Summary
Under the proposed Cloud and AI Development Act (CADA), determining whether a public-sector activity contributes to "public order" is a mandatory legal test, not a voluntary best practice. Article 29(1)(a) requires Member States and Union entities to conduct risk assessments to identify activities that contribute to the preservation of public order. This test specifically covers sectors listed in Annex I or II of the NIS2 Directive (e.g., energy, health, transport) as well as activities in national security, internal security, external border management, defence, justice, and law enforcement. If an activity is identified as contributing to public order, Article 30(3) imposes a strict obligation: the contracting authority shall only procure cloud computing services recognised at Union assurance level 2, 3, or 4. Once the regulation is adopted, failure to conduct this assessment, or procuring at the wrong level, would constitute a breach of it.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a sovereignty framework designed to protect the EU's public order by ensuring that critical digital infrastructure is resilient, autonomous, and free from undue third-country interference. For public-sector bodies, the linchpin of this framework is the risk assessment mandated by Article 29. This process is the definitive mechanism for determining the appropriate level of trust required for cloud computing services.
The Legal Basis: Article 29(1)(a) and the Scope of "Public Order"
The obligation to assess your activities is codified in Article 29(1)(a). As proposed, by the date of entry into force plus one year, and thereafter every two years (or whenever necessary), Member States and Union entities must carry out risk assessments. These assessments must specifically identify public sector activities that use or will use cloud computing services and that "contribute to the preservation of public order."
The proposal defines "preservation of public order" through two distinct categories of activities. The categories are alternative, not cumulative: an activity falls within the scope if it meets the criteria of either one.
- Sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2 Directive): This category captures essential and important entities across the economy. It includes sectors such as energy, transport, banking, financial market infrastructure, health, drinking water supply and distribution, digital infrastructure, public administration, and space. If a public-sector body operates within any of these sectors and uses cloud services, it must assess whether those specific activities contribute to public order.
- Specific Security and Justice Areas: This category explicitly covers activities in the areas of national security, internal security, external border management, defence, justice, or law enforcement. The text of Article 29(1)(a) further clarifies that this includes "the prevention, investigation, detection and prosecution of criminal offence."
It is critical to note that the scope is not limited to the core functions of police or military. A public hospital managing patient data falls under the "health" sector of NIS2 Annex I. A regional transport authority managing traffic control systems falls under "transport." If the risk assessment determines that the cloud services used in these contexts contribute to the preservation of public order, the higher assurance requirements are triggered.
The Consequence: Article 30(3) Procurement Obligations
The outcome of the Article 29 risk assessment directly dictates the procurement strategy under Article 30. The regulation creates a strict two-tier procurement obligation keyed to the result of the assessment:
- Non-Public Order Activities: If the risk assessment concludes that a public sector activity does not contribute to the preservation of public order, the contracting authority must procure cloud computing services that have been recognised as having Union assurance level 1 (as per Article 30(2)). Level 1 serves as the baseline for general administrative functions.
- Public Order Activities: If the risk assessment identifies that the activities do contribute to the preservation of public order (as defined in Article 29(1)), the contracting authority shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3, or 4 (as per Article 30(3)).
This is a hard requirement, not guidance. For activities identified under Article 29(1)(a), a public buyer is legally barred from using standard commercial cloud offerings that only meet the baseline Level 1 criteria. It must source services that have undergone independent third-party audits and meet stricter criteria regarding data localisation, personnel citizenship, and supply chain transparency.
How to Conduct the Test: A Step-by-Step Approach
To determine if a specific activity triggers the higher assurance requirements, public-sector bodies should follow this structured approach, grounded in the text of Article 29:
- Map Your Services: List all cloud computing services currently used or planned for future use within the department or agency. This includes Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
- Cross-Reference with NIS2: Check whether the sector in which the activity operates is listed in Annex I (Essential Entities) or Annex II (Important Entities) of the NIS2 Directive. For example, a regional health authority managing patient data or a transport authority managing traffic systems very likely falls under NIS2. If the activity is in one of these sectors, it is a candidate for public order relevance.
- Check Security and Justice Mandates: Independently of the NIS2 check, determine whether the activity relates to national security, internal security, external border management, defence, justice, or law enforcement. This includes activities by police forces, customs agencies, judicial bodies, and intelligence services. The prevention, investigation, detection, and prosecution of criminal offences are explicitly included. Because the two categories are alternatives, an activity that matches either one proceeds to the next step.
