Summary

Under the proposed Cloud and AI Development Act (CADA), a mandatory risk assessment acts as the critical bridge between public-sector activities and cloud procurement obligations. Member States and Union entities must conduct these assessments to determine if their activities contribute to the "preservation of public order" (Article 29). If an activity is identified as public-order relevant, the contracting authority is legally required to procure cloud services recognized at Union assurance levels 2, 3, or 4 (Article 30(3)). Conversely, for activities not identified as contributing to public order, the law mandates a baseline procurement of Union assurance level 1 (Article 30(2)). This mechanism ensures that procurement decisions are strictly aligned with sovereignty and security requirements, preventing the use of non-compliant infrastructure for critical functions.

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, introduces a structured, risk-based framework for public procurement of cloud computing services. Unlike previous regulations that focused primarily on technical cybersecurity or data protection, CADA explicitly ties procurement eligibility to a sovereign risk assessment. The core of this approach lies in the direct linkage between the findings of a mandatory risk assessment and the specific Union assurance levels a contracting authority must procure. This linkage is designed to safeguard public order while maintaining a consistent baseline of trust for all public-sector cloud usage across the Union.

The Risk Assessment Requirement (Article 29)

The entire procurement process under CADA begins with the obligation to conduct a risk assessment. This is not a voluntary best practice but a statutory requirement that dictates the subsequent legal obligations of the contracting authority.

Article 29(1) mandates that Member States and Union entities carry out these risk assessments within one year of the Regulation's entry into force, and thereafter every two years, or whenever necessary. The primary objective of this assessment is twofold. First, under Article 29(1)(a), entities must identify public sector activities that contribute to the preservation of public order. This includes sectors falling under Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive) and specific areas such as national security, internal security, external border management, defence, justice, and law enforcement, including the prevention, investigation, detection, and prosecution of criminal offences.

Second, and crucially for procurement, Article 29(1)(b) requires entities to "determine which Union assurance level 2, 3, or 4 set out in Annex II of this Regulation is appropriate for the identified public sector activities."

When conducting these assessments, Member States and Union entities must consider specific factors outlined in Article 29(2). These include the sensitivity, criticality, and magnitude of the non-personal and personal data processed, the potential impact on public order, and the risk of unlawful access by a third country or a legal entity established in a third country. They must also assess the risk of service disruption. The Commission is empowered to provide implementing acts to specify the methodology and templates for these assessments, ensuring consistency across the Union.

The Procurement Obligation (Article 30)

Once the risk assessment is completed and the activities are classified, the findings directly trigger specific procurement obligations under Article 30. CADA establishes a tiered system where the level of assurance required is entirely dependent on the outcome of the risk assessment.

1. Non-Public-Order Activities: The Level 1 Baseline

For the majority of public sector activities that are not identified as contributing to the preservation of public order, CADA sets a mandatory minimum standard. Article 30(2) explicitly states: "Union entities and public sectors bodies whose public sector activities have not been identified as contributing to the preservation of public order under the risk assessment referred to in Article 29(1) shall use cloud computing services that have been recognised under Article 17 as having a Union assurance level 1."

This provision ensures that even for routine administrative tasks or non-critical digital services, public authorities cannot simply choose any cloud provider. They must procure from providers that have successfully undergone the conformity self-assessment and recognition process for Union assurance level 1. As detailed in Annex II, Level 1 requires providers to be established in the Union, keep infrastructure and data within the Union (unless explicitly required otherwise by the public sector body), and demonstrate compliance with state-of-the-art cybersecurity standards. This creates a "sovereign baseline" for the entire public sector.

2. Public-Order Activities: Assurance Levels 2–4

For activities identified as contributing to the preservation of public order, the requirements are significantly stricter and more rigorous. Article 30(3) mandates: "Contracting authorities, including the entities acting on their behalf, whose activities have been identified as contributing to the preservation of public order under Article 29(1) in sectors falling under Annex I or II of Directive (EU) 2022/2555 and in the areas of national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offence, shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."

These higher assurance levels require independent third-party audits rather than self-assessment and impose stricter criteria regarding personnel citizenship, data localization, and the absence of third-country control.

  • Level 2 requires that infrastructure, assets, and personnel are located in the Union, and the service obtains a European cybersecurity certificate of at least assurance level 'substantial'.
  • Level 3 adds the requirement that personnel involved in the provision of the service are Union citizens (where appropriate, with security clearance) and generally prohibits control by a third country, unless a specific derogation under Article 18 applies.
  • Level 4 is the highest tier, requiring a 'high' cybersecurity certificate and strict controls for sensitive data identified through the risk assessment.

Exceptions and Derogations

CADA recognizes that strict adherence to these rules may not always be feasible in the short term. Article 30(4) provides for exceptional derogations. On an exceptional basis and where duly justified, contracting authorities may decide not to procure recognized services if:

  • The subject matter of the tender cannot be supplied by recognized cloud computing services available in the central repository, and no adequate or reasonable alternative exists.
  • The contracting authority has launched a similar procurement process within the previous year but did not receive any suitable tenders or suitable participants.
  • Applying the requirements would require the contracting authority to procure services at disproportionate cost.

These exceptions are narrow and require due justification, ensuring that the sovereignty framework remains the default rule and is not bypassed for convenience.

