Summary

Under the proposed Cloud and AI Development Act (CADA), public health bodies must conduct mandatory risk assessments to determine the appropriate Union assurance level for their cloud services. Because the healthcare sector is explicitly listed as a critical sector under Annex I of Directive (EU) 2022/2555 (NIS2), health-sector activities are presumed to contribute to the preservation of public order. Consequently, Article 29(1)(a) requires these bodies to assess whether their cloud services meet higher assurance levels (2, 3, or 4) rather than the baseline Level 1. This assessment must weigh the sensitivity of health data, the risk of third-country access (e.g., under foreign laws like the US CLOUD Act), and the potential for service disruption. While CADA operates alongside the GDPR and the proposed European Health Data Space (EHDS), it addresses a distinct gap: sovereignty and operational autonomy, not just data privacy.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised framework to reduce the EU's dependence on non-European cloud providers and mitigate risks to public order. For the health sector, the core mechanism for implementing this framework is the risk assessment mandated by Article 29. Unlike general procurement rules, this assessment is a statutory requirement for Member States and Union entities to determine the specific sovereignty level required for their cloud services.

The Legal Trigger: Article 29(1)(a) and NIS2

The starting point for any health-sector body is Article 29(1)(a). This provision obliges Member States and Union entities to carry out risk assessments to identify public sector activities that:

  1. Use or will make use of cloud computing services; and
  2. Contribute to the preservation of public order.

Crucially, the text specifies that this applies to activities in "sectors falling under Annex I or II of Directive (EU) 2022/2555" (the NIS2 Directive). The healthcare sector is explicitly listed in Annex I of NIS2 as a critical sector. Therefore, public hospitals, national health services, and public health insurance bodies are not merely encouraged to assess their cloud risks; they are legally required to do so under CADA.

The outcome of this assessment determines the Union assurance level required for procurement. As stated in Article 29(1)(b), the assessment must determine "which Union assurance level 2, 3, or 4 set out in Annex II of this Regulation is appropriate for the identified public sector activities."

While Article 30(2) establishes Union assurance level 1 as the baseline for public sector activities not identified as contributing to public order, the inclusion of health in NIS2 Annex I strongly suggests that most core health activities will be identified as public-order relevant, thereby triggering the requirement for Level 2, 3, or 4 under Article 30(3).

Why Health Data Raises Assurance Needs

The risk assessment process is not a box-ticking exercise; it requires a granular analysis of specific risks outlined in Article 29(2). For health-sector bodies, three factors typically drive the need for higher assurance levels:

1. Sensitivity, Criticality, and Magnitude of Data

Article 29(2)(a) mandates that assessors consider the "sensitivity, criticality, and magnitude of the non-personal data processed," as well as the "nature, scope, context and purpose of processing of personal data." Health data is inherently sensitive. It includes patient records, genomic data, and mental health histories. Under CADA, the "magnitude" of this data (its volume and the potential impact of its loss), combined with its "criticality" to patient safety, creates a high-risk profile. If a cloud outage or data breach were to occur, the consequences could range from individual privacy violations to the collapse of emergency response capabilities. This severity often necessitates moving beyond Level 1 to Level 2, 3, or 4, which impose stricter controls on data localisation and personnel.

2. Risk of Unlawful Third-Country Access

Article 29(2)(b) requires an assessment of the "risk and consequent impact on public order of unlawful access under Union law to such data by a third country or a legal entity established in a third country." This is the core sovereignty concern. Health data hosted on infrastructure controlled by non-EU providers may be subject to extraterritorial laws (such as the US CLOUD Act) that allow foreign governments to compel data access. For health data, which is often considered a strategic asset and a target for espionage, the risk of such access is a direct threat to public order. Higher assurance levels (particularly 3 and 4) require that the provider and its subcontractors are not subject to the control of a third country (Annex II, 3.1(g) and 4.1(g)), or that specific safeguards are in place to prevent such access.

3. Risk of Service Disruption

Article 29(2)(c) mandates an assessment of the "risk and consequent impact on public order of possible service disruption." In the health sector, cloud services are not just IT tools; they are critical infrastructure. A disruption in cloud availability can halt surgery scheduling, block access to electronic health records, or disable telemedicine services. The "consequent impact" on public order is immediate and severe. To mitigate this, CADA's higher assurance levels require guarantees of service continuity and the prevention of degradation of service quality by third-country actors (Annex II, 3.1(g)(iii)).

Interaction with GDPR and the EHDS

The CADA risk assessment does not replace existing data protection frameworks; it complements them. Health-sector bodies must navigate the intersection of CADA, the General Data Protection Regulation (GDPR), and the proposed European Health Data Space (EHDS).

