Directive (Annex I). If a data altruism intermediary operates in a sector of high criticality, it may therefore be required to conduct an impact assessment to determine the appropriate sovereignty level. Furthermore, if a private intermediary wishes to participate in the EuroCloud Federation (Article 34) to share capacity with public bodies, it must meet the federation's strict conditions, which effectively require high levels of sovereignty and control.

For Public-Sector Data Reuse: When a government body hosts open data or provides access to data under the DGA, the cloud service used must meet the assurance level dictated by the body's risk assessment under Article 29.

  • Scenario A (General Open Data): If a public body hosts general administrative data for reuse that does not touch on public order, national security, or critical infrastructure, the risk assessment may conclude that Union assurance level 1 is sufficient. This level requires the provider to be established in the Union and for data to remain within the Union, unless explicitly required otherwise.
  • Scenario B (Critical Infrastructure Data): If the data being reused relates to energy grids, transport, or health systems (sectors under NIS2), the risk assessment will likely identify the activity as contributing to public order. Consequently, the public body must procure cloud services at Union assurance levels 2, 3, or 4. These higher levels impose stricter requirements, such as Union citizenship for personnel (conditional at L2, mandatory at L3/L4), "substantial" cybersecurity certification (L2/L3) or "high" certification (L4), and strict prohibitions on third-country control.

This ensures that while the data is open or shared, the control over that data remains within the Union's sovereign boundary, preventing third-country access or service disruption.

Penalties and Enforcement

CADA empowers national competent authorities to enforce these rules. Under Article 24, Member States must lay down the rules on penalties applicable to infringements of the sovereignty chapter by cloud computing service providers. These penalties must be "effective, proportionate and dissuasive." Member States must consider criteria such as the nature, gravity, scale, and duration of the infringement, as well as the infringing party's annual turnover in the Union.

Crucially, Article 24(3) grants recipients of cloud computing services (i.e., the public-sector bodies) the right to seek compensation from providers for any damage or loss suffered due to an infringement. This creates a direct liability channel for public bodies that rely on non-compliant providers for their DGA-mandated data services.

What this means for you

For In-House Counsel and Compliance Officers:

  1. Map Your Data Flows to Cloud Services: Identify all cloud computing services used to host data shared under the DGA or Open Data Directive. Do not assume that "open data" automatically implies low risk.
  2. Conduct Risk Assessments (Article 29): If you are a public-sector body, ensure you have conducted the required risk assessments to determine if your data reuse activities contribute to the preservation of public order. This dictates whether you need Level 1 or Levels 2–4 assurance.
  3. Audit Your Cloud Providers: Verify that your cloud providers are recognised under the CADA framework. For Level 1, this may involve a self-assessment statement (with automatic recognition for SMEs). For Levels 2–4, you need a positive audit opinion from an independent auditing organisation.
  4. Review Procurement Contracts: Ensure your procurement processes explicitly require the relevant Union assurance level. CADA Article 32 allows for "Union added value" criteria in procurement, which can favor providers strengthening the EU digital supply chain.
  5. Prepare for Penalties: Be aware that non-compliance with sovereignty requirements can lead to significant fines and compensation claims. Ensure your vendor management processes include continuous monitoring of providers' assurance status.

Common misconceptions

  • Misconception: "The DGA handles all data sharing security, so CADA is irrelevant."
    • Reality: The DGA focuses on data access, interoperability, and the legal framework for altruism. CADA focuses on the sovereignty of the infrastructure. A cloud provider can be DGA-compliant (interoperable) but fail CADA's sovereignty tests if it is subject to third-country control or lacks Union-based data residency guarantees.
  • Misconception: "Open data must always be hosted on the lowest assurance level."
    • Reality: The assurance level depends on the risk assessment of the public-sector activity, not just the openness of the data. If the data relates to critical infrastructure or national security, even if made available for reuse, it may require Level 2–4 hosting to protect public order.
  • Misconception: "Private data altruism intermediaries are exempt from CADA."
    • Reality: While direct procurement mandates target public bodies, private intermediaries in critical sectors (NIS2 Annex I) can be required to conduct impact assessments (Article 31). Furthermore, if they partner with public bodies or join the EuroCloud Federation, they must meet the public body's sovereignty requirements.

This is general information about a draft EU regulation, not legal advice.