Summary

To set the required assurance level for a Cloud and AI Development Act (CADA) tender, you must first conduct a risk assessment under Article 29 to determine whether the service supports public order. If the assessment concludes the activity does not contribute to public order, Article 30(2) mandates procuring only services recognized at Union assurance level 1. If the activity does contribute to public order, Article 30(3) requires procuring services recognized at Union assurance levels 2, 3, or 4. You must document this determination in your procurement file to ensure legal compliance.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a mandatory, risk-based framework for public procurement of cloud computing services. As proposed, the Act moves away from voluntary best practices toward binding assurance levels that dictate which providers can serve the public sector. For procurement officers, the core challenge is correctly mapping a specific use case to the appropriate "Union assurance level" (UAL) before launching a tender. The process is governed primarily by Article 29 (Risk assessments) and Article 30 (Public procurement).

Step 1: Conduct the Article 29 Risk Assessment

You cannot set an assurance level without first completing a formal risk assessment. Article 29(1) obliges Member States and Union entities to carry out risk assessments within one year of the Regulation's entry into force, and thereafter every two years or whenever necessary.

The purpose of this assessment is to identify which public sector activities contribute to the preservation of public order. Specifically, Article 29(1) requires you to assess activities in sectors falling under Annex I or II of the NIS2 Directive (Directive (EU) 2022/2555), as well as areas of national security, internal security, external border management, defence, justice, or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences.

When conducting this assessment, Article 29(2) requires you to consider at least the following aspects:

  • The sensitivity, criticality, and magnitude of the non-personal data processed, including the potential impact on public order.
  • The nature, scope, context, and purpose of processing personal data, as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects.
  • The risk and consequent impact on public order of access to such data that is unlawful under Union law by a third country or a legal entity established in a third country.
  • The risk and consequent impact on public order of possible service disruption.

The outcome of this assessment is binary for procurement purposes: does the activity contribute to the preservation of public order? This determination is the switch that selects your mandatory assurance level.

Step 2: Apply Article 30 Procurement Rules

Once the risk assessment is complete, Article 30 dictates the minimum assurance level you must require in your tender documentation.

Scenario A: No Public Order Relevance (Level 1)

If your risk assessment determines that the public sector activities do not contribute to the preservation of public order, Article 30(2) applies. In this case, you must use cloud computing services that have been recognized under Article 17 as having a Union assurance level 1. This is the baseline requirement for all public sector cloud procurement under CADA. It ensures a minimum standard of sovereignty, such as EU establishment and data localization within the Union, but does not require the rigorous third-party audits mandated for higher levels.

Scenario B: Public Order Relevance (Levels 2–4)

If your risk assessment determines that the activities do contribute to the preservation of public order (e.g., healthcare data, justice systems, critical infrastructure), Article 30(3) applies. Here, you must only procure cloud computing services that have been recognized as having a Union assurance level 2, 3, or 4.

The specific level (2, 3, or 4) is determined by the depth of the risk assessment in Article 29. The Commission will provide implementing acts specifying the methodology for these assessments, including how Member States should use the highest level of assurance for the most critical activities, such as defence. Generally, higher assurance levels impose stricter criteria, such as:

  • Level 2: Requires independent third-party audits, EU-based personnel and infrastructure, and restrictions on third-country control.
  • Level 3: Adds requirements for Union citizenship for personnel and stricter separation from third-country subsidiaries.
  • Level 4: The highest level, requiring EU-based personnel with national security clearances for classified information and absolute prohibition of third-country control.

Step 3: Document the Determination

While CADA does not prescribe a specific form, the legal necessity of the risk assessment means you must document the determination in your procurement file. This documentation serves as evidence that you correctly applied Article 30. If a procurement is challenged, you must be able to show that the assurance level required was directly derived from the Article 29 risk assessment. The procurement file should explicitly state the conclusion of the risk assessment and the resulting mandatory assurance level.

Derogations and Exceptions

Article 30(4) provides narrow derogations. You may decide not to procure a recognized assurance level only if:

  • The subject matter of the tender cannot be supplied by recognized cloud computing services available in the central repository referred to in Article 22, and no adequate or reasonable alternative or comparable cloud computing service exists, and such absence is not the result of an artificial narrowing down of the parameters of the public procurement procedure.
  • The contracting authority has launched a similar procurement process within the previous year but did not receive any suitable tenders or suitable participants.
  • Applying the requirements of this Regulation would require the contracting authority to procure services at disproportionate cost.

These derogations are narrow and must be duly justified. They do not allow you to bypass the risk assessment; they only allow you to bypass the assurance level requirement in specific, documented failure scenarios.

What this means for you

For public-sector procurement officers, CADA fundamentally changes your tender preparation workflow. You can no longer treat cloud sovereignty as a "nice-to-have" or a purely technical specification. It is a legal prerequisite.

  1. Integrate Risk Assessment Early: Do not wait until the tender is drafted. Initiate the Article 29 risk assessment with your data protection and security teams early in the project lifecycle. The assessment dictates the entire market approach.
  2. Verify Recognition Status: When evaluating bids, you must check the central repository of recognized cloud computing services (maintained by the Commission under Article 22). A provider's claim of being "sovereign" is irrelevant; only formal recognition at UAL 1, 2, 3, or 4 matters.
  3. Update Evaluation Criteria: Ensure your tender documents explicitly reference the required Union assurance level. For Level 1, you may rely on the provider's EU statement of conformity. For Levels 2–4, you must require evidence of a positive audit opinion from an accredited auditing organization.
  4. Plan for Migration: If your current provider does not hold the required assurance level, Article 29(6) notes that migration should occur within a reasonable transition period that shall not exceed 12 months. Start planning this transition now.

Common misconceptions

Misconception 1: I can choose any level I want. No. CADA is mandatory, not voluntary. If your risk assessment says "public order," you must go to Level 2, 3, or 4. If it says "not public order," you must go to Level 1. You cannot downgrade to Level 1 if the risk assessment mandates Level 3.

Misconception 2: "Sovereign" means the same thing as "Union Assurance Level." No. Many providers market services as "sovereign" or "EU-hosted." Under CADA, these marketing terms have no legal weight. Only services formally recognized by a national competent authority under Article 17 and listed in the central repository count. A provider can host data in Frankfurt but still fail UAL 2 if it is controlled by a third-country entity or lacks the required audit.

Misconception 3: The risk assessment is a one-time box-ticking exercise. No. Article 29(1) requires assessments every two years, or whenever necessary. If the nature of the data changes, or if new threats emerge, you must reassess. A static assessment from three years ago may no longer justify your current assurance level requirement.

Misconception 4: I can outsource the risk assessment to the cloud provider. No. The obligation to carry out the risk assessment lies with the Member State or Union entity (the buyer). The provider can supply information to help you, but they cannot determine your public order status. This is a sovereign decision.

This is general information about a draft EU regulation, not legal advice.