Summary

Under the proposed Cloud and AI Development Act (CADA), a risk assessment is a strategic tool designed to identify and mitigate operational dependency on single cloud providers, rather than merely a data protection exercise. Article 29(9) explicitly obliges Member States and Union entities to consider whether a "multi-vendor or multi-cloud strategy is appropriate" when evaluating reliance on a single provider. Guided by Recital 65, this assessment must weigh the risks of concentration against the need for service continuity and sovereignty. If the assessment reveals that a single point of failure could undermine public order, a multi-vendor approach becomes a necessary mitigation measure to ensure resilience.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework for strengthening Europe's cloud and AI ecosystem. Central to this framework is the requirement for Member States and Union entities to conduct regular risk assessments to determine the appropriate Union assurance level for their cloud services. While the assurance levels (1 through 4) define the technical and legal criteria for sovereignty, the process of selecting the right level relies heavily on an evaluation of operational resilience, specifically regarding market concentration and single-provider dependency.

The Legal Basis: Article 29 and the Mandate to Assess Dependency

Article 29 of the proposal sets out the obligations for Member States and Union entities to conduct risk assessments. These assessments must identify public sector activities that contribute to the preservation of public order and determine which Union assurance level (2, 3, or 4) is appropriate for those activities.

The specific mechanism for identifying single-provider dependency is found in Article 29(9), which states:

"In their risk assessments, Member States and Union entities shall consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement of cloud computing services."

This provision transforms the risk assessment from a static compliance check into a dynamic architectural review. It requires the assessor to evaluate whether relying on a single cloud computing service provider creates an unacceptable level of risk to public order, operational continuity, or strategic autonomy. The assessment is not merely about whether a provider meets the technical criteria for a specific assurance level, but whether the structure of the procurement itself introduces systemic vulnerabilities.

Recital 65: The Rationale for Multi-Vendor Strategies

The legislative intent behind Article 29(9) is clarified in Recital 65 of the CADA proposal. The recital explicitly addresses the dangers of concentration:

"To enhance resilience and limit dependency on a single cloud computing service provider, Union entities and Member States should, as part of their public procurement procedures, consider whether a multi-vendor or multi-cloud strategy may be appropriate."

Recital 65 further specifies that the decision to adopt a multi-cloud architecture must be based on a "context-specific risk assessment." This assessment should identify "operational, regulatory, or resilience-related circumstances that would support the adoption of a multi-vendor or multi-cloud strategy."

This language is critical. It means that a single-provider dependency is not automatically prohibited, but it must be rigorously justified. If the risk assessment reveals that a single provider's failure, geopolitical pressure, or service disruption could critically impair public order, a multi-vendor approach becomes a necessary mitigation measure. The recital emphasizes that the decision is not a blanket mandate for multi-cloud, but a requirement to consider it based on the specific risks identified.

How the Assessment Identifies Single-Provider Dependency

When conducting a CADA risk assessment under Article 29, public sector bodies and Union entities must evaluate several specific factors to identify if a single-provider dependency exists and whether it is acceptable. The assessment must weigh the following:

  1. Operational Criticality and Public Order: The assessment must first determine if the service supports essential public functions. Article 29(1) requires identifying activities that contribute to the preservation of public order in sectors such as national security, internal security, defence, justice, or law enforcement. If a service is critical to these areas, the tolerance for a single point of failure is significantly lower. The assessment must ask: "If this single provider fails, does public order collapse?"

  2. Provider Concentration and Market Structure: The assessment must quantify the concentration risk. The explanatory memorandum of the proposal notes that the current landscape is characterized by a "pronounced dependence on a limited pool of third-country providers," with three non-EU hyperscalers controlling over 70% of the European cloud market. A risk assessment must evaluate whether the specific service being procured is dominated by one or two providers. If the market is highly concentrated, the risk of a single-provider failure is inherently higher, necessitating a multi-vendor strategy.

  3. Exit Strategy and Portability: The assessment must evaluate the ability to move workloads. If a workload cannot be moved to another provider without significant loss of data, functionality, or excessive cost, the dependency is high. The risk assessment must consider whether the technical architecture allows for interoperability and data portability, as required by the broader CADA framework and the Data Act.

  4. Geopolitical and Legal Exposure: The assessment must weigh the risk that a single provider's legal obligations in a third country could undermine EU sovereignty. This includes the risk of extraterritorial laws compelling data access or service disruption. If a single provider is subject to such laws, the concentration of risk is amplified. The assessment must determine if a multi-vendor strategy, potentially involving providers from different jurisdictions or assurance levels, is necessary to mitigate this exposure.

Multi-Vendor Mitigation as a Strategic Requirement

The CADA does not mandate a multi-cloud strategy for every use case. Instead, it requires that the possibility of such a strategy be evaluated. Article 29(9) and Recital 65 establish a "consideration obligation." If the risk assessment determines that a multi-vendor approach is necessary to mitigate the risks identified, this conclusion must influence the procurement strategy.

For example, if the assessment concludes that a single-provider model poses a disproportionate risk to public order, the procurement requirements must shift. Tender documents might specify interoperability standards, require bidders to demonstrate how their services can coexist with other providers, or explicitly mandate a multi-vendor architecture. This approach aligns with the broader CADA objective of reducing dependencies on critical technologies and fostering a competitive EU cloud market.

By forcing a rigorous evaluation of single-provider risks, CADA encourages public sector bodies to diversify their supplier base. This diversification strengthens the overall resilience of the EU's digital infrastructure, ensuring that no single point of failure can compromise the Union's public order or strategic autonomy.

What this means for you

For CTOs, architects, and cloud service providers (including SMEs) operating in the EU public sector, the CADA risk assessment process has profound practical implications:

  • Document Your Dependency Analysis Explicitly: Your risk assessment under Article 29 must explicitly address single-provider dependency. Do not assume that using a leading global provider is sufficient. You must document why a single-provider model is or is not appropriate for your specific use case, referencing the criteria in Article 29(9) and Recital 65. If you choose a single provider, you must demonstrate that the risk has been assessed and that a multi-vendor strategy was considered and deemed unnecessary or impractical for your specific context.

  • Design for Portability and Interoperability: If you are an SME offering cloud services to the public sector, ensure your solutions are interoperable and avoid vendor lock-in. Public sector buyers will increasingly favor providers that facilitate multi-cloud strategies, as required by the risk assessment outcomes. Your architecture should support data portability and standard interfaces to make it easier for clients to adopt a multi-vendor approach if their risk assessment dictates it.

  • Prepare for Multi-Cloud Procurement: Public sector tenders may increasingly specify multi-vendor architectures. Ensure your technical architecture can integrate with other providers and that your contract terms allow for flexible data portability. Be prepared to demonstrate how your service fits into a broader, resilient ecosystem rather than acting as a siloed solution.

  • Leverage Union Assurance Levels: Understanding the Union assurance levels (1-4) is crucial. Higher assurance levels often come with stricter requirements on data localization and provider control. A multi-vendor strategy might be used to distribute risk across providers with different assurance levels, depending on the sensitivity of the data. For instance, a public body might use a Level 2 provider for general operations and a Level 4 provider for highly sensitive data, thereby mitigating the risk of a single point of failure while meeting specific sovereignty requirements.

Common misconceptions

"CADA bans single-provider contracts." No. CADA does not ban single-provider contracts. It requires that the risk of such contracts be assessed. If the risk assessment determines that a single-provider model is acceptable given the context (e.g., low criticality, high portability, or lack of viable alternatives), it can be used. However, the burden of proof is on the public sector body to demonstrate that the risk is managed and that a multi-vendor strategy was considered.

"Multi-cloud is mandatory for all public sector bodies." No. Multi-cloud is a mitigation strategy to be considered, not a blanket requirement. Recital 65 states that the decision should be based on a "context-specific risk assessment." For less critical services, or where a single provider offers superior resilience and portability, a single-provider model may be sufficient. The key is the assessment, not the outcome.

"Risk assessments are only about data privacy." No. While data protection is a component, CADA risk assessments under Article 29 are broader. They include operational continuity, sovereignty, and public order. Single-provider dependency is a key operational and sovereignty risk, not just a privacy issue. The assessment must weigh the risk of service disruption, geopolitical coercion, and market concentration, in addition to data protection concerns.

This is general information about a draft EU regulation, not legal advice.