Summary

As proposed, the Cloud and AI Development Act (CADA) requires healthcare providers acting as public-sector contracting authorities to carry out mandatory risk assessments under Article 29 to determine the appropriate Union assurance level for their cloud services. Under Article 30, healthcare activities identified in that assessment as contributing to the preservation of public order may only use services recognised at Union assurance level 2, 3 or 4, while activities not so identified must use services recognised at least at Union assurance level 1. The intent is to keep sensitive health data and critical infrastructure under Union control, reducing the risk of third-country access and of service disruption.

Detail

The proposed Cloud and AI Development Act (CADA), COM(2026) 502 final, introduces a harmonised framework for the procurement of cloud computing services and AI systems by public sector bodies, including healthcare providers. The regulation aims to reduce the Union's dependence on non-European cloud providers and protect public order by establishing a tiered sovereignty framework known as Union assurance levels. For healthcare providers, which often process highly sensitive personal data and operate critical infrastructure, CADA imposes specific obligations regarding risk assessment and procurement criteria.

Healthcare as a Critical Sector under NIS2

Healthcare is explicitly recognised as a sector of high criticality under Directive (EU) 2022/2555 (NIS2): healthcare providers are listed in Annex I of that Directive. CADA leverages this classification to determine the stringency of the sovereignty requirements that apply. Because healthcare providers typically operate essential services and process sensitive personal data, their cloud procurement is subject to heightened scrutiny to ensure operational autonomy and data confidentiality.

The proposal explicitly links the definition of "public order" activities to these NIS2 sectors. Under Article 29(1)(a), Member States and Union entities must identify public sector activities that contribute to the preservation of public order in sectors falling under Annex I or II of Directive (EU) 2022/2555. Healthcare, being in Annex I, is a primary candidate for such identification.

Mandatory Risk Assessments under Article 29

The cornerstone of CADA's demand-side measures for the public sector is the obligation to conduct risk assessments. Article 29(1) requires Member States and Union entities to carry out these assessments within one year of the regulation's entry into force, and thereafter every two years or whenever necessary.

Article 29(1)(a) specifies that these assessments must identify public sector activities that use or will use cloud computing services and contribute to the preservation of public order. This includes sectors falling under Annex I or II of the NIS2 Directive, such as healthcare, as well as areas of national security, internal security, external border management, defence, justice, and law enforcement.

When conducting these assessments, healthcare providers must evaluate the factors set out in Article 29(2):

  • Sensitivity and Criticality: The sensitivity, criticality and magnitude of the non-personal data processed, as well as the nature, scope, context and purpose of any processing of personal data. This includes assessing the risk, of varying likelihood and severity, to the rights and freedoms of data subjects.
  • Third-Country Access Risks: The risk, and the consequent impact on public order, of access to the data by a third country, or by a legal entity established in a third country, that is unlawful under Union law.
  • Service Disruption Risks: The risk, and the consequent impact on public order, of a possible disruption of the service.

Based on this assessment, the contracting authority must determine which Union assurance level (2, 3, or 4) is appropriate for the identified public sector activities. The Commission will provide guidance and methodology for these assessments via implementing acts, ensuring consistency across the Union.

Procurement Obligations under Article 30

Once the risk assessment is complete, Article 30 dictates the procurement requirements. This article applies to contracting authorities procuring cloud computing services for their exclusive use.

  • Baseline Requirement (Level 1): Union entities and public sector bodies whose activities have not been identified as contributing to the preservation of public order under the Article 29 risk assessment must use cloud computing services recognised under Article 17 as having a Union assurance level 1. This ensures a baseline of sovereignty and security for all public cloud usage.
  • Enhanced Requirement (Levels 2–4): Contracting authorities, including healthcare providers, whose activities have been identified as contributing to the preservation of public order (e.g., critical hospital operations, processing of sensitive patient data, or essential public health services) must only procure cloud computing services recognised as having a Union assurance level 2, 3, or 4.

Article 30(3) explicitly states that for activities in sectors falling under Annex I or II of the NIS2 Directive (which includes healthcare), if the risk assessment determines public order relevance, the procurement is restricted to services offering higher assurance levels. This prevents the use of services that may be subject to extraterritorial laws allowing third-country access to data or service degradation.

Assessing Sensitive Data Criticality

For healthcare providers, the determination of the appropriate assurance level depends heavily on the nature of the data processed. Health data is special category personal data under the GDPR and warrants enhanced protection. Under CADA, the risk assessment must consider the sensitivity, criticality and magnitude of this data, together with the nature, scope, context and purpose of the processing.

