Summary
Under the proposed Cloud and AI Development Act (CADA, COM(2026) 502 final), Member States and Union entities would carry out risk assessments to identify which public-sector activities contribute to the preservation of public order, and then set the cloud assurance level those activities need. Article 29(1) ties this directly to the sectors in Annexes I and II of the NIS2 Directive (Directive (EU) 2022/2555), alongside national security, internal security, external border management, defence, justice and law enforcement. Activities flagged in those areas must be served by cloud services recognised at Union assurance level 2, 3 or 4; all other public-sector procurement defaults to level 1. NIS2 supplies the sector list; CADA supplies the sovereignty consequence.
Detail
CADA's demand-side architecture rests on a sector-specific, risk-based assessment rather than a blanket rule. The assessment dictates the minimum sovereignty assurance a provider must hold for a given activity.
The link between Article 29 and NIS2 sectors
The cornerstone is Article 29(1). It requires Member States and Union entities to carry out risk assessments that:
"(a) identify the public sector activities that use or will make use of cloud computing services, that contribute to the preservation of public order in sectors falling under Annex I or II of Directive (EU) 2022/2555 and in the areas of national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offence;"
and "(b) determine which Union assurance level 2, 3, or 4 set out in Annex II of this Regulation is appropriate for the identified public sector activities."
By referencing NIS2 Annexes I and II, CADA imports a ready-made list of critical sectors — among them energy, transport, banking, financial market infrastructure, health, drinking and waste water, digital infrastructure, and public administration. CADA then extends beyond NIS2: even where a function is not listed in those Annexes, its connection to national security, defence, justice or law enforcement also triggers a sovereignty assessment.
Determining the required assurance level
Once an activity is identified within these sectors or security areas, Article 29(1)(b) requires determining the appropriate level. The procurement consequences follow in Article 30:
- Level 1 — the baseline. Under Article 30(2), Union entities and public sector bodies whose activities have not been identified as contributing to public order must use services recognised at level 1.
- Levels 2, 3 or 4 — public-order activities. Under Article 30(3), contracting authorities whose activities have been identified as contributing to public order in the specified NIS2 sectors or security areas must procure only services recognised at level 2, 3 or 4.
The exact level (2, 3 or 4) is set by the risk assessment, which under Article 29(2) weighs three aspects: first, the sensitivity, criticality and magnitude of the non-personal data processed, including the potential impact on public order, together with the nature, scope, context and purpose of any processing of personal data and the risk to the rights and freedoms of data subjects; second, the risk of unlawful third-country access to such data and its consequent public-order impact; and third, the risk of service disruption and its consequent public-order impact. Recital 62 indicates the upper tiers are reserved for the most sensitive uses: levels 3 and 4 "should allow for the secure hosting of EU classified information." Recital 62 also confirms that determining the sensitivity of information that may be hosted "lies within the competence and discretion of the Member States," with the Commission providing guidance to keep practice consistent.
Shared responsibilities, multi-cloud and limited derogations
Article 29 anticipates real-world complexity. Where Union entities and Member States share responsibility for an activity, Article 29(1) invites them to consider carrying out the relevant assessment jointly. Article 29(9) requires them, in their assessments, to consider whether a multi-vendor or multi-cloud strategy is appropriate — a resilience measure echoed in Recital 65, which frames the choice as the product of a context-specific risk assessment of operational, regulatory and resilience factors.
The procurement obligation is not absolute. Article 30(4) allows contracting authorities, on an exceptional and duly justified basis, to depart from the level otherwise required. The examples given are that no recognised service in the central repository (Article 22) can supply the subject-matter and no adequate alternative exists; that a similar procurement in the previous year drew no suitable tenders; or that applying the requirement would force procurement at disproportionate cost. These are narrow escape valves, not a general opt-out.
