Summary

As proposed, the Cloud and AI Development Act (CADA) does not override the Data Act's switching and portability obligations; instead, it layers sovereignty requirements on top of them. Public authorities and Union entities must conduct risk assessments under Article 29 to determine if a cloud service meets the required Union assurance level. If migration is required, Article 29(6) mandates that the transition occur within a reasonable period not exceeding 12 months, explicitly requiring that this migration respects "data portability requirements applicable to such migration." This creates a dual obligation: meet the CADA deadline while strictly adhering to the Data Act's technical and contractual switching duties. Furthermore, for higher assurance levels involving third-country control, Article 18(1)(b) requires that the third country has no measures conflicting with the lawful access to non-personal data rules in Article 32 of the Data Act (Regulation (EU) 2023/2854).

Detail

The proposed Cloud and AI Development Act (CADA) and the Data Act (Regulation (EU) 2023/2854) operate as complementary instruments within the EU's digital ecosystem. The Data Act is designed to foster competition and reduce vendor lock-in by granting users the right to switch cloud providers and ensuring data portability. CADA, conversely, addresses the strategic gap of sovereignty and public order, establishing a framework to ensure that cloud services used by the public sector are resilient against third-country interference.

To achieve compliance, legal and compliance teams must integrate CADA's sovereignty framework into existing Data Act switching strategies. The critical intersection lies in the migration process: CADA may mandate a switch to a sovereign provider, but the execution of that switch must be governed by the Data Act's portability and switching rules.

The Legal Basis for Alignment

The CADA proposal explicitly acknowledges its consistency with the Data Act. The Explanatory Memorandum notes that while the Data Act enables switching and removes lock-in, it "does not contain elements to shape up a more competitive offer of European cloud computing services" or address sovereignty risks. CADA fills this gap by establishing a "Union cloud computing sovereignty framework" with four assurance levels (Article 16).

Consequently, the Data Act provides the mechanism for switching (technical assistance, data formats, interoperability), while CADA provides the trigger and destination criteria (risk assessment results and required assurance levels).

Risk Assessments and the 12-Month Migration Deadline (Article 29)

The core demand-side obligation in CADA is the risk assessment for Member States and Union entities under Article 29. These entities must identify public sector activities that contribute to the preservation of public order and determine the appropriate Union assurance level (1, 2, 3, or 4) for those activities.

If a risk assessment concludes that a current cloud service does not meet the required assurance level, the entity is obligated to migrate. Article 29(6) sets a strict timeline for this transition:

"Where the risk assessment requires the migration to another cloud computing service, the Member State or Union entity shall migrate within a reasonable transition period that shall not exceed 12 months, taking into account technical feasibility, continuity of service and data portability requirements applicable to such migration."

This provision is the linchpin for alignment. It does not merely set a deadline; it explicitly conditions the migration on "data portability requirements." This means the migration plan cannot simply be a technical transfer of data; it must be executed in full compliance with the Data Act's switching duties. Specifically:

  • Technical Assistance: The migrating entity must ensure the current provider fulfills its Data Act obligation to provide necessary technical assistance to facilitate the switch.
  • Data Portability: The transfer must respect the Data Act's requirements regarding data formats, structure, and accessibility, ensuring the data remains usable by the public authority upon arrival at the new sovereign provider.
  • Continuity of Service: The migration must be planned to avoid service disruption, balancing the urgency of the CADA 12-month cap with the operational stability required by the Data Act.

For private sector entities operating in sectors listed in Annex I of the NIS2 Directive, Article 31 allows for similar impact assessments. While voluntary for most private entities, the Commission may adopt delegated acts to mandate such assessments for entities in sectors of high criticality. In these cases, the same alignment principles apply: any mandated migration must respect existing data portability and switching rights under the Data Act.

Third-Country Control and Lawful Access (Article 18)

A critical dimension of CADA's sovereignty framework is the restriction on cloud services controlled by third countries. Article 18 establishes a mechanism for the Commission to recognize third countries as providing "sufficient assurances" to allow services controlled from those countries to qualify for Union assurance level 3.

Article 18(1)(b) sets a specific, non-negotiable criterion for this recognition. It requires that the third country:

"has no measures in place that enable it to exercise control over the cloud computing service provider in a way that would conflict with the requirements for lawful access to non-personal data set out in paragraphs 2 and 3 of Article 32 of Regulation (EU) 2023/2854."

