Summary
Under the proposed Cloud and AI Development Act (CADA), contracting authorities must explicitly evaluate whether a multi-vendor or multi-cloud strategy is appropriate when procuring cloud services. This is not a voluntary best practice but a mandatory requirement under Article 29(9), which states that risk assessments "shall consider whether a multi-vendor or multi-cloud strategy is appropriate." This evaluation must be documented within the risk assessment itself, which determines the required Union assurance level for specific public sector activities. By integrating this consideration, authorities can enhance operational resilience, mitigate single-provider dependencies, and ensure continuity while complying with the Act's sovereignty framework.
Detail
The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a comprehensive framework to strengthen Europe's cloud and AI ecosystem. A central pillar of this framework is the reduction of dependencies on non-European providers and the safeguarding of public order through a harmonised sovereignty framework. A critical, yet often overlooked, component of this framework is the strategic decision-making process regarding vendor diversity.
The Mandate: Article 29(9) and the Risk Assessment
The core obligation for public sector bodies lies in Article 29, which mandates that Member States and Union entities carry out risk assessments to determine the appropriate Union assurance level (1, 2, 3, or 4) for their public sector activities. These assessments are designed to identify activities that contribute to the preservation of public order, particularly in sensitive sectors such as national security, internal security, external border management, defence, justice, and law enforcement.
Crucially, Article 29(9) introduces a specific procedural requirement: "In their risk assessments, Member States and Union entities shall consider whether a multi-vendor or multi-cloud strategy is appropriate as part of their procurement of cloud computing services."
This provision elevates the multi-cloud strategy from a mere technical preference or commercial option to a regulatory consideration. It requires contracting authorities to actively evaluate the benefits of distributing workloads across multiple cloud providers rather than relying on a single incumbent. This evaluation is not a standalone exercise; it must be integrated into the broader risk assessment that also considers the sensitivity, criticality, and magnitude of the data processed, as well as the potential impact on public order.
Integration with Risk Assessments and Assurance Levels
The decision to adopt a multi-vendor or multi-cloud architecture is intrinsically linked to the outcome of the risk assessment mandated by Article 29(1) and (2). The risk assessment must first identify public sector activities that contribute to the preservation of public order and then determine the appropriate Union assurance level for those activities.
For activities identified as having public order relevance, Article 30(3) restricts contracting authorities to procuring only cloud computing services recognised as offering Union assurance levels 2, 3, or 4. In these high-stakes scenarios, a multi-vendor strategy serves as a vital risk mitigation measure. By avoiding reliance on a single provider, authorities can:
- Mitigate Operational Disruption: If one provider experiences a service outage, security breach, or operational disruption, workloads can be shifted to another provider, ensuring business continuity. This directly addresses the risk of "service disruption" identified in Article 29(2)(c).
- Reduce Vendor Lock-in: Diversifying providers reduces the leverage of any single vendor, allowing for more favorable negotiation terms and easier migration if necessary. This aligns with the Act's broader objective of reducing dependencies on critical technologies.
- Enhance Sovereignty Posture: By combining services from different providers, potentially including those with different Union assurance levels or origins (where permitted), authorities can tailor their sovereignty posture to the specific risks of each workload.
However, the Act emphasizes that the decision to adopt a multi-cloud architecture must be based on a context-specific risk assessment. Article 29(2) requires authorities to consider at least the sensitivity, criticality, and magnitude of the data, the risk of unlawful access by a third country, and the risk of service disruption. The assessment should identify any relevant operational, regulatory, or resilience-related circumstances that would support the adoption of such a strategy. It is not a blanket requirement for all public sector bodies; rather, it is a tool to be used where the risk profile justifies the added complexity and cost.
Documentation and Justification
While the Act does not prescribe a specific format for documenting the multi-vendor strategy, the requirement to "consider" it within the risk assessment implies that the rationale for the decision, whether to adopt or reject a multi-cloud approach, must be clearly documented. This documentation serves several critical purposes:
- Accountability: It demonstrates that the contracting authority has fulfilled its obligations under Article 29(9).
- Transparency: It provides a clear record of the risk factors considered, such as the criticality of the data, the potential for service disruption, and the availability of alternative providers.
- Auditability: It allows for the assessment of the procurement decision by national competent authorities and the European Commission, ensuring consistency across the Union.
The risk assessment must also consider the sensitivity, criticality, and magnitude of both personal and non-personal data processed in the cloud environment. This includes ordinary business information, commercially sensitive information, operationally critical data, and personal data. The assessment must evaluate the risk of unlawful access to such data by a third country or a legal entity established in a third country, as well as the risk of service disruption. The decision regarding multi-vendor strategies must be explicitly linked to these risk factors.
Procurement Implications
When a multi-vendor strategy is deemed appropriate, it directly influences the procurement process. Contracting authorities must structure their tenders to accommodate multiple providers. This may involve:
- Dividing Lots: Splitting the procurement into separate lots for different workloads or services, allowing different providers to bid for each lot. This aligns with Article 33(2), which encourages measures to improve access for SMEs, including the division into lots.
