Summary

As proposed, the Cloud and AI Development Act (CADA) does not mandate a multi-cloud strategy for all public sector activities. Instead, Article 29(9) explicitly requires Member States and Union entities to evaluate whether such a strategy is "appropriate" as part of their mandatory risk assessments. This evaluation must be context-specific, weighing operational, regulatory, and resilience-related circumstances to determine if a multi-vendor approach mitigates critical dependencies. As clarified in Recital 65, this assessment directly informs public procurement decisions, ensuring that the choice between single-vendor and multi-cloud architectures is driven by a documented analysis of public order risks rather than vendor preference or technical habit.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a rigorous framework for managing strategic dependencies on cloud computing services. While the Act's primary mechanism for ensuring sovereignty is the "Union assurance level" framework (Levels 1–4), it explicitly recognizes that architectural choices, specifically the reliance on a single provider versus a multi-vendor ecosystem, are critical to resilience.

The Legal Basis: Article 29(9) and Recital 65

The core obligation is found in Article 29(9), which states: "In their risk assessments, Member States and Union entities shall consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement of cloud computing services."

This provision elevates the decision to adopt a multi-cloud architecture from a purely technical or commercial preference to a compliance-driven requirement. It mandates that the decision to adopt (or reject) a multi-cloud strategy must be explicitly considered and documented within the broader risk assessment framework required by Article 29(1).

Recital 65 provides the necessary interpretative context for this requirement. It clarifies that the decision to adopt a multi-cloud architecture "should be based on a context-specific risk assessment." The recital further specifies that this assessment must identify "any relevant operational, regulatory or resilience-related circumstances that would support the adoption of a multi-vendor or multi-cloud strategy."

This linkage ensures that the architecture of the cloud environment is aligned with the sovereignty and resilience goals of the Act. It prevents the arbitrary adoption of multi-cloud setups, which can unnecessarily increase complexity and cost, while simultaneously preventing the unchecked reliance on single vendors, which poses significant strategic risks to public order.

Context-Specific Assessment Factors

The requirement for a "context-specific" assessment means that there is no one-size-fits-all rule. Under Article 29(9), CTOs, architects, and risk managers must evaluate three primary dimensions when deciding if a multi-cloud approach is warranted for a specific public sector activity:

  1. Operational Factors: The assessment must evaluate the technical complexity, integration challenges, and data portability requirements inherent to the specific activity. A multi-cloud strategy may be operationally justified if it allows for specialized workloads (e.g., using one provider for high-performance computing and another for general storage) or if it enables better geographic distribution of data to meet latency requirements. However, if the operational burden of managing multiple providers outweighs the benefits, the risk assessment may conclude that a single-vendor approach is more appropriate, provided other risks are mitigated. The assessment must document why the operational trade-offs favor one architecture over the other.

  2. Regulatory Factors: This involves analyzing compliance obligations under CADA, the GDPR, and sector-specific regulations. For instance, if a public sector activity processes data that requires Union assurance level 3 or 4, the risk assessment must determine if a single provider can meet these stringent sovereignty criteria for all required workloads. If no single provider can offer the required assurance level for the entire scope of the activity, a multi-cloud strategy might be necessary to distribute risk across providers that meet different assurance levels. Additionally, regulatory requirements for data localization or specific cybersecurity certifications may influence the choice, necessitating a split architecture to satisfy conflicting or complementary regulatory demands.

  3. Resilience Factors: This is the core of CADA's sovereignty objective. The assessment must evaluate the risk of vendor lock-in, service disruption, and geopolitical dependencies. A multi-cloud strategy enhances resilience by reducing dependence on a single provider's infrastructure, jurisdiction, or supply chain. If a single provider's failure or a third-country intervention would critically impact public order, the risk assessment should likely support a multi-vendor approach to ensure business continuity. Conversely, if the activity is low-risk and the provider offers robust disaster recovery mechanisms that are independent of the primary infrastructure, a single-vendor strategy might be deemed sufficient.

