Summary
Under the proposed Cloud and AI Development Act (CADA), public buyers cannot arbitrarily choose a higher cloud assurance level. The decision to procure above the baseline Union assurance level 1 is strictly governed by Article 30(3), which mandates that contracting authorities whose activities contribute to the preservation of public order must procure services recognised at Union assurance levels 2, 3, or 4. This requirement is triggered and justified solely by a mandatory risk assessment under Article 29, which evaluates the sensitivity, criticality, and magnitude of data processed, as well as the risks of unlawful third-country access or service disruption. If the risk assessment identifies a public-order relevance, the procurement of level 1 is legally insufficient; the buyer must procure the specific higher level (2, 3, or 4) determined by that assessment.
Detail
The proposed Cloud and AI Development Act (CADA) introduces a sovereignty framework where procurement decisions are not driven by market preference or cost alone, but by a legally binding link between operational risk and assurance levels. For public buyers, the "justification" for procuring above the minimum is not a discretionary business case, but a compliance obligation derived from the intersection of Article 29 (Risk Assessments) and Article 30 (Public Procurement).
The Legal Baseline: Article 30(2) vs. Article 30(3)
The Regulation establishes a clear dichotomy in procurement obligations based on the outcome of a risk assessment.
1. The Default Baseline: Article 30(2)
For the majority of public sector activities that do not touch upon critical public order functions, the law sets a floor, not a ceiling. Article 30(2) states:
"Union entities and public sector bodies whose public sector activities have not been identified as contributing to the preservation of public order under the risk assessment referred to in Article 29(1) shall use cloud computing services that have been recognised under Article 17 as having a Union assurance level 1."
This means that if a risk assessment determines an activity is not critical to public order, the buyer is legally bound to procure at least level 1. Procuring a higher level (e.g., level 3) for such low-risk activities is not prohibited but is not mandated by the sovereignty framework.
2. The Mandatory Higher Tiers: Article 30(3)
The core of the justification for higher assurance levels lies in Article 30(3). This provision applies to contracting authorities whose activities have been identified as contributing to the preservation of public order. It states:
"Contracting authorities, including the entities acting on their behalf, whose activities have been identified as contributing to the preservation of public order under Article 29(1) in sectors falling under Annex I or II of Directive (EU) 2022/2555 and in the areas of national security, internal security, external border management, defence, justice or law enforcement, including the prevention, investigation, detection and prosecution of criminal offences, shall only procure cloud computing services that have been recognised as having a Union assurance level 2, 3 or 4."
Crucially, the text uses the mandatory phrase "shall only procure." This removes discretion: if the risk assessment identifies public-order relevance, level 1 is legally excluded. The buyer must procure a service recognised at level 2, 3, or 4.
The Mechanism: Article 29 Risk Assessments
The "justification" for moving to a higher level is the risk assessment itself. Article 29 requires Member States and Union entities to carry out these assessments by a specific deadline and thereafter every two years, or whenever necessary.
Article 29(1) mandates that these assessments must:
- Identify public sector activities that use or will use cloud computing services and contribute to the preservation of public order.
- Determine which Union assurance level (2, 3, or 4) is appropriate for those identified activities.
Article 29(2) provides the specific criteria that buyers and risk officers must evaluate to make this determination. The justification for a higher level rests on the findings regarding:
- Data Sensitivity and Criticality: The assessment must consider "the sensitivity, criticality, and magnitude of the non-personal data processed, including the potential impact on public order and the nature, scope, context and purpose of processing of personal data."
- Risk of Unlawful Access: The assessment must evaluate "the risk and consequent impact on public order of unlawful access under Union law to such data by a third country or a legal entity established in a third country."
- Risk of Service Disruption: The assessment must evaluate "the risk and consequent impact on public order of possible service disruption."
If the risk assessment concludes that the sensitivity of the data or the risk of disruption is high enough to threaten public order, the buyer is justified, and indeed required, to procure a higher assurance level. The specific level (2, 3, or 4) must be the one deemed "appropriate" by the assessment.
Linking Choice to Data Sensitivity and Disruption Risk
The choice between levels 2, 3, and 4 is not arbitrary; it is a direct function of the risks identified in Article 29.
