Summary
Under the proposed Cloud and AI Development Act (CADA), a risk assessment is the mandatory legal mechanism that determines whether a public sector activity requires the baseline Union assurance level 1 or a higher level (2, 3, or 4). Article 29 obliges Member States and Union entities to assess which activities contribute to the preservation of public order. Specifically, Article 29(1)(b) requires these bodies to determine "which Union assurance level 2, 3, or 4 set out in Annex II of this Regulation is appropriate for the identified public sector activities." The assessment evaluates data sensitivity, the risk of third-country access, and the potential impact of service disruption. Only activities identified as contributing to public order trigger the procurement of higher assurance levels; all others default to level 1.
Detail
The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a "Union cloud computing sovereignty framework" consisting of four distinct assurance levels. This framework, defined in Article 16 and detailed in Annex II, is designed to provide a proportionate approach to cloud sovereignty. While Union assurance level 1 serves as the baseline for general public sector use, levels 2, 3, and 4 impose increasingly stringent requirements regarding establishment, infrastructure location, personnel citizenship, and third-country control.
The critical question for public sector bodies is: Which level applies to my specific activity? The answer is not determined by the cloud provider's marketing or a generic industry standard, but by a specific, legally mandated risk assessment conducted by the Member State or Union entity itself.
The Legal Mandate: Article 29
The core obligation to perform this mapping is found in Article 29 of the CADA proposal. This article establishes the "Risk assessments" procedure, which serves as the bridge between a public sector body's operational reality and the technical criteria of the sovereignty framework.
Article 29(1) sets the timeline and scope. Member States and Union entities must carry out these risk assessments within one year of the Regulation's entry into force, and subsequently every two years, or whenever necessary. The assessment has two distinct but linked outputs:
- Identification: It must identify public sector activities that use or will use cloud computing services and that "contribute to the preservation of public order." This includes sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2), as well as specific areas such as national security, internal security, external border management, defence, justice, and law enforcement.
- Mapping: Crucially, Article 29(1)(b) mandates that the assessment must "determine which Union assurance level 2, 3, or 4 set out in Annex II of this Regulation is appropriate for the identified public sector activities."
This provision is the legal pivot point. Level 1 is not among the options for the identified activities: once an activity is identified as contributing to public order, the assessment must place it at level 2, 3, or 4, while level 1 remains the default for everything not so identified. The risk assessment is therefore the gatekeeper that elevates an activity from the baseline to the higher tiers of sovereignty.
Criteria for Determining the Level
When conducting the assessment to map an activity to level 2, 3, or 4, the decision cannot be arbitrary. Article 29(2) outlines the specific aspects that Member States and Union entities must consider to justify their choice:
- Data Sensitivity and Criticality: The assessment must evaluate the "sensitivity, criticality, and magnitude of the non-personal data processed." It must also analyze the "potential impact on public order" and the nature, scope, context, and purpose of processing personal data. This includes assessing the risk to the rights and freedoms of data subjects.
- Risk of Third-Country Access: A primary driver for higher assurance levels is the risk of "unlawful access under Union law to such data by a third country or a legal entity established in a third country." If an activity involves data where foreign access would undermine public order, a higher level is required.
- Risk of Service Disruption: The assessment must weigh the "risk and consequent impact on public order of possible service disruption." If a cloud outage would severely hamper critical functions (e.g., emergency services or defence logistics), this supports the need for a higher Union assurance level.
Linking the Assessment to the Four-Tier Framework
The risk assessment acts as the selector for the criteria defined in Annex II, which operationalizes the framework established in Article 16. The mapping logic is as follows:
- The Default (Level 1): If an activity is not identified in the risk assessment as contributing to the preservation of public order, Article 30(2) requires the contracting authority to use cloud computing services recognised as having Union assurance level 1. This level requires the provider to be established in the Union and the infrastructure to be located in the Union, but it does not require independent third-party audits or mandatory Union citizenship for personnel.
- The Elevated Tiers (Levels 2, 3, 4): If the risk assessment identifies an activity as critical to public order, Article 30(3) requires the authority to procure only services recognised at Union assurance level 2, 3, or 4. The specific level chosen depends on the severity of the risks identified in the Article 29 assessment:
  - Level 2: Requires independent third-party audits, strict data localisation, and guarantees that data is not used to train third-country AI systems. It allows for conditional personnel screening if the public body requires it.
  - Level 3: Adds the requirement that personnel (including subcontractors) must be Union citizens (mandatory, not conditional). It also introduces stricter controls on third-country control, though Article 18 allows for a derogation where the Commission has adopted an implementing act identifying a third country as providing sufficient assurances.
