Summary
Under the proposed Cloud and AI Development Act (CADA), Member States and Union entities must conduct mandatory risk assessments to determine the appropriate Union assurance level for public sector activities. Article 29(3) explicitly mandates that the Commission's methodology must specify how to apply the highest level of assurance for the most critical public sector activities, including defence. These assessments, required within one year of entry into force and repeated every two years, evaluate data sensitivity, criticality, and public order impact. The outcome dictates procurement obligations under Article 30, ensuring that high-risk operations are shielded from third-country control and service disruption by requiring services recognised at Union assurance levels 2, 3, or 4.
Detail
The proposed Cloud and AI Development Act (CADA) establishes a sovereignty framework designed to mitigate the strategic risks associated with the European Union's dependence on non-European cloud computing service providers. Central to this framework is the obligation for public sector bodies to conduct rigorous, legally binding risk assessments before procuring cloud services. These assessments are not merely administrative formalities; they are the primary legal mechanism that dictates which tier of sovereignty assurance a public authority must demand from its vendors.
The Legal Basis: Article 29 Risk Assessments
Article 29 of the CADA proposal places a binding obligation on Member States and Union entities to carry out risk assessments to identify public sector activities that contribute to the preservation of public order. As defined in Article 29(1), these assessments must identify activities in sectors falling under Annex I or II of Directive (EU) 2022/2555 (the NIS2 Directive), as well as in the areas of national security, internal security, external border management, defence, justice, or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences.
The primary objective of these assessments, as outlined in Article 29(1), is twofold: first, to identify which activities use or will use cloud computing services, and second, to determine which Union assurance level (2, 3, or 4) is appropriate for those specific activities. The assessment is not a one-time event: it must first be completed within one year of the date of entry into force, and thereafter repeated every two years, or whenever changing circumstances make a new assessment necessary.
Methodology and the Mandate for Highest Assurance
A critical component of the CADA risk assessment framework is the standardization of methodology to ensure consistency across the Union. Article 29(3) stipulates that the Commission shall specify the methodology to be applied, the templates to be used, and the elements to be taken into account via implementing acts.
Crucially, Article 29(3) explicitly mandates that this methodology "shall specify how Member States use the highest level of assurance for the most critical public sectors activities including, but not limited to, defence."
This provision ensures that the principle of proportionality is applied consistently across the Union. While not every public sector activity requires the stringent controls of Union assurance level 4, activities deemed "most critical" are explicitly directed toward the highest tiers of protection. The methodology ensures that decisions regarding assurance levels are not arbitrary but are based on a harmonized understanding of risk across all Member States. By naming defence explicitly, the proposal acknowledges that activities in this sector inherently carry the highest risk of undermining public order if compromised by third-country control or service disruption.
Key Elements of the Assessment
When carrying out these risk assessments, Article 29(2) requires Member States and Union entities to consider at least three specific aspects:
- Data Sensitivity and Criticality: This involves evaluating the sensitivity, criticality, and magnitude of non-personal data processed, as well as the nature, scope, context, and purpose of processing personal data. It also requires assessing the risk to the rights and freedoms of data subjects.
- Risk of Unlawful Access: Authorities must assess the risk and consequent impact on public order of unlawful access to such data by a third country or a legal entity established in a third country. This directly addresses concerns about extraterritorial data access laws, such as the US CLOUD Act, under which a provider may be compelled to disclose data regardless of where that data is stored.
- Risk of Service Disruption: Authorities must evaluate the risk and consequent impact on public order of possible service disruption. This includes the potential for a provider to degrade or disrupt service continuity due to third-country pressure, sanctions, or operational failures.
The Link to Procurement and Assurance Levels
The outcome of the Article 29 risk assessment directly dictates procurement behavior under Article 30. If an activity is identified as contributing to the preservation of public order, the contracting authority must only procure cloud computing services that have been recognised as offering Union assurance levels 2, 3, or 4.