"Public order" as the trigger — and its limits
The pivotal concept is "preservation of public order." Recital 64 fleshes it out: identifying and addressing "critical dependencies, unauthorised access to Union data, technology leakage, sabotage and espionage by third-country actors is fundamental for preserving Union public order," and protecting it "requires a prudent but firm political, legal and operational response." That same recital explains why level 1 is mandated as a floor: "[a] minimum assurance level, by mandating Union assurance level 1 across the Union, is necessary to establish a consistent baseline of safeguards for the public sector." The framework is thus two-pronged — a universal level-1 baseline plus a graduated escalation to levels 2–4 wherever the public-order trigger is met in the NIS2 sectors or the listed security areas. Recital 64 also situates the procurement restrictions within the Union's international commitments, noting the right under Article III:2(a) of the WTO Government Procurement Agreement to adopt measures necessary to protect public morals, order or safety. The aim is a proportionate, defensible escalation, not a blanket exclusion of non-EU providers.
The Commission's role and methodology
To keep approaches consistent, Article 29(3) empowers the Commission to adopt implementing acts specifying the methodology, templates and elements to be used — including how Member States apply the highest level to the most critical activities, "including, but not limited to, defence." Member States must report their results to the Commission within three months (Article 29(4)), indicating any departures from that methodology. If the Commission concludes a Member State's assessment assigned an inappropriate level or did not adequately address public-order concerns, Article 29(5) lets it adopt implementing acts specifying the levels needed. This top-down check prevents divergent national readings of "public order" from undermining the framework.
Timelines and migration
Article 29(1) sets the clock: the first assessments are due within one year of entry into force, then every two years, or whenever necessary. Where an assessment requires migration to another service, Article 29(6) requires it within a reasonable transition period not exceeding 12 months, taking account of technical feasibility, continuity of service and data portability.
What this means for you
For public-sector counsel and compliance officers — especially in NIS2 Annex I and II sectors — the implications are operational.
- Map activities to the sectors. Audit your cloud use and identify which services support activities in the NIS2 Annexes or in defence, justice or law enforcement.
- Run a real risk assessment. This is a formal Article 29 exercise weighing data sensitivity, criticality, third-country-access risk and disruption risk — not a checklist. Its outcome decides whether you may stay with a level-1 provider or must move to level 2, 3 or 4.
- Adjust procurement. If your activities preserve public order, you would be barred from procuring services below the required level, narrowing your vendor pool to providers recognised after independent audit.
- Plan migration early. If your current provider does not qualify, you would have at most 12 months to migrate (Article 29(6)) — start exit, portability and continuity planning now.
- Track Commission guidance. Watch the implementing acts on methodology and templates (Article 29(3)); aligning with them reduces the risk of the Commission overriding your level under Article 29(5).
Common misconceptions
"All public-sector cloud use needs the highest level." No. CADA is proportionate. Only activities identified as contributing to public order in the specified sectors require level 2, 3 or 4; everything else defaults to level 1, which rests on self-assessment rather than independent audit.
"NIS2 compliance equals CADA sovereignty compliance." No. CADA borrows NIS2's sector definitions, but the two address different risks — NIS2 cybersecurity, CADA sovereignty and operational autonomy. A NIS2-compliant provider may still not meet the level required for a public-order activity.
"Private entities in NIS2 sectors have the same obligations." No. Private Annex I entities are not bound by the Article 30 procurement mandates, but under Article 31 they "may carry out similar assessments," and the Commission may require impact assessments for sectors of high criticality. Public demand also creates de facto market pressure.
"The risk assessment is a one-off." No. Article 29(1) requires reassessment every two years, or whenever necessary — the appropriate level can change as risks evolve.
Related
- CADA Compliance Order: NIS2, DORA, Risk Assessments & Recognition
- Does CADA require a separate risk assessment from DORA and NIS2 risk management?
- Can NIS2 private-sector entities do CADA-style impact assessments?
- Which CADA obligations stack with NIS2 obligations?
- Which CADA definitions come from the NIS2 Directive?
This is general information about a draft EU regulation, not legal advice.