Summary

As proposed, the Cloud and AI Development Act (CADA) does not prescribe a specific mathematical formula or quantitative metric for calculating the financial or operational impact of a cloud outage. Instead, Article 29 requires Member States and Union entities to conduct risk assessments that determine the appropriate Union assurance level based on the sensitivity, criticality, and magnitude of the data processed, and the risk of service disruption to public order. The assessment focuses on qualitative and contextual factors (such as the impact on national security, healthcare, or justice) rather than a standardized numerical score. Crucially, Article 29(2)(c) mandates evaluating the "risk and consequent impact on public order of possible service disruption," while Article 29(9) explicitly requires considering multi-vendor or multi-cloud strategies as a mitigation measure.

Detail

The Cloud and AI Development Act (CADA), as set out in the proposal COM(2026) 502 final, introduces a rigorous framework for evaluating the risks associated with cloud computing services in the public sector. For CTOs, architects, and compliance officers, the core mechanism for this evaluation is the risk assessment mandated by Article 29. It is crucial to understand that CADA does not define a universal "outage impact score" or a standardized financial loss calculator. Instead, it establishes a risk-based approach where the severity of a potential outage is determined by its effect on "public order."

The Legal Basis: Article 29 and Public Order

Under Article 29(1), Member States and Union entities must carry out risk assessments to identify public sector activities that contribute to the preservation of public order. This obligation specifically covers sectors falling under Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive), as well as activities in the areas of national security, internal security, external border management, defence, justice, and law enforcement, including the prevention, investigation, detection, and prosecution of criminal offences.

The assessment must determine which Union assurance level (2, 3, or 4) is appropriate for these identified activities. The "impact" of a cloud outage is not measured in lost revenue or SLA penalties alone, but in the degree to which the disruption undermines these critical functions. The goal is to ensure that the supply of cloud computing services is resilient enough to prevent harm that could undermine public order.

Assessing Continuity, Quality, and Resilience

Article 29(2) outlines the specific aspects that must be considered during the risk assessment. While Article 29(2)(a) and (b) focus on the sensitivity of data and the risk of unlawful access, Article 29(2)(c) is the provision directly relevant to cloud outages and service continuity:

"(c) the risk and consequent impact on public order of possible service disruption;"

This provision requires evaluators to analyze how a loss of service continuity, a degradation of service quality, or a breach of resilience would affect public order. The text of the proposal does not distinguish between a total outage and a partial degradation; both fall under the umbrella of "service disruption."

For example, a cloud outage affecting a non-critical administrative database may have a low impact on public order. However, an outage affecting emergency response dispatch systems, judicial case management, or healthcare data processing could have a severe impact, thereby necessitating a higher Union assurance level (such as Level 3 or 4). The assessment must consider the "risk and consequent impact," implying a two-step analysis: first, the likelihood of the disruption, and second, the severity of its consequences for public order.

Recital 46 of the CADA proposal further contextualizes this by highlighting the risks associated with dependence on a limited number of cloud providers. It states that this dependence exposes the Union to "concentration risks, including vulnerabilities arising from the extraterritorial application of third-country laws, potential disruptions affecting the continuity, quality and resilience of cloud computing services." Therefore, the risk assessment must evaluate not just the technical likelihood of an outage, but the strategic vulnerability created by relying on providers that may not guarantee sufficient resilience or autonomy. The recital underscores that the "continuity, quality and resilience" of the service are the key metrics for public order protection, not merely uptime percentages.

Quantifying vs. Qualifying Impact

Since CADA does not provide a quantitative formula, "quantifying" the impact in a CADA context means qualitatively mapping the outage scenario to the defined assurance levels. The process involves:

  1. Identifying the Activity: Determine if the cloud service supports a function critical to public order (e.g., justice, defence, healthcare, border management).
  2. Evaluating Disruption Scenarios: Analyze the consequences of a total outage, partial degradation, or latency increase. The assessment must consider the "magnitude" of the data and the "criticality" of the activity.
  3. Mapping to Assurance Levels: If the disruption would significantly hinder public order, the activity likely requires Union Assurance Level 2, 3, or 4. Level 1 is the minimum baseline for all public sector procurement, but higher levels are required for critical activities where the risk of disruption is high.