For the most critical activities, such as those in the defence sector, the methodology mandated by Article 29(3) guides authorities toward the highest assurance levels. Union assurance level 4, for instance, requires that the provider and its subcontractors are not subject to the control of a third country, that all infrastructure and personnel are located in the Union, and that customer data remains exclusively within the Union. By linking the risk assessment to these strict criteria, CADA ensures that critical infrastructure is insulated from external geopolitical risks.
Commission Oversight and Correction
The CADA proposal also includes a mechanism for Commission oversight to prevent national assessments from undermining Union security objectives. Under Article 29(5), if the Commission concludes, after reviewing the results of a Member State's risk assessment, that the identified Union assurance level is not appropriate or does not adequately address public order concerns, it may adopt implementing acts specifying the Union assurance levels needed for that public sector activity.
Furthermore, if a risk assessment requires migration to another cloud computing service, Article 29(6) mandates that the Member State or Union entity must migrate within a reasonable transition period that shall not exceed 12 months, taking into account technical feasibility, continuity of service, and data portability requirements applicable to such migration.
What this means for you
For public-sector procurement officers, legal teams, and CIOs, the CADA risk assessment framework represents a significant shift in how cloud contracts are initiated and managed.
1. Proactive Assessment is Mandatory: You cannot simply procure a cloud service based on technical specifications and price. Before any procurement procedure for cloud services begins, your organization must have a completed risk assessment on file. This assessment must explicitly map your activities to the relevant public order criteria and justify the chosen assurance level.
2. Documentation and Methodology: Ensure that your internal processes align with the methodology and templates that the Commission will specify under Article 29(3). While the final implementing acts are forthcoming, you should begin documenting your evaluation of data sensitivity, third-country access risks, and service disruption risks now. For defence and other critical sectors, prepare to justify why the highest assurance level is necessary, since Article 29(3) directs the methodology to address exactly that question.
3. Transition Planning: If your current cloud providers do not meet the assurance levels identified in your risk assessment, you have a maximum of 12 months to migrate. Start planning your exit strategies and data portability protocols immediately. The assessment is not just a compliance exercise; it is a trigger for potential infrastructure changes.
4. Multi-Cloud Considerations: Article 29(9) requires that risk assessments consider whether a multi-vendor or multi-cloud strategy is appropriate. Procurement officers should evaluate if distributing workloads across multiple sovereign providers can mitigate the risks identified in the assessment, particularly for high-availability critical services.
Common misconceptions
Misconception 1: Risk assessments are optional for non-critical sectors. While the highest assurance levels are mandated for critical activities, Article 29 applies to all Member States and Union entities. Even if an activity is not deemed "critical," a baseline assessment is required to confirm that Union assurance level 1 is sufficient. You cannot skip the assessment process; you must formally determine that lower assurance is appropriate.
Misconception 2: The assessment is a one-time event. Article 29(1) clearly states that assessments must be carried out "every two years, or whenever necessary." Cloud landscapes and geopolitical risks evolve rapidly. A static assessment from two years ago may no longer reflect the current risk profile of your data or the threat landscape regarding third-country access.
Misconception 3: Only national security agencies need to worry about this. Article 29 covers a broad range of activities, including those in sectors under the NIS2 Directive, justice, and law enforcement. Many public sector bodies outside of traditional defence ministries handle data that contributes to public order. Procurement officers in healthcare, transport, and energy sectors must also conduct these assessments.
Misconception 4: The Commission's methodology is just guidance. Article 29(3) refers to implementing acts that specify the methodology. Implementing acts under the CADA are binding. Member States must use the specified methodology and templates. Deviating from the Commission's prescribed methodology, or arriving at an assurance level the Commission considers inadequate for public order, could lead to the Commission intervening under Article 29(5) to specify the Union assurance level required for that activity.
Related
- Who must carry out risk assessments under Article 29 of CADA?
- CADA Risk Assessments: How Article 29 Drives Digital Sovereignty
- CADA Public-Order Test: How Risk Assessments Gate Assurance Levels 2–4
- CADA Risk Assessments vs. Union Added Value: How Article 29 Shapes Article 32
- How do NIS2 sectors relate to CADA risk assessments?
This is general information about a draft EU regulation, not legal advice.