Summary
Under the proposed Cloud and AI Development Act (CADA), public-sector bodies and Union entities must conduct a mandatory risk assessment to determine the required Union assurance level (2, 3, or 4) for cloud computing services that impact public order. As proposed in Article 29, this assessment requires evaluating the sensitivity and criticality of processed data, the risk of unlawful third-country access, and the potential for service disruption. The resulting assurance level dictates which cloud providers your authority is legally permitted to procure from, with Union assurance level 1 serving as the mandatory baseline for non-critical activities.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a rigorous, harmonised framework for cloud sovereignty in the European Union. For public-sector procurement officers, IT directors, and legal counsel, the cornerstone of this framework is the risk assessment mechanism established in Article 29. This provision moves beyond general cybersecurity compliance to address strategic autonomy, data sovereignty, and operational resilience.
To comply with CADA as proposed, public authorities must move away from ad-hoc security evaluations and adopt a structured, legally defined risk assessment process. This process determines the minimum "Union assurance level" a cloud service must meet to be eligible for procurement. Failure to conduct this assessment correctly could render a procurement procedure non-compliant, as Article 30 ties procurement eligibility directly to the outcome of the Article 29 assessment.
The Legal Obligation: Article 29(1)
Article 29(1) mandates that Member States and Union entities carry out risk assessments "by [date of entry into force plus 1 year], and thereafter every two years, or whenever necessary."
This obligation is not optional. It applies to all public-sector activities that use or will use cloud computing services. The assessment has two primary objectives, as explicitly defined in Article 29(1):
- Identify Public-Order Activities: Determine which specific public-sector activities contribute to the preservation of public order. The text specifies sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), as well as areas of "national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offence."
- Determine the Assurance Level: For each identified activity, determine which of Union assurance levels 2, 3, or 4 is appropriate.
Note on Assurance Level 1: If an activity is not identified as contributing to the preservation of public order under this risk assessment, Article 30(2) mandates that the authority must use cloud computing services recognised as having Union assurance level 1. Level 1 is the baseline requirement for all public-sector cloud use. The risk assessment under Article 29 is specifically the gateway to determining if a higher level (2, 3, or 4) is required.
Core Assessment Factors: Article 29(2)
When conducting the assessment, Article 29(2) requires authorities to consider at least three specific aspects. These factors form the analytical core of your risk assessment documentation. The assessment must be evidence-based, considering the sensitivity, criticality, and magnitude of the data and the specific risks posed by the cloud environment.
1. Data Sensitivity, Criticality, and Magnitude
You must evaluate the nature of the data processed in the cloud environment. Article 29(2)(a) requires an assessment of:
- Non-personal data: Assess its sensitivity and criticality to public order. This includes commercially sensitive information, operationally critical data, and data subject to sector-specific obligations under Union law (e.g., NIS2 or DORA).
- Personal data: Evaluate the "nature, scope, context and purpose of processing of personal data," as well as the "risk of varying likelihood and severity for the rights and freedoms of data subjects."
- Magnitude: Consider the volume and scale of the data processed.
The assessment must distinguish between ordinary business information and data that is operationally critical. As noted in Recital 63, this distinction is vital for determining whether the activity falls under the public-order umbrella requiring higher assurance levels.
2. Risk of Unlawful Third-Country Access
This is a sovereignty-focused risk factor central to CADA's purpose. Article 29(2)(b) requires you to assess the risk and consequent impact on public order of unlawful access under Union law to such data by:
- A third country; or
- A legal entity established in a third country.
This factor directly addresses the extraterritorial reach of foreign laws (such as the US CLOUD Act) and the risk of espionage or data leakage. If a cloud provider is subject to the control of a third country (or a legal entity established there), the risk of that third country compelling access to EU public-sector data increases. The assessment must weigh this risk against the sensitivity of the data identified in step 1. If the data is highly sensitive and the provider is subject to third-country control without adequate safeguards, the risk is deemed high, necessitating a higher assurance level.
3. Risk of Service Disruption
You must assess the risk and consequent impact on public order of possible service disruption. Article 29(2)(c) specifically requires evaluating:
- Degradation of service quality.
- Interruption of service continuity.
This factor addresses operational resilience. Even if data access is not compromised, the ability of a third-country actor (or a provider subject to their jurisdiction) to degrade or disrupt service continuity poses a threat to public order. For critical infrastructure or law enforcement activities, a service interruption could have immediate and severe consequences for public safety.
Selecting the Assurance Level: 2, 3, or 4
Once the factors above are evaluated, the assessment must map the results to one of the higher assurance levels. Article 29(1)(b) explicitly states the assessment must determine which of Union assurance levels 2, 3, or 4 is appropriate.
The criteria for these levels are detailed in Annex II of the proposal. While the final selection is at the discretion of the Member State or Union entity (guided by Commission methodology), the levels generally correspond to the following risk profiles:
- Union Assurance Level 2: Typically involves stricter requirements on infrastructure location, personnel screening, and cybersecurity certification (e.g., EUCS "substantial" assurance). It requires independent third-party audits. It is suitable for activities where data sensitivity or third-country risk is moderate but requires enhanced safeguards beyond the baseline.
