Summary

Under the proposed Cloud and AI Development Act (CADA), defence and law-enforcement bodies are legally required to procure cloud computing services recognised at Union assurance levels 2, 3, or 4. This obligation is triggered by mandatory risk assessments that identify these sectors as critical to the preservation of public order. Consequently, these bodies are prohibited from procuring services at Union assurance level 1 for such activities. Compliance requires verifying, through independent third-party audits, that providers meet stringent sovereignty criteria, including strict data localisation, Union citizenship for personnel, and the absence of third-country control.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, establishes a harmonised framework for cloud sovereignty across the EU. Its primary objective in this domain is to safeguard the Union's public order by ensuring operational autonomy and data confidentiality in critical sectors. For defence and law-enforcement entities, the compliance pathway is not optional; it is a two-step statutory process defined by Article 29 (Risk Assessments) and Article 30 (Public Procurement).

The Public Order Mandate and Risk Assessments

CADA explicitly recognises that certain public sector activities are essential for the preservation of public order. Article 29(1) requires Member States and Union entities to carry out risk assessments to identify which public sector activities fall into this category. The provision explicitly lists "national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offence" as areas contributing to the preservation of public order.

Because defence and law-enforcement activities are inherently linked to public order, they trigger the highest tier of scrutiny under the CADA framework. Article 29(3) specifies that the methodology for these risk assessments must detail "how Member States use the highest level of assurance for the most critical public sectors activities including, but not limited to, defence." This creates a presumptive requirement for the highest levels of sovereign assurance in these sectors. The risk assessment must evaluate the sensitivity and criticality of the data processed, the potential impact on public order of unlawful access by third countries, and the risk of service disruption.

The Commission is empowered to adopt implementing acts to specify the methodology, templates, and elements to be taken into account for these assessments. Crucially, if the Commission concludes that a Member State's risk assessment does not adequately address public order concerns, it may adopt implementing acts specifying the Union assurance levels needed for the activity.

Procurement Restrictions: Levels 2, 3, and 4

Once a risk assessment identifies a defence or law-enforcement activity as contributing to public order, strict procurement rules apply. Article 30(3) mandates that contracting authorities in these sectors "shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."

This provision effectively bars defence and law-enforcement bodies from procuring cloud services that only meet Union assurance level 1. While Union assurance level 1 serves as the baseline for general public sector procurement (Article 30(2)), it does not provide the rigorous controls required for sensitive security operations. Therefore, compliance for these bodies necessitates engaging with providers who have undergone independent third-party audits and received formal recognition for higher assurance levels.

The restriction is absolute for activities identified under Article 29(1). A contracting authority cannot justify the use of a Level 1 service for defence operations by citing cost or availability, unless a specific derogation under Article 30(4) applies (e.g., if no recognised service exists and no adequate alternative is available, provided this is not the result of an artificial narrowing of the tender).

Understanding the Assurance Levels for Security Sectors

To comply with Article 30(3), defence and law-enforcement bodies must understand the specific criteria for Union assurance levels 2, 3, and 4, as detailed in Annex II of the CADA proposal. These levels are cumulative; a Level 4 provider must meet all criteria of Levels 2 and 3, plus additional stringent requirements.

Union Assurance Level 2 requires that the cloud computing service provider and its subcontractors are established in the Union. Infrastructure, assets, and personnel must be located in the Union. Crucially, customer data must remain exclusively within the Union. This level also requires that data generated by the service is not used to train AI systems operated by third countries. It mandates a European cybersecurity certificate of at least assurance level 'substantial' (or equivalent national standards until the EU scheme is fully established).

Union Assurance Level 3 introduces stricter personnel and control requirements. In addition to the Level 2 criteria, Annex II (3.1(d)) mandates that "the personnel, including the personnel of the subcontractors which are involved in the provision of the audited service are Union citizens." Furthermore, the provider and subcontractors must not be subject to the control of a third country or a legal entity established in a third country. By way of derogation, Article 18 allows the Commission to identify "associated third countries" that provide sufficient safeguards. If a third country is designated, its providers can be audited for Union assurance level 3, provided they demonstrate that third-country control does not restrict service delivery, permit access to data, or disrupt continuity of service. This level is designed for services handling sensitive information where third-country influence must be strictly limited.

Union Assurance Level 4 represents the highest tier of sovereignty, intended for the most critical applications, such as those involving classified information. It includes all Level 3 requirements but adds stringent controls over the software supply chain. Annex II (4.1(i)(ii)) requires providers to demonstrate that a third country does not hold effective control over the design, development, maintenance, and evolution of the software components used. The aim is to reduce the risk that critical defence and law-enforcement infrastructure could be remotely disabled or manipulated by foreign actors through supply chain dependencies; note that this is a control-and-ownership criterion verified by audit, not a technical guarantee that the software is free of backdoors, so it complements rather than replaces technical supply-chain assurance. Additionally, Level 4 requires a European cybersecurity certificate of at least assurance level 'high'.

