Summary
Under the proposed Cloud and AI Development Act (CADA), Member States and Union entities are required to conduct risk assessments to determine the appropriate "Union assurance level" for cloud services used in public-order-relevant activities. Crucially, these assessments are not isolated national exercises. Article 29(7) explicitly mandates that Member States cooperate with each other and with the Commission through established consistency mechanisms. This cooperation is designed to promote the effective exchange of information and best practices, ensuring that the sovereignty framework is applied consistently across the Union to prevent market fragmentation and safeguard public order uniformly.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a harmonised framework for cloud computing sovereignty based on four distinct Union assurance levels. The mechanism for determining which level applies to a specific public sector activity is the risk assessment, mandated by Article 29. However, the proposal recognises that a fragmented approach to these assessments would undermine the single market and the Union's strategic autonomy. Consequently, the legislation embeds a robust requirement for cross-border coordination.
The Legal Obligation: Article 29(7)
The cornerstone of this cooperative framework is Article 29(7). This provision states: "Member States shall cooperate with each other and with the Commission through established consistency mechanisms and promote cooperation and effective exchange of information and best practices."
This is not a voluntary guideline but a binding obligation. The text explicitly links the act of cooperation to two specific outcomes:
- Effective exchange of information: Ensuring that data regarding threats, vulnerabilities, and assessment outcomes flows between national authorities and the Commission.
- Exchange of best practices: Allowing Member States to learn from one another's methodologies and experiences in assessing risks to public order.
The goal of this cooperation is to ensure the "consistent application" of the Regulation. Without such mechanisms, divergent national interpretations of what constitutes a risk to public order could lead to a patchwork of sovereignty standards, where a cloud service deemed "sovereign" in one Member State might be considered insufficient in another, creating legal uncertainty and security gaps.
The Scope of Cooperation: Public Order and Shared Responsibilities
The risk assessments themselves, defined in Article 29(1), are high-stakes exercises. They require Member States and Union entities to identify public sector activities that contribute to the preservation of public order. These activities span sectors listed in Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive) and cover critical areas such as national security, internal security, external border management, defence, justice, and law enforcement.
Because these domains often involve cross-border operations or shared EU competencies, a siloed national approach is inherently insufficient. Article 29(1) further reinforces the need for cooperation by stating that where Union entities and Member States share responsibilities regarding public sector activities, they "shall, where appropriate, consider carrying out the relevant risk assessment or assessments jointly."
This joint assessment provision ensures that when an activity involves both national and Union-level interests, the risk determination is unified. It prevents scenarios where a Union entity might rely on a lower assurance level than a Member State requires for the same activity, or vice versa, thereby ensuring a seamless security posture across the governance divide.
Consistency Mechanisms and the Commission's Role
The phrase "established consistency mechanisms" in Article 29(7) refers to the formal governance structures that will operationalise this cooperation. While the Regulation does not list every specific body, the context of the proposal and the involvement of the Commission suggest these mechanisms will likely leverage existing EU digital governance bodies, such as the European Artificial Intelligence Board (AI Board) established under the AI Act, or new working groups specifically for cloud sovereignty.
The Commission plays a pivotal vertical role in this ecosystem to ensure that horizontal cooperation yields consistent results:
- Methodology and Templates: Under Article 29(3), the Commission is empowered to adopt implementing acts to specify the methodology, templates, and elements to be taken into account for risk assessments. This ensures that all Member States are working from the same foundational framework.
- Reporting and Monitoring: Article 29(4) requires Member States to provide the Commission with the results of their risk assessments within three months of carrying them out. This reporting obligation feeds directly into the consistency mechanisms, allowing the Commission to monitor the landscape for divergences.
- Intervention Power: If the Commission concludes, after reviewing a Member State's assessment, that the identified Union assurance level is "not appropriate or does not adequately address the public order concerns," Article 29(5) empowers the Commission to adopt implementing acts specifying the required Union assurance levels for that specific activity. This "backstop" power reinforces the necessity of cooperation; Member States are incentivised to align their assessments with shared best practices to avoid Commission intervention.
The Goal: Preventing Fragmentation and Ensuring Uniformity
The ultimate objective of the cooperation mandated by Article 29(7) is to preserve the integrity of the digital single market. If Member States were to apply the sovereignty framework in isolation, they could inadvertently create barriers to the free movement of cloud services or, conversely, leave critical infrastructure exposed to third-country risks due to inconsistent risk tolerance.
By promoting the exchange of information and best practices, the Regulation aims to:
- Harmonise Risk Interpretation: Ensure that "public order" is interpreted consistently across the EU, particularly in sensitive sectors like defence and law enforcement.
- Accelerate Learning: Allow Member States to rapidly adopt successful risk mitigation strategies developed elsewhere in the Union.
- Strengthen Strategic Autonomy: Present a unified front in determining which cloud services are trustworthy, thereby reducing the leverage of third-country providers who might otherwise exploit regulatory divergences.
What this means for you
For public-sector bodies, contracting authorities, and legal teams involved in cloud procurement, the cooperation requirement in Article 29(7) has significant practical implications:
- Align with Emerging Standards: Do not treat your risk assessment as a purely internal document. Your national authority is likely participating in consistency mechanisms where methodologies are being refined. Ensure your internal processes are flexible enough to align with the "best practices" emerging from these exchanges.
- Prepare for Joint Assessments: If your organisation engages in cross-border projects or shared responsibilities with Union entities (e.g., joint research, shared security operations), proactively initiate dialogue for a joint risk assessment as suggested by Article 29(1). This can prevent conflicting assurance level requirements later in the procurement process.
- Expect Commission Scrutiny: Be aware that your national risk assessment results will be reported to the Commission under Article 29(4). If your assessment deviates significantly from the Commission's methodology or the consensus of other Member States, be prepared to justify your decision, as the Commission has the power to override your assessment under Article 29(5).
- Monitor Implementing Acts: The "consistency mechanisms" will likely result in Commission implementing acts that specify technical templates and mandatory assurance levels. Staying informed about these acts is crucial, as they will effectively standardise the risk assessment process across the Union.
Common misconceptions
- "Risk assessments are purely national decisions." While Member States conduct the assessments, they are not isolated. Article 29(7) creates a binding obligation to cooperate, and the Commission retains the power to intervene if an assessment is deemed inappropriate. National discretion is bounded by the requirement for EU-wide consistency.
- "Cooperation is optional or informal." The use of the word "shall" in Article 29(7) makes cooperation a legal requirement, not a suggestion. Member States must actively engage in established consistency mechanisms and promote the exchange of information.
- "Best practices are just recommendations." While "best practices" themselves may not be directly binding in the same way as the Regulation's articles, they form the basis of the "consistency" that the Commission monitors. Significant deviation from shared best practices without robust justification increases the risk of the Commission adopting implementing acts to override national assessments under Article 29(5).
This is general information about a draft EU regulation, not legal advice.