- Union Assurance Level 3: Introduces stricter controls on third-country control. Generally, providers and subcontractors must not be subject to the control of a third country, unless a specific Commission decision (under Article 18) grants an exception for an "associated third country." It also requires Union citizenship for personnel (conditional at Level 2, mandatory at Level 3/4). This level is appropriate for activities involving sensitive data or significant sovereignty risks.
- Union Assurance Level 4: The highest level of assurance. It is designed for the most sensitive data and critical operations, such as defence or classified information handling. It requires EUCS "high" assurance certification, strict separation from any third-country control, and mandatory Union citizenship for all personnel handling the service.
Methodology and Guidance: Article 29(3) empowers the Commission to adopt implementing acts specifying the methodology, templates, and elements to be taken into account. These acts will specify how Member States use the highest level of assurance for the most critical activities, including defence. Until these implementing acts are finalised, authorities should use the criteria in Annex II of the proposal as a baseline for understanding the technical and organisational differences between levels 2, 3, and 4.
Multi-Cloud and Migration Strategies
Article 29(9) requires that, in their risk assessments, Member States and Union entities consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement. This is a proactive resilience measure. By distributing workloads across multiple providers (potentially at different assurance levels or from different jurisdictions), authorities can mitigate the risk of single-point failure or vendor lock-in.
If the risk assessment determines that a current cloud service no longer meets the required assurance level, Article 29(6) mandates migration. The Member State or Union entity must migrate within a "reasonable transition period that shall not exceed 12 months," taking into account technical feasibility, continuity of service, and data portability requirements applicable to such migration.
Reporting and Commission Oversight
The risk assessment is not an internal document alone. Article 29(4) requires Member States to provide the Commission with the results of these risk assessments within three months of carrying them out. They must indicate where they depart from the Commission's implementing acts on methodology.
Furthermore, Article 29(5) gives the Commission oversight power. If the Commission concludes that the Union assurance level identified for a public-sector activity is not appropriate or does not adequately address public-order concerns, it may adopt implementing acts specifying the required Union assurance levels for that activity. This ensures a baseline of consistency across the EU, preventing Member States from under-assessing risks in critical sectors.
What this means for you
For public-sector procurement officers, IT directors, and legal counsel, the introduction of CADA's risk assessment framework represents a significant shift in how cloud services are evaluated and purchased. The proposed regulation creates a direct link between your internal risk analysis and your external procurement obligations.
- Mandatory Documentation: You must document your risk assessment formally. This is not a one-time checkbox but a recurring obligation (every two years or upon significant change). Keep detailed records of your evaluation of data sensitivity, third-country access risks, and disruption risks. This documentation will be the primary evidence if your procurement decisions are challenged.
- Link to Procurement: The outcome of this assessment directly restricts your procurement pool. Under Article 30(3), if an activity is identified as contributing to public order, you must procure only services recognised at the level determined by your assessment (2, 3, or 4). You cannot procure a Level 1 service for an activity deemed to require Level 3 assurance. Ensure your tender documents explicitly reference the specific Union assurance level determined by your risk assessment.
- Cross-Functional Collaboration: This assessment requires input from data protection officers (for personal data risks), cybersecurity teams (for disruption and access risks), and legal teams (for public-order definitions). Do not treat this as an IT-only task. The assessment covers legal sovereignty risks that IT teams may not fully appreciate.
- Watch for Secondary Legislation: The Commission will issue detailed guidance and templates under Article 29(3). Subscribe to updates from the European Commission and your national competent authority to ensure your assessment methodology aligns with the final implementing acts.
- Plan for Migration: If your current cloud provider does not meet the assurance level required by your new risk assessment, you have a 12-month window to migrate. Start planning exit strategies and data portability protocols now. The 12-month limit in Article 29(6) is strict; the factors it names (technical feasibility, continuity of service, and data portability) shape how the migration is carried out within that window, not whether it must happen.
Common misconceptions
Misconception 1: "All public-sector cloud use requires Level 3 or 4." Correction: No. Article 30(2) states that activities not identified as contributing to public order must use Union assurance level 1. Level 1 is the default baseline for general administrative tasks. Only activities identified in the Article 29 risk assessment as critical to public order require levels 2, 3, or 4.
Misconception 2: "This is just a cybersecurity assessment." Correction: While cybersecurity is a component (especially for Levels 2-4), CADA's risk assessment is broader. It explicitly includes sovereignty risks (third-country access and control) and operational resilience (service disruption). A provider may be highly secure but still fail to meet Level 3 or 4 if it is subject to the control of a third country that lacks sufficient safeguards.
Misconception 3: "We can outsource this assessment to the cloud provider." Correction: The obligation lies with the Member State or Union entity (the buyer). The provider can provide evidence and information to support your assessment, but the responsibility for determining the appropriate assurance level rests with the public authority. The provider cannot decide for you whether your activity is "public order" relevant.
Misconception 4: "Once assessed, the assurance level is fixed." Correction: Assessments must be repeated every two years or whenever necessary (e.g., if the nature of the data changes, or if new geopolitical risks emerge). A service that was Level 2 appropriate today may require Level 3 tomorrow if the sensitivity of the data increases or if the provider's ownership structure changes.
This is general information about a draft EU regulation, not legal advice.