Integration with Public Procurement

The risk assessment is not an isolated exercise; it directly feeds into public procurement procedures under Article 30. Article 30 requires contracting authorities to procure cloud computing services that meet the assurance level determined by the risk assessment. If the risk assessment concludes that a multi-cloud strategy is appropriate to mitigate risks, the procurement process must reflect this.

This means procurement documents may need to be structured to allow for the selection of multiple providers, potentially through separate lots or a federated approach. The procurement strategy must ensure that the chosen multi-cloud architecture can meet the required Union assurance levels for each component. For example, if the risk assessment dictates that sensitive data must be hosted on a Level 4 service, the procurement must ensure that at least one provider in the multi-cloud setup can offer this level, while other providers may offer lower levels for less sensitive workloads.

Furthermore, Article 32 introduces "Union added value" criteria in procurement. A multi-cloud strategy that leverages multiple European providers could enhance the Union added value score, as it strengthens the digital supply chain within the Union. However, this must be balanced against the technical and financial criteria, which remain decisive under Article 32(2).

What this means for you

For CTOs, architects, and SMEs involved in public sector cloud projects, the CADA risk assessment process introduces a new layer of documentation and justification for architectural decisions.

For CTOs and Architects:

  • Document Your Architecture: You can no longer choose a cloud architecture solely based on technical preference or historical relationships. You must explicitly document why a single-vendor or multi-cloud approach was chosen, referencing the specific operational, regulatory, and resilience factors identified in Article 29(9).
  • Align with Assurance Levels: Ensure that your multi-cloud design maps clearly to the required Union assurance levels. If you are using multiple providers, each must be assessed against the criteria in Annex II of CADA. A multi-cloud strategy does not lower the assurance requirements for the specific data being processed.
  • Plan for Complexity: If the risk assessment supports a multi-cloud strategy, you must be prepared to manage the increased complexity of data integration, security management, and vendor coordination. The risk assessment should acknowledge these complexities and justify them as necessary for resilience.

For SMEs:

  • Competitive Opportunities: A multi-cloud strategy can create opportunities for SMEs to provide specialized services within a larger ecosystem. If large incumbents cannot meet all assurance levels or operational requirements for a specific niche, SMEs may be able to fill gaps in specific areas (e.g., niche AI services or localized data storage).
  • Compliance Readiness: Ensure your services can be clearly mapped to the CADA assurance levels. If you are a smaller provider, you may be more agile in meeting specific Union assurance level 1 or 2 requirements, making you an attractive partner in a multi-cloud setup where a "best-of-breed" approach is required.

For Procurement Officers:

  • Structured Tendering: Design procurement processes that allow for multi-vendor selection if the risk assessment supports it. This may involve splitting contracts into lots or using dynamic purchasing systems to accommodate different assurance levels.
  • Risk Documentation: Maintain clear records of the risk assessment that led to the procurement decision. This documentation will be subject to review by competent authorities and must demonstrate that the decision was driven by the "context-specific" factors outlined in Recital 65.

Common misconceptions

"CADA mandates multi-cloud for all public sector activities." No. Article 29(9) requires an assessment of whether it is appropriate. For many low-risk activities, a single-vendor strategy may be sufficient and more cost-effective. The decision must be justified by the risk assessment, not by a blanket mandate.

"Multi-cloud automatically ensures sovereignty." No. Multi-cloud only enhances sovereignty if the providers involved meet the required Union assurance levels. A multi-cloud setup using only non-Union providers or providers that do not meet the assurance criteria does not mitigate sovereignty risks. Each provider in the multi-cloud environment must be assessed individually against Annex II.

"The risk assessment is a one-time event." No. Article 29(1) requires risk assessments to be carried out at least every two years, or whenever necessary. As cloud technologies and geopolitical risks evolve, the appropriateness of a multi-cloud strategy may change, requiring updates to the assessment and potentially the procurement strategy.

"Only large enterprises need to worry about this." No. While the risk assessment obligation applies to Member States and Union entities, the implications ripple through the supply chain. SMEs providing services to these entities must understand the assurance levels and architectural requirements to remain competitive in a market where multi-cloud strategies are increasingly common.

This is general information about a draft EU regulation, not legal advice.