- Interoperability Requirements: Specifying strict interoperability standards to ensure that services from different providers can work together seamlessly. This aligns with the Act's emphasis on open standards and open-source solutions (Article 41).
- Data Portability: Ensuring that contracts include robust data portability clauses to facilitate the movement of data between providers if needed.
Furthermore, the Act encourages the use of Union added value criteria in public procurement (Article 32). Contracting authorities can use these criteria to evaluate tenderers' contributions to the development of a European cloud and AI ecosystem, including the use of software or hardware designed or manufactured in the Union. A multi-vendor strategy can help authorities meet these criteria by engaging a diverse range of European providers.
Challenges and Considerations
While a multi-vendor strategy offers significant benefits, it also introduces complexities. Managing multiple providers requires greater technical expertise, more complex contract management, and robust governance frameworks. Contracting authorities must ensure they have the necessary resources and skills to manage a multi-cloud environment effectively.
Additionally, the Act recognizes that not all activities require the highest levels of assurance. For activities that do not contribute to the preservation of public order, a minimum Union assurance level 1 is required (Article 30(2)). In these cases, the decision to adopt a multi-vendor strategy may be driven more by commercial considerations, such as cost optimization and innovation, rather than strict sovereignty requirements. However, the obligation to consider the strategy remains.
In summary, CADA elevates the multi-vendor cloud strategy from a technical option to a regulatory imperative for certain public sector activities. By integrating this consideration into the risk assessment process, contracting authorities can build more resilient, sovereign, and secure cloud environments that align with the EU's strategic objectives.
What this means for you
For public-sector procurement officers, CTOs, and legal counsel, the CADA proposal introduces a new layer of due diligence in cloud procurement. You can no longer treat vendor selection as a purely commercial or technical decision. Instead, you must embed the evaluation of multi-vendor strategies into your mandatory risk assessments.
Actionable Steps:
- Review Your Risk Assessment Methodology: Update your risk assessment templates to include a specific section for evaluating multi-vendor or multi-cloud strategies. This should be done in accordance with Article 29(9). Ensure the template explicitly asks: "Is a multi-vendor strategy appropriate given the identified risks?"
- Document Your Rationale: Whether you decide to adopt a multi-cloud architecture or stick with a single provider, document the reasons for this decision. Consider factors such as data sensitivity, operational criticality, and the availability of alternative providers. This documentation is your primary evidence of compliance.
- Align with Assurance Levels: Ensure that your multi-vendor strategy aligns with the Union assurance levels required for your specific activities. If your activities require Union assurance level 2, 3, or 4, ensure that all providers in your multi-cloud setup meet these criteria. A single weak link can compromise the entire strategy.
- Plan for Interoperability: If you adopt a multi-vendor strategy, specify clear interoperability and data portability requirements in your tender documents. This will facilitate seamless integration and migration between providers, reducing the risk of lock-in.
- Engage with National Competent Authorities: Stay informed about guidance from your national competent authority on conducting risk assessments and implementing multi-vendor strategies. The European Commission will also provide guidance to assist Member States in carrying out these assessments under Article 29(3).
By taking these steps, you can ensure compliance with CADA, enhance the resilience of your cloud infrastructure, and contribute to the EU's broader goal of technological sovereignty.
Common misconceptions
Misconception 1: A multi-vendor strategy is mandatory for all public sector bodies. Reality: CADA does not mandate a multi-vendor strategy for all public sector procurements. Article 29(9) requires authorities to consider whether such a strategy is appropriate. The decision depends on the outcome of the context-specific risk assessment. For low-risk activities, a single-vendor approach may be sufficient and more cost-effective, provided the rationale is documented.
Misconception 2: Multi-cloud automatically ensures higher sovereignty. Reality: While multi-cloud can enhance resilience, it does not automatically guarantee higher sovereignty. Each provider in a multi-cloud setup must still meet the required Union assurance level. If a provider does not meet the criteria for the required assurance level, including them in a multi-cloud strategy could introduce new risks rather than mitigate them. The sovereignty of the service is determined by the assurance level, not the number of vendors.
Misconception 3: The risk assessment is a one-time exercise. Reality: Article 29(1) requires risk assessments to be carried out by the date of entry into force plus one year, and thereafter every two years, or whenever necessary. This means that your evaluation of multi-vendor strategies must be regularly reviewed and updated to reflect changes in technology, threats, and operational needs.
Misconception 4: Multi-cloud is only for high-assurance levels. Reality: While multi-cloud is particularly relevant for high-assurance levels (2, 3, and 4) where public order is at stake, it can also be beneficial for activities requiring Union assurance level 1. The decision should be based on a holistic assessment of risks, including commercial and operational factors, not just sovereignty requirements. The obligation to consider applies across the board.
This is general information about a draft EU regulation, not legal advice.