- Data Sensitivity as a Driver: If the risk assessment identifies that the data processed is highly sensitive (e.g., classified information, sensitive law enforcement data), the buyer must justify a level that guarantees data remains exclusively within the Union and is handled by personnel with appropriate security clearances. For instance, Annex II indicates that Union assurance level 4 requires that "the personnel... are Union citizens and, where appropriate, the personnel must also have the necessary national security clearance." If the risk assessment identifies a need for such clearance to prevent public order harm, level 4 becomes the justified choice.
- Disruption Risk as a Driver: If the risk assessment highlights a high risk of service disruption by a third country (e.g., due to extraterritorial sanctions or coercion), the buyer must justify a level that prevents such disruption. Annex II criteria for levels 2, 3, and 4 all require measures to prevent "disruption of the service continuity and/or the degradation of the service quality by a third country." The severity of the disruption risk identified in Article 29(2)(c) will dictate whether the stricter controls of level 3 or 4 (such as the prohibition on third-country control in level 4) are necessary.
The Commission is empowered to specify the methodology for these assessments via implementing acts (Article 29(3)), ensuring that the link between the identified risk and the required assurance level is consistent across the Union. If a Member State's assessment is found inadequate, the Commission may adopt implementing acts specifying the required level (Article 29(5)), further reinforcing that the justification is objective and risk-based, not subjective.
Exceptional Circumstances
While Article 30(3) mandates higher levels for public-order activities, Article 30(4) provides a narrow derogation. A contracting authority may decide not to procure a recognised service at levels 1, 2, 3, or 4 only if:
- The subject matter cannot be supplied by recognised services available in the central repository, and no adequate alternative exists (provided this is not due to artificial narrowing of parameters).
- A similar procurement process within the previous year yielded no suitable tenders.
- Applying the requirements would require the authority to procure services at disproportionate cost.
These exceptions require "duly justified" circumstances and do not negate the general rule that the risk assessment drives the assurance level.
What this means for you
For public procurement officers and legal teams, the practical implication is a shift from cost-based decision-making to risk-based compliance.
- Do Not Decide in Isolation: You cannot simply decide to buy a "more secure" cloud service. You must first consult the risk assessment conducted under Article 29. If your activity is not listed as contributing to public order, Article 30(2) applies, and you must procure at least level 1. If it is listed, Article 30(3) applies, and you must procure a service recognised at level 2, 3, or 4.
- Document the Risk Link: Your procurement file must explicitly reference the Article 29 risk assessment. You must document how the "sensitivity, criticality, and magnitude" of the data (Article 29(2)(a)) and the "risk of unlawful access" or "service disruption" (Article 29(2)(b) and (c)) led to the determination of the specific assurance level.
- Verify the Repository: Ensure the service you intend to procure is listed in the central repository established under Article 22. Only services recognised at the specific level determined by your risk assessment can be legally procured under Article 30(3).
- Plan for Migration: If your current provider does not meet the level required by your risk assessment, Article 29(6) requires migration within a reasonable transition period not exceeding 12 months. Start this process immediately upon the risk assessment's conclusion.
Common misconceptions
"I can choose a higher assurance level just to be safe."
- Reality: While you can choose a higher level if it is available, the justification for a mandatory higher level (2, 3, or 4) is strictly tied to the risk assessment. If your activity is not identified as contributing to public order, you are not required to go above level 1. Conversely, if your activity is identified as critical, you cannot stay at level 1. The threshold question (level 1 or a higher level) is binary and risk-driven; which higher level applies is then fixed by the assessment.
"Union assurance level 1 is the standard for all public bodies."
- Reality: Level 1 is the standard only for activities not contributing to public order. For sectors like defence, justice, and law enforcement, Article 30(3) explicitly mandates levels 2, 3, or 4. Level 1 is legally insufficient for these critical functions.
"The risk assessment is a one-time administrative formality."
- Reality: Article 29(1) requires assessments every two years, or whenever necessary. As the threat landscape evolves or data sensitivity changes, the required assurance level may change, triggering a new procurement obligation.
This is general information about a draft EU regulation, not legal advice.