Summary

Under the proposed Cloud and AI Development Act (CADA), public-sector bodies and Union entities must conduct risk assessments to determine the appropriate Union assurance level for their cloud services. As proposed in Article 29(3), the European Commission will adopt implementing acts specifying the mandatory methodology, templates, and elements to be used. Public bodies must follow this framework but are required to explicitly flag any departures from it when reporting results to the Commission within three months. Crucially, the methodology must specify how to apply the highest assurance levels to the most critical public sector activities, including defence.

Detail

The proposed Cloud and AI Development Act (CADA) establishes a harmonised, risk-based framework for the procurement of cloud computing services by the public sector. The cornerstone of this framework is the risk assessment mechanism detailed in Article 29. While Member States and Union entities retain the responsibility for conducting these assessments, they do not have the discretion to invent their own procedures. To ensure a consistent single market and prevent fragmentation of sovereignty standards, the Commission retains central authority over the methodology used to reach conclusions on assurance levels.

The Commission's Implementing Acts: Methodology and Templates

The primary mechanism for standardising risk assessments is found in Article 29(3) of the proposal. This provision explicitly empowers the Commission to adopt implementing acts that define three critical components for all risk assessments:

  1. The methodology to be applied by Member States and Union entities.
  2. The templates to be used for documenting the assessment.
  3. The specific elements that must be taken into account during the evaluation.

These implementing acts are not optional guidelines; they are binding procedural requirements. The Commission will adopt these acts using the examination procedure referred to in Article 46(2), ensuring they are technically robust and legally consistent with the Regulation.

The purpose of this centralised methodology is to guarantee comparability across the Union. Without a common template and methodological approach, 27 Member States could develop incompatible risk assessment frameworks, creating legal uncertainty for cloud providers and hindering the cross-border provision of sovereign cloud services. By mandating a specific methodology, the Commission ensures that a risk assessment conducted in one Member State yields results that are directly comparable to one conducted in another, facilitating the functioning of the internal market.

Mapping Assurance Levels to Critical Activities

A pivotal requirement of the Commission's methodology, as explicitly mandated by Article 29(3), is the specification of how Member States must apply the highest levels of assurance to the most critical public sector activities. The text of the proposal specifically cites defence as a primary example of such an activity.

Under CADA, there are four Union assurance levels. Level 1 serves as the baseline for all public sector procurement. Levels 2, 3, and 4 offer increasing degrees of sovereignty, data localisation, and personnel restrictions. The Commission's methodology will provide the technical and political criteria for mapping specific public sector functions to these levels.

For instance, the methodology will clarify that activities involving national security, defence, internal security, external border management, justice, or law enforcement likely require Union assurance levels 3 or 4. This ensures that the most sensitive data and operations are protected by services that are not subject to the control of third countries and that meet the strictest criteria for personnel citizenship and infrastructure location. The methodology will effectively operationalise the "public order" concept, translating abstract security concerns into concrete procurement requirements.

The Duty to Flag Departures

While the Commission provides the standard methodology, Article 29(4) recognises that Member States may have unique national security considerations or specific operational contexts that require deviation from the standard template. However, this deviation is not silent or unilateral; it is subject to strict transparency obligations.

Member States have a mandatory reporting duty: within three months of carrying out their risk assessments, they must provide the Commission with the results. Crucially, this submission must explicitly indicate where they depart from the implementing acts referred to in Article 29(3).

This creates a vital transparency loop. If a Member State decides that a specific defence-related activity requires a different assurance level than the Commission's methodology suggests, or if they modify the template to account for a specific national threat landscape, they must document and report this departure. This allows the Commission to monitor the consistency of the sovereignty framework across the Union and identify potential gaps or inconsistencies that could undermine public order protection.

Commission Oversight and Correction Powers

The Commission's role extends beyond merely providing templates; it includes active oversight and correction powers. Article 29(5) grants the Commission the authority to review the results of Member State risk assessments. If the Commission concludes that the Union assurance level identified for a public sector activity is not appropriate or does not adequately address the public order concerns, it may adopt further implementing acts.