Regulation (EU) 2023/2854 is the Data Act. Article 32 of the Data Act governs the access to and use of data generated by the use of connected products and related services, establishing safeguards against unlawful access. By referencing Article 32(2) and (3) of the Data Act, CADA creates a direct legal link between sovereignty assurance and data access rights.

This implies that when evaluating a cloud provider for CADA recognition, particularly one subject to third-country control, you must verify that the provider's jurisdiction does not possess laws that would compel access to non-personal data in a manner that violates the Data Act's safeguards. If a third country has been recognized under Article 18(1), services controlled from that country may be eligible for Union assurance level 3, provided all other cumulative criteria are met. If not recognized, or if the country's laws conflict with the Data Act's lawful access provisions, services controlled from that third country are generally excluded from higher assurance levels. This exclusion could trigger a mandatory migration under Article 29 for public sector bodies.

Practical Steps for Alignment

  1. Audit Current Contracts against the Data Act: Before initiating CADA risk assessments, ensure existing cloud contracts fully comply with the Data Act's switching and portability provisions. Identify any gaps in technical assistance clauses or data format specifications.
  2. Conduct CADA Risk Assessments: Perform the risk assessments required by Article 29 for all public sector activities. Determine the necessary Union assurance level for each workload based on public order relevance.
  3. Evaluate Providers against CADA and Data Act Criteria: Assess current and potential cloud providers against the Union assurance levels. For providers subject to third-country control, verify their status under Article 18(1)(b). Ensure their jurisdiction complies with the Data Act's lawful access requirements for non-personal data (Article 32).
  4. Plan Migrations with Portability in Mind: If a migration is required, develop a plan that respects the 12-month limit in Article 29(6) while fully executing the Data Act's switching procedures. Engage with the current provider early to secure technical assistance and ensure data is prepared for portability in the required format.
  5. Monitor Third-Country Recognition Status: Keep abreast of the Commission's implementing acts under Article 18. A change in a third country's recognition status could trigger a need to reassess a provider's assurance level and potentially initiate a migration.

What this means for you

For in-house counsel and compliance officers, the primary takeaway is that CADA adds a sovereignty dimension to your existing data governance framework. You cannot treat CADA compliance in isolation from your Data Act obligations.

  • Deadlines: Be acutely aware of the 12-month migration limit in Article 29(6). Start risk assessments and provider evaluations early to avoid last-minute rushes that could compromise data portability or service continuity. The "reasonable transition period" cannot exceed this cap.
  • Penalties: While CADA proposes penalties for non-compliance (Article 24), the Data Act also carries significant fines for failing to comply with switching and portability duties. Non-compliance with either regime can result in substantial financial and reputational risk.
  • Contractual Negotiations: When negotiating with cloud providers, ensure that your contracts explicitly address both CADA's sovereignty requirements and the Data Act's switching obligations. Include clauses that guarantee the provider's cooperation in migration scenarios, including technical assistance and data portability in standard formats.
  • Third-Country Providers: If you rely on cloud services from third countries, verify their status under Article 18. If their country is not recognized, or if their laws conflict with the Data Act's lawful access provisions (Article 32), you may need to plan a migration to an EU-based or recognized provider.

Common misconceptions

"CADA replaces the Data Act." No. CADA complements the Data Act. The Data Act provides the mechanism for switching and portability; CADA provides the criteria for determining which provider you must switch to based on sovereignty and public order risks.

"The 12-month migration period is flexible." No. Article 29(6) states the transition period "shall not exceed 12 months." While it must be "reasonable" and consider technical feasibility, it is a strict maximum deadline. Delays beyond this period could constitute non-compliance.

"Only public sector entities need to worry about CADA." While Article 29 targets public sector bodies, Article 31 extends impact assessment obligations to private sector entities in high-criticality sectors (NIS2 Annex I). Furthermore, public procurement requirements under CADA will drive market demand for sovereign services, indirectly affecting private providers and their customers.

"Data portability under CADA is the same as under the GDPR." No. CADA references "data portability requirements applicable to such migration," which includes the Data Act's specific provisions on switching and technical assistance. The Data Act's portability obligations are broader and more technically specific than the GDPR's, particularly regarding B2B data and connected products.

This is general information about a draft EU regulation, not legal advice.