Summary

Under the proposed Cloud and AI Development Act (CADA), the risk assessment mandated by Article 29 is the critical mechanism ensuring that cloud procurement obligations respect the EU principles of proportionality and subsidiarity. Rather than imposing a blanket "highest security" requirement on all public bodies, the proposal requires Member States and Union entities to identify specific activities that contribute to the preservation of public order and determine the appropriate Union assurance level (2, 3, or 4) based on a contextual analysis of data sensitivity and criticality. As clarified in Recital 52, "most public services would not require the highest levels of assurance." This ensures that stringent sovereignty constraints apply only where genuine risks to public order exist, while lower-tier services remain accessible for standard administrative tasks.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised framework for cloud computing sovereignty to mitigate the EU's dependence on third-country providers. A central pillar of this framework is the requirement for Member States and Union entities to conduct periodic risk assessments. These assessments are not merely administrative formalities; they are the legal engine designed to operationalise the principles of proportionality and subsidiarity, ensuring that regulatory burdens are strictly matched to actual risks.

The Role of Article 29 Risk Assessments

Article 29 of the CADA proposal obliges Member States and Union entities to carry out risk assessments within one year of the regulation's entry into force, and thereafter every two years or whenever necessary. The purpose of these assessments is twofold:

  1. Identification: To identify public sector activities that use cloud computing services and contribute to the preservation of public order. This includes sectors falling under Annex I or II of Directive (EU) 2022/2555 (NIS2) and specific areas such as national security, internal security, external border management, defence, justice, or law enforcement.
  2. Determination: To determine which Union assurance level (2, 3, or 4) is appropriate for these identified activities.

Crucially, Article 29(2) requires assessors to consider specific aspects, including the sensitivity, criticality, and magnitude of the data processed, the risk of unlawful access by a third country, and the risk of service disruption. This structured approach ensures that the choice of assurance level is evidence-based rather than arbitrary.

Proportionality: Matching Assurance to Risk

The principle of proportionality is explicitly embedded in the design of the Union assurance levels. Recital 52 of the CADA explanatory memorandum states that the framework provides for a "proportionate framework to ensure that public order is preserved by maintaining control and agency by public-sector bodies." It clarifies that "most public services would not require the highest levels of assurance."

This distinction is vital for compliance officers. The CADA does not mandate Union Assurance Level 4 for every government server. Instead, the framework operates on a tiered logic:

  • Union Assurance Level 1 serves as the mandatory baseline for all public sector procurement under Article 30(2). It requires basic safeguards such as EU establishment and data localisation but does not require independent third-party audits or Union-citizen personnel.
  • Union Assurance Levels 2, 3, and 4 are reserved exclusively for activities identified through the Article 29 risk assessment as contributing to public order.
  • Highest Tiers (Levels 3 and 4) are reserved for specific cases where the risk assessment determines that the protection of public order requires the highest level of assurance. As noted in Recital 52, "In some specific cases Union assurance levels 3 or 4 may be considered necessary and proportionate in preserving public order."

By requiring a risk assessment before applying Levels 2–4, the CADA ensures that public authorities do not impose unnecessary costs or operational friction on low-risk services. This prevents a "one-size-fits-all" approach that could stifle innovation or increase public spending without a corresponding security benefit. The risk assessment acts as a filter, ensuring that the most stringent criteria, such as mandatory Union citizenship for personnel (Annex II 3.1(d)/4.1(d)) or "high" cybersecurity certification (Annex II 4.1(e)), are applied only where the risk to public order justifies them.

Subsidiarity: National Competence with EU Coordination

Subsidiarity in the CADA context refers to the balance between EU-wide harmonisation and national discretion. While the CADA establishes a single EU-wide sovereignty framework (Article 16) to prevent market fragmentation, it leaves the determination of which activities require high assurance to the Member States and Union entities.

Article 29(2) grants Member States and Union entities the competence to assess the specific context of their operations. Recital 62 reinforces this by stating that "the determination of the level of sensitivity of information that may be hosted in a cloud computing service that offers a Union assurance level lies within the competence and discretion of the Member States."

However, to ensure consistency and preserve the integrity of the digital single market, the Commission will provide guidance to assist Member States in carrying out these assessments. Article 29(3) empowers the Commission to specify the methodology, templates, and elements to be taken into account. Furthermore, Article 29(5) provides a safeguard: if the Commission concludes that a Member State's identified assurance level is not appropriate or does not adequately address public order concerns, it may adopt implementing acts to specify the required level.