  • Union Assurance Level 1: Requires the provider to be established in the Union, with infrastructure and assets located in the Union (unless the public sector body explicitly requires otherwise). Data must remain exclusively within the Union.
  • Union Assurance Levels 2–4: These levels impose stricter criteria, including requirements for European cybersecurity certification, strict controls on third-country control over the provider, and prohibitions on using customer data to train third-country AI systems.
    • Level 2: Requires "substantial" cybersecurity certification and requires personnel screening where the public sector body so demands.
    • Level 3: Requires "substantial" cybersecurity certification and mandates that personnel are Union citizens (where appropriate). It also allows for a derogation regarding third-country control where the Commission has adopted an implementing act under Article 18 (Associated third countries), provided specific safeguards are met.
    • Level 4: The highest tier, requiring "high" cybersecurity certification, mandatory Union citizenship for all personnel, and a strict prohibition on any third-country control over the provider or its subcontractors.

Healthcare providers must map their specific use cases (such as electronic health records, telemedicine platforms or medical imaging storage) to these criteria. If a service processes data that, if accessed by a third country, could undermine public health or individual rights, it likely requires Level 2 or higher.

Exceptions and Derogations

Article 30(4) provides limited derogations. A contracting authority may decide not to procure a recognised service if:

  1. The subject matter cannot be supplied by recognised services available in the central repository, and no adequate alternative exists.
  2. A similar procurement process was launched within the previous year but yielded no suitable tenders.
  3. Applying the requirements would result in disproportionate cost.

However, these exceptions are narrow and require justification. Healthcare providers cannot use these derogations to bypass sovereignty requirements for critical systems without robust evidence that no Union-assured service is available or feasible.

What this means for you

For healthcare procurement officers and IT directors, CADA introduces a structured, risk-based approach to cloud sourcing that prioritises sovereignty alongside technical and financial criteria.

  1. Conduct Thorough Risk Assessments: You must document why specific cloud workloads are or are not critical to public order. Use the Commission's forthcoming guidance to assess the sensitivity of health data and the potential impact of third-country access or service disruption.
  2. Map Workloads to Assurance Levels: Not all healthcare cloud usage requires the highest assurance level. Administrative systems with low sensitivity may qualify for Level 1, while clinical data systems likely require Level 2, 3, or 4. Clearly categorise your services to avoid over-procuring expensive high-assurance services for low-risk tasks, or under-protecting critical data.
  3. Check the Central Repository: Before launching a tender, verify that the cloud services you intend to use are listed in the Commission's central repository of recognised Union-assured services. Procuring from unrecognised providers for critical activities will result in non-compliance.
  4. Prepare for Migration: If your current cloud provider does not meet the required Union assurance level, you must plan for migration. Article 29(6) allows for a reasonable transition period, not exceeding 12 months, to migrate to a compliant service, taking into account technical feasibility and data portability.
  5. Engage with National Competent Authorities: Work closely with your Member State's designated national competent authority to ensure your risk assessments align with national interpretations of public order and criticality in the healthcare sector.

Common misconceptions

  • "All healthcare cloud services must be Level 4." This is incorrect. CADA uses a proportionate approach. Only activities identified as contributing to public order and deemed highly sensitive require the highest assurance levels. Many administrative or non-critical healthcare functions may only require Level 1 or 2. The risk assessment determines the level, not a blanket rule for the entire sector.
  • "CADA replaces GDPR compliance." CADA complements but does not replace the GDPR. While GDPR focuses on data protection rights and lawful processing, CADA focuses on sovereignty, operational autonomy, and protection from third-country interference. A service can be GDPR-compliant but fail to meet CADA's Union assurance levels if it is controlled by a third country or allows data to leave the Union.
  • "Private healthcare providers are fully regulated by CADA's procurement rules." Article 30 primarily binds public sector contracting authorities. However, Article 31 allows private sector entities in NIS2 Annex I sectors (including private healthcare providers) to conduct similar impact assessments. While not mandatory for all private entities, the Commission may require impact assessments for high-criticality private entities via delegated acts. Furthermore, private providers often mirror public sector requirements due to contractual obligations or industry standards.
  • "We can keep our current non-EU cloud provider if it's cheaper." Cost is only a valid exception under Article 30(4) if applying sovereignty requirements leads to disproportionate cost, and even then, it is an exceptional derogation. For critical healthcare services, the protection of public order and data sovereignty generally outweighs cost savings. Reliance on non-EU providers for critical health data poses significant risks under CADA.

This is general information about a draft EU regulation, not legal advice.