GDPR and Data Subject Rights

The GDPR remains the primary law for personal data protection. Article 29(2)(a) explicitly references the "risk of varying likelihood and severity for the rights and freedoms of data subjects." Health data is classified as "special category data" under Article 9 of the GDPR, requiring enhanced protection. However, GDPR focuses on privacy and lawful processing. CADA focuses on sovereignty and operational autonomy. A cloud provider may be fully GDPR-compliant (e.g., using Standard Contractual Clauses for transfers) but still be subject to foreign laws that allow data access, thereby failing CADA's higher assurance levels. The CADA risk assessment must therefore evaluate whether the chosen cloud provider's sovereignty level adequately supports GDPR compliance by eliminating the risk of unauthorised third-country access that GDPR alone cannot prevent.

European Health Data Space (EHDS)

The EHDS proposal aims to facilitate cross-border health data exchange for care and research. While EHDS sets strict security and governance requirements for data sharing, it relies on the underlying infrastructure being secure and sovereign. CADA's sovereignty framework ensures that the cloud infrastructure hosting EHDS-compliant data meets the necessary assurance levels. A health body might use EHDS-compliant protocols for data exchange, but if the cloud infrastructure itself does not meet the CADA assurance level determined by the risk assessment (e.g., Level 3 for genomic data), the overall system remains vulnerable to sovereignty risks that could undermine the EHDS objectives.

The Assurance Levels in Practice

The outcome of the Article 29 risk assessment dictates the procurement requirements under Article 30:

  • Level 1: The baseline for non-critical activities. Requires establishment in the Union and data localisation, but allows for some third-country control if safeguards exist.
  • Levels 2–4: Required for activities identified as contributing to the preservation of public order.
    • Level 2: Requires "substantial" cybersecurity certification (Annex II, 2.1(e)) and strict data localisation.
    • Level 3: Requires "substantial" cybersecurity certification, Union citizenship for personnel (conditional on public body requirement), and no third-country control (unless a derogation under Article 18 applies).
    • Level 4: The highest tier. Requires "high" cybersecurity certification (Annex II, 4.1(e)), mandatory Union citizenship for personnel, and absolute prohibition of third-country control.

For health sectors, Level 2 may suffice for administrative data, while Level 3 or 4 may be required for critical clinical systems, genomic databases, or systems handling classified health security information.

What this means for you

For public-sector procurement officers, IT directors, and Data Protection Officers (DPOs) in the health sector, the implementation of CADA requires a structured, evidence-based approach:

  1. Conduct Formal Risk Assessments: You must document a risk assessment for each cloud-based health service, explicitly referencing Article 29. This assessment must evaluate the sensitivity of the health data, the criticality of the service to patient care, and the risks of third-country access. Do not rely on generic templates; tailor the assessment to the specific data types (e.g., genomic vs. administrative).
  2. Map Data to Assurance Levels: Not all health data requires the same level of protection. Differentiate between administrative data (which may meet Level 1) and clinical/critical data (which likely requires Level 2–4). Document the rationale for each classification, citing the specific factors in Article 29(2).
  3. Update Procurement Specifications: Use the outcome of your risk assessment to define mandatory cloud sovereignty criteria in tenders. If your assessment identifies a need for Level 3, you must only procure services recognised as offering Union assurance level 3 or higher, as per Article 30(3).
  4. Coordinate with Data Protection Officers: Ensure your CADA risk assessment aligns with GDPR Data Protection Impact Assessments (DPIAs). The DPO should verify that the chosen cloud provider's data governance practices meet both CADA sovereignty criteria and GDPR requirements for special category data.
  5. Prepare for Transition: If current cloud contracts do not meet the required assurance level, you must plan a migration. Article 29(6) allows a reasonable transition period (not exceeding 12 months) for migration to a compliant provider, balancing technical feasibility with service continuity.

Common misconceptions

"GDPR compliance is enough for cloud sovereignty." No. GDPR focuses on individual privacy rights and lawful data processing. CADA focuses on national security, operational autonomy, and protection from extraterritorial access. A cloud provider may be GDPR-compliant but still subject to foreign laws that allow data access, failing CADA's higher assurance levels.

"All health data requires the highest assurance level." CADA promotes proportionality. While critical clinical systems may need Level 3 or 4, less sensitive administrative functions might only require Level 2 or even Level 1. The risk assessment must justify the level based on specific data sensitivity and criticality, as required by Article 29(2).

"CADA replaces NIS2 cybersecurity obligations." CADA and NIS2 are complementary. NIS2 sets cybersecurity risk management standards, while CADA sets sovereignty and trust standards. Health-sector bodies must comply with both. NIS2 ensures the system is secure; CADA ensures the system is sovereign.

"The risk assessment is a one-time event." Article 29(1) requires Member States and Union entities to carry out risk assessments "by [date of entry into force plus 1 year], and thereafter every two years, or whenever necessary." This is an ongoing obligation, not a one-off compliance task.

This is general information about a draft EU regulation, not legal advice.