These subsequent implementing acts can specify the Union assurance levels needed for the specific public sector activity in question. This is a powerful oversight mechanism designed to prevent Member States from artificially lowering assurance levels to reduce costs or from failing to protect critical public order interests. It ensures that the "public order" rationale for the sovereignty framework is applied consistently and rigorously across the EU, overriding national discretion where necessary to safeguard Union security.

Integration with the Risk Assessment Content

The methodology provided by the Commission will guide how public-sector bodies evaluate the specific factors listed in Article 29(2). These factors include:

  • The sensitivity, criticality, and magnitude of non-personal data processed, including the potential impact on public order.
  • The nature, scope, context, and purpose of processing personal data, as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects.
  • The risk and consequent impact on public order of unlawful access under Union law to such data by a third country or a legal entity established in a third country.
  • The risk and consequent impact on public order of possible service disruption.

The Commission's templates will likely structure the assessment around these elements, requiring procurement officers to document evidence and reasoning for each factor. This structured approach ensures that the final determination of the assurance level is defensible, auditable, and reproducible, aligning with the broader goals of the Regulation to enhance resilience and strategic autonomy.

What this means for you

As a public-sector procurement officer or a legal advisor to a Union entity, your workflow for cloud procurement will change significantly under the proposed CADA. You can no longer rely on internal, ad-hoc risk assessments or legacy national frameworks. You must wait for and strictly adhere to the Commission's implementing acts.

Actionable steps:

  1. Monitor for Implementing Acts: Keep a close watch on the publication of implementing acts under Article 29(3). These will provide the mandatory templates and methodological steps you must follow. Until these are adopted, existing national frameworks may apply, but they will eventually need to align.
  2. Use the Standard Template: When conducting your risk assessment, use the Commission's template. Do not create your own unless you have a specific, justified reason to depart from it.
  3. Document Departures Rigorously: If national security or specific operational requirements force you to deviate from the Commission's methodology, document this clearly. You must report these departures to the Commission within three months of your assessment, as required by Article 29(4).
  4. Prioritise Critical Sectors: For activities in defence, national security, or critical infrastructure, assume the highest assurance levels (3 or 4) are required unless the Commission's methodology specifies otherwise. The methodology will explicitly guide you on using the highest levels for these critical areas, as mandated by Article 29(3).
  5. Prepare for Commission Review: Understand that your risk assessment results are subject to review by the Commission. If it deems your chosen assurance level inappropriate for the public order risks involved, it can issue binding specifications to correct it under Article 29(5).

Common misconceptions

Misconception 1: Member States can design their own risk assessment methodologies.

  • Reality: No. While Member States conduct the assessments, the methodology, templates, and elements to be considered are specified by the Commission via implementing acts under Article 29(3). Deviations are allowed but must be reported and are subject to Commission correction.

Misconception 2: The Commission's methodology is merely advisory.

  • Reality: No. Implementing acts adopted under Article 29(3) are binding. They establish the standard procedure for all risk assessments under CADA, ensuring harmonisation across the single market.

Misconception 3: Only the public sector needs to worry about the Commission's methodology.

  • Reality: While Article 29 focuses on public sector and Union entities, the Commission's guidance and methodology set the standard for what constitutes a robust risk assessment. Private sector entities in critical sectors (under Article 31) may carry out similar assessments, and the Commission may issue guidance or delegated acts requiring impact assessments for them, drawing on the same logical framework.

Misconception 4: Defence activities are automatically exempt from the standard methodology.

  • Reality: No. Defence is explicitly mentioned in Article 29(3) as an area where the methodology must specify the use of the highest assurance levels. It is not exempt from the methodology; rather, it is the primary use case for the most stringent application of it.

This is general information about a draft EU regulation, not legal advice.