- Assess Sensitivity and Criticality: As per Article 29(2), the risk assessment must consider the sensitivity, criticality, and magnitude of the non-personal and personal data processed. This includes the potential impact on public order, the nature of the data, and the risk of unlawful access by a third country. Even if an activity is on the borderline, the high sensitivity of the data (e.g., classified information or critical operational data) may push the assessment toward a higher assurance level.
- Document the Conclusion: The result of this assessment determines the "required conformity." If the assessment identifies public order relevance, this conclusion must be documented. Procurement specifications must then be updated to require Union assurance levels 2, 3, or 4.
The Role of the Commission and Member States
While the initial risk assessment is conducted by the Member State or Union entity, the Commission plays a supervisory role to ensure consistency. Article 29(5) states that if the Commission concludes, after reviewing the results of a Member State's risk assessment, that the identified Union assurance level is not appropriate or does not adequately address public order concerns, it may adopt implementing acts specifying the required Union assurance levels for that public sector activity. This ensures a harmonized approach across the EU, preventing individual Member States from underestimating risks.
Furthermore, Article 29(9) requires that in these risk assessments, Member States and Union entities consider whether a multi-vendor or multi-cloud strategy is appropriate. This is a key resilience measure; relying on a single provider for public-order-critical services increases systemic risk.
Migration Obligations
If a risk assessment determines that a current cloud service is insufficient (e.g., only Level 1 is available, but Level 2-4 is required), Article 29(6) mandates a migration. The Member State or Union entity shall migrate within a reasonable transition period that shall not exceed 12 months, taking into account technical feasibility, continuity of service, and data portability requirements.
What this means for you
For procurement officers, legal counsel, and public-sector leaders, this shift from voluntary best practices to a mandatory legal test means preparation should start now, before the regulation applies.
- Update Your Procurement Templates: Standard cloud procurement templates that do not specify Union assurance levels will be non-compliant for a significant portion of public-sector activities. You must create distinct procurement pathways: one for Level 1 (general administration) and one for Levels 2-4 (critical/public order activities).
- Engage Early with Competent Authorities: The national competent authority designated by your Member State will oversee the recognition of cloud providers. Engage with them early to understand how they interpret "public order" in your specific sector and to align your risk assessment methodology.
- Prepare for Migration: If your current cloud provider only offers Level 1 assurance, and your activities are deemed to contribute to public order, you face a migration obligation. Start planning your exit strategies and data portability plans now to meet the 12-month transition window.
- Audit Your Data Flows: To support your risk assessment, you need a clear inventory of what data is processed. Ensure you have the technical visibility to demonstrate the sensitivity and criticality of your data, as this evidence will be scrutinized during the assessment process.
- Consider Multi-Cloud: Do not rely on a single vendor for critical services. Article 29(9) explicitly encourages considering multi-vendor or multi-cloud strategies to enhance resilience.
Common misconceptions
Misconception 1: "Only the military and police need high-assurance cloud." This is incorrect. The definition of public order under Article 29(1)(a) explicitly includes sectors listed in NIS2 Annex I and II. This means that energy providers, water management authorities, major financial market infrastructures, and public health bodies operating in the public sector are also subject to the Level 2-4 procurement obligation if their activities are deemed critical to public order.
Misconception 2: "I can choose Level 1 if I implement strong internal security measures." No. The assurance level is a property of the provider's service and its legal/operational structure (e.g., location of infrastructure, citizenship of personnel, absence of third-country control), not just the customer's internal security. If your activity contributes to public order, Article 30(3) mandates Level 2, 3, or 4. Internal security measures are necessary but insufficient to override the procurement requirement.
Misconception 3: "The risk assessment is a one-time event." Article 29(1) requires assessments to be carried out "by [date of entry into force plus 1 year], and thereafter every two years, or whenever necessary." Technological changes, new threats, or shifts in the nature of your data processing may trigger an immediate reassessment.
Misconception 4: "Level 1 is only for private companies." Incorrect. Article 30(2) explicitly states that public sector bodies whose activities have not been identified as contributing to public order must use services with Union assurance level 1. Level 1 is the baseline for all public-sector cloud usage, but it is not sufficient for critical activities.
Related
- What should a public-sector body do before CADA's application date?
- How do I share and reuse public-sector software under CADA?
- How do I list public-sector software on the EU Open Source Solutions Catalogue?
- How do I license public-sector software for reuse under CADA?
- How to conduct a CADA risk assessment for public-sector cloud use
This is general information about a draft EU regulation, not legal advice.