Summary
Under the proposed Cloud and AI Development Act (CADA), Member States and Union entities may conduct joint risk assessments when they share responsibilities for specific public sector activities, as explicitly permitted by the final subparagraph of Article 29(1). This collaborative approach allows for a unified determination of the required Union assurance level, streamlining compliance and ensuring consistent protection of public order. Joint assessments must still adhere to the mandatory biennial cycle, consider specific risk factors such as data sensitivity and third-country control, and be reported to the Commission within three months of completion. Crucially, the Commission retains the power to override inappropriate joint determinations via implementing acts.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous sovereignty framework designed to mitigate the risks associated with the EU's dependence on non-European cloud computing service providers. Central to this framework is the obligation for Member States and Union entities to conduct regular risk assessments to determine the appropriate level of sovereignty assurance required for their cloud computing services. While the default procedure is for each entity to conduct its own assessment, the proposal explicitly anticipates scenarios where responsibilities are shared, allowing for a more efficient, joint approach.
Legal Basis for Joint Assessments
The primary legal basis for this process is found in Article 29 of the CADA proposal. Paragraph 1 establishes the general obligation: by one year after the regulation enters into force, and thereafter every two years (or whenever necessary), Member States and Union entities must carry out risk assessments. These assessments must identify public sector activities that contribute to the preservation of public order in sensitive sectors (such as those listed in Annex I or II of the NIS2 Directive, national security, defence, justice, etc.) and determine which Union assurance level (2, 3, or 4) is appropriate for those activities.
Crucially, the final subparagraph of Article 29(1) provides the mechanism for collaboration: "Where Union entities and Member States share responsibilities in relation to the public sector activities, they shall, where appropriate, consider carrying out the relevant risk assessment or assessments jointly."
This provision acknowledges the complex reality of modern public administration, where tasks are often distributed across national, regional, and EU-level bodies. For example, a cybersecurity initiative might involve data processing by a national agency that feeds into a Union-level entity, or a cross-border judicial cooperation project might involve shared infrastructure. In such cases, conducting separate, siloed risk assessments could lead to inconsistent assurance levels, operational friction, and redundant administrative burdens. The joint assessment mechanism allows these entities to align their risk appetites and sovereignty requirements from the outset.
Scope and Methodology of the Joint Assessment
When deciding to carry out a joint assessment, the participating entities must still adhere to the substantive requirements laid out in Article 29(2). The assessment must consider:
- Data Sensitivity and Criticality: The sensitivity, criticality, and magnitude of the non-personal data processed, as well as the nature, scope, and context of personal data processing. This includes evaluating the risk to the rights and freedoms of data subjects.
- Third-Country Access Risks: The risk and consequent impact on public order of unlawful access to such data by a third country or a legal entity established in a third country. This directly addresses the core sovereignty concern of extraterritorial data access laws.
- Service Disruption Risks: The risk and consequent impact on public order of possible service disruption.
The joint nature of the assessment does not dilute these requirements; rather, it requires the participating entities to agree on a common risk profile for the shared activity. If one entity has a higher risk tolerance or different security clearances, the joint assessment must resolve these discrepancies, typically by adopting the highest common denominator of assurance required to protect public order.
Commission Guidance and Oversight
To ensure consistency across the Union, the Commission plays a supervisory role. Article 29(3) empowers the Commission to adopt implementing acts specifying the methodology, templates, and elements to be taken into account for these risk assessments. This includes specifying how Member States should use the highest level of assurance for the most critical public sector activities, including defence.
Furthermore, Article 29(5) provides a corrective mechanism: if the Commission concludes, after reviewing the results of a risk assessment (joint or individual), that the identified Union assurance level is not appropriate or does not adequately address public order concerns, it may adopt implementing acts specifying the required levels. This ensures that joint assessments cannot be used to artificially lower sovereignty standards through mutual agreement if the Commission deems it necessary for the protection of public order.