The Role of National Competent Authorities and Audits

Compliance is not self-certified for these higher levels. Providers seeking recognition for Union assurance levels 2, 3, or 4 must submit to independent third-party audits (Article 20). The national competent authority of the provider's establishment evaluates the audit evidence and grants recognition. Defence and law-enforcement procurement officers must verify that any potential vendor is listed in the central repository of recognised services maintained by the Commission (Article 22). Procuring a service without this formal recognition constitutes a breach of Article 30(3).

The audit process is rigorous. Auditing organisations must verify the provider's establishment, the location of infrastructure and personnel, data localisation, and the absence of third-country control. For Level 3 and 4, auditors must specifically verify Union citizenship of personnel and the legal separation from third-country subsidiaries.

Transition and Migration

If a current cloud provider does not meet the required Union assurance level, Article 29(6) provides for a migration period. Member States or Union entities must migrate to a compliant provider within a reasonable transition period that shall not exceed 12 months. This timeframe must account for technical feasibility, continuity of service, and data portability requirements. Defence and law-enforcement bodies must plan these migrations carefully to avoid operational gaps during the transition. The risk assessment itself must identify the need for migration and the timeline for achieving compliance.

What this means for you

For public-sector procurement officers in defence and law-enforcement, CADA introduces a mandatory filter into your sourcing processes. You can no longer evaluate cloud providers solely on cost, performance, or general cybersecurity certifications like ISO 27001. You must now verify their status within the CADA sovereignty framework.

Actionable Steps:

  1. Verify Assurance Levels: Before issuing a tender, confirm that your current or prospective cloud providers hold formal recognition for Union assurance level 2, 3, or 4. Check the central repository maintained by the Commission. Do not accept self-declarations; look for the audit report and the 'positive' audit opinion.
  2. Update Risk Assessments: Ensure your organisational risk assessments explicitly classify your activities under the "public order" scope defined in Article 29(1). Document why the highest level of assurance is necessary for your specific use cases, particularly for defence operations. Remember that Article 29(3) requires the methodology to specify how the highest level of assurance is used for critical sectors.
  3. Review Contracts: Audit existing cloud contracts to ensure they align with the data localisation and personnel requirements of Annex II. If your provider is moving towards Level 3 or 4, ensure contractual clauses reflect the requirement for Union citizen personnel and the prohibition of third-country control.
  4. Plan for Migration: If you are currently using a provider that only offers Union assurance level 1, initiate a migration plan immediately. You have a maximum of 12 months to transition to a compliant provider once the risk assessment dictates the change.
  5. Engage with Competent Authorities: Collaborate with your national competent authority to ensure your risk assessment methodology aligns with the Commission's implementing acts. This alignment is crucial for defending your procurement decisions against legal or political challenges.

Common misconceptions

Misconception 1: Cybersecurity certification is sufficient. Many assume that a European Cybersecurity Certification Scheme (EUCS) certificate is enough to meet CADA requirements. While EUCS is a component of Union assurance levels 2, 3, and 4 (Annex II), it is not the whole picture. CADA adds layers of sovereignty, such as data localisation, personnel citizenship, and third-country control restrictions, that go beyond technical cybersecurity. A service can be cyber-secure but fail to meet the sovereignty criteria for defence use.

Misconception 2: Union assurance level 1 is acceptable for sensitive data. Some procurement officers believe that Union assurance level 1, which requires data to remain in the Union, is sufficient for law-enforcement data. However, Article 30(3) explicitly restricts public-order activities to levels 2, 3, or 4. Level 1 lacks the independent audit and stricter personnel/control requirements necessary for the high-risk nature of defence and law-enforcement operations.

Misconception 3: Third-country providers can never be used. It is often believed that no cloud provider controlled by a third country can be used for defence. This is partially incorrect. Article 18 allows the Commission to designate "associated third countries" that provide sufficient safeguards. If a third country is designated, its providers can be audited for Union assurance level 3. However, for Union assurance level 4, providers must not be subject to third-country control. Therefore, while not entirely excluded, third-country providers face significant hurdles and are likely restricted to lower assurance levels unless specific derogations apply.

Misconception 4: The risk assessment is a one-time event. Article 29(1) requires risk assessments to be carried out "every two years, or whenever necessary." Defence and law-enforcement landscapes evolve rapidly. Procurement officers must treat the risk assessment as a living document, updating it to reflect new threats, new data types, or changes in the provider's ownership structure.

This is general information about a draft EU regulation, not legal advice.