  - Level 4: The highest tier, designed for the most sensitive data (e.g., classified information). It requires that sensitive data remain exclusively within the Union, that personnel be Union citizens with the necessary security clearances, and that the provider not be subject to the control of a third country. It also requires a European cybersecurity certificate of at least assurance level "high" (whereas levels 2 and 3 require "substantial").
The Commission supports this mapping process. Under Article 29(3), the Commission is empowered to adopt implementing acts specifying the methodology, templates, and elements to be taken into account. This guidance will help standardise how Member States map specific categories of information to the appropriate assurance levels, ensuring that the "sensitivity, criticality and magnitude" of data are assessed consistently across the Union.
Commission Oversight and Consistency
To prevent fragmentation where one Member State might underestimate a risk, Article 29(5) grants the Commission a supervisory role. If the Commission concludes that the Union assurance level identified in a Member State's risk assessment is "not appropriate or does not adequately address the public order concerns," it may adopt implementing acts specifying the required levels. The intent is that the four-tier framework is applied uniformly across Member States to protect the Union's public order.
Furthermore, the risk assessment is not limited to selecting a single level; it also informs procurement strategy. Article 29(9) requires Member States and Union entities to consider whether a "multi-vendor or multi-cloud strategy is appropriate" as part of their procurement. This ensures that the determination of the assurance level is accompanied by a resilience strategy to avoid single points of failure.
What this means for you
For public-sector procurement officers, IT leaders, and legal counsel, the CADA risk assessment is the foundational step that dictates your entire cloud procurement strategy. You cannot simply select a provider based on cost or technical features; you must first legally classify your activities.
- Initiate the Article 29 Assessment: You must map your public sector activities against the criteria in Article 29(1). Identify which services fall under national security, defence, justice, or critical infrastructure (NIS2 sectors). Document the sensitivity of the data and the potential impact of a breach or outage on public order.
- Determine the Required Level: Based on the assessment, decide if you need Union assurance level 1, 2, 3, or 4. Remember, Article 30(2) establishes level 1 as the default for non-critical activities. Only activities explicitly identified as contributing to public order trigger the requirement for levels 2–4 under Article 30(3).
- Specify the Level in Procurement: When tendering, you must explicitly state the required Union assurance level in your procurement documents. If your risk assessment determines that an activity requires level 3, you are legally barred from procuring level 1 or 2 services for that specific activity.
- Prepare for Higher Scrutiny: If you determine that levels 2, 3, or 4 are required, be aware that these levels demand independent third-party audits (unlike level 1's self-assessment) and strict compliance with personnel and infrastructure criteria. Ensure your internal processes can support the evidence required, such as data flow diagrams and personnel clearance records.
- Monitor Commission Guidance: The Commission will issue detailed methodologies under Article 29(3). Monitor these updates to ensure your assessments align with Union-wide standards. Failure to align could lead to the Commission intervening under Article 29(5) to override your assessment.
Common misconceptions
"All public sector cloud use requires the highest assurance level." This is incorrect. The CADA proposal is designed to be proportionate. Article 30(2) makes level 1 the default, and Article 30(3) reserves levels 2, 3, and 4 for activities that the risk assessment identifies as contributing to the preservation of public order. General administrative tasks, such as internal HR portals or non-sensitive email services, can and should use Union assurance level 1.
"The risk assessment is a one-time box-ticking exercise." The assessment is dynamic and recurring. Article 29(1) requires it to be repeated every two years, or "whenever necessary." This ensures that changes in technology, the threat landscape, or the operational scope of a public body are reflected in the assurance level determination.
"Union assurance levels are determined by the cloud provider." Two different things are easily confused here. A provider's service may be recognised as meeting the criteria of a given level, but the level a public body must procure for a given activity is fixed by that body's own Article 29 risk assessment, not by the provider's marketing claims. A provider may offer a service that meets the level 4 criteria, but if the public body's risk assessment determines that level 2 is sufficient for the activity in question, the body is not required to procure level 4. Conversely, a provider cannot unilaterally declare that an activity needs a higher level to justify a higher price; the required level must follow from the user's Article 29 assessment.
"Data protection compliance (GDPR) replaces the sovereignty risk assessment." While GDPR is crucial for personal data, it does not cover all sovereignty risks. The CADA risk assessment addresses broader public order concerns, such as operational autonomy, service continuity, and the risk of third-country interference, which go beyond individual privacy rights.
Official sources
Related
- Can a contracting authority skip the assurance level required by a CADA risk assessment?
- Can a CADA risk assessment require a higher assurance level over time?
- Can a CADA risk assessment lower the assurance level for an activity?
- How does a CADA risk assessment determine when to migrate cloud services?
- Why is the CADA risk assessment described as a risk-based and context-specific approach?
This is general information about a draft EU regulation, not legal advice.