Reporting and Cooperation
The results of any risk assessment, including joint ones, must be reported to the Commission within three months of completion, as per Article 29(4). Member States must indicate where their assessment departs from the Commission's implementing acts.
Article 29(7) reinforces the collaborative spirit by requiring Member States to cooperate with each other and with the Commission through established consistency mechanisms. They must promote the effective exchange of information and best practices. This clause is vital for joint assessments, as it provides the procedural backbone for the ongoing dialogue between national and Union authorities needed to maintain the assessment's validity over time.
Migration and Multi-Cloud Strategies
If a joint risk assessment determines that a migration to a different cloud computing service is required to meet the appropriate assurance level, Article 29(6) mandates that the migration occur within a reasonable transition period not exceeding 12 months. This timeline must account for technical feasibility, continuity of service, and data portability requirements.
Additionally, Article 29(9) requires that risk assessments consider whether a multi-vendor or multi-cloud strategy is appropriate. In a joint assessment, this means the participating entities must collectively evaluate whether relying on a single provider poses an unacceptable concentration risk, even if that provider meets the required assurance level.
What this means for you
For public-sector procurement officers and IT directors operating at the intersection of national and EU interests, the possibility of joint risk assessments offers both a strategic opportunity and a procedural responsibility.
- Identify Shared Responsibilities Early: Map your procurement projects to identify where your national entity shares operational or data-processing responsibilities with a Union entity (e.g., Europol, Frontex, or the Commission itself). If shared responsibilities exist, proactively discuss the possibility of a joint risk assessment during the project's early planning phases.
- Align Risk Appetites: Joint assessments require consensus. You must align your national security classifications and risk tolerances with those of the Union partner. This may involve negotiating which assurance level (2, 3, or 4) applies to the shared service, ensuring that the final determination satisfies the strictest public order requirements of either party.
- Leverage Consistency Mechanisms: Utilize the cooperation frameworks mentioned in Article 29(7). Engage with your national competent authority and relevant Union bodies to share templates and methodologies. This reduces the administrative burden of creating assessment frameworks from scratch.
- Prepare for Commission Review: Remember that joint assessments are not exempt from Commission oversight. Ensure your documentation clearly demonstrates how the joint conclusion addresses the specific risks outlined in Article 29(2), particularly regarding third-country access and service disruption.
- Plan for Migration: If the joint assessment reveals that your current cloud provider does not meet the agreed assurance level, begin planning for migration immediately. The 12-month maximum transition period under Article 29(6) is a hard limit, and coordinating migration across multiple jurisdictions requires significant lead time.
Common misconceptions
- "Joint assessments replace individual ones entirely." Incorrect. Joint assessments are only appropriate where responsibilities are shared. If a public sector activity is exclusively under the purview of a Member State or a Union entity, the respective entity must conduct its own assessment. The joint option is a tool for coordination, not a blanket exemption.
- "Joint assessments allow for lower assurance levels through averaging." Incorrect. The goal of the risk assessment is to preserve public order. If one entity involved in the shared activity handles highly sensitive data (e.g., classified defence information), the joint assessment will in all likelihood have to adopt the higher assurance level required by that entity. You cannot "average down" sovereignty requirements.
- "The Commission approves joint assessments beforehand." Incorrect. The Commission does not pre-approve the decision to conduct a joint assessment. However, it reviews the results of the assessment after the fact. If the Commission finds the outcome inappropriate, it can intervene via implementing acts under Article 29(5).
- "Joint assessments only apply to new procurements." Incorrect. Risk assessments must be carried out every two years or whenever necessary. If responsibilities change or new risks emerge, a joint reassessment may be required even for existing contracts, potentially triggering migration obligations.
Related
- How private critical entities can carry out a CADA-style impact assessment
- How does an SME rely on EU-wide CADA level 1 recognition across Member States?
- CADA SME Target: How Member States Must Reach the 25% Innovation Goal
- How do I plan a cloud migration required by a CADA risk assessment?
- How to conduct a CADA risk assessment for public-sector cloud use
This is general information about a draft EU regulation, not legal advice.