This structure allows national authorities to account for local security threats, specific sectoral needs, and existing national security protocols, while still adhering to a common EU definition of sovereignty levels. It ensures that the EU intervenes only to the extent necessary to address cross-border dependencies and market failures, leaving detailed operational risk management to the competent national bodies.

Ensuring Proportionate Measures in Procurement

The risk assessment process directly dictates the procurement strategy under Article 30. The logic is strict and binary, depending on the assessment outcome:

  • If an activity is not identified as contributing to the preservation of public order, the contracting authority must procure services with at least Union Assurance Level 1 (Article 30(2)).
  • If an activity is identified as contributing to the preservation of public order, the contracting authority must procure services recognised at Union Assurance Levels 2, 3, or 4 (Article 30(3)).

This tiered approach ensures that mitigation measures are proportionate to the threat. For example, a local municipal library using cloud storage for public catalogues may only need Level 1 assurance. In contrast, a national defence ministry using cloud infrastructure for strategic planning would undergo a rigorous risk assessment, likely resulting in a requirement for Level 3 or 4 assurance, which brings strict limits on third-country control, personnel citizenship requirements, and independent audits.

The proposal also anticipates the need for migration. Article 29(6) states that where a risk assessment requires migration to another cloud computing service, the Member State or Union entity must migrate within a reasonable transition period that shall not exceed 12 months. This ensures that the shift to proportionate measures is implemented efficiently without causing indefinite service disruption.

What this means for you

For in-house counsel, compliance officers in the public sector, and private entities serving the public sector, the CADA risk assessment regime introduces specific obligations and strategic considerations:

  1. Mandatory Assessment Timeline: You must prepare for the initial risk assessment by one year after CADA's entry into force. This is not a voluntary exercise; it is a statutory obligation under Article 29(1). Failure to conduct these assessments could lead to non-compliant procurement practices.
  2. Documentation and Reporting: Article 29(4) requires Member States to provide the Commission with the results of these risk assessments within three months of completion. You must ensure that your risk assessment methodology is documented, defensible, and aligns with the Commission's forthcoming implementing acts on methodology (Article 29(3)).
  3. Procurement Alignment: Your procurement teams must integrate the results of the risk assessment into tender documents. Under Article 30, you cannot simply choose the highest assurance level for all contracts. You must map specific workloads to their corresponding assurance levels based on the risk assessment. Procuring Level 4 services for non-critical tasks may be challenged as disproportionate and economically inefficient.
  4. Transition Planning: Article 29(6) notes that if a risk assessment requires migration to another cloud service, the migration must occur within a reasonable transition period not exceeding 12 months. Compliance officers must factor this timeline into their IT roadmaps to avoid service disruptions.
  5. Private Sector Spillover: While Article 29 applies to public entities, Article 31 allows private sector entities in sectors listed under Annex I of the NIS2 Directive to conduct similar impact assessments. If you are a private cloud provider or a critical private entity, understanding the public sector's risk assessment outcomes is crucial, as these assessments will drive market demand for specific assurance levels.

Common misconceptions

  • Misconception 1: "All public sector cloud services must be Level 4."
    • Reality: This is incorrect. Recital 52 explicitly states that "most public services would not require the highest levels of assurance." Level 1 is the mandatory baseline for all public procurement. Levels 2–4 are reserved only for activities identified as contributing to public order through a formal risk assessment.
  • Misconception 2: "The EU dictates exactly which services are high-risk."
    • Reality: While the Commission provides guidance and can specify assurance levels if a Member State's assessment is deemed inappropriate (Article 29(5)), the initial determination of which activities contribute to public order and which assurance level is appropriate lies with the Member States and Union entities. This reflects the principle of subsidiarity.
  • Misconception 3: "Risk assessments are a one-time event."
    • Reality: Article 29(1) requires assessments to be carried out every two years, or whenever necessary. The dynamic nature of cloud services and evolving geopolitical threats necessitate regular reviews to ensure that the chosen assurance levels remain proportionate to the current risk landscape.
  • Misconception 4: "Proportionality means choosing the cheapest option."
    • Reality: Proportionality in CADA refers to the alignment of security measures with the level of risk to public order, not cost. While cost is a factor in procurement, the primary driver is the sensitivity and criticality of the data and the operational importance of the service. A low-cost service that fails to meet the required assurance level for a high-risk activity is non-compliant.

This is general information about a draft EU regulation, not legal advice.