Summary
Under the proposed Cloud and AI Development Act (CADA), when Union entities and Member States share responsibilities for public sector activities involving cloud computing, they are required to consider carrying out joint risk assessments. Article 29(1) explicitly states: "Where Union entities and Member States share responsibilities in relation to the public sector activities, they shall, where appropriate, consider carrying out the relevant risk assessment or assessments jointly." This provision aims to prevent fragmented sovereignty determinations in cross-border operations such as law enforcement, border management, and defence. These joint assessments must align with Commission methodology and coordinate through established consistency mechanisms to ensure a harmonised Union assurance level is applied across all involved parties.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a Union cloud computing sovereignty framework designed to mitigate risks arising from dependence on third-country providers. A cornerstone of this framework is the obligation for public authorities to conduct risk assessments to determine the appropriate Union assurance level (2, 3, or 4) for their cloud services. While the primary duty to assess falls on individual Member States and Union entities, the legislation recognises that many critical public order activities are inherently collaborative.
The Obligation for Joint Assessment
Article 29(1) sets the baseline for risk assessments. It requires Member States and Union entities to carry out assessments by the date of entry into force plus one year, and thereafter every two years, or whenever necessary. The purpose is to identify public sector activities that contribute to the preservation of public order in sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), as well as in areas of national security, internal security, external border management, defence, justice, or law enforcement.
Crucially, the final subparagraph of Article 29(1) addresses the complexity of shared governance: "Where Union entities and Member States share responsibilities in relation to the public sector activities, they shall, where appropriate, consider carrying out the relevant risk assessment or assessments jointly."
This clause acknowledges that operational realities often blur the lines between national and Union competence. For instance, activities involving Frontex (border management), Europol (law enforcement), or the European Defence Agency often involve data flows and infrastructure managed jointly by national authorities and Union bodies. A unilateral assessment by a Member State might fail to capture the full risk profile of a shared activity, potentially leading to an assurance level that is insufficient for the Union entity's requirements, or conversely, an assurance level that is unnecessarily burdensome for the Member State.
By mandating that parties "consider" a joint approach, CADA encourages a holistic evaluation of the data's sensitivity, criticality, and magnitude, as well as the risks of unlawful access by third countries or service disruption. The phrase "where appropriate" provides flexibility, recognising that not all shared activities may warrant a single, unified assessment, but it imposes a procedural duty to evaluate the necessity of collaboration.
Methodology and Commission Oversight
To ensure that joint assessments do not result in divergent standards, Article 29(3) empowers the Commission to adopt implementing acts specifying the methodology, templates, and elements to be taken into account. This ensures that whether an assessment is conducted individually or jointly, the underlying criteria for determining the Union assurance level remain consistent across the Union.
The Commission retains a supervisory role to safeguard public order. Under Article 29(5), if the Commission concludes, after reviewing the results of a risk assessment (including a joint one), that the identified Union assurance level is not appropriate or does not adequately address public order concerns, it may adopt implementing acts specifying the required level. This oversight mechanism ensures that joint assessments cannot be used to lower standards below what is necessary to protect the Union's public order.
Coordination via Consistency Mechanisms
The success of joint assessments relies on effective coordination. Article 29(7) explicitly obliges Member States to "cooperate with each other and with the Commission through established consistency mechanisms." These mechanisms are designed to promote the effective exchange of information and best practices.
In the context of shared responsibilities, these consistency mechanisms serve as the operational platform for aligning joint assessments. They facilitate the synchronisation of national strategies with Union-level priorities. For example, if a joint assessment determines that a specific cross-border law enforcement activity requires Union assurance level 3, the consistency mechanisms ensure that this determination is communicated to and understood by all relevant national competent authorities and Union entities involved. This prevents a scenario where one party procures a level 3 service while another procures a level 2 service for the same shared activity, which would create security gaps and operational friction.
Furthermore, Article 29(9) requires that in their risk assessments, Member States and Union entities consider whether a multi-vendor or multi-cloud strategy is appropriate. In a joint assessment, this consideration becomes even more critical, as the parties must evaluate how a multi-cloud architecture affects the overall risk profile of the shared activity and whether it enhances resilience against single points of failure or third-country control.
What this means for you
For legal counsel, compliance officers, and procurement teams within public sector bodies, Union agencies, and Member State authorities, the requirement to consider joint risk assessments introduces a new dimension of collaborative compliance.
- Map Shared Responsibilities: Conduct an internal audit to identify all public sector activities where your organisation shares responsibilities with a Union entity or another Member State. Key areas include cross-border law enforcement operations, joint border control missions, shared defence projects, and collaborative digital infrastructure initiatives.
- Initiate the Joint Process: Where shared responsibilities are identified, proactively engage with your counterparts to initiate a joint risk assessment. Do not assume that a national assessment is sufficient if a Union entity is involved. Document the decision-making process: if a joint assessment is deemed "appropriate," proceed collaboratively; if not, document the specific reasons why a joint approach was considered inappropriate to avoid future challenges.
- Adopt Unified Methodologies: Prepare your teams to utilise the methodology and templates that the Commission will specify via implementing acts under Article 29(3). Ensure that all parties in a joint assessment apply the criteria for sensitivity, criticality, and magnitude of data uniformly to reach a consensus on the required assurance level.
- Leverage Consistency Mechanisms: Actively participate in the consistency mechanisms referenced in Article 29(7). Use these forums to share best practices and ensure that your risk assessment conclusions are consistent with those of other Member States and Union entities. This proactive coordination is the best defence against a Commission intervention under Article 29(5) to impose a higher assurance level.
- Synchronise Migration Plans: If a joint risk assessment determines that a higher assurance level is required, Article 29(6) mandates migration within a reasonable transition period not exceeding 12 months. Joint assessments allow all parties to synchronise their migration timelines and technical requirements, reducing the risk of operational disruption and ensuring that the shared activity remains compliant throughout the transition.
Common misconceptions
"Joint assessments are mandatory for all shared activities." No. The text of Article 29(1) states that entities "shall, where appropriate, consider" carrying out joint assessments. It is not an absolute mandate for every shared activity. However, the burden is on the parties to justify why a joint approach was not considered appropriate. Given CADA's goal of harmonisation, failing to consider a joint assessment without valid justification could lead to inconsistencies that the Commission might later correct.
"A joint assessment allows parties to negotiate a lower assurance level." Incorrect. The joint assessment must still adhere to the criteria set out in Annex II and the methodology defined by the Commission. If the Commission determines that a joint assessment has underestimated the risk to public order, it has the power under Article 29(5) to override the result and specify a higher Union assurance level. The joint nature of the assessment does not dilute the sovereignty requirements.
"Consistency mechanisms are only for high-risk sectors." While the highest assurance levels (3 and 4) are reserved for critical public order activities, the obligation to cooperate through consistency mechanisms under Article 29(7) applies broadly. These mechanisms are essential for maintaining the integrity of the digital single market and ensuring that risk management practices are aligned across all levels of public administration, not just the most sensitive sectors.
This is general information about a draft EU regulation, not legal advice.