Summary
Under the proposed Cloud and AI Development Act (CADA), Member States and Union entities are required to conduct risk assessments to determine the appropriate Union assurance level for cloud services. These assessments must explicitly evaluate "dependency vulnerabilities," which the proposal defines to include the risk of economic coercion through mechanisms such as embargoes, sanctions, and monopoly pricing. As outlined in Recital 50 and mandated by Article 29, these risks are not merely commercial concerns but are treated as threats to the Union's public order. If an assessment identifies that a provider is subject to third-country control capable of imposing such coercion, the procurement rules under Article 30 would likely require the use of cloud services recognised at Union assurance levels 2, 3, or 4 to mitigate the risk of service disruption or data exfiltration.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a sovereignty framework designed to reduce the European Union's strategic dependence on non-European cloud computing providers. A critical component of this framework is the obligation for Member States and Union entities to conduct rigorous risk assessments. These assessments serve as the gatekeeper for public procurement, determining whether a specific public sector activity requires the heightened protections of the higher Union assurance levels.
The Legal Basis: Recital 50 and the Definition of Dependency Vulnerabilities
The conceptual foundation for evaluating economic coercion within CADA is found in Recital 50 of the proposal. This recital explicitly categorizes the risks that the sovereignty framework aims to mitigate, distinguishing between misuse, access to information, and dependency vulnerabilities.
Recital 50 states that dependency vulnerabilities include:
"political and/or economic coercion, for example by using vendor or technology lock-ins, embargos or sanctions, monopoly pricing damaging the financial interest of the Union and Member States."
This text is decisive. It confirms that the EU legislature views the risk of a third-country provider leveraging its market dominance or geopolitical leverage to coerce EU public bodies as a direct threat to public order. In the context of CADA, "economic coercion" is not an abstract concept; it encompasses specific, tangible mechanisms:
- Embargoes: The sudden, unilateral restriction or denial of access to cloud infrastructure, software updates, or support services by a third country.
- Sanctions: The imposition of restrictive measures by a third country that legally compel a provider to degrade, disrupt, or terminate service for EU entities, or to block access to specific data.
- Monopoly Pricing: The exploitation of a lack of competitive alternatives to impose unsustainable costs, thereby "damaging the financial interest of the Union and Member States."
These dependency vulnerabilities are the primary inputs for the risk assessment process mandated by Article 29. The proposal recognizes that reliance on providers subject to third-country jurisdictions creates a structural vulnerability where the continuity of essential public services could be held hostage to foreign political or economic decisions.
The Risk Assessment Process: Article 29
Article 29 of CADA sets out the specific obligation for Member States and Union entities to carry out risk assessments. The primary objective of these assessments is to identify public sector activities that contribute to the preservation of public order and to determine which Union assurance level (1, 2, 3, or 4) is appropriate for those activities.
While Article 29(1) focuses on identifying activities in sectors such as national security, internal security, external border management, defence, justice, and law enforcement, the methodology for these assessments must account for the specific risks identified in Recital 50. Specifically, Article 29(2) requires that risk assessments consider:
- The sensitivity, criticality, and magnitude of the non-personal data processed.
- The risk and consequent impact on public order of unlawful access to such data by a third country or a legal entity established in a third country.
- The risk and consequent impact on public order of possible service disruption.
The criterion regarding "possible service disruption" is the direct operationalisation of the economic coercion risks mentioned in Recital 50. If a cloud provider is subject to the jurisdiction of a third country whose laws or practices enable the imposition of embargoes, sanctions, or similar disruptive measures, the risk of service disruption is elevated, and the risk assessment must reflect that heightened risk.
Furthermore, Article 29(3) mandates that the Commission will specify the methodology for these risk assessments via implementing acts. This methodology will detail how Member States should apply the highest levels of assurance to the most critical public sector activities. The assessment must therefore evaluate whether the current or proposed cloud provider exposes the public sector to the dependency vulnerabilities of economic coercion. If a provider is controlled by a third country that can compel service degradation or disruption (a form of control that the higher Union assurance levels exclude), the risk assessment will likely conclude that a higher assurance level is necessary to mitigate this coercion risk.
Linking Risk Assessment to Procurement: Article 30
The outcome of the Article 29 risk assessment directly dictates procurement obligations under Article 30. The logic is linear: if the risk assessment identifies a threat to public order (including economic coercion), the procurement rules tighten.
- Article 30(2) states that public sector bodies whose activities have not been identified as contributing to the preservation of public order must use cloud services with at least Union assurance level 1.
- Article 30(3) mandates that contracting authorities whose activities have been identified as contributing to the preservation of public order (based on the Article 29 assessment) must only procure cloud services recognised as having Union assurance levels 2, 3, or 4.
Union assurance levels 2, 3, and 4 impose strict criteria regarding third-country control, as detailed in Annex II. For example:
- Level 2 requires that if a provider is subject to third-country control, specific legal and technical measures must be in place to prevent that control from restricting service delivery or accessing data.
- Level 3 and Level 4 generally require that the provider and its subcontractors are not subject to the control of a third country, unless a specific derogation under Article 18 applies (where the Commission has determined the third country provides sufficient safeguards).
Therefore, if a risk assessment identifies a high risk of economic coercion (for instance, a provider subject to extraterritorial laws that could compel service disruption), the entity is effectively barred from procuring that service for critical public order activities unless the service meets the stringent sovereignty criteria of levels 2 to 4. This mechanism ensures that procurement decisions are not driven solely by price or technical features, but by a strategic assessment of resilience against economic coercion.
What this means for you
For in-house counsel, compliance officers, and procurement teams within public sector bodies or entities providing services to the public sector, the implications of CADA's risk assessment framework are significant and require proactive planning.
- Mandatory Risk Assessments: By the date of entry into force plus one year (and thereafter every two years), your organization must conduct or participate in risk assessments as required by Article 29. These assessments must explicitly document the evaluation of dependency vulnerabilities, including the specific risk of economic coercion via embargoes, sanctions, or monopoly pricing.
- Documenting Coercion Risks: You must ensure that your risk assessment methodology aligns with the Commission's future implementing acts. This means you cannot simply assess technical cybersecurity; you must assess geopolitical and economic dependencies. If your current cloud provider is controlled by a third country with laws that could compel data access or service disruption, you must document this as a dependency vulnerability.
- Procurement Restrictions: If your activities are deemed to contribute to the preservation of public order, you are legally required to procure only services with Union assurance levels 2, 3, or 4 (Article 30(3)). This likely means moving away from non-EU hyperscalers unless they can demonstrate compliance with the strict sovereignty criteria of Annex II, which may require structural separation from third-country control.
- Transition Periods: If a risk assessment requires migration to a more sovereign cloud service, Article 29(6) provides a reasonable transition period that shall not exceed 12 months. You must plan your migration strategies accordingly to avoid non-compliance.
- Penalties and Enforcement: Member States will designate national competent authorities to enforce these rules (Article 25). While specific fines are to be determined by Member States, Article 24 mandates that penalties be effective, proportionate and dissuasive. Failing to conduct proper risk assessments, or procuring non-compliant services, could result in significant legal and financial repercussions.
Common misconceptions
"Economic coercion risk is only a concern for defence and intelligence agencies." No. Recital 50 and Article 29 apply to a broad range of public sector activities, including those in sectors falling under Annex I or II of the NIS2 Directive, as well as internal security, border management, and law enforcement. Any public sector body using cloud services for critical functions must assess these risks.
"We can mitigate coercion risk through contractual clauses alone." No. While contractual measures are part of the solution, CADA recognizes that contractual clauses cannot fully override third-country laws that compel data access or service disruption. The risk assessment must evaluate the actual legal and technical safeguards in place, which is why higher Union assurance levels require independent audits and strict criteria regarding third-country control.
"Monopoly pricing is just a commercial issue, not a security risk." No. Recital 50 explicitly lists "monopoly pricing damaging the financial interest of the Union and Member States" as a dependency vulnerability. This is treated as a risk to public order because it can undermine the financial sustainability and operational continuity of critical public services.
Related
- Why is the CADA risk assessment described as a risk-based and context-specific approach?
- When is the first CADA risk assessment due?
- What triggers cloud migration after a CADA risk assessment?
- CADA Risk Assessment Reports: What Must Be Submitted to the Commission?
- What public sector activities must be identified in a CADA risk assessment?
This is general information about a draft EU regulation, not legal advice.