The Commission will provide guidance via implementing acts (as noted in Article 29(3)) to specify the methodology to be applied, the templates to be used, and the elements to be taken into account. The methodology will specify how Member States use the highest level of assurance for the most critical public sector activities, including defence. Until these acts are adopted, organizations must develop their own robust frameworks for evaluating these risks based on the qualitative criteria in Article 29.

Mitigation Through Multi-Cloud Strategies

CADA explicitly encourages architectural decisions that mitigate outage risks. Article 29(9) states that Member States and Union entities shall consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement of cloud computing services.

A multi-cloud approach can reduce the impact of a single-provider outage by distributing workloads across different providers. However, the risk assessment must determine if this strategy is sufficient to maintain public order. For instance, if a multi-cloud setup still relies on providers subject to similar third-country controls or shared infrastructure risks, the assessment might still conclude that a higher assurance level or additional safeguards are necessary. The decision to adopt a multi-vendor or multi-cloud strategy should be based on a context-specific risk assessment that identifies any relevant operational, regulatory, or resilience-related circumstances.

The Role of Data Sensitivity and Magnitude

While Article 29(2)(c) focuses on service disruption, it must be read in conjunction with Article 29(2)(a), which requires assessing the "sensitivity, criticality, and magnitude of the non-personal data processed." An outage is more impactful if it involves large volumes of critical data or data that is difficult to replicate. Therefore, the "impact" is a composite of service availability and data integrity. The assessment must also consider the "risk of varying likelihood and severity for the rights and freedoms of data subjects" when personal data is involved.

Private Sector Parallel: Article 31

While Article 29 applies to Member States and Union entities, private sector entities operating in sectors of high criticality (as defined in Annex I of the NIS2 Directive) are not left without guidance. Article 31 allows these entities to carry out similar impact assessments. Furthermore, the Commission may issue guidance on the methodology for these assessments and may adopt delegated acts to specify the need for such assessments and risk mitigation measures for private companies in high-criticality sectors.

What this means for you

For CTOs, architects, and SMEs evaluating CADA compliance, the absence of a simple numerical formula means you must build a more nuanced risk assessment framework.

  1. Map Services to Public Order: Identify which of your cloud services support critical public sector functions. If you provide services to government entities, understand which of their activities are classified as contributing to public order under Article 29(1).
  2. Document Disruption Scenarios: Go beyond standard SLAs. Document the specific consequences of an outage for each critical service. How long can the public sector body operate without this service before public order is compromised? Consider the "continuity, quality and resilience" aspects highlighted in Recital 46.
  3. Evaluate Multi-Cloud Viability: Assess whether your architecture supports a multi-cloud strategy as required by Article 29(9). If you are a provider, demonstrate how your service can be integrated into a multi-vendor environment to mitigate outage risks. If you are a public sector buyer, use the risk assessment to justify the cost and complexity of multi-cloud deployments for critical services.
  4. Prepare for Higher Assurance Levels: If your service is deemed critical, be prepared to meet the stringent requirements of Union Assurance Levels 2, 3, or 4. This includes independent audits, strict data localization, and personnel screening.
  5. Monitor Commission Guidance: Keep an eye on the implementing acts referenced in Article 29(3), which will provide detailed templates and methodologies for conducting these risk assessments.

Common misconceptions

  • Misconception 1: CADA provides a standard outage impact calculator.
    • Reality: CADA does not provide a mathematical formula. It requires a qualitative risk assessment based on the impact on public order, data sensitivity, and service disruption.
  • Misconception 2: Only financial loss matters in the assessment.
    • Reality: The assessment focuses on "public order," which includes national security, justice, healthcare, and other critical functions. Financial loss is a secondary consideration compared to the societal and operational impact.
  • Misconception 3: Multi-cloud is always the solution.
    • Reality: While Article 29(9) encourages multi-cloud strategies, it is not a blanket solution. The risk assessment must determine if the multi-cloud approach sufficiently mitigates the risk to public order. If both providers are subject to similar third-country controls, the risk may remain high.
  • Misconception 4: Only large government bodies need to do this.
    • Reality: While Article 29 applies to Member States and Union entities, private sector entities in high-criticality sectors (as defined in NIS2 Annex I) can carry out similar impact assessments under Article 31. SMEs providing cloud services to these entities must be prepared to support these assessments.

This is general information about a draft EU regulation, not legal advice.