The Role of the Central Repository

To facilitate this linkage and ensure transparency, the Commission is required to establish and maintain a central repository of cloud computing services that have been recognized as offering Union assurance levels 1–4 (Article 22). Procurement officers will use this repository to identify providers that have been officially recognized at the specific assurance levels required by their risk assessment. This creates a transparent market where public buyers can easily verify that a provider meets the necessary sovereignty and security criteria before awarding a contract. The repository will be publicly available and regularly updated.

Migration and Multi-Cloud Strategies

If a risk assessment determines that a current cloud service does not meet the required assurance level, Article 29(6) stipulates that the Member State or Union entity must migrate to a compliant service within a reasonable transition period that shall not exceed 12 months. This timeline takes into account technical feasibility, continuity of service, and data portability requirements.

Furthermore, Article 29(9) encourages Member States and Union entities to consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement. This approach can enhance resilience and reduce dependency on a single provider, aligning with the broader objectives of the Act to reduce strategic dependencies.

What this means for you

For public-sector procurement officers, legal counsel, and IT directors, CADA fundamentally changes how cloud vendors are evaluated. You can no longer treat cloud procurement as a purely technical or financial exercise; it is now a compliance-driven process anchored in a formal risk assessment.

1. Conduct and Document Risk Assessments Early

Before drafting any tender for cloud services, your organization must have a valid risk assessment in place. You need to clearly categorize your activities: do they contribute to public order? If yes, which assurance level (2, 3, or 4) is appropriate? This classification must be documented and aligned with the methodology provided by the Commission. Without this classification, you cannot legally define the minimum requirements for your tender. Failure to conduct this assessment could render your procurement process non-compliant.

2. Adjust Your Technical Specifications

Your procurement documents must explicitly require Union assurance levels. For non-public-order activities, specify that the provider must hold recognition for Union assurance level 1. For public-order activities, specify the required level (2, 3, or 4) based on your risk assessment. You should reference the central repository as the source of truth for verified providers. This shifts the burden of proof to the provider to demonstrate their recognized status. Your tender documents must state that only services listed in the central repository at the required level will be considered.

3. Plan for Migration and Transition

If your current cloud providers do not meet the required assurance levels, you face a migration challenge. Article 29(6) notes that if a risk assessment requires migration, it must occur within a reasonable transition period not exceeding 12 months. Procurement officers must start planning these transitions early, considering technical feasibility and data portability. You may need to initiate parallel procurement processes to ensure continuity of service during the migration.

4. Monitor the Central Repository

Stay engaged with the Commission's central repository of recognized services. As a procurement officer, this tool will be essential for verifying vendor eligibility. It will also help you gauge market availability for higher assurance levels, which may initially be limited. If the repository shows a lack of providers at Level 3 or 4, you may need to consider the derogation for "unavailability" carefully, but only after demonstrating that no suitable tenders were received.

5. Consider Multi-Cloud Strategies

Article 29(9) encourages entities to consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement. This can enhance resilience and reduce dependency on a single provider. Your risk assessment should evaluate whether a multi-cloud approach mitigates specific risks identified in your activities, particularly regarding service continuity and third-country control.

Common misconceptions

Misconception 1: Only high-security sectors need to worry about CADA. Reality: CADA applies to all public-sector cloud procurement. Even if your department does not handle sensitive national security data, you must still procure at least Union assurance level 1 (Article 30(2)). The risk assessment is mandatory for all Member States and Union entities, not just defence or justice departments. The baseline requirement ensures a minimum level of sovereignty across the entire public sector.

Misconception 2: The risk assessment is a one-time task. Reality: Article 29(1) requires risk assessments to be carried out initially, and then every two years, or whenever necessary. Technology, threats, and operational contexts change. Your procurement strategy must be flexible enough to adapt to updated risk assessments. A classification made today may need to be revised in two years if the risk landscape evolves.

Misconception 3: I can choose any provider if I justify the cost. Reality: The derogations in Article 30(4) are exceptional and narrow. You cannot bypass assurance level requirements simply because a non-compliant provider is cheaper. You must demonstrate that no recognized provider can supply the subject matter, or that previous tenders failed to yield suitable participants. "Disproportionate cost" is a high bar and requires rigorous justification, not just a budget constraint.

Misconception 4: Union assurance level 1 is just a self-declaration with no oversight. Reality: While level 1 relies on a conformity self-assessment (Article 19), it is not without accountability. Providers must issue an EU statement of conformity and assume responsibility for compliance. Furthermore, national competent authorities supervise the framework, and providers must report material changes that could affect their status (Article 23). Penalties for infringements are effective, proportionate, and dissuasive (Article 24).

Misconception 5: Private sector entities have the same obligations. Reality: CADA's mandatory procurement rules (Article 30) apply to contracting authorities and Union entities. However, Article 31 allows private sector entities operating in sectors of high criticality (as listed in Annex I of the NIS2 Directive) to carry out similar impact assessments. The Commission may also issue guidance or, in specific cases, require impact assessments for private entities through delegated acts. While not mandatory procurement rules, this creates a strong market signal for private buyers in critical sectors to follow similar assurance practices.

This is general information about a draft